How to Prevent SSH Remote Brute-Force Cracking in Linux, and How to Configure and Use fail2ban
I. Modifying a few parameters makes brute-force cracking almost impossible

1. Password settings must be complex enough. Use uppercase letters, lowercase letters, special characters and digits, with a length of at least 8. The longer the password the better, as long as you can still remember it.

2. Modify the default port number. The nmap tool can detect which remote ports a server has open:

# nmap 192.168.12.11
Starting Nmap 5.51 (http://nmap.org) at CST
Nmap scan report for 192.168.220.22
Host is up (0.00017s latency).
Not shown: 998 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
111/tcp open  rpcbind
MAC Address: 00:0C:29:9C:14:74 (VMware)

nmap shows that port 22 is open, so an attacker knows ssh is there and can brute-force the root password. If we change 22 to 23, the scan instead shows "23/tcp open telnet": no telnet service is actually running, that is our sshd. Although this sets a kind of trap for an attacker, it is not complete protection, because the port is still detected. If we instead move sshd to a very uncommon port number such as 233, a default nmap scan does not even list it, so the change does play a protective role.

3. Disable the default administrator. The default administrator is root, whose uid and gid are both 0. The operation is to change the uid and gid of root to other values and change its shell to /sbin/nologin or /bin/false, then create a user (such as lius) and set that user's uid and gid to 0. Edit /etc/passwd:

# vim /etc/passwd
root:x:22:22:root:/root:/sbin/nologin
lius:x:0:0::/home/lius/:/bin/bash
(other entries omitted)

Only we know the naming convention behind lius, and the name can be customized as needed. Together, these measures make brute-force cracking almost impossible.

II. Use fail2ban to limit the number of cracking attempts
If the server is continuously attacked, sshd keeps authenticating users even though every attempt fails, which consumes system resources and slows website access. Fail2ban monitors system logs, matches error messages with regular expressions, and executes a corresponding blocking action (usually a firewall rule). It can also send an e-mail to notify the system administrator. Very practical and powerful!

Installing fail2ban

The official website is fail2ban.org; download the stable version. The usual working directory is /usr/local/src: cd there, fetch the .tar.gz with wget, then:

# tar zxvf fail2ban-0.9.3.tar.gz
# cd fail2ban-0.9.3
# python setup.py install

This source installation differs from a package install; see README.md for the steps. Python must be 2.4 or later (check with python -V).

# cd files
# cp redhat-initd /etc/init.d/fail2ban    # copy and rename the init script
# chkconfig --add fail2ban                 # start at boot
# /etc/init.d/fail2ban start

Once the service starts, fail2ban is running but not yet configured. The configuration process is as follows.

Main files related to the fail2ban service:
/etc/fail2ban/action.d        action folder; the default files hold iptables, mail and other action configurations
/etc/fail2ban/fail2ban.conf   defines the fail2ban log level, log location and socket file location
/etc/fail2ban/filter.d        filter folder; the default files define which log content to match
/etc/fail2ban/jail.conf       main, modular configuration file; sets which services are enabled, the ban action and the thresholds

Application instance: for ssh remote login, three failed password verifications within five minutes ban the client IP address from accessing the host for one hour; the restriction is lifted automatically after one hour, and that IP address can log on again.

# vim /etc/fail2ban/jail.conf
enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail-whois[name=SSH, dest=[email protected], sender=[email protected], sendername="Fail2Ban"]
logpath  = /var/log/secure
findtime = 300
maxretry = 3
bantime  = 3600

Notes:
enabled = true     whether this jail is active (true/false); change it to true
logpath = /var/log/secure    the system log file to watch; this is where the sshd service logs
findtime = 300     the window within which failures are counted; the default unit is seconds, so here five minutes
maxretry = 3       the maximum number of failed password verifications; after three, the action is executed
bantime = 3600     the offending IP address is banned from accessing the host for one hour; the administrator's e-mail address is set in the sendmail-whois action so that a notification is sent

After the configuration is done, open a new terminal and deliberately enter the wrong password three times. When logging on again, you will see the following error message:

ssh: connect to host 192.168.1.63 port 22: Connection refused
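To make the findtime/maxretry/bantime interaction concrete, here is an added example (not fail2ban's own code) that applies the same sliding-window rule to a constructed sample of /var/log/secure: an IP that fails three times inside 300 seconds is banned for 3600 seconds, while an IP whose failures are spread further apart is not. The failregex is a simplified stand-in for fail2ban's sshd filter and the log lines are made up for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Thresholds from the article's jail.conf fragment (seconds).
FINDTIME, MAXRETRY, BANTIME = 300, 3, 3600
# Simplified stand-in for fail2ban's sshd failregex: extract the client IP
# from a "Failed password" line as sshd writes it to /var/log/secure.
FAILED = re.compile(r"Failed password for (?:invalid user )?\S+ from (\d+\.\d+\.\d+\.\d+)")
# Constructed sample of /var/log/secure (not a real capture).
SAMPLE_LOG = """\
Mar 10 10:00:01 host sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar 10 10:00:10 host sshd[1203]: Failed password for root from 198.51.100.9 port 6000 ssh2
Mar 10 10:01:15 host sshd[1205]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Mar 10 10:02:30 host sshd[1207]: Accepted password for lius from 192.168.1.20 port 40022 ssh2
Mar 10 10:03:45 host sshd[1209]: Failed password for root from 203.0.113.5 port 51250 ssh2
Mar 10 10:05:00 host sshd[1211]: Failed password for root from 203.0.113.5 port 51260 ssh2
Mar 10 10:09:00 host sshd[1213]: Failed password for root from 198.51.100.9 port 6001 ssh2
Mar 10 10:10:00 host sshd[1215]: Failed password for root from 198.51.100.9 port 6002 ssh2
"""

def parse_line(line, year=2024):
    """Return (timestamp, ip) for a failed-login line, or None otherwise."""
    m = FAILED.search(line)
    if not m:
        return None
    # syslog timestamps carry no year, so one is supplied by the caller.
    ts = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
    return ts, m.group(1)

def scan(lines, findtime=FINDTIME, maxretry=MAXRETRY, bantime=BANTIME):
    """Ban an IP once it fails maxretry times inside findtime; return ip -> (banned_at, unban_at)."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    bans = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip = parsed
        if ip in bans and ts < bans[ip][1]:
            continue              # still banned: iptables would have dropped this packet
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:
            q.popleft()           # drop failures older than findtime
        if len(q) >= maxretry:
            bans[ip] = (ts, ts + timedelta(seconds=bantime))
            q.clear()
    return bans
```

Fail2ban itself only picks up the thresholds in jail.conf after the service is restarted following the edit.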