Re: iptables and logwatch

Людмила Бандурина bigdogs.ru at gmail.com
Mon Sep 29 08:34:08 UTC 2014


Config /etc/ssh/sshd_config

# Package generated configuration file
# See the sshd_config(5) manpage for details

# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile     %h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes


On 29 September 2014 at 12:29, Людмила Бандурина <bigdogs.ru at gmail.com> wrote:

> hosts.allow
>
> sendmail: all
> # /etc/hosts.allow: list of hosts that are allowed to access the system.
> #                   See the manual pages hosts_access(5) and hosts_options(5).
> #
> # Example:    ALL: LOCAL @some_netgroup
> #             ALL: .foobar.edu EXCEPT terminalserver.foobar.edu
> #
> # If you're going to protect the portmapper use the name "portmap" for the
> # daemon name. Remember that you can only use the keyword "ALL" and IP
> # addresses (NOT host or domain names) for the portmapper, as well as for
> # rpc.mountd (the NFS mount daemon). See portmap(8) and rpc.mountd(8)
> # for further information.
> #
>
> The logwatch email
>
>
>  --------------------- SSHD Begin ------------------------
>
>
>  Illegal users from:
>     undef: 53 times
>     61.183.1.14: 11 times
>     122.225.109.116: 1 time
>     122.225.109.194: 1 time
>     122.225.109.195: 1 time
>     122.225.109.197: 1 time
>     193.238.157.34 (shadow.charon.at): 26 times
>     212.129.56.29 (212-129-56-29.rev.poneytelecom.eu): 12 times
>
>  Users logging in through sshd:
>     root:
>        83.220.237.97: 3 times
>        83.220.237.40: 2 times
>
>
>  Received disconnect:
>     11: Bye Bye [preauth] : 103 Time(s)
>     11: disconnected by user : 5 Time(s)
>     3: com.jcraft.jsch.JSchException: Auth fail [preauth] : 15 Time(s)
>
>  Refused incoming connections:
>        193.238.157.34 (193.238.157.34): 2 Time(s)
>        212.129.56.29 (212.129.56.29): 1 Time(s)
>        27.254.33.142 (27.254.33.142): 12 Time(s)
>        61.183.1.14 (61.183.1.14): 1 Time(s)
>
>  ---------------------- SSHD End -------------------------
>
> iptables -L -v
>
> Chain INPUT (policy ACCEPT 74600 packets, 48M bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 DROP       all  --  any    any     175.42.0.0/16        anywhere
>    15   600 DROP       all  --  any    any     122.225.0.0/16       anywhere
>    12   480 DROP       all  --  any    any     0.0.174.61.dial.tz.zj.dynamic.163data.com.cn/16  anywhere
>   104  5268 DROP       all  --  any    any     222.77.0.0/16        anywhere
>     3   152 DROP       all  --  any    any     0.0.40.120.broad.fz.fj.dynamic.163data.com.cn/16  anywhere
>    26  1348 DROP       all  --  any    any     0.0.25.117.broad.fz.fj.dynamic.163data.com.cn/16  anywhere
>     0     0 DROP       all  --  any    any     110.80.0.0/16        anywhere
>     6   304 DROP       all  --  any    any     0.0.161.220.broad.zz.fj.dynamic.163data.com.cn/16  anywhere
>     0     0 DROP       all  --  any    any     0.0.207.121.broad.qz.fj.dynamic.163data.com.cn/16  anywhere
>     0     0 DROP       all  --  any    any     0.0.58.59.broad.np.fj.dynamic.163data.com.cn/16  anywhere
>     0     0 DROP       all  --  any    any     125.77.0.0/16        anywhere
>   107  5452 DROP       all  --  any    any     0.0.85.110.broad.qz.fj.dynamic.163data.com.cn/16  anywhere
>   114  5928 DROP       all  --  any    any     0.0.84.110.broad.xm.fj.dynamic.163data.com.cn/16  anywhere
>    57  2920 DROP       all  --  any    any     0.0.205.121.broad.qz.fj.dynamic.163data.com.cn/16  anywhere
>     3   152 DROP       all  --  any    any     0.0.76.222.broad.fz.fj.dynamic.163data.com.cn/16  anywhere
>    48  2496 DROP       all  --  any    any     0.0.87.110.broad.xm.fj.dynamic.163data.com.cn/16  anywhere
>    35  1804 DROP       all  --  any    any     0.0.78.125.broad.qz.fj.dynamic.163data.com.cn/16  anywhere
>    45  2340 DROP       all  --  any    any     0.0.32.120.broad.fz.fj.dynamic.163data.com.cn/16  anywhere
>    24  1216 DROP       all  --  any    any     0.0.83.110.broad.fz.fj.dynamic.163data.com.cn/16  anywhere
>   284 14312 DROP       all  --  any    any     27.150.0.0/16        anywhere
>     0     0 DROP       all  --  any    any     0.0.125.76.gs.dail.jqgt.dynamic.163data.com.cn/16  anywhere
>   185  9424 DROP       all  --  any    any     27.153.0.0/16        anywhere
>    93  4712 DROP       all  --  any    any     0.0.89.110.broad.pt.fj.dynamic.163data.com.cn/16  anywhere
>     6   304 DROP       all  --  any    any     0.0.204.121.board.fz.fj.dynamic.163data.com.cn/16  anywhere
>     0     0 DROP       all  --  any    any     120.36.0.0/16        anywhere
>    45  2280 DROP       all  --  any    any     0.0.33.120.broad.qz.fj.dynamic.163data.com.cn/16  anywhere
>     0     0 DROP       all  --  any    any     59.60.0.0/16         anywhere
>    75  3800 DROP       all  --  any    any     0.0.26.117.broad.qz.fj.dynamic.163data.com.cn/16  anywhere
>     0     0 DROP       all  --  any    any     0.0.154.27.broad.xm.fj.dynamic.163data.com.cn/16  anywhere
>   243 12312 DROP       all  --  any    any     0.0.159.27.broad.xm.fj.dynamic.163data.com.cn/16  anywhere
>     0     0 DROP       all  --  any    any     0.82.30.117.broad.xm.fj.dynamic.163data.com.cn/24  anywhere
>     0     0 DROP       all  --  any    any     0.29.154.27.broad.xm.fj.dynamic.163data.com.cn/24  anywhere
>     0     0 DROP       all  --  any    any     0.125.79.222.broad.xm.fj.dynamic.163data.com.cn/24  anywhere
>     0     0 DROP       all  --  any    any     0.125.79.222.broad.xm.fj.dynamic.163data.com.cn/24  anywhere
>     0     0 DROP       all  --  any    any     87.125.79.222.broad.xm.fj.dynamic.163data.com.cn  anywhere
>
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain OUTPUT (policy ACCEPT 93209 packets, 124M bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
>
>
> --
> Regards, Людмила
>
>
> On 29 September 2014 at 12:17, Alan Holt <berber.it at gmail.com> wrote:
>
>> There is an error somewhere; attach the full iptables and the log.
>> This also happens when the ssh daemon and the firewall chains are
>> misconfigured.
>>
>> Also use /etc/hosts.allow
>>
>> 2014-09-29 11:04 GMT+03:00 Людмила Бандурина <bigdogs.ru at gmail.com>:
>>
>>> Good afternoon,
>>>
>>> No, there are no allow rules in the list, only a few more of the same
>>> bans on Chinese subnets.
>>>
>>> On 28 September 2014 at 20:42, Dmitry Agafonov <agafonovdmitry at gmail.com> wrote:
>>>
>>>> Good afternoon!
>>>>
>>>> A single rule tells you nothing. Look at the counters and the numbering
>>>> (-v); perhaps nothing matches that rule at all and the traffic is handled
>>>> by some allow rule higher up the list.
>>>>
>>>> On 28 September 2014 at 19:55, Людмила Бандурина <bigdogs.ru at gmail.com> wrote:
>>>>
>>>>> Hello everyone!
>>>>>
>>>>> iptables has:
>>>>> Chain INPUT (policy ACCEPT)
>>>>> target     prot opt source               destination
>>>>> DROP       all  --  122.225.0.0/16       anywhere
>>>>>
>>>>> Nevertheless, in the logwatch email I see
>>>>>
>>>>> Illegal users from:
>>>>>     122.225.109.116: 1 time
>>>>>     122.225.109.194: 1 time
>>>>>     122.225.109.195: 1 time
>>>>>     122.225.109.197: 1 time
>>>>>
>>>>> Why? If access is closed off by the firewall, those attempts should
>>>>> surely be in the Refused incoming connections section, shouldn't they?
>>>>>
>>>>> --
>>>>> Regards, Людмила
>>>>>
>>>>> --
>>>>> ubuntu-ru mailing list
>>>>> ubuntu-ru на lists.ubuntu.com
>>>>> https://lists.ubuntu.com/mailman/listinfo/ubuntu-ru
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> Dmitry Agafonov ~ http://agafonov.pp.ru/
>>>>
>>>>
>>>>
>>>
>>>
>>> --
>>> Regards, Людмила
>>>
>>>
>>>
>>
>>
>> --
>> Best regards,
>> Alex Berber
>> +9 72 54 285 952 3
>> www.linuxspace.org <http://www.linuxspace.org>
>>
>>
>>
>
>


-- 
Regards, Людмила
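The question the thread circles around, whether the INPUT chain would actually have dropped the addresses logwatch reported, can be checked mechanically rather than by eye. The script below is an added example and not code from anyone in the thread: it parses an `iptables -L INPUT -v -n` listing and the logwatch "Illegal users from" block, then walks the chain top to bottom the way the kernel does, so an address caught by an earlier ACCEPT is reported as accepted (the case Dmitry raises). The sample listings, the `122.225.109.0/24` ACCEPT rule and the excerpted logwatch block are constructed for the example; `-n` is used because without it, as in the listing posted above, iptables resolves network addresses through reverse DNS and prints names in the source column.

```python
"""Reconcile the source IPs sshd logged with the iptables INPUT chain.

Walks an `iptables -L INPUT -v -n` listing top to bottom (first match wins,
as the kernel does) and reports, for each IP in logwatch's "Illegal users
from" block, which rule would catch it or that it reaches the chain policy.
"""
import ipaddress
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

Rule = NamedTuple("Rule", [("pkts", int), ("target", str), ("proto", str), ("src", object)])

CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+)")
# `iptables -L -v -n` columns: pkts bytes target prot opt in out source destination
RULE_RE = re.compile(r"^\s*(\d+)\s+\d+[KMG]?\s+(\S+)\s+(\S+)\s+\S+\s+\S+\s+\S+\s+(\S+)\s+\S+")
# "    193.238.157.34 (shadow.charon.at): 26 times" / "    undef: 53 times"
LOGWATCH_RE = re.compile(r"^\s*(\S+?)(?: \([^)]*\))?: (\d+) [Tt]ime(?:s|\(s\))?\s*$")

# Constructed sample: four of the thread's INPUT rules as `-n` prints them
# (the thread's listing was taken without -n, hence the reverse-DNS names there).
IPTABLES_INPUT = """\
Chain INPUT (policy ACCEPT 74600 packets, 48M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       175.42.0.0/16        0.0.0.0/0
   15   600 DROP       all  --  *      *       122.225.0.0/16       0.0.0.0/0
  104  5268 DROP       all  --  *      *       222.77.0.0/16        0.0.0.0/0
  284 14312 DROP       all  --  *      *       27.150.0.0/16        0.0.0.0/0
"""
# Hypothetical variant, not from the thread: an ACCEPT above the DROP, the
# case Dmitry describes where an allow rule higher up the list wins.
IPTABLES_INPUT_WITH_ALLOW = """\
Chain INPUT (policy ACCEPT 74600 packets, 48M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       122.225.109.0/24     0.0.0.0/0            tcp dpt:22
   15   600 DROP       all  --  *      *       122.225.0.0/16       0.0.0.0/0
"""
# Constructed from the "Illegal users from" block quoted in the thread.
LOGWATCH_SSHD = """\
 Illegal users from:
    undef: 53 times
    61.183.1.14: 11 times
    122.225.109.116: 1 time
    122.225.109.194: 1 time
    193.238.157.34 (shadow.charon.at): 26 times
"""


def parse_chain(listing: str) -> Tuple[str, List[Rule]]:
    """(policy, rules) of the first chain in the listing, in table order."""
    policy, rules, seen = "ACCEPT", [], False
    for line in listing.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            if seen:
                break  # a second chain started; only the first one is wanted
            policy, seen = m.group(2), True
            continue
        m = RULE_RE.match(line)
        if m:
            pkts, target, proto, src = m.groups()
            rules.append(Rule(int(pkts), target, proto, ipaddress.ip_network(src, strict=False)))
    return policy, rules


def first_match(rules: List[Rule], ip: str) -> Optional[Tuple[int, Rule]]:
    """1-based number (as --line-numbers counts) and rule of the first entry whose
    source holds `ip`.  Only source and protocol are compared; interface, port and
    conntrack-state matches are ignored, so this is a first-order check."""
    addr = ipaddress.ip_address(ip)
    for number, rule in enumerate(rules, start=1):
        if rule.proto in ("all", "tcp") and addr in rule.src:
            return number, rule
    return None


def parse_illegal_users(text: str) -> Dict[str, int]:
    """IP -> attempts.  'undef' (logwatch could not attribute a source) is skipped."""
    counts: Dict[str, int] = {}
    for line in text.splitlines():
        m = LOGWATCH_RE.match(line)
        if m:
            try:
                counts[str(ipaddress.ip_address(m.group(1)))] = int(m.group(2))
            except ValueError:
                pass
    return counts


def reconcile(listing: str, logwatch_text: str) -> Dict[str, Tuple[str, Optional[int]]]:
    """IP -> (verdict, rule number); the number is None when the chain policy decides."""
    policy, rules = parse_chain(listing)
    out: Dict[str, Tuple[str, Optional[int]]] = {}
    for ip in parse_illegal_users(logwatch_text):
        hit = first_match(rules, ip)
        out[ip] = (policy, None) if hit is None else (hit[1].target, hit[0])
    return out


if __name__ == "__main__":
    policy, rules = parse_chain(IPTABLES_INPUT)
    for ip, attempts in parse_illegal_users(LOGWATCH_SSHD).items():
        hit = first_match(rules, ip)
        where = (f"rule {hit[0]} {hit[1].target} {hit[1].src} (counter {hit[1].pkts} pkts)"
                 if hit else f"no rule, policy {policy}")
        print(f"{ip:16} {attempts:3} attempts -> {where}")
```

Run stand-alone it prints one line per logged address with the rule that would catch it and that rule's packet counter. Rule counters only start counting from the moment the rule is inserted, and rules inserted with `iptables` by hand do not survive a reboot unless they are saved and restored, so an address that lands on a DROP rule yet still shows attempts in the log is worth comparing against when that rule was added; `iptables -L INPUT -v -n --line-numbers` gives the same numbering the script uses.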

