Build a robust and secure Linux server (ssh logon)

Source: Internet
Author: User
Tags: ssh, port

Nov 3 01:22:06 server sshd [11879]: Failed password for root from 123.127.5.131 port 38917 ssh2
Nov 3 01:22:17 server sshd [11880]: Received disconnect from 123.127.5.131: 13: The user canceled authentication.

Nov 3 03:15:08 server sshd [17524]: pam_unix (sshd: auth): authentication failure; logname = uid = 0 euid = 0 tty = ssh ruser = rhost = 24.238.47.93.res-cmts.tv13.ptd.net user = root
Nov 3 03:15:11 server sshd [17524]: Failed password for root from 24.238.47.93 port 3033 ssh2
Nov 3 03:15:11 server sshd [17525]: Received disconnect from 24.238.47.93: 11: Bye
Nov 3 05:14:12 server sshd [20460]: Invalid user a from 218.28.4.61
Nov 3 05:14:12 server sshd [20460]: Address 218.28.4.61 maps to pc0.zz.ha.cn, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Nov 3 05:14:12 server sshd [20461]: input_userauth_request: invalid user
Nov 3 05:14:12 server sshd [20460]: pam_unix (sshd: auth): check pass; user unknown
Nov 3 05:14:12 server sshd [20460]: pam_unix (sshd: auth): authentication failure; logname = uid = 0 euid = 0 tty = ssh ruser = rhost = 218.28.4.61
Nov 3 05:14:14 server sshd [20460]: Failed password for invalid user a from 218.28.4.61 port 15683 ssh2
Nov 3 05:14:14 server sshd [20461]: Received disconnect from 218.28.4.61: 11: Bye
Nov 3 05:14:16 server sshd [20467]: Invalid user 1 from 218.28.4.61
Nov 3 05:14:16 server sshd [20467]: Address 218.28.4.61 maps to pc0.zz.ha.cn, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Nov 3 05:14:16 server sshd [20468]: input_userauth_request: invalid user 1
Nov 3 05:14:16 server sshd [20467]: pam_unix (sshd: auth): check pass; user unknown
Nov 3 05:14:16 server sshd [20467]: pam_unix (sshd: auth): authentication failure; logname = uid = 0 euid = 0 tty = ssh ruser = rhost = 218.28.4.61
Nov 3 05:14:18 server sshd [20467]: Failed password for invalid user 1 from 218.28.4.61 port 15817 ssh2
Nov 3 05:14:18 server sshd [20468]: Received disconnect from 218.28.4.61: 11: Bye
Nov 3 05:14:20 server sshd [20473]: Address 218.28.4.61 maps to pc0.zz.ha.cn, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Nov 3 05:14:20 server sshd [20473]: pam_unix (sshd: auth): authentication failure; logname = uid = 0 euid = 0 tty = ssh ruser = rhost = 218.28.4.61 user = root
Nov 3 05:14:22 server sshd [20473]: Failed password for root from 218.28.4.61 port 15940 ssh2
Nov 3 05:14:22 server sshd [20475]: Received disconnect from 218.28.4.61: 11: Bye
Nov 3 05:14:24 server sshd [21504]: Address 218.28.4.61 maps to pc0.zz.ha.cn, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!


And there are even more like this:

Nov 4 13:09:44 server sshd [9319]: Did not receive identification string from 66.197.176.130
Nov 4 13:15:24 server sshd [10015]: Did not receive identification string from UNKNOWN
Nov 4 13:16:25 server sshd [10200]: Did not receive identification string from UNKNOWN
Nov 4 13:18:28 server sshd [11524]: Did not receive identification string from UNKNOWN
Nov 4 13:19:24 server sshd [11579]: Did not receive identification string from UNKNOWN
Nov 4 13:20:24 server sshd [11707]: Did not receive identification string from UNKNOWN
Nov 4 13:21:24 server sshd [11782]: Did not receive identification string from UNKNOWN
Nov 4 13:22:24 server sshd [11854]: Did not receive identification string from UNKNOWN
Nov 4 13:24:26 server sshd [12036]: Did not receive identification string from UNKNOWN
Nov 4 13:25:26 server sshd [12201]: Did not receive identification string from UNKNOWN
Nov 4 13:26:26 server sshd [13312]: Did not receive identification string from UNKNOWN
Nov 4 13:27:26 server sshd [13400]: Did not receive identification string from UNKNOWN
Nov 4 13:28:26 server sshd [13542]: Did not receive identification string from UNKNOWN
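The two excerpts above mix password guessing against root and invented usernames with bare connection probes ("Did not receive identification string"). As an added example, not part of the original article, the following POSIX shell script summarises a /var/log/secure-style file per source address and lists the addresses that cross a threshold, so the noise can be measured before deciding what to block. The embedded log lines are constructed in the format of the excerpts, and the threshold, the field positions and the exclusion of the UNKNOWN pseudo-address are assumptions about that format.

```sh
#!/bin/sh
# Added example (not the article's own code): triage sshd brute-force noise
# in a syslog-format auth log by source address.

# Constructed sample lines in the same format as the article's excerpts.
sample_log() {
cat <<'EOF'
Nov 3 01:22:06 server sshd[11879]: Failed password for root from 123.127.5.131 port 38917 ssh2
Nov 3 05:14:14 server sshd[20460]: Failed password for invalid user a from 218.28.4.61 port 15683 ssh2
Nov 3 05:14:18 server sshd[20467]: Failed password for invalid user 1 from 218.28.4.61 port 15817 ssh2
Nov 3 05:14:22 server sshd[20473]: Failed password for root from 218.28.4.61 port 15940 ssh2
Nov 4 13:09:44 server sshd[9319]: Did not receive identification string from 66.197.176.130
Nov 4 13:15:24 server sshd[10015]: Did not receive identification string from UNKNOWN
Nov 4 13:16:25 server sshd[10200]: Did not receive identification string from UNKNOWN
Nov 3 06:00:00 server sshd[21000]: Accepted publickey for admin from 203.0.113.10 port 50000 ssh2
EOF
}

# ssh_summary FILE
# One line per source: "<ip> failed=<n> probes=<n> root_attempts=<n>", sorted.
# "Failed password for ... from IP port N ssh2" puts the address 4th from the
# end; "Did not receive identification string from IP" puts it last.
ssh_summary() {
    awk '
        /Failed password for/ {
            ip = $(NF-3); failed[ip]++; seen[ip] = 1
            if ($0 ~ /Failed password for root from/) root[ip]++
            next
        }
        /Did not receive identification string from/ {
            ip = $NF; probes[ip]++; seen[ip] = 1
        }
        END {
            for (ip in seen)
                printf "%s failed=%d probes=%d root_attempts=%d\n",
                       ip, failed[ip] + 0, probes[ip] + 0, root[ip] + 0
        }' "$1" | sort
}

# offenders FILE THRESHOLD
# Addresses whose failed logins plus probes reach THRESHOLD. UNKNOWN means
# sshd had no peer address to report, so there is nothing there to block.
offenders() {
    ssh_summary "$1" | awk -v t="$2" '
        $1 != "UNKNOWN" {
            split($2, f, "="); split($3, p, "=")
            if (f[2] + p[2] >= t) print $1
        }'
}

# Demo on the constructed sample; point it at /var/log/secure for real use.
log=$(mktemp)
sample_log > "$log"
echo "--- per-source summary ---"
ssh_summary "$log"
echo "--- sources with 3 or more events ---"
offenders "$log" 3
rm -f "$log"
```

The summary deliberately separates probes from password failures: a host that only ever sends connection attempts without an identification string is a scanner looking for the port, while a host racking up failed passwords for root is already past that stage.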

Clearly there is no shortage of attempts like these, so I started reinforcing the server's line of defense and building a secure server, so that those hard-working hackers could take a break too. Haha.

First, disable remote root logon and change the ssh port.

vi /etc/ssh/sshd_config

PermitRootLogin no # Disable root logon; create an ordinary user for remote logon and switch to root with su - after logging in

#Port 22
Port 36301 # Change to a port that a scanner only finds after exhausting the whole range (from 20 to 36301... haha)

Then restart sshd: /etc/init.d/sshd restart
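Editing sshd_config by hand is easy to get wrong: a leftover "#Port 22" is harmless, but a second active Port or PermitRootLogin line, or one that ends up after a Match block, silently changes what sshd actually does. The script below is an added example, not the article's own commands. It applies the two changes above to a constructed sample config with a function that keeps exactly one active copy of each directive, and runs sshd -t before the restart step. The sample config, the temp file and the behaviour when sshd is not installed are assumptions.

```sh
#!/bin/sh
# Added example (not the article's own code): edit sshd_config directives
# idempotently and validate before restarting. Run against
# /etc/ssh/sshd_config as root for real; here it works on a temp copy.

# set_sshd_option FILE KEY VALUE
# Removes every existing occurrence of KEY (active or commented out, like
# "#Port 22") and writes exactly one "KEY VALUE" line. sshd uses the first
# match it reads, and a directive placed after a Match block only applies
# inside that block, so the line goes before the first "Match", else at end.
set_sshd_option() {
    file=$1 key=$2 value=$3
    awk -v k="$key" -v v="$value" '
        $0 ~ ("^[ \t]*#?[ \t]*" k "([ \t]|$)") { next }
        !done && $1 == "Match" { print k " " v; done = 1 }
        { print }
        END { if (!done) print k " " v }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# get_sshd_option FILE KEY -> the value sshd would use (first active line)
get_sshd_option() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# sample_sshd_config FILE: constructed stand-in for /etc/ssh/sshd_config,
# with the commented-out default port, root logon enabled and a Match block.
sample_sshd_config() {
    cat > "$1" <<'EOF'
Protocol 2
#Port 22
PermitRootLogin yes
Match User backup
    PasswordAuthentication no
EOF
}

# harden FILE: the two changes made in the article
harden() {
    set_sshd_option "$1" PermitRootLogin no
    set_sshd_option "$1" Port 36301
}

# validate_and_restart FILE: never restart on a config sshd itself rejects,
# or the daemon may fail to come back and take your only way in with it.
validate_and_restart() {
    if ! command -v sshd >/dev/null 2>&1; then
        echo "sshd not installed here; skipping validation" >&2
        return 0
    fi
    if sshd -t -f "$1"; then
        echo "config OK; now restart, e.g. /etc/init.d/sshd restart"
    else
        echo "config rejected by sshd -t; not restarting" >&2
        return 1
    fi
}

cfg=$(mktemp)
sample_sshd_config "$cfg"
harden "$cfg"
echo "--- hardened config ---"
cat "$cfg"
validate_and_restart "$cfg" || true
rm -f "$cfg" "$cfg.tmp"
```

On a real machine keep the session you edited from open, and confirm a fresh connection to the new port with the unprivileged user works before closing it.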

After these changes the security log stayed quiet for several days, with nothing in it except my own logon records, and the results looked promising. The good news did not last long, though: a few days later I found more probing in the log:

Nov 9 15:57:02 server sshd [13948]: Did not receive identification string from 66.197.176.130
Nov 9 15:57:02 server sshd [13916]: Did not receive identification string from 66.197.176.130
Nov 9 15:57:02 server sshd [13949]: Did not receive identification string from 66.197.176.130
Nov 9 15:57:02 server sshd [13944]: Did not receive identification string from 66.197.176.130
Nov 9 22:58:17 server sshd [15736]: Did not receive identification string from UNKNOWN
Nov 9 22:59:17 server sshd [15972]: Did not receive identification string from UNKNOWN
Nov 9 23:00:18 server sshd [16163]: Did not receive identification string from UNKNOWN
Nov 9 23:01:18 server sshd [16309]: Did not receive identification string from UNKNOWN
Nov 9 23:02:18 server sshd [17579]: Did not receive identification string from UNKNOWN
Nov 9 23:03:18 server sshd [17736]: Did not receive identification string from UNKNOWN
Nov 9 23:04:17 server sshd [17846]: Did not receive identification string from UNKNOWN
Nov 9 23:05:17 server sshd [18021]: Did not receive identification string from UNKNOWN
Nov 9 23:06:20 server sshd [18103]: Did not receive identification string from UNKNOWN
Nov 9 23:07:20 server sshd [18166]: Did not receive identification string from UNKNOWN
Nov 9 23:08:20 server sshd [18307]: Did not receive identification string from UNKNOWN

Well, it seems this is a persistent hacker whose effort was not in vain: he finally found my new ssh port. (My god, how long does it take to scan from 22 all the way to 36301???) It seems I have no choice but to play my trump card: restricting by source IP. vi /etc/hosts.deny

sshd: ALL EXCEPT xxx.xxx.xxx.0/255.255.255.0 zzz.zzz.zzz.zzz yyy.yyy.yyy.0/255.255.255.0

The above means that every IP address is refused ssh logon except the ones I listed. I use ADSL for Internet access, which usually assigns me an address from one of two pools, so xxx.xxx.xxx.0 and yyy.yyy.yyy.0 above are my dynamic ADSL network segments, and zzz.zzz.zzz.zzz is my fixed IP address at work. But what if my ADSL segment changes; will the server reject my own logon? So be careful when refusing IP addresses: don't lock yourself out of the door. Haha.

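The lock-out risk described above can be checked before the rule goes live. This added example (not the article's code) evaluates a "sshd: ALL EXCEPT ..." list written in the same address and address/netmask form as the hosts.deny line above against a given client address, and only prints the hosts.deny line when that client would still be allowed in. The allow list, the test addresses and the use of the first field of $SSH_CONNECTION as the current peer address are constructed assumptions.

```sh
#!/bin/sh
# Added example (not the article's own code): preflight a
# "sshd: ALL EXCEPT <list>" hosts.deny rule so the address you are
# connecting from is never left outside the exception list.

# ip_to_int A.B.C.D -> 32-bit integer (dotted quads only, no leading zeros)
ip_to_int() {
    set -- $(printf '%s' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# entry_matches IP ENTRY
# ENTRY is either a single host "a.b.c.d" or a network "a.b.c.d/m.m.m.m"
# in the netmask form hosts_access(5) accepts, as used in the article.
entry_matches() {
    ip=$(ip_to_int "$1")
    case $2 in
        */*) net=$(ip_to_int "${2%/*}"); mask=$(ip_to_int "${2#*/}") ;;
        *)   net=$(ip_to_int "$2");      mask=4294967295 ;;
    esac
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# ssh_allowed IP "ENTRY ENTRY ..."
# Exit 0 when IP is covered by the EXCEPT list (connection allowed),
# 1 when "sshd: ALL EXCEPT ..." would refuse it.
ssh_allowed() {
    for entry in $2; do
        entry_matches "$1" "$entry" && return 0
    done
    return 1
}

# hosts_deny_line "ENTRY ENTRY ..." -> the rule text for /etc/hosts.deny
hosts_deny_line() {
    printf 'sshd: ALL EXCEPT %s\n' "$1"
}

# preflight ALLOWLIST CURRENT_IP
# Print the rule only if the address you are logged in from stays allowed;
# otherwise refuse, because applying it would lock you out.
preflight() {
    if ssh_allowed "$2" "$1"; then
        hosts_deny_line "$1"
    else
        echo "refusing: $2 is not in the allow list, you would lock yourself out" >&2
        return 1
    fi
}

# Constructed allow list: two dynamic /24 segments and one fixed address.
ALLOW="203.0.113.0/255.255.255.0 198.51.100.7 192.0.2.0/255.255.255.0"
me=${SSH_CONNECTION%% *}          # client address of the current ssh session
[ -n "$me" ] || me=203.0.113.45   # constructed stand-in when not run over ssh
preflight "$ALLOW" "$me" || echo "(rule not written)"
```

Run it from the ssh session you intend to keep; if it refuses, widen the list before touching /etc/hosts.deny rather than after.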

After this security reinforcement, check the log with tail -fn100 /var/log/secure:

Nov 9 23:48:17 server sshd [30249]: refused connect from ::ffff:66.197.176.130 (::ffff:66.197.176.130)
Nov 9 23:49:17 server sshd [30319]: refused connect from ::ffff:66.197.176.130 (::ffff:66.197.176.130)
Nov 9 23:50:17 server sshd [30475]: refused connect from ::ffff:66.197.176.130 (::ffff:66.197.176.130)
Nov 9 23:51:18 server sshd [30539]: refused connect from ::ffff:66.197.176.130 (::ffff:66.197.176.130)
Nov 9 23:52:17 server sshd [30609]: refused connect from ::ffff:66.197.176.130 (::ffff:66.197.176.130)
Nov 9 23:53:17 server sshd [31752]: refused connect from ::ffff:66.197.176.130 (::ffff:66.197.176.130)
Nov 9 23:54:17 server sshd [31833]: refused connect from ::ffff:66.197.176.130 (::ffff:66.197.176.130)
Nov 9 23:55:17 server sshd [31978]: refused connect from ::ffff:66.197.176.130 (::ffff:66.197.176.130)
Nov 9 23:56:22 server sshd [32045]: refused connect from ::ffff:66.197.176.130 (::ffff:66.197.176.130)
Nov 9 23:57:18 server sshd [32105]: refused connect from ::ffff:66.197.176.130 (::ffff:66.197.176.130)
Nov 9 23:58:18 server sshd [32171]: refused connect from ::ffff:66.197.176.130 (::ffff:66.197.176.130)
Nov 9 23:59:17 server sshd [32238]: refused connect from ::ffff:66.197.176.130 (::ffff:66.197.176.130)
Nov 10 00:00:20 server sshd [32378]: refused connect from ::ffff:66.197.176.130 (::ffff:66.197.176.130)
Nov 10 00:01:20 server sshd [32450]: refused connect from ::ffff:66.197.176.130 (::ffff:66.197.176.130)
Nov 10 00:02:19 server sshd [1, 32484]: refused connect fro
