Block SSH brute force hack
Description
Today I happened to look at the /var/log/secure log and was startled by what I found:
Sep 15 14:25:12 localhost sshd[5914]: Failed password for root from 221.203.142.70 port 49476 ssh2
Sep 15 14:25:12 localhost sshd[5934]: Failed password for root from 115.182.88.152 port 28712 ssh2
Sep 15 14:25:13 localhost sshd[5918]: Failed password for root from 221.203.142.72 port 44212 ssh2
Sep 15 14:25:13 localhost sshd[5930]: Failed password for root from 218.65.30.92 port 42513 ssh2
Sep 15 14:25:15 localhost sshd[5946]: Failed password for root from 115.182.88.152 port 29380 ssh2
Sep 15 14:25:16 localhost sshd[5930]: Failed password for root from 218.65.30.92 port 42513 ssh2
Sep 15 14:25:16 localhost sshd[5952]: Failed password for root from 221.203.142.72 port 57263 ssh2
Sep 15 14:25:16 localhost sshd[5949]: Failed password for root from 221.203.142.70 port 33909 ssh2
Sep 15 14:25:17 localhost sshd[5957]: Failed password for root from 115.182.88.152 port 30023 ssh2
Sep 15 14:25:18 localhost sshd[5952]: Failed password for root from 221.203.142.72 port 57263 ssh2
Sep 15 14:25:19 localhost sshd[5949]: Failed password for root from 221.203.142.70 port 33909 ssh2
Sep 15 14:25:19 localhost sshd[5961]: Failed password for root from 218.65.30.92 port 56454 ssh2
Sep 15 14:25:19 localhost sshd[5967]: Failed password for root from 115.182.88.152 port 30601 ssh2
Sep 15 14:25:21 localhost sshd[5952]: Failed password for root from 221.203.142.72 port 57263 ssh2
Sep 15 14:25:21 localhost sshd[5949]: Failed password for root from 221.203.142.70 port 33909 ssh2
Sep 15 14:25:21 localhost sshd[5961]: Failed password for root from 218.65.30.92 port 56454 ssh2
Sep 15 14:25:23 localhost sshd[5991]: Failed password for root from 115.182.88.152 port 31030 ssh2
Sep 15 14:25:24 localhost sshd[5961]: Failed password for root from 218.65.30.92 port 56454 ssh2
Sep 15 14:25:24 localhost sshd[5996]: Failed password for root from 221.203.142.72 port 41459 ssh2
Sep 15 14:25:25 localhost sshd[5998]: Failed password for root from 221.203.142.70 port 48277 ssh2
Sep 15 14:25:25 localhost sshd[6001]: Failed password for root from 115.182.88.152 port 31725 ssh2
Someone was trying to brute-force the server's root password.
Workaround:
Method One: The root user is not allowed to log in directly:
This method cannot be used here, because some programs in production log in with the root password.
Method Two: Block the malicious IPs directly
Write a shell script, as follows:
vi /root/scripts/denyrootssh/denyrootssh.sh

#!/bin/bash
# Filter the "Failed password for root" lines and write per-IP failure counts to failip.txt
grep 'Failed password for root from' /var/log/secure | awk '{print $11}' | sort | uniq -c | sort -rn > /root/scripts/denyrootssh/failip.txt
# For every IP with more than 100 failures, write the IP to the /etc/hosts.deny file
while read -r failStatus
do
    failTimes=$(echo "$failStatus" | awk '{print $1}')
    failIP=$(echo "$failStatus" | awk '{print $2}')
    if [ "$failTimes" -gt 100 ]; then
        # Exact whole-line match, so 1.2.3.4 is not mistaken for 1.2.3.40
        if ! grep -qxF "sshd:$failIP" /etc/hosts.deny; then
            echo "sshd:$failIP" >> /etc/hosts.deny
        fi
    fi
done < /root/scripts/denyrootssh/failip.txt
Script Interpretation:
The /etc/hosts.deny file:
sshd:43.229.53.55    ## bans IP 43.229.53.55 from accessing root again
Add a scheduled task that runs the script once a day at 1 o'clock in the morning.
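An added example, not part of the original post: the same count-and-deny logic as the script above, generalized to also count "invalid user" failures and to read the address from its position at the end of the log line. The function names, the threshold of 1 and the sample log (documentation-range addresses) are constructed for illustration; only IPv4 addresses are handled.

```bash
#!/bin/bash
# Added example, not the blog's script. Names and log lines are constructed.

# Write a constructed sample in /var/log/secure format to file $1.
make_sample_log() {
cat > "$1" <<'EOF'
Sep 15 14:25:12 localhost sshd[5914]: Failed password for root from 192.0.2.10 port 49476 ssh2
Sep 15 14:25:13 localhost sshd[5914]: Failed password for root from 192.0.2.10 port 49476 ssh2
Sep 15 14:25:14 localhost sshd[5918]: Failed password for root from 192.0.2.10 port 44212 ssh2
Sep 15 14:25:15 localhost sshd[5920]: Failed password for root from 192.0.2.1 port 40001 ssh2
Sep 15 14:25:16 localhost sshd[5930]: Failed password for invalid user admin from 198.51.100.7 port 42513 ssh2
Sep 15 14:25:17 localhost sshd[5930]: Failed password for invalid user admin from 198.51.100.7 port 42513 ssh2
Sep 15 14:25:18 localhost sshd[5940]: Accepted password for deploy from 203.0.113.5 port 50022 ssh2
EOF
}

# count_failed_ips LOGFILE
# Print "COUNT IP" per source of "Failed password" lines, busiest first.
# The address is taken from its fixed place counted from the end of the line
# ("... from IP port N ssh2"), so the client-supplied user name cannot shift it.
count_failed_ips() {
    awk '/sshd\[[0-9]+\]: Failed password for / &&
         $(NF-4) == "from" && $(NF-2) == "port" {
             ip = $(NF-3)
             if (ip ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) n[ip]++
         }
         END { for (ip in n) print n[ip], ip }' "$1" | sort -k1,1nr -k2,2
}

# block_offenders LOGFILE THRESHOLD DENYFILE
# Append "sshd:IP" for each address with more than THRESHOLD failures,
# skipping addresses already listed (exact whole-line match, not substring).
block_offenders() {
    count_failed_ips "$1" | while read -r times ip; do
        [ "$times" -gt "$2" ] || continue
        grep -qxF "sshd:$ip" "$3" 2>/dev/null || echo "sshd:$ip" >> "$3"
    done
}

demo() {
    demo_dir=$(mktemp -d)
    make_sample_log "$demo_dir/secure"
    block_offenders "$demo_dir/secure" 1 "$demo_dir/hosts.deny"  # the blog uses 100
    cat "$demo_dir/hosts.deny"
    rm -rf "$demo_dir"
}

demo
```

Entries in /etc/hosts.deny only take effect when sshd is built with TCP wrappers (libwrap) support; upstream OpenSSH removed it in release 6.7, so confirm your build honours the file before relying on it.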
This article is from the "See" blog, please be sure to keep this source http://732233048.blog.51cto.com/9323668/1694987