What to do when your Linux server keeps having its passwords guessed?
When we log in to a server over ssh, we often get a message like the following:
Last failed login: Fri May 1 23:31:22 CST 2021 from 87.251.74.56 on ssh:notty
There were 187 failed login attempts since the last successful login.
The second line means that there have been 187 failed logins since the last successful one. In other words, someone has been trying to log in to our server and failing; between the previous successful login and this one, 187 failure records were produced. There is no doubt about it: someone is guessing the server's login user names and passwords. Let us look at the server's failed-login records with the following command:
# View the failed-login records
lastb
# Output shown below; add a numeric argument (-N) to limit how many records are shown
root     ssh:notty    110.188.85.88    Tue Oct  5 10:46 - 10:46  (00:00)
pi       ssh:notty    121.180.246.194  Mon Oct  4 10:53 - 10:53  (00:00)
pi       ssh:notty    121.180.246.194  Mon Oct  4 10:53 - 10:53  (00:00)
pi       ssh:notty    121.180.246.194  Mon Oct  4 10:53 - 10:53  (00:00)
pi       ssh:notty    121.180.246.194  Mon Oct  4 10:53 - 10:53  (00:00)
root     ssh:notty    110.188.84.142   Mon Oct  4 10:09 - 10:09  (00:00)
root     ssh:notty    110.188.84.142   Mon Oct  4 10:09 - 10:09  (00:00)
root     ssh:notty    125.70.165.6     Sun Oct  3 09:39 - 09:39  (00:00)
db2inst1 ssh:notty    152.136.245.102  Sun Oct  3 09:00 - 09:00  (00:00)
db2inst1 ssh:notty    152.136.245.102  Sun Oct  3 09:00 - 09:00  (00:00)
db2inst1 ssh:notty    152.136.245.102  Sun Oct  3 08:57 - 08:57  (00:00)
db2inst1 ssh:notty    152.136.245.102  Sun Oct  3 08:57 - 08:57  (00:00)
db2inst1 ssh:notty    152.136.245.102  Sun Oct  3 08:55 - 08:55  (00:00)
db2inst1 ssh:notty    152.136.245.102  Sun Oct  3 08:55 - 08:55  (00:00)
rx       ssh:notty    152.136.245.102  Sun Oct  3 08:53 - 08:53  (00:00)
rx       ssh:notty    152.136.245.102  Sun Oct  3 08:53 - 08:53  (00:00)
rx       ssh:notty    152.136.245.102  Sun Oct  3 08:50 - 08:50  (00:00)
rx       ssh:notty    152.136.245.102  Sun Oct  3 08:50 - 08:50  (00:00)
rx       ssh:notty    152.136.245.102  Sun Oct  3 08:48 - 08:48  (00:00)
rx       ssh:notty    152.136.245.102  Sun Oct  3 08:48 - 08:48  (00:00)
From the output you can see that the first column is the user name used for the login attempt, the second column is the login method (for what ssh:notty means, see the excerpt below), the third column is the client IP address, and the last columns are the login time.
Who or what is root@notty?
If you’re looking through WHM’s process manager and you see root@notty mentioned as one of the processes, don’t be alarmed. It’s perfectly normal and it’s definitely not some hacker called ‘Notty’ who has suddenly got root permissions. Be honest, you’re here because you thought that
You may also have seen sshd: root@notty in the output of ps aux too.
Why notty?
The term ‘notty’ just represents ‘no tty’ which roughly translates as meaning ‘no terminal’. When you login locally to any Linux machine the terminal will always appear in the process list as ‘tty’. If a connection is made via SFTP or you are copying files with SCP (as I did here on a test server prior to bringing up the screenshot above) then it will show as no tty (notty).
Where does TTY come from?
Many years ago, user terminals that were connected to computers were clunky and noisy Electro-mechanical Teleprinters also known as Teletypewriters. They took the latter phrase and chopped some characters out to get the TTY abbreviation: TeleTYpewriter = TTY
Since then, TTY has been used as the shortened name for a text-only console.
Copyright notice: this article is an original work by CSDN blogger "bh6635" and is licensed under CC 4.0 BY-SA; reposts must include a link to the original and this notice. Original link: https://blog.csdn.net/u013601606/article/details/105226727/
From the above we can see that these IPs have been trying to log in to the server over a period of time with different user names and passwords. If we use a shell script to count the number of failed logins per IP, and the count exceeds the limit we set, we put that IP on a blacklist.
#!/bin/bash
# Denyhosts SHELL SCRIPT
# Parse the login log, pick out the failed logins, count them per IP and save the result to a file for later use
awk '/Failed/{print $(NF-3)}' /var/log/secure | sort | uniq -c | awk '{print $2"="$1}' > /root/Denyhosts.txt
# Number of failed logins allowed
DEFINE="10"
# Read the file and write every IP over the limit into hosts.deny to act as a blacklist
for i in $(cat /root/Denyhosts.txt)
do
    IP=$(echo "$i" | awk -F= '{print $1}')
    NUM=$(echo "$i" | awk -F= '{print $2}')
    if [ "$NUM" -gt "$DEFINE" ]
    then
        # Whole-line, fixed-string match so that 1.2.3.4 does not match 1.2.3.45
        # and the dots in the address are not treated as regex metacharacters
        ipExists=$(grep -cxF "sshd:$IP" /etc/hosts.deny)
        if [ "$ipExists" -lt 1 ]
        then
            echo "sshd:$IP" >> /etc/hosts.deny
        fi
    fi
done
Finally, save the file, give it execute permission and add it to a cron job, and it will analyse the IPs and add them to the blacklist automatically. Let these stubborn characters know that we administrators are doing our job too!