Build a robust and secure Linux server (SSH login)

Source: Internet
Author: User
Tags: auth, ssh, port

Nov 3 01:22:06 Server sshd[11879]: Failed password for root from 123.127.5.131 port 38917 ssh2
Nov 3 01:22:17 Server sshd[11880]: Received disconnect from 123.127.5.131: 13: The user canceled authentication.

Nov 3 03:15:08 Server sshd[17524]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=24.238.47.93.res-cmts.tv13.ptd.net user=root
Nov 3 03:15:11 Server sshd[17524]: Failed password for root from 24.238.47.93 port 3033 ssh2
Nov 3 03:15:11 Server sshd[17525]: Received disconnect from 24.238.47.93: 11: Bye Bye
Nov 3 05:14:12 Server sshd[20460]: Invalid user a from 218.28.4.61
Nov 3 05:14:12 Server sshd[20460]: Address 218.28.4.61 maps to pc0.zz.ha.cn, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Nov 3 05:14:12 Server sshd[20461]: input_userauth_request: invalid user a
Nov 3 05:14:12 Server sshd[20460]: pam_unix(sshd:auth): check pass; user unknown
Nov 3 05:14:12 Server sshd[20460]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.28.4.61
Nov 3 05:14:14 Server sshd[20460]: Failed password for invalid user a from 218.28.4.61 port 15683 ssh2
Nov 3 05:14:14 Server sshd[20461]: Received disconnect from 218.28.4.61: 11: Bye Bye
Nov 3 05:14:16 Server sshd[20467]: Invalid user 1 from 218.28.4.61
Nov 3 05:14:16 Server sshd[20467]: Address 218.28.4.61 maps to pc0.zz.ha.cn, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Nov 3 05:14:16 Server sshd[20468]: input_userauth_request: invalid user 1
Nov 3 05:14:16 Server sshd[20467]: pam_unix(sshd:auth): check pass; user unknown
Nov 3 05:14:16 Server sshd[20467]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.28.4.61
Nov 3 05:14:18 Server sshd[20467]: Failed password for invalid user 1 from 218.28.4.61 port 15817 ssh2
Nov 3 05:14:18 Server sshd[20468]: Received disconnect from 218.28.4.61: 11: Bye Bye
Nov 3 05:14:20 Server sshd[20473]: Address 218.28.4.61 maps to pc0.zz.ha.cn, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Nov 3 05:14:20 Server sshd[20473]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.28.4.61 user=root
Nov 3 05:14:22 Server sshd[20473]: Failed password for root from 218.28.4.61 port 15940 ssh2
Nov 3 05:14:22 Server sshd[20475]: Received disconnect from 218.28.4.61: 11: Bye Bye
Nov 3 05:14:24 Server sshd[21504]: Address 218.28.4.61 maps to pc0.zz.ha.cn, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!


More like this:

Nov 4 13:09:44 Server sshd[9319]: Did not receive identification string from 66.197.176.130
Nov 4 13:15:24 Server sshd[10015]: Did not receive identification string from UNKNOWN
Nov 4 13:16:25 Server sshd[10200]: Did not receive identification string from UNKNOWN
Nov 4 13:18:28 Server sshd[11524]: Did not receive identification string from UNKNOWN
Nov 4 13:19:24 Server sshd[11579]: Did not receive identification string from UNKNOWN
Nov 4 13:20:24 Server sshd[11707]: Did not receive identification string from UNKNOWN
Nov 4 13:21:24 Server sshd[11782]: Did not receive identification string from UNKNOWN
Nov 4 13:22:24 Server sshd[11854]: Did not receive identification string from UNKNOWN
Nov 4 13:24:26 Server sshd[12036]: Did not receive identification string from UNKNOWN
Nov 4 13:25:26 Server sshd[12201]: Did not receive identification string from UNKNOWN
Nov 4 13:26:26 Server sshd[13312]: Did not receive identification string from UNKNOWN
Nov 4 13:27:26 Server sshd[13400]: Did not receive identification string from UNKNOWN
Nov 4 13:28:26 Server sshd[13542]: Did not receive identification string from UNKNOWN

There seem to be a lot of security problems, hehe. So I began to act: strengthen the line of defense and build a secure server, so that those American hackers can take a break too, haha.
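To triage a secure log like the excerpts above without reading it line by line, here is an added Python example (not part of the original post) that recognises the same sshd message shapes, counts them per source address and flags sources that keep failing passwords or keep connecting without ever sending an SSH identification string. The log text is constructed sample input and the threshold of 3 is an assumption.

```python
import re
from collections import Counter, defaultdict
# Constructed sample input: the same sshd message shapes as the secure-log excerpts above.
SAMPLE_LOG = """\
Nov 3 05:14:12 Server sshd[20460]: Invalid user a from 218.28.4.61
Nov 3 05:14:14 Server sshd[20460]: Failed password for invalid user a from 218.28.4.61 port 15683 ssh2
Nov 3 05:14:18 Server sshd[20467]: Failed password for invalid user 1 from 218.28.4.61 port 15817 ssh2
Nov 3 05:14:22 Server sshd[20473]: Failed password for root from 218.28.4.61 port 15940 ssh2
Nov 4 13:09:44 Server sshd[9319]: Did not receive identification string from 66.197.176.130
Nov 9 23:48:17 Server sshd[30249]: refused connect from ::ffff:66.197.176.130 (::ffff:66.197.176.130)
Nov 3 09:00:00 Server sshd[100]: Accepted publickey for admin from 10.0.0.5 port 50000 ssh2
"""

# (event, regex): user-bearing messages capture (user, source), the others capture (source,)
PATTERNS = [
    ("failed_password", re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")),
    ("invalid_user", re.compile(r"Invalid user (\S+) from (\S+)")),
    ("no_ident", re.compile(r"Did not receive identification string from (\S+)")),
    ("refused", re.compile(r"(?i)refused connect from (\S+)")),
]

def parse_line(line):
    """Return (event, source, user_or_None) for a recognised sshd message, else None."""
    for event, rx in PATTERNS:
        m = rx.search(line)
        if m:
            groups = m.groups()
            src = groups[-1]
            # sshd and tcp_wrappers log IPv4 clients of a dual-stack socket as ::ffff:a.b.c.d
            src = src[7:] if src.startswith("::ffff:") else src
            return event, src, (groups[0] if len(groups) == 2 else None)
    return None

def summarize(log_text):
    """Count events per source address and collect the user names each source tried."""
    events, users = defaultdict(Counter), defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            event, src, user = parsed
            events[src][event] += 1
            if user:
                users[src].add(user)
    return events, users

def suspicious_sources(events, threshold=3):
    """Sources with repeated password failures or banner-less connects (threshold 3 is an assumption)."""
    return sorted(s for s, c in events.items()
                  if max(c["failed_password"] + c["invalid_user"], c["no_ident"]) >= threshold)
```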

First, disable root remote login and change the ssh port

vi /etc/ssh/sshd_config

PermitRootLogin no # disable root login; create a normal user for remote login, then switch to root with su -

#Port 22
Port 36301 # moved to a port that an ordinary scanner would have to sweep itself to death to find (scanning from 22 up to 36301 ... haha)

Restart: /etc/init.d/sshd restart

After the above changes, the secure log was quiet for several days apart from my own login records, and the results were starting to show. However, a few days later I found probing entries in the log:

Nov 9 15:57:02 Server sshd[13948]: Did not receive identification string from 66.197.176.130
Nov 9 15:57:02 Server sshd[13916]: Did not receive identification string from 66.197.176.130
Nov 9 15:57:02 Server sshd[13949]: Did not receive identification string from 66.197.176.130
Nov 9 15:57:02 Server sshd[13944]: Did not receive identification string from 66.197.176.130
Nov 9 22:58:17 Server sshd[15736]: Did not receive identification string from UNKNOWN
Nov 9 22:59:17 Server sshd[15972]: Did not receive identification string from UNKNOWN
Nov 9 23:00:18 Server sshd[16163]: Did not receive identification string from UNKNOWN
Nov 9 23:01:18 Server sshd[16309]: Did not receive identification string from UNKNOWN
Nov 9 23:02:18 Server sshd[17579]: Did not receive identification string from UNKNOWN
Nov 9 23:03:18 Server sshd[17736]: Did not receive identification string from UNKNOWN
Nov 9 23:04:17 Server sshd[17846]: Did not receive identification string from UNKNOWN
Nov 9 23:05:17 Server sshd[18021]: Did not receive identification string from UNKNOWN
Nov 9 23:06:20 Server sshd[18103]: Did not receive identification string from UNKNOWN
Nov 9 23:07:20 Server sshd[18166]: Did not receive identification string from UNKNOWN
Nov 9 23:08:20 Server sshd[18307]: Did not receive identification string from UNKNOWN

Well, it seems this is a persistent hacker; his obsession was not in vain, and he finally found my new ssh port. (My God, how long does it take to scan from 22 to 36301???) It seems I can only bring out my killer move: block by IP.

vi /etc/hosts.deny

sshd: ALL EXCEPT xxx.xxx.xxx.0/255.255.255.0 zzz.zzz.zzz.zz yyy.yyy.yyy.0/255.255.255.0

The above means: deny ssh logins from all IPs except the ones I list. My Internet access is ADSL, usually from one of two IP pools, so xxx.xxx.xxx.0 and yyy.yyy.yyy.0 above are my dynamic ADSL IP segments. The other one, zzz.zzz.zzz.zz, is my fixed IP at the office, kept just in case: if my ADSL network segment changes, wouldn't the server refuse my login as well? So be careful when you do IP rejection; don't lock yourself outside the door, haha.
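Because the hosts.deny rule above refuses everyone who is not listed, it is worth checking your own addresses against it before you depend on it. This added Python example (not the post's own code) parses a rule of that shape, supporting only the two client forms the post uses (net/netmask and a literal address), and reports which of a given set of addresses would be refused; the HOSTS_DENY text uses constructed documentation addresses in place of the xxx/yyy/zzz placeholders.

```python
import ipaddress

# Constructed hosts.deny content with the same shape as the rule in the post
# (documentation addresses stand in for the xxx/yyy/zzz placeholders).
HOSTS_DENY = "sshd: ALL EXCEPT 203.0.113.0/255.255.255.0 198.51.100.7 192.0.2.0/255.255.255.0\n"

def exempt_clients(hosts_deny_text, daemon="sshd"):
    """Return the client patterns listed after 'ALL EXCEPT' for the daemon, [] for a bare
    'ALL' (everyone refused), or None when the file has no rule for that daemon."""
    for line in hosts_deny_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, _, clients = line.partition(":")
        if daemon not in [d.strip() for d in daemons.split(",")]:
            continue
        tokens = clients.split()
        if tokens[:2] == ["ALL", "EXCEPT"]:
            return tokens[2:]
        if tokens == ["ALL"]:
            return []
    return None

def client_matches(pattern, ip):
    """Match the two tcp_wrappers client forms used in the post: 'net/netmask' and a literal address."""
    addr = ipaddress.ip_address(ip)
    if "/" in pattern:
        net, mask = pattern.split("/", 1)
        return addr in ipaddress.ip_network(f"{net}/{mask}", strict=False)
    return addr == ipaddress.ip_address(pattern)

def refused_by(hosts_deny_text, addresses):
    """Return the addresses that the sshd deny rule would refuse. Run it on your own
    addresses before relying on the rule: an empty result means you are not locked out."""
    exempt = exempt_clients(hosts_deny_text)
    if exempt is None:
        return []
    return [ip for ip in addresses if not any(client_matches(p, ip) for p in exempt)]
```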

After the above reinforcement, check the log: tail -fn100 secure

Nov 9 23:48:17 Server sshd[30249]: refused connect from ::ffff:66.197.176.130 (::ffff:66.197.176.130)
Nov 9 23:49:17 Server sshd[30319]: refused connect from ::ffff:66.197.176.130 (::ffff:66.197.176.130)
Nov 9 23:50:17 Server sshd[30475]: refused connect from ::ffff:66.197.176.130 (::ffff:66.197.176.130)
Nov 9 23:51:18 Server sshd[30539]: refused connect from ::ffff:66.197.176.130 (::ffff:66.197.176.130)
Nov 9 23:52:17 Server sshd[30609]: refused connect from ::ffff:66.197.176.130 (::ffff:66.197.176.130)
Nov 9 23:53:17 Server sshd[31752]: refused connect from ::ffff:66.197.176.130 (::ffff:66.197.176.130)
Nov 9 23:54:17 Server sshd[31833]: refused connect from ::ffff:66.197.176.130 (::ffff:66.197.176.130)
Nov 9 23:55:17 Server sshd[31978]: refused connect from ::ffff:66.197.176.130 (::ffff:66.197.176.130)
Nov 9 23:56:22 Server sshd[32045]: refused connect from ::ffff:66.197.176.130 (::ffff:66.197.176.130)
Nov 9 23:57:18 Server sshd[32105]: refused connect from ::ffff:66.197.176.130 (::ffff:66.197.176.130)
Nov 9 23:58:18 Server sshd[32171]: refused connect from ::ffff:66.197.176.130 (::ffff:66.197.176.130)
Nov 9 23:59:17 Server sshd[32238]: refused connect from ::ffff:66.197.176.130 (::ffff:66.197.176.130)
Nov 10 00:00:20 Server sshd[32378]: refused connect from ::ffff:66.197.176.130 (::ffff:66.197.176.130)
Nov 10 00:01:20 Server sshd[32450]: refused connect from ::ffff:66.197.176.130 (::ffff:66.197.176.130)
Nov 10 00:02:19 Server sshd[32484]: refused connect fro
