# lastb -n 50
Help ssh:notty 218.17.149.227 Sun Jan 24 16:28-16:28 (00:00)
HDFs ssh:notty 218.17.149.227 Sun Jan 24 15:16-15:16 (00:00)
Michael ssh:notty 59-120-151-118.h Sun Jan 24 15:03-15:03 (00:00)
MFS ssh:notty 59-120-151-118.h Sun Jan 24 14:20-14:20 (00:00)
Hadoop ssh:notty 218.17.149.227 Sun Jan 24 14:03-14:03 (00:00)
Media ssh:notty 59-120-151-118.h Sun Jan 24 13:40-13:40 (00:00)
Guest ssh:notty 218.17.149.227 Sun Jan 24 12:50-12:50 (00:00)
A ssh:notty ec2-54-165-101-6 Sun Jan 24 11:57-11:57 (00:00)
Grayson ssh:notty 218.17.149.227 Sun Jan 24 11:37-11:37 (00:00)
Admin ssh:notty 212-83-174-199.r Sun Jan 24 11:06-11:06 (00:00)
UBNT ssh:notty 212-83-174-199.R Sun Jan 24 11:06-11:06 (00:00)
....
tail -100 /var/log/secure
Jan 14:41:41 sz-nginx02 sshd[5497]: fatal: Read from socket failed: Connection reset by peer [preauth]
Jan 14:41:42 sz-nginx02 sshd[5499]: fatal: Read from socket failed: Connection reset by peer [preauth]
Jan 14:41:43 sz-nginx02 sshd[5501]: fatal: Read from socket failed: Connection reset by peer [preauth]
Jan 14:41:44 sz-nginx02 sshd[5503]: fatal: Read from socket failed: Connection reset by peer [preauth]
Jan 14:41:45 sz-nginx02 sshd[5505]: fatal: Read from socket failed: Connection reset by peer [preauth]
Jan 14:41:46 sz-nginx02 sshd[5507]: fatal: Read from socket failed: Connection reset by peer [preauth]
Jan 14:41:46 sz-nginx02 sshd[5509]: fatal: Read from socket failed: Connection reset by peer [preauth]
Jan 14:41:47 sz-nginx02 sshd[5511]: fatal: Read from socket failed: Connection reset by peer [preauth]
Jan 14:42:39 sz-nginx02 sshd[5513]: fatal: Read from socket failed: Connection reset by peer [preauth]
Jan 14:42:40 sz-nginx02 sshd[5515]: fatal: Read from socket failed: Connection reset by peer [preauth]
Jan 14:43:20 sz-nginx02 sshd[5517]: fatal: Read from socket failed: Connection reset by peer [preauth]
Jan 14:43:21 sz-nginx02 sshd[5519]: fatal: Read from socket failed: Connection reset by peer [preauth]
....
Ways to prevent SSH brute-force attacks:
Use key-based login: generate a key pair with ssh-keygen
Use DenyHosts to restrict logins from other IPs
DenyHosts is a program written in Python that analyzes sshd's log files and, when it finds repeated attacks, records the offending IP in /etc/hosts.deny, so the IP is blocked automatically.
Installation: download it from the official website, http://denyhosts.sourceforge.net, choosing the version that matches your system.
Installation tutorial: "DenyHosts prevents SSH brute-force cracking and protects your Linux"
http://www.myhack58.com/Article/48/66/2011/28833.htm
DenyHosts configuration file explained: vi /etc/denyhosts.cfg
# SSH log file. Red Hat family systems use /var/log/secure.
# Mandrake and FreeBSD use /var/log/auth.log, while SuSE uses /var/log/messages.
# These are explained in detail in the configuration file.
SECURE_LOG = /var/log/secure
# File that controls which hosts may log in
HOSTS_DENY = /etc/hosts.deny
# How long before a blocked entry is purged; empty means it is never purged
# 'm' = minutes
# 'h' = hours
# 'd' = days
# 'w' = weeks
# 'y' = years
PURGE_DENY = 30m
# Name of the service to block; DenyHosts can be used not only for SSH but also for SMTP and so on
BLOCK_SERVICE = sshd
# Number of failures allowed for invalid users
DENY_THRESHOLD_INVALID = 1
# Number of login failures allowed for normal users
DENY_THRESHOLD_VALID = 5
# Number of login failures allowed for root
DENY_THRESHOLD_ROOT = 3
# Whether to do reverse DNS lookups
HOSTNAME_LOOKUP = no
# Administrator email address; DenyHosts sends mail to the administrator
ADMIN_EMAIL =
# Path of the DenyHosts log file
DAEMON_LOG = /var/log/denyhosts
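A simplified model of what the three deny-threshold settings above control, as an added example (not DenyHosts' own code): it counts sshd "Failed password" lines per source address and category, and lists the addresses that would be written to /etc/hosts.deny. The log lines are constructed, and the `allow` parameter and all function names are hypothetical.

```python
import re
from collections import defaultdict

# Failures allowed per category, using the values from the configuration above.
THRESHOLDS = {"invalid": 1, "valid": 5, "root": 3}

# The address is read from the end of the line, which sshd writes itself,
# so text inside a client-supplied user name cannot stand in for it.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>.*)"
    r" from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2\s*$"
)

def classify(match):
    """Return the threshold category a failed login counts against."""
    if match.group("invalid"):
        return "invalid"
    return "root" if match.group("user") == "root" else "valid"

def hosts_to_deny(log_lines, thresholds=THRESHOLDS, allow=()):
    """Sorted IPs with more failures in some category than that category allows."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in log_lines:
        m = FAILED.search(line)
        if m and m.group("ip") not in allow:  # allow: hypothetical never-block list
            counts[m.group("ip")][classify(m)] += 1
    return sorted(ip for ip, cats in counts.items()
                  if any(n > thresholds[c] for c, n in cats.items()))

def deny_entries(ips, service="sshd"):
    """Format entries as 'service: ip' lines for /etc/hosts.deny."""
    return [f"{service}: {ip}" for ip in ips]

def sample_line(who, ip):
    """Constructed log line in sshd's 'Failed password' format."""
    return (f"Jan 24 14:41:41 host1 sshd[5497]: "
            f"Failed password for {who} from {ip} port 40122 ssh2")

# Constructed input: documentation-range addresses, not the hosts in the logs above.
SAMPLE = (
    [sample_line("invalid user hadoop", "203.0.113.7"),
     sample_line("invalid user ubnt", "203.0.113.7")]   # 2 invalid > 1: block
    + [sample_line("root", "198.51.100.23")] * 4         # 4 root > 3: block
    + [sample_line("michael", "192.0.2.10")] * 2         # 2 valid <= 5: keep
    + [sample_line("invalid user guest", "192.0.2.44")]  # 1 invalid <= 1: keep
)

if __name__ == "__main__":
    print("\n".join(deny_entries(hosts_to_deny(SAMPLE))))
```

The "Read from socket failed ... [preauth]" lines shown earlier carry no source address, so a counter like this has nothing to attribute them to; the sources of those attempts are visible in the lastb output instead.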
SSH brute-force attack