ایمن کردن سرور دربرابر تلاش برای ورود

[mahdiyar11]

سلام دوستان وقتتون بخیر

موقعی که با یوزر روت وارد (با دستور ssh ) سرور مجازی میشوم یه پیام جالب برام مینویسه...

میگه که از آخرین ورود موفق مثلا ۱۷۰۰ تلاش ناموفق برای ورود به سرور شده.(در حد فاصله یک روز)

چجوری میتونم یکار کنم این اتفاق نیوفته؟؟

راهی که به ذهنم رسید استفاده از جفت کلید بود که حداقل خیالم راحت باشه ولی بازم درخواست ورود به سرور زیاد هست. حتی فایروال هم فعال کردم که یکم خیالم راحت تر باشه.

راه حلی به ذهنتون میرسه؟؟

[M!lad]

- لاگین با حساب root رو غیر فعال کنید.
- حساب خودتون رو تنظیم کنید تا با کلید نامتقارن بشه لاگین کرد.
- لاگین با پسورد رو در SSH ببندید.
- پورت دیگه‌ای رو در فایروال ابتدا باز کنید.
- SSH رو تنظیم کنید تا روی پورت جدیدی که باز کردید Listen کنه.
- یک Honeypot بزارید روی پورت 22 تا وقت بات‌ها رو تلف کنه.

* می‌تونید از ابزارهایی مثل Fail2Ban هم استفاده کنید.

برای مثال، این آخرین تلاش‌های ورود به یکی از سرورهای من:

کد: [انتخاب]

{"username": "root", "password": "1q2w3e4r5t", "src_ip": "92.0.184", "src_port": 28425, "timestamp": "2021-05-31T23:58:44.193077", "software_version": "PuTTY", "cipher": "blowfish-cbc", "mac": "hmac-md5", "try": 8}
{"username": "root", "password": "123qwe!@#", "src_ip": "92.0.184", "src_port": 28425, "timestamp": "2021-05-31T23:58:45.539849", "software_version": "PuTTY", "cipher": "blowfish-cbc", "mac": "hmac-md5", "try": 9}
{"username": "root", "password": "1234567", "src_ip": "92.0.184", "src_port": 62490, "timestamp": "2021-05-31T23:58:57.254436", "software_version": "PuTTY", "cipher": "blowfish-cbc", "mac": "hmac-md5", "try": 1}
{"username": "root", "password": "0000", "src_ip": "92.0.184", "src_port": 62490, "timestamp": "2021-05-31T23:58:58.588236", "software_version": "PuTTY", "cipher": "blowfish-cbc", "mac": "hmac-md5", "try": 2}
{"username": "arma3", "password": "1q2w3e", "src_ip": "122.112.56", "src_port": 34276, "timestamp": "2021-06-01T00:05:15.367879", "software_version": "libssh-0.6.3", "cipher": "aes256-ctr", "mac": "hmac-sha1", "try": 1}
{"username": "daniel", "password": "1234567", "src_ip": "230.120.21", "src_port": 44604, "timestamp": "2021-06-01T00:06:43.230771", "software_version": "libssh-0.6.3", "cipher": "aes256-ctr", "mac": "hmac-sha1", "try": 1}
{"username": "webdev", "password": "123", "src_ip": "122.124.119", "src_port": 56950, "timestamp": "2021-06-01T00:10:30.925931", "software_version": "libssh-0.6.3", "cipher": "aes256-ctr", "mac": "hmac-sha1", "try": 1}
{"username": "ayie", "password": "123456", "src_ip": "15.132.43", "src_port": 47254, "timestamp": "2021-06-01T00:12:12.082619", "software_version": "libssh-0.6.3", "cipher": "aes256-ctr", "mac": "hmac-sha1", "try": 1}
{"username": "spark", "password": "111111", "src_ip": "35.70.5", "src_port": 34076, "timestamp": "2021-06-01T00:20:53.141672", "software_version": "libssh-0.6.3", "cipher": "aes256-ctr", "mac": "hmac-sha1", "try": 1}
{"username": "sleep", "password": "sleep", "src_ip": "59.129.44", "src_port": 48460, "timestamp": "2021-06-01T00:21:31.590584", "software_version": "libssh-0.6.3", "cipher": "aes256-ctr", "mac": "hmac-sha1", "try": 1}

[mahdiyar11]

برای مثال، این آخرین تلاش‌های ورود به یکی از سرورهای من:

کد: [انتخاب]

{"username": "root", "password": "1q2w3e4r5t", "src_ip": "92.0.184", "src_port": 28425, "timestamp": "2021-05-31T23:58:44.193077", "software_version": "PuTTY", "cipher": "blowfish-cbc", "mac": "hmac-md5", "try": 8}
{"username": "root", "password": "123qwe!@#", "src_ip": "92.0.184", "src_port": 28425, "timestamp": "2021-05-31T23:58:45.539849", "software_version": "PuTTY", "cipher": "blowfish-cbc", "mac": "hmac-md5", "try": 9}
{"username": "root", "password": "1234567", "src_ip": "92.0.184", "src_port": 62490, "timestamp": "2021-05-31T23:58:57.254436", "software_version": "PuTTY", "cipher": "blowfish-cbc", "mac": "hmac-md5", "try": 1}
{"username": "root", "password": "0000", "src_ip": "92.0.184", "src_port": 62490, "timestamp": "2021-05-31T23:58:58.588236", "software_version": "PuTTY", "cipher": "blowfish-cbc", "mac": "hmac-md5", "try": 2}
{"username": "arma3", "password": "1q2w3e", "src_ip": "122.112.56", "src_port": 34276, "timestamp": "2021-06-01T00:05:15.367879", "software_version": "libssh-0.6.3", "cipher": "aes256-ctr", "mac": "hmac-sha1", "try": 1}
{"username": "daniel", "password": "1234567", "src_ip": "230.120.21", "src_port": 44604, "timestamp": "2021-06-01T00:06:43.230771", "software_version": "libssh-0.6.3", "cipher": "aes256-ctr", "mac": "hmac-sha1", "try": 1}
{"username": "webdev", "password": "123", "src_ip": "122.124.119", "src_port": 56950, "timestamp": "2021-06-01T00:10:30.925931", "software_version": "libssh-0.6.3", "cipher": "aes256-ctr", "mac": "hmac-sha1", "try": 1}
{"username": "ayie", "password": "123456", "src_ip": "15.132.43", "src_port": 47254, "timestamp": "2021-06-01T00:12:12.082619", "software_version": "libssh-0.6.3", "cipher": "aes256-ctr", "mac": "hmac-sha1", "try": 1}
{"username": "spark", "password": "111111", "src_ip": "35.70.5", "src_port": 34076, "timestamp": "2021-06-01T00:20:53.141672", "software_version": "libssh-0.6.3", "cipher": "aes256-ctr", "mac": "hmac-sha1", "try": 1}
{"username": "sleep", "password": "sleep", "src_ip": "59.129.44", "src_port": 48460, "timestamp": "2021-06-01T00:21:31.590584", "software_version": "libssh-0.6.3", "cipher": "aes256-ctr", "mac": "hmac-sha1", "try": 1}

خروجی این دستور رو از کجا گذاشتید ؟؟

چطور میتونم بفهمم چه کسانی به سرورم درخواست ورود دادن یا حتی وارد شدند؟؟

[Dragon-]

برای مثال، این آخرین تلاش‌های ورود به یکی از سرورهای من:

کد: [انتخاب]

{"username": "root", "password": "1q2w3e4r5t", "src_ip": "92.0.184", "src_port": 28425, "timestamp": "2021-05-31T23:58:44.193077", "software_version": "PuTTY", "cipher": "blowfish-cbc", "mac": "hmac-md5", "try": 8}
{"username": "root", "password": "123qwe!@#", "src_ip": "92.0.184", "src_port": 28425, "timestamp": "2021-05-31T23:58:45.539849", "software_version": "PuTTY", "cipher": "blowfish-cbc", "mac": "hmac-md5", "try": 9}
{"username": "root", "password": "1234567", "src_ip": "92.0.184", "src_port": 62490, "timestamp": "2021-05-31T23:58:57.254436", "software_version": "PuTTY", "cipher": "blowfish-cbc", "mac": "hmac-md5", "try": 1}
{"username": "root", "password": "0000", "src_ip": "92.0.184", "src_port": 62490, "timestamp": "2021-05-31T23:58:58.588236", "software_version": "PuTTY", "cipher": "blowfish-cbc", "mac": "hmac-md5", "try": 2}
{"username": "arma3", "password": "1q2w3e", "src_ip": "122.112.56", "src_port": 34276, "timestamp": "2021-06-01T00:05:15.367879", "software_version": "libssh-0.6.3", "cipher": "aes256-ctr", "mac": "hmac-sha1", "try": 1}
{"username": "daniel", "password": "1234567", "src_ip": "230.120.21", "src_port": 44604, "timestamp": "2021-06-01T00:06:43.230771", "software_version": "libssh-0.6.3", "cipher": "aes256-ctr", "mac": "hmac-sha1", "try": 1}
{"username": "webdev", "password": "123", "src_ip": "122.124.119", "src_port": 56950, "timestamp": "2021-06-01T00:10:30.925931", "software_version": "libssh-0.6.3", "cipher": "aes256-ctr", "mac": "hmac-sha1", "try": 1}
{"username": "ayie", "password": "123456", "src_ip": "15.132.43", "src_port": 47254, "timestamp": "2021-06-01T00:12:12.082619", "software_version": "libssh-0.6.3", "cipher": "aes256-ctr", "mac": "hmac-sha1", "try": 1}
{"username": "spark", "password": "111111", "src_ip": "35.70.5", "src_port": 34076, "timestamp": "2021-06-01T00:20:53.141672", "software_version": "libssh-0.6.3", "cipher": "aes256-ctr", "mac": "hmac-sha1", "try": 1}
{"username": "sleep", "password": "sleep", "src_ip": "59.129.44", "src_port": 48460, "timestamp": "2021-06-01T00:21:31.590584", "software_version": "libssh-0.6.3", "cipher": "aes256-ctr", "mac": "hmac-sha1", "try": 1}

چرا src_ip سه قسمتی به‌جای ۴ قسمتی؟

[دانیال بهزادی]

به نظرم همون fail2ban کافیه.

[M!lad]

چطور میتونم بفهمم چه کسانی به سرورم درخواست ورود دادن یا حتی وارد شدند؟؟

یک ssh سرور fake بزارید رو پورت ۲۲ که اطلاعات رو جمع کنه.

چرا src_ip سه قسمتی به‌جای ۴ قسمتی؟

چون من حذف کردمشون.