First, modify settings to make brute-force cracking almost impossible
1. Make the password complex enough
The password should contain uppercase letters, lowercase letters, special symbols and digits, and be at least 8 characters long; the longer the better, as long as you can still remember it.
2. Change the default port number
Changing the default port of the sshd service gives further protection against malicious attacks. First, a tool: nmap. nmap can probe the list of open ports on a remote server:
#nmap 192.168.1.163
Starting nmap 5.51 (http://nmap.org) at 2015-11-10 14:43 CST
Nmap scan report for xuegod163.cn (192.168.1.163)
Host is up (0.0000060s latency).
Not shown: 998 closed ports
PORT    STATE SERVICE
22/tcp  open  rsh-spx
111/tcp open  rpcbind
The default sshd port is 22; if it is not changed, this layer of protection is lost. To change it: #vim /etc/ssh/sshd_config
Search for Port 22, change 22 to another port number you can remember, save and exit, and restart the sshd service. When nmap probes the server afterwards, the service name it reports for that port also becomes misleading, which further increases the attacker's difficulty. But there are only so many port numbers, and trying them all is feasible, so next come the stronger measures.
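The port change above is done by hand in vim. The script below is an added example, not from the original post: it rewrites the Port directive in a copy of an sshd_config-style file (handling the commented "#Port 22" default, an existing Port line, or none at all), rejects values outside 1-65535, and reads back the effective ports so you can confirm the edit before restarting sshd. The function names, the port 2222 and the two-line sample file are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): change the sshd Port directive in a
# copy of sshd_config and read back the effective value. Assumed interface:
#   set_sshd_port CONFIG_FILE PORT   and   current_sshd_ports CONFIG_FILE

set_sshd_port() {
    cfg="$1"; port="$2"
    # Accept only a decimal number in the valid TCP port range.
    case "$port" in
        ''|*[!0-9]*) echo "set_sshd_port: port must be numeric" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "set_sshd_port: port $port out of range 1-65535" >&2; return 1
    fi
    tmp="$cfg.tmp.$$"
    # Remove every existing Port line, active ("Port 22") or commented ("#Port 22"),
    # so the file ends up with exactly one directive.
    grep -v -E '^[[:space:]]*#?[[:space:]]*[Pp]ort[[:space:]]+[0-9]+' "$cfg" > "$tmp" || true
    echo "Port $port" >> "$tmp"
    mv "$tmp" "$cfg"
}

# Print every active Port directive; sshd listens on 22 when none is set.
current_sshd_ports() {
    awk 'tolower($1) == "port" { print $2; found = 1 } END { if (!found) print 22 }' "$1"
}

# Demo on a constructed copy (never the live /etc/ssh/sshd_config in this example).
demo=$(mktemp)
printf '#Port 22\nProtocol 2\n' > "$demo"
set_sshd_port "$demo" 2222
echo "sshd_config now listens on: $(current_sshd_ports "$demo")"
rm -f "$demo"
# On the real file, validate and restart afterwards:  sshd -t && service sshd restart
```

Before restarting the real service, keep your current session open until a second login on the new port succeeds, open the new port in the firewall, and on a CentOS/RHEL system with SELinux enforcing allow it for sshd as well (semanage port -a -t ssh_port_t -p tcp PORT); otherwise the restart can lock you out.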
3. Disable the default administrator
We know that the default administrator is root, with UID and GID both 0. The idea is to change root's UID and GID to other values and its shell to /sbin/nologin or /bin/false, and to change the UID and GID of one of our own users (for example lius) to 0. This is done by editing the /etc/passwd file: #vim /etc/passwd
root:x:22:22:root:/root:/sbin/nologin
lius:x:0:0::/home/lius/:/bin/bash    ## partial configuration shown
Since the name lius is unusual and can be chosen freely, this makes brute-force cracking almost impossible.
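After rewriting /etc/passwd by hand it is worth checking the result, because every account with UID 0 is fully root regardless of its name, and the UID root was moved to must not already belong to another account. The script below is an added example, not from the original post: it runs three awk checks over a constructed passwd excerpt (SAMPLE_PASSWD mirrors the swap shown above plus an extra "operator" and "web" entry invented for the demo) and reports UID-0 accounts, UID-0 accounts that still have a login shell, and UIDs shared by several accounts.

```shell
#!/bin/sh
# Added example (not from the original post): audit a passwd file after the UID swap.
# SAMPLE_PASSWD is a constructed excerpt, not a real system file.
SAMPLE_PASSWD='root:x:22:22:root:/root:/sbin/nologin
bin:x:1:1:bin:/bin:/sbin/nologin
lius:x:0:0::/home/lius/:/bin/bash
operator:x:0:0:operator:/root:/sbin/nologin
web:x:22:22:web:/var/www:/bin/bash'

# uid0_accounts FILE: every account whose UID is 0 (each one is fully root, whatever its name).
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# interactive_uid0 FILE: UID-0 accounts that still have a login shell; after the swap this
# should list only the user you chose, never root itself.
interactive_uid0() {
    awk -F: '$3 == 0 && $7 != "/sbin/nologin" && $7 != "/bin/false" { print $1 }' "$1"
}

# duplicate_uids FILE: UIDs shared by several accounts, printed as "uid:name1,name2". The swap
# makes root share whatever UID it was moved to, so check that number is not already taken.
duplicate_uids() {
    awk -F: '{ c[$3]++; n[$3] = (n[$3] == "" ? $1 : n[$3] "," $1) }
             END { for (u in c) if (c[u] > 1) print u ":" n[u] }' "$1" | sort -n
}

# Demo on the constructed excerpt.
f=$(mktemp)
printf '%s\n' "$SAMPLE_PASSWD" > "$f"
echo "UID 0 accounts:";         uid0_accounts "$f"
echo "UID 0 with login shell:"; interactive_uid0 "$f"
echo "shared UIDs:";            duplicate_uids "$f"
rm -f "$f"
```

Run the same three functions against the real /etc/passwd after editing: the first two lists should contain exactly the user you promoted, and "22:root,web" in the third is the kind of collision to resolve before rebooting.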
Second, use Fail2ban to limit the number of cracking attempts
If a server's sshd password is being brute-forced, even when the attempts fail the system load becomes high, because during the brute force the system keeps authenticating users, which consumes system resources and slows access to the site.
Fail2ban monitors the system logs, matches error messages in them (by regular expression), performs the corresponding blocking action (usually through the firewall), and can send an e-mail notification to the system administrator; it is very practical and very powerful. The stable-version download link is available from Fail2ban's official site, fail2ban.org. Install Fail2ban:
The installation directory used here is /usr/local/src; cd into it and fetch the .gz file with wget.
#tar zxvf fail2ban-0.9.3.tar.gz
#cd fail2ban-0.9.3
#python setup.py install   # the source installation differs from earlier versions; see README.md for the steps. Python 2.4 or later is required; python -V shows the version.
#cd files
#cp redhat-initd /etc/init.d/fail2ban   # copy and rename the init script
#chkconfig --add fail2ban   # start at boot
#/etc/init.d/fail2ban start   # start the service
Fail2ban now starts successfully, but it has not been configured yet. The configuration process follows.
Description of the main Fail2ban service files:
/etc/fail2ban/action.d       # action directory with the default files: iptables, mail and other action configurations
/etc/fail2ban/fail2ban.conf  # defines the Fail2ban log level, log location and socket file location
/etc/fail2ban/filter.d       # filter (condition) directory with the default files: settings for the log content to match
/etc/fail2ban/jail.conf      # main configuration file, organized in sections: enables the ban action per service and sets its thresholds
Application example: if SSH login fails password authentication 3 times within 5 minutes, block that user's IP from accessing the host for 1 hour; after 1 hour the limit is lifted automatically and the IP can log in again.
#vim /etc/fail2ban/jail.conf
# the sshd jail section of the 0.9.x jail.conf
[sshd]
enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail-whois[name=SSH, dest=[email protected], sender=[email protected], sendername="Fail2ban"]
logpath  = /var/log/secure
findtime = 300
maxretry = 3
bantime  = 3600
Notes:
enabled  = true             # whether this entry is active (true/false); set it to true
logpath  = /var/log/secure  # the system login log to watch; give the path of the sshd service's log file
findtime = 300              # the window within which the failures are counted, here 5 minutes; the default unit is seconds
maxretry = 3                # maximum number of password failures, here 3; exceeding it triggers the action
bantime  = 3600             # after more than 3 failures, block this IP from the host for 1 hour
The e-mail settings can be pointed at the administrator's mailbox. After finishing this configuration, open a new terminal, deliberately enter the wrong password 3 times, then try to log in again and see the blocked prompt: ssh: connect to host 192.168.1.63 port 22: Connection refused
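To make the findtime/maxretry interaction concrete, here is an added example that is neither from the original post nor Fail2ban's own code: a simplified awk model of the sshd jail run over constructed /var/log/secure lines (SAMPLE_LOG; the hostnames, PIDs and 10.0.0.x addresses are invented). It assumes all lines fall on the same day, so only the HH:MM:SS field is converted to seconds, and it matches only "Failed password" lines, whereas the real filter.d/sshd.conf matches several message forms and parses full timestamps. The function name ban_candidates is an assumption for this demo.

```shell
#!/bin/sh
# Added example (not from the original post and not Fail2ban's own code): a simplified model
# of findtime/maxretry applied to constructed /var/log/secure lines. Assumes all lines fall on
# the same day, so only the HH:MM:SS field is turned into seconds.
SAMPLE_LOG='Nov 10 14:40:01 xuegod163 sshd[2001]: Failed password for root from 10.0.0.5 port 50001 ssh2
Nov 10 14:41:10 xuegod163 sshd[2002]: Failed password for invalid user admin from 10.0.0.5 port 50002 ssh2
Nov 10 14:44:30 xuegod163 sshd[2003]: Failed password for root from 10.0.0.5 port 50003 ssh2
Nov 10 14:40:05 xuegod163 sshd[2004]: Failed password for root from 10.0.0.9 port 50010 ssh2
Nov 10 14:50:00 xuegod163 sshd[2005]: Failed password for root from 10.0.0.9 port 50011 ssh2
Nov 10 14:59:00 xuegod163 sshd[2006]: Failed password for root from 10.0.0.9 port 50012 ssh2
Nov 10 14:45:00 xuegod163 sshd[2007]: Accepted password for lius from 10.0.0.7 port 50020 ssh2'

# ban_candidates FINDTIME MAXRETRY: read log lines on stdin and print each source IP once,
# as soon as it reaches MAXRETRY failures inside a trailing FINDTIME-second window.
ban_candidates() {
    awk -v findtime="$1" -v maxretry="$2" '
        /sshd\[[0-9]+\]: Failed password for .* from [0-9.]+ port / {
            split($3, t, ":")
            now = t[1] * 3600 + t[2] * 60 + t[3]
            ip = ""
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            if (ip == "") next
            n[ip]++
            ts[ip, n[ip]] = now
            # count the failures from this source that are still inside the window
            cnt = 0
            for (j = 1; j <= n[ip]; j++) if (now - ts[ip, j] <= findtime) cnt++
            if (cnt >= maxretry && !(ip in banned)) { banned[ip] = 1; print ip }
        }'
}

# With the jail values from the configuration above: 10.0.0.5 fails three times within
# 269 seconds and is reported; 10.0.0.9 also fails three times, but spread over 19 minutes,
# so it never reaches maxretry inside a 300-second window.
printf '%s\n' "$SAMPLE_LOG" | ban_candidates 300 3
```

Widening findtime to 1200 seconds makes 10.0.0.9 a candidate as well, which is the trade-off the two parameters express: a longer window catches slow attackers at the cost of more bans from innocently mistyped passwords. In the real setup the printed IP is what the iptables action rejects for bantime seconds, which is why the test login above is answered with "Connection refused".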
This article is from the "Liemer_lius" blog; please keep this source: http://liemerlius.blog.51cto.com/10409683/1711917
Linux methods against SSH remote brute-force cracking, and configuring and applying the Fail2ban software