Ubuntu Persian Forums
Help and support => General forum => Author: mahdiyar11 on 18 Khordad 1400 (8 June 2021), 03:57 PM
-
Hi friends, good day.
When I log in to the VPS as the root user (with the ssh command) it prints an interesting message for me...
It says that since the last successful login there have been, for example, 1700 failed attempts to log in to the server (within a span of one day).
How can I make this stop happening??
The way that came to mind was to use a key pair so that at least I could rest easy, but there are still a lot of login requests to the server. I even enabled the firewall to be a bit more at ease.
Do you have a solution in mind??
-
- Disable login with the root account.
- Set up your own account so that you can log in with an asymmetric key.
- Close password login in SSH.
- First open another port in the firewall.
- Configure SSH to listen on the new port you opened.
- Put a honeypot on port 22 to waste the bots' time.
* You can also use tools like Fail2Ban.
For example, these are the latest login attempts on one of my servers:
{"username": "root", "password": "1q2w3e4r5t", "src_ip": "92.0.184", "src_port": 28425, "timestamp": "2021-05-31T23:58:44.193077", "software_version": "PuTTY", "cipher": "blowfish-cbc", "mac": "hmac-md5", "try": 8}
{"username": "root", "password": "123qwe!@#", "src_ip": "92.0.184", "src_port": 28425, "timestamp": "2021-05-31T23:58:45.539849", "software_version": "PuTTY", "cipher": "blowfish-cbc", "mac": "hmac-md5", "try": 9}
{"username": "root", "password": "1234567", "src_ip": "92.0.184", "src_port": 62490, "timestamp": "2021-05-31T23:58:57.254436", "software_version": "PuTTY", "cipher": "blowfish-cbc", "mac": "hmac-md5", "try": 1}
{"username": "root", "password": "0000", "src_ip": "92.0.184", "src_port": 62490, "timestamp": "2021-05-31T23:58:58.588236", "software_version": "PuTTY", "cipher": "blowfish-cbc", "mac": "hmac-md5", "try": 2}
{"username": "arma3", "password": "1q2w3e", "src_ip": "122.112.56", "src_port": 34276, "timestamp": "2021-06-01T00:05:15.367879", "software_version": "libssh-0.6.3", "cipher": "aes256-ctr", "mac": "hmac-sha1", "try": 1}
{"username": "daniel", "password": "1234567", "src_ip": "230.120.21", "src_port": 44604, "timestamp": "2021-06-01T00:06:43.230771", "software_version": "libssh-0.6.3", "cipher": "aes256-ctr", "mac": "hmac-sha1", "try": 1}
{"username": "webdev", "password": "123", "src_ip": "122.124.119", "src_port": 56950, "timestamp": "2021-06-01T00:10:30.925931", "software_version": "libssh-0.6.3", "cipher": "aes256-ctr", "mac": "hmac-sha1", "try": 1}
{"username": "ayie", "password": "123456", "src_ip": "15.132.43", "src_port": 47254, "timestamp": "2021-06-01T00:12:12.082619", "software_version": "libssh-0.6.3", "cipher": "aes256-ctr", "mac": "hmac-sha1", "try": 1}
{"username": "spark", "password": "111111", "src_ip": "35.70.5", "src_port": 34076, "timestamp": "2021-06-01T00:20:53.141672", "software_version": "libssh-0.6.3", "cipher": "aes256-ctr", "mac": "hmac-sha1", "try": 1}
{"username": "sleep", "password": "sleep", "src_ip": "59.129.44", "src_port": 48460, "timestamp": "2021-06-01T00:21:31.590584", "software_version": "libssh-0.6.3", "cipher": "aes256-ctr", "mac": "hmac-sha1", "try": 1}
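As an added example (not part of the thread and not the replier's own setup), here is a small Python audit of the sshd_config settings the list above asks for: no root login, key-only authentication, no password login, and sshd moved off port 22. Both configs in it are constructed; port 2222, the user name deploy and the 10.0.0.0/8 range are placeholders, not values from the post. The parser follows the sshd rules that matter for such a check: keywords are case-insensitive, the first occurrence of a keyword wins, and everything after a Match line is conditional rather than global, which is why the PasswordAuthentication yes inside the Match block does not undo the global no.

```python
"""Added example, not from the thread: audit an sshd_config against the
settings the reply above recommends (no root login, key-only auth, no
password login, sshd moved off port 22).

Both configs below are constructed for illustration; port 2222, the user
name 'deploy' and the 10.0.0.0/8 range are placeholders, not values from
the post.
"""
import re

# What many VPS images ship with (constructed).
WEAK_CONFIG = """\
# /etc/ssh/sshd_config as installed
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
"""

# The same file after the reply's steps (constructed). The Match block at
# the end re-enables passwords for one internal range and shows why the
# audit must stop at 'Match': anything after it is conditional, not global.
HARDENED_CONFIG = """\
Port 2222
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
AuthenticationMethods publickey
MaxAuthTries 3
LoginGraceTime 20
AllowUsers deploy

Match Address 10.0.0.0/8
    PasswordAuthentication yes
"""

# Value sshd uses when the keyword is absent (OpenSSH 7.0 and later).
DEFAULTS = {
    "port": "22",
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
}

# What the reply asks for, keyed by lower-cased keyword.
REQUIRED = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "pubkeyauthentication": "yes",
}


def parse_global_section(text):
    """Return {keyword: value} for the global part of an sshd_config.

    Rules applied: lines starting with '#' are comments, keywords are
    case-insensitive, keyword and value may be separated by whitespace or
    '=', the FIRST occurrence of a keyword wins, and the global section
    ends at the first 'Match' line.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def audit(text):
    """Return findings as strings; an empty list means the file follows the advice."""
    cfg = parse_global_section(text)
    findings = []
    for key, want in REQUIRED.items():
        got = cfg.get(key, DEFAULTS[key])
        if got.lower() != want:
            findings.append(f"{key} is '{got}', expected '{want}'")
    if cfg.get("port", DEFAULTS["port"]) == "22":
        findings.append("port is still 22: open the new port in the firewall, then move sshd")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit(text)
        print(f"{name}: {'OK' if not findings else str(len(findings)) + ' finding(s)'}")
        for finding in findings:
            print("  -", finding)
```

Before restarting sshd on a real server, run `sshd -t` to syntax-check the file and `sshd -T` to print the effective settings, and keep the current session open until a second session over the new port with the key works. As the list says, with a firewall enabled the new port has to be opened before sshd is moved to it. On Ubuntu releases that start ssh through systemd socket activation (22.10 and later), the listening port comes from ssh.socket rather than from Port in sshd_config, so check `systemctl status ssh.socket` before assuming the port change took effect.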
-
For example, these are the latest login attempts on one of my servers:
Where did you get the output of this command from??
How can I find out who has sent login requests to my server, or has even logged in??
-
For example, these are the latest login attempts on one of my servers:
Why is src_ip in three parts instead of four? :o
-
I think fail2ban alone is enough.
-
How can I find out who has sent login requests to my server, or has even logged in??
Put a fake ssh server on port 22 that collects the information.
Why is src_ip in three parts instead of four?
Because I removed them.
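The honeypot lines posted earlier in the thread are enough to show what fail2ban would do with them and what the "who tried to log in" question looks like once the records are counted. The following is an added example, not code from the thread or from fail2ban itself: it replays the ten JSON lines from the reply (copied as posted, with the last octet of src_ip removed by the poster) through a fail2ban-style sliding window, with maxretry, findtime and bantime assumed to mirror the jail.conf defaults, and summarizes the attempts per source, username, password and client banner.

```python
"""Added example, not code from the thread or from fail2ban: replay the
honeypot JSON lines posted in the reply above through a fail2ban-style
sliding window and summarize what the bots tried.

Assumptions: maxretry/findtime/bantime mirror fail2ban's jail.conf
defaults (5 failures within 10 minutes, ban for 10 minutes); every
honeypot record counts as a failure, since nothing can succeed against a
fake server.
"""
import json
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# The ten lines from the reply above; src_ip is truncated because the
# poster removed the last octet before posting.
SAMPLE_LOG = '''
{"username": "root", "password": "1q2w3e4r5t", "src_ip": "92.0.184", "src_port": 28425, "timestamp": "2021-05-31T23:58:44.193077", "software_version": "PuTTY", "cipher": "blowfish-cbc", "mac": "hmac-md5", "try": 8}
{"username": "root", "password": "123qwe!@#", "src_ip": "92.0.184", "src_port": 28425, "timestamp": "2021-05-31T23:58:45.539849", "software_version": "PuTTY", "cipher": "blowfish-cbc", "mac": "hmac-md5", "try": 9}
{"username": "root", "password": "1234567", "src_ip": "92.0.184", "src_port": 62490, "timestamp": "2021-05-31T23:58:57.254436", "software_version": "PuTTY", "cipher": "blowfish-cbc", "mac": "hmac-md5", "try": 1}
{"username": "root", "password": "0000", "src_ip": "92.0.184", "src_port": 62490, "timestamp": "2021-05-31T23:58:58.588236", "software_version": "PuTTY", "cipher": "blowfish-cbc", "mac": "hmac-md5", "try": 2}
{"username": "arma3", "password": "1q2w3e", "src_ip": "122.112.56", "src_port": 34276, "timestamp": "2021-06-01T00:05:15.367879", "software_version": "libssh-0.6.3", "cipher": "aes256-ctr", "mac": "hmac-sha1", "try": 1}
{"username": "daniel", "password": "1234567", "src_ip": "230.120.21", "src_port": 44604, "timestamp": "2021-06-01T00:06:43.230771", "software_version": "libssh-0.6.3", "cipher": "aes256-ctr", "mac": "hmac-sha1", "try": 1}
{"username": "webdev", "password": "123", "src_ip": "122.124.119", "src_port": 56950, "timestamp": "2021-06-01T00:10:30.925931", "software_version": "libssh-0.6.3", "cipher": "aes256-ctr", "mac": "hmac-sha1", "try": 1}
{"username": "ayie", "password": "123456", "src_ip": "15.132.43", "src_port": 47254, "timestamp": "2021-06-01T00:12:12.082619", "software_version": "libssh-0.6.3", "cipher": "aes256-ctr", "mac": "hmac-sha1", "try": 1}
{"username": "spark", "password": "111111", "src_ip": "35.70.5", "src_port": 34076, "timestamp": "2021-06-01T00:20:53.141672", "software_version": "libssh-0.6.3", "cipher": "aes256-ctr", "mac": "hmac-sha1", "try": 1}
{"username": "sleep", "password": "sleep", "src_ip": "59.129.44", "src_port": 48460, "timestamp": "2021-06-01T00:21:31.590584", "software_version": "libssh-0.6.3", "cipher": "aes256-ctr", "mac": "hmac-sha1", "try": 1}
'''

MAXRETRY = 5                      # failures before a ban (jail.conf default)
FINDTIME = timedelta(minutes=10)  # window in which they must occur
BANTIME = timedelta(minutes=10)   # how long the source stays blocked


def parse_log(text):
    """Parse one JSON object per line and return the records sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["timestamp"] = datetime.fromisoformat(rec["timestamp"])
        events.append(rec)
    return sorted(events, key=lambda r: r["timestamp"])


def fail2ban_pass(events, maxretry=MAXRETRY, findtime=FINDTIME, bantime=BANTIME):
    """Return {src_ip: time_of_ban} for every source that reached maxretry
    failures inside a findtime-long sliding window.

    Records from a banned source are skipped until bantime has elapsed,
    mirroring the packets the firewall rule would drop.
    """
    recent = defaultdict(deque)   # src_ip -> timestamps still inside the window
    bans = {}
    for ev in events:
        ip, ts = ev["src_ip"], ev["timestamp"]
        if ip in bans and ts < bans[ip] + bantime:
            continue
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > findtime:   # drop timestamps that aged out
            window.popleft()
        if len(window) >= maxretry:
            bans[ip] = ts
            window.clear()
    return bans


def summarize(events):
    """Count attempts per source, username, password and client banner."""
    return {
        "by_ip": Counter(e["src_ip"] for e in events),
        "usernames": Counter(e["username"] for e in events),
        "passwords": Counter(e["password"] for e in events),
        "clients": Counter(e["software_version"] for e in events),
    }


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("records:", len(events))
    for name, counter in summarize(events).items():
        print(name, counter.most_common(3))
    for retry in (MAXRETRY, 3):
        bans = fail2ban_pass(events, maxretry=retry)
        print(f"maxretry={retry}: banned {sorted(bans) or 'nobody'}")
```

With the default maxretry of 5 the excerpt bans nobody, even though 92.0.184 is plainly brute-forcing root: the posted lines show only four of its attempts (the try counter already reads 8 and 9 on its first connection), so the real count is higher than what the excerpt alone proves, and lowering maxretry to 3 bans it on the third line. On a real host fail2ban reads sshd's own messages from /var/log/auth.log or the journal rather than a honeypot's JSON, and the username and password fields are attacker-controlled, so they belong in counters and nowhere that trusts them. For the "or has even logged in" half of the question, the server itself keeps the answer: `last` lists successful logins from /var/log/wtmp, `lastb` the failed ones from /var/log/btmp, and `journalctl -u ssh` shows what sshd logged.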