Handling a Linux server after it was hacked

Source: Internet
Author: User
Tags: centos, server

Scene: Monday morning the CentOS 6 test server's SSH is unavailable, and the web application and database running on it do not respond. Fortunately the VNC console still works. The output of last shows that the login records from before July 2 have been wiped, that the sshd binary had been modified on Saturday, and that the machine was rebooted remotely at around 02:30 on Sunday (July 2):

    root     pts/1        :1.0             Mon Jul  3 11:09   still logged in
    root     pts/1        :1.0             Mon Jul  3 11:08 - 11:09  (00:01)
    root     pts/0        :0.0             Mon Jul  3 10:54   still logged in
    root     tty1         :0               Mon Jul  3 10:53   still logged in
    reboot   system boot  2.6.32-696.3.2.e Mon Jul  3 10:46 - 11:11  (00:25)
    root     pts/0        :0.0             Mon Jul  3 10:42 - down    (00:01)
    root     tty1         :0               Mon Jul  3 10:40 - down    (00:03)
    reboot   system boot  2.6.32-696.3.2.e Sun Jul  2 02:31 - 10:44  (1+08:12)
    reboot   system boot  2.6.32-431.el6.x Sun Jul  2 02:27 - 02:27  (00:00)

Note the two reboots four minutes apart: the first came up on kernel 2.6.32-431, the second on 2.6.32-696.3.2, so the booted kernel changed in that window. /var/log/yum.log and the rpm database are worth checking for what was installed then.

Reading /var/log/messages around that time (less /var/log/messages) together with the last output: rsyslogd was HUPed at 03:11, and from 03:35 onward there is a steady stream of SSH brute-force and scanning noise. The source addresses in the excerpt are 103.207.37.86, 103.79.143.234 and 113.108.21.16:

    Jul  2 03:11:20 oracledb rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="1960" x-info="http://www.rsyslog.com"] rsyslogd was HUPed
    Jul  2 03:35:11 oracledb sshd[13864]: Did not receive identification string from 103.207.37.86
    Jul  2 03:35:12 oracledb sshd[13865]: error: bad prime description in line 186
    Jul  2 03:35:12 oracledb sshd[13865]: error: bad prime description in line 187
    Jul  2 03:35:12 oracledb sshd[13865]: error: bad prime description in line 188
    Jul  2 03:35:13 oracledb sshd[13865]: Failed password for illegal user support from 103.207.37.86 port 58311 ssh2
    Jul  2 03:45:05 oracledb sshd[13887]: Illegal user support from 103.79.143.234
    Jul  2 05:10:37 oracledb sshd[14126]: Illegal user support from 103.79.143.234
    Jul  2 05:10:37 oracledb sshd[14126]: Failed password for illegal user support from 103.79.143.234 port 57019 ssh2
    Jul  2 05:10:43 oracledb sshd[14128]: Did not receive identification string from (source address truncated in the excerpt)

The "bad prime description" errors are raised by sshd when it cannot parse lines of /etc/ssh/moduli, so that file deserves a look as well as the sshd binary itself.

Because this is a test machine on which Oracle and squid were being set up, iptables had been stopped temporarily. iptables is enabled at boot, so the 02:30 reboot brought the firewall back, and the attacker should not be able to log in again; the damage is that files on the system had already been modified.

Workaround

1. Change the root password.
2. Because the sshd binary was modified, remove and reinstall OpenSSH, and allow SSH only from specified intranet addresses.
3. Configure iptables to match and reload it.

Reinstalling sshd

1. Find the installed packages:

    rpm -qa | grep ssh

   This lists openssh-clients, openssh-server, openssh and openssh-askpass. Remove all four. rpm -e refuses to remove a package that another installed package still requires, so follow the dependency errors and remove from the innermost dependent outward; on this system the order was openssh-askpass, openssh, openssh-server, openssh-clients.

2. Reinstall with yum:

    yum install openssh-askpass

   works, but yum install openssh-server fails with:

    unpacking of archive failed on file /usr/sbin/sshd: cpio: rename
    Operation not permitted

   The file cannot be deleted, so query its hidden (extended) attributes:

    lsattr /usr/sbin/sshd
    ----ia-------e- /usr/sbin/sshd

   i (immutable): the file cannot be deleted, renamed, hard-linked, written to or appended to. It is useful for locking down system files, and equally useful to an attacker who wants a trojaned binary to survive a reinstall. a (append only): data can only be appended to the file, never removed; this is mostly used to protect server log files. Only root can set either attribute. Clear both and the removal goes through:

    chattr -ia /usr/sbin/sshd

   chattr takes + to add attributes on top of the existing ones and - to remove them. After that, yum install openssh-server succeeds.

   Caveat: whoever replaced sshd and pinned it with chattr +i had root and may have done the same elsewhere. Before trusting the box again, verify the whole package set (rpm -Va) and sweep /bin, /sbin, /usr/bin, /usr/sbin, /lib and /etc for other locked files. A rebuild from trusted media is the reliable fix; the steps here are the minimum needed to regain control.
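The single lsattr check above generalises to a sweep. The script below is an added example, not part of the original post: it parses lsattr output (one "flags path" line per file), reports anything carrying the i or a attribute while ignoring the normal ext4 e (extents) flag, and wraps that in a recursive scan plus an unlock step. The lsattr lines embedded in it are constructed to mirror the finding above; the paths are illustrative.

```shell
#!/bin/sh
# Added example (not from the original post): sweep for files that have been
# made immutable (i) or append-only (a), the trick that blocked the
# openssh-server reinstall. SAMPLE_LSATTR is CONSTRUCTED lsattr output.

SAMPLE_LSATTR='----ia-------e- /usr/sbin/sshd
-------------e- /usr/sbin/sshd-keygen
-----a-------e- /var/log/secure
-------------e- /usr/bin/ssh'

# locked_files: read lsattr output on stdin and print "<why> <path>" for
# every entry carrying i or a. The attribute string is the first token; the
# path is everything after the single following space (paths may contain
# spaces). Directory header lines from lsattr -R ("/usr/sbin:") and blank
# lines have fewer than two fields and are skipped.
locked_files() {
    awk '
    NF >= 2 && $1 ~ /^[-a-zA-Z]+$/ {
        flags = $1
        path  = substr($0, length(flags) + 2)
        out = ""; sep = ""
        if (flags ~ /i/) { out = "immutable"; sep = "," }
        if (flags ~ /a/) { out = out sep "append-only" }
        if (out != "") printf "%s %s\n", out, path
    }'
}

# scan_locked DIR...: run lsattr recursively (e2fsprogs) over the given
# directories and report locked files. Errors for non-ext filesystems such as
# /proc are discarded.
scan_locked() {
    lsattr -R "$@" 2>/dev/null | locked_files
}

# unlock_file PATH: clear i and a so the package manager can replace the
# file, then ask rpm which package owns it and whether the on-disk copy
# still matches. Only do this after deciding the file is attacker-controlled;
# a legitimately locked log should stay append-only.
unlock_file() {
    chattr -ia "$1" && rpm -Vf "$1"
}
```

On the compromised box this would be run as `scan_locked /bin /sbin /usr/bin /usr/sbin /lib /etc`; every hit that is not a log you locked yourself is a candidate for `unlock_file` followed by a reinstall of the owning package.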
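The /var/log/messages excerpt above is the kind of noise that has to be triaged quickly to decide which source addresses to block. The script below is an added example, not part of the original post: it reads sshd log lines, attributes each failed password, invalid-user and missing-banner event to its source IP (handling both the modern "Invalid user" and the older "Illegal user" wording seen above), and lists the addresses that exceed a threshold. The log lines embedded in it are constructed from the excerpt; the PIDs, times and the 113.108.21.16 line are illustrative.

```shell
#!/bin/sh
# Added example (not from the original post): triage sshd brute-force noise
# in a /var/log/messages-style file. SAMPLE_LOG is CONSTRUCTED to mirror
# the excerpt in the post; PIDs, times and the final two lines are made up.

SAMPLE_LOG='Jul  2 03:35:11 oracledb sshd[13864]: Did not receive identification string from 103.207.37.86
Jul  2 03:35:13 oracledb sshd[13865]: Failed password for illegal user support from 103.207.37.86 port 58311 ssh2
Jul  2 03:45:05 oracledb sshd[13887]: Illegal user support from 103.79.143.234
Jul  2 05:10:37 oracledb sshd[14126]: Illegal user support from 103.79.143.234
Jul  2 05:10:37 oracledb sshd[14126]: Failed password for illegal user support from 103.79.143.234 port 57019 ssh2
Jul  2 05:10:43 oracledb sshd[14128]: Did not receive identification string from 113.108.21.16
Jul  2 05:12:01 oracledb sshd[14130]: Failed password for root from 103.79.143.234 port 57100 ssh2
Jul  2 05:12:09 oracledb sshd[14131]: Accepted password for root from 192.168.101.32 port 40022 ssh2'

# sshd_attack_summary: read sshd log lines on stdin and print one line per
# hostile source IP, highest total first:
#   <total> <ip> failed=<n> invalid_user=<n> no_banner=<n>
# Accepted logins are deliberately not counted, so a legitimate admin
# address never shows up here.
sshd_attack_summary() {
    awk '
    / sshd\[[0-9]+\]: / {
        ip = ""
        if (match($0, /from [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/))
            ip = substr($0, RSTART + 5, RLENGTH - 5)
        if (ip == "") next
        # "Failed password for illegal user X" must be tested first, or it
        # would be double counted by the invalid-user branch.
        if ($0 ~ /Failed password/)                     { fail[ip]++; seen[ip] = 1 }
        else if ($0 ~ /(Invalid|Illegal) user/)         { inv[ip]++;  seen[ip] = 1 }
        else if ($0 ~ /Did not receive identification/) { nob[ip]++;  seen[ip] = 1 }
    }
    END {
        for (ip in seen)
            printf "%d %s failed=%d invalid_user=%d no_banner=%d\n",
                fail[ip] + inv[ip] + nob[ip], ip, fail[ip], inv[ip], nob[ip]
    }' | sort -rn
}

# sshd_block_candidates THRESHOLD: print only the source IPs with at least
# THRESHOLD hostile events, one per line, ready to feed into a DROP rule.
sshd_block_candidates() {
    sshd_attack_summary | awk -v t="$1" '$1 >= t { print $2 }'
}
```

On the real box this is `sshd_attack_summary < /var/log/messages` (or /var/log/secure, depending on the SyslogFacility in sshd_config); the threshold for `sshd_block_candidates` is a judgement call, but anything with dozens of events in a night is not a typo by a colleague.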
3. Configure SSH login control: set the management addresses and a black/white list.

   vi /etc/ssh/sshd_config

    # change the port
    Port 52111
    # only allow protocol version 2 connections
    Protocol 2
    # root login stays allowed, because the source addresses are restricted below
    PermitRootLogin yes
    # do not allow empty passwords
    PermitEmptyPasswords no

   Block SSH connection requests from everyone (vi /etc/hosts.deny):

    sshd: ALL

   Then allow SSH only from the specified intranet ranges (vi /etc/hosts.allow):

    sshd: 192.168.0.
    sshd: 192.168.253.

   A trailing dot in hosts.allow matches a network prefix; the CentOS 6 sshd is built with tcp_wrappers (libwrap), so these two files are consulted on every connection. If SELinux is enforcing, sshd will not be allowed to bind the new port until it is labelled: semanage port -a -t ssh_port_t -p tcp 52111. Restart the SSH service (service sshd restart) and, before closing the VNC session, confirm that a fresh login from an allowed address works on the new port.

Configuring the matching iptables rules

1. Rule syntax:

    iptables [-t table] [-A|-I|-D|-R chain] [-i interface] [-p protocol] [-s source IP] [-d destination IP] [--dport destination port] [-j action]

   The filter table is used here; it has the INPUT, OUTPUT and FORWARD chains. When the host runs many services the rule set gets long, and the convenient way is to keep it in a shell script.

   Restrict SSH to the management hosts:

    # limit SSH connections by source IP
    iptables -A INPUT -s 192.168.101.32 -p tcp --dport 22 -j ACCEPT
    iptables -A INPUT -s 192.168.101.35 -p tcp --dport 22 -j ACCEPT
    # 52111 is the changed SSH port
    iptables -A OUTPUT -p tcp --sport 52111 -j ACCEPT

   Two things to check before saving. First, the INPUT rules above still match --dport 22 although sshd now listens on 52111, so they need --dport 52111 (the OUTPUT rule only matters if the OUTPUT chain policy is not ACCEPT). Second, ACCEPT rules by themselves permit nothing that the chain policy does not already permit: the allowlist only restricts access if it is followed by a rule that drops port 52111 from every other source, or if the INPUT chain policy is DROP. This is only the minimal SSH-related configuration; see the iptables configuration article for the full setup. Save with

    /etc/rc.d/init.d/iptables save

   and the configuration takes effect after

    service iptables restart
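The rules as written above still match port 22 and never deny anything. The script below is an added example, not part of the original post: it generates the ruleset the intent actually requires (allow the admin hosts on the new port, accept replies to established sessions, drop everyone else on both the new and the old port) and keeps generation separate from application so the result can be reviewed before it is applied to a box you are still reaching over VNC. SSH_PORT and ADMIN_HOSTS reuse the values from the post and are illustrative.

```shell
#!/bin/sh
# Added example (not from the original post): build a correct SSH allowlist
# for the CentOS 6 iptables service. SSH_PORT and ADMIN_HOSTS are the values
# used in the post, repeated here only as illustration.

SSH_PORT=52111
ADMIN_HOSTS="192.168.101.32 192.168.101.35"

# ssh_rules PORT HOST...: print one iptables command per line, in the order
# they must be appended to INPUT.
ssh_rules() {
    port=$1; shift
    # Packets belonging to sessions already accepted, so an admin who is
    # logged in cannot be cut off by the DROP rules that follow.
    printf 'iptables -A INPUT -p tcp --dport %s -m state --state ESTABLISHED,RELATED -j ACCEPT\n' "$port"
    # New connections only from the management hosts.
    for h in "$@"; do
        printf 'iptables -A INPUT -s %s -p tcp --dport %s -m state --state NEW -j ACCEPT\n' "$h" "$port"
    done
    # Without this terminal rule the allowlist restricts nothing.
    printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$port"
    # sshd no longer listens on 22; drop it so scanners learn nothing.
    printf 'iptables -A INPUT -p tcp --dport 22 -j DROP\n'
}

# apply_ssh_rules: execute the generated commands as root, then persist them
# the CentOS 6 way so they survive "service iptables restart". Because the
# rules are appended, any earlier ACCEPT-all rule in INPUT would shadow
# them; check "iptables -L INPUT -n --line-numbers" first.
apply_ssh_rules() {
    ssh_rules "$SSH_PORT" $ADMIN_HOSTS | sh -e && /etc/rc.d/init.d/iptables save
}
```

Run `ssh_rules "$SSH_PORT" $ADMIN_HOSTS` to inspect the output; call `apply_ssh_rules` only from the console session, and test a new login from an allowed host before logging out of VNC.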
