Re: iptables and logwatch
Alan Holt
berber.it at gmail.com
Mon Sep 29 09:38:43 UTC 2014
All the configs look fine.
Except X11Forwarding yes and PermitRootLogin yes, but that's... I also rarely turn those off.
Set up /etc/hosts.deny and /etc/hosts.allow to your taste. I've given examples.
# vim /etc/hosts.deny
sshd : IP-Address
# vim /etc/hosts.deny
sshd : IP-Address1, IP-Address2, IP-Address3
# vim /etc/hosts.deny
sshd : 33.*.*.*
sshd : 66.66.*.*
# vim /etc/hosts.deny
sshd : ALL
then
In /etc/hosts.allow
sshd : Your IP-Address
Then add to /etc/ssh/sshd_config:
...
MaxAuthTries 3
...
Then in the log:
cat /var/log/syslog
SSH should be logging the access attempts; it seems to me logwatch is simply lying.
Logging in iptables can be improved:
iptables -N SSHATTACK
iptables -A SSHATTACK -j LOG --log-prefix "Possible SSH attack! " --log-level 7
iptables -A SSHATTACK -j DROP
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --set
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 400 --hitcount 3 --rttl -j SSHATTACK
And look at the log again:
grep -F 122.225.109.116 /var/log/syslog
If 122.225.109.116 is not in auth.log, syslog or messages, then logwatch is lying.
On Mon, Sep 29, 2014 at 11:34 AM, Людмила Бандурина <bigdogs.ru at gmail.com> wrote:
> Config /etc/ssh/sshd_config
>
> # Package generated configuration file
> # See the sshd_config(5) manpage for details
>
> # What ports, IPs and protocols we listen for
> Port 22
> # Use these options to restrict which interfaces/protocols sshd will bind to
> #ListenAddress ::
> #ListenAddress 0.0.0.0
> Protocol 2
> # HostKeys for protocol version 2
> HostKey /etc/ssh/ssh_host_rsa_key
> HostKey /etc/ssh/ssh_host_dsa_key
> HostKey /etc/ssh/ssh_host_ecdsa_key
> #Privilege Separation is turned on for security
> UsePrivilegeSeparation yes
>
> # Lifetime and size of ephemeral version 1 server key
> KeyRegenerationInterval 3600
> ServerKeyBits 768
>
> # Logging
> SyslogFacility AUTH
> LogLevel INFO
>
> # Authentication:
> LoginGraceTime 120
> PermitRootLogin yes
> StrictModes yes
>
> RSAAuthentication yes
> PubkeyAuthentication yes
> #AuthorizedKeysFile %h/.ssh/authorized_keys
>
> # Don't read the user's ~/.rhosts and ~/.shosts files
> IgnoreRhosts yes
> # For this to work you will also need host keys in /etc/ssh_known_hosts
> RhostsRSAAuthentication no
> # similar for protocol version 2
> HostbasedAuthentication no
> # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
> #IgnoreUserKnownHosts yes
>
> # To enable empty passwords, change to yes (NOT RECOMMENDED)
> PermitEmptyPasswords no
>
> # Change to yes to enable challenge-response passwords (beware issues with
> # some PAM modules and threads)
> ChallengeResponseAuthentication no
>
> # Change to no to disable tunnelled clear text passwords
> PasswordAuthentication no
>
> # Kerberos options
> #KerberosAuthentication no
> #KerberosGetAFSToken no
> #KerberosOrLocalPasswd yes
> #KerberosTicketCleanup yes
>
> # GSSAPI options
> #GSSAPIAuthentication no
> #GSSAPICleanupCredentials yes
>
> X11Forwarding yes
> X11DisplayOffset 10
> PrintMotd no
> PrintLastLog yes
> TCPKeepAlive yes
> #UseLogin no
>
> #MaxStartups 10:30:60
> #Banner /etc/issue.net
>
> # Allow client to pass locale environment variables
> AcceptEnv LANG LC_*
>
> Subsystem sftp /usr/lib/openssh/sftp-server
>
> # Set this to 'yes' to enable PAM authentication, account processing,
> # and session processing. If this is enabled, PAM authentication will
> # be allowed through the ChallengeResponseAuthentication and
> # PasswordAuthentication. Depending on your PAM configuration,
> # PAM authentication via ChallengeResponseAuthentication may bypass
> # the setting of "PermitRootLogin without-password".
> # If you just want the PAM account and session checks to run without
> # PAM authentication, then enable this but set PasswordAuthentication
> # and ChallengeResponseAuthentication to 'no'.
> UsePAM yes
>
>
> On 29 September 2014 at 12:29, Людмила Бандурина <bigdogs.ru at gmail.com> wrote:
>
>> hosts.allow
>>
>> sendmail: all
>> # /etc/hosts.allow: list of hosts that are allowed to access the system.
>> # See the manual pages hosts_access(5) and hosts_options(5).
>> #
>> # Example: ALL: LOCAL @some_netgroup
>> # ALL: .foobar.edu EXCEPT terminalserver.foobar.edu
>> #
>> # If you're going to protect the portmapper use the name "portmap" for the
>> # daemon name. Remember that you can only use the keyword "ALL" and IP
>> # addresses (NOT host or domain names) for the portmapper, as well as for
>> # rpc.mountd (the NFS mount daemon). See portmap(8) and rpc.mountd(8)
>> # for further information.
>> #
>>
>> Email from logwatch
>>
>>
>> --------------------- SSHD Begin ------------------------
>>
>>
>> Illegal users from:
>> undef: 53 times
>> 61.183.1.14: 11 times
>> 122.225.109.116: 1 time
>> 122.225.109.194: 1 time
>> 122.225.109.195: 1 time
>> 122.225.109.197: 1 time
>> 193.238.157.34 (shadow.charon.at): 26 times
>> 212.129.56.29 (212-129-56-29.rev.poneytelecom.eu): 12 times
>>
>> Users logging in through sshd:
>> root:
>> 83.220.237.97: 3 times
>> 83.220.237.40: 2 times
>>
>>
>> Received disconnect:
>> 11: Bye Bye [preauth] : 103 Time(s)
>> 11: disconnected by user : 5 Time(s)
>> 3: com.jcraft.jsch.JSchException: Auth fail [preauth] : 15 Time(s)
>>
>> Refused incoming connections:
>> 193.238.157.34 (193.238.157.34): 2 Time(s)
>> 212.129.56.29 (212.129.56.29): 1 Time(s)
>> 27.254.33.142 (27.254.33.142): 12 Time(s)
>> 61.183.1.14 (61.183.1.14): 1 Time(s)
>>
>> ---------------------- SSHD End -------------------------
>>
>> iptables -L -v
>>
>> Chain INPUT (policy ACCEPT 74600 packets, 48M bytes)
>> pkts bytes target prot opt in out source destination
>> 0 0 DROP all -- any any 175.42.0.0/16 anywhere
>> 15 600 DROP all -- any any 122.225.0.0/16 anywhere
>> 12 480 DROP all -- any any 0.0.174.61.dial.tz.zj.dynamic.163data.com.cn/16 anywhere
>> 104 5268 DROP all -- any any 222.77.0.0/16 anywhere
>> 3 152 DROP all -- any any 0.0.40.120.broad.fz.fj.dynamic.163data.com.cn/16 anywhere
>> 26 1348 DROP all -- any any 0.0.25.117.broad.fz.fj.dynamic.163data.com.cn/16 anywhere
>> 0 0 DROP all -- any any 110.80.0.0/16 anywhere
>> 6 304 DROP all -- any any 0.0.161.220.broad.zz.fj.dynamic.163data.com.cn/16 anywhere
>> 0 0 DROP all -- any any 0.0.207.121.broad.qz.fj.dynamic.163data.com.cn/16 anywhere
>> 0 0 DROP all -- any any 0.0.58.59.broad.np.fj.dynamic.163data.com.cn/16 anywhere
>> 0 0 DROP all -- any any 125.77.0.0/16 anywhere
>> 107 5452 DROP all -- any any 0.0.85.110.broad.qz.fj.dynamic.163data.com.cn/16 anywhere
>> 114 5928 DROP all -- any any 0.0.84.110.broad.xm.fj.dynamic.163data.com.cn/16 anywhere
>> 57 2920 DROP all -- any any 0.0.205.121.broad.qz.fj.dynamic.163data.com.cn/16 anywhere
>> 3 152 DROP all -- any any 0.0.76.222.broad.fz.fj.dynamic.163data.com.cn/16 anywhere
>> 48 2496 DROP all -- any any 0.0.87.110.broad.xm.fj.dynamic.163data.com.cn/16 anywhere
>> 35 1804 DROP all -- any any 0.0.78.125.broad.qz.fj.dynamic.163data.com.cn/16 anywhere
>> 45 2340 DROP all -- any any 0.0.32.120.broad.fz.fj.dynamic.163data.com.cn/16 anywhere
>> 24 1216 DROP all -- any any 0.0.83.110.broad.fz.fj.dynamic.163data.com.cn/16 anywhere
>> 284 14312 DROP all -- any any 27.150.0.0/16 anywhere
>> 0 0 DROP all -- any any 0.0.125.76.gs.dail.jqgt.dynamic.163data.com.cn/16 anywhere
>> 185 9424 DROP all -- any any 27.153.0.0/16 anywhere
>> 93 4712 DROP all -- any any 0.0.89.110.broad.pt.fj.dynamic.163data.com.cn/16 anywhere
>> 6 304 DROP all -- any any 0.0.204.121.board.fz.fj.dynamic.163data.com.cn/16 anywhere
>> 0 0 DROP all -- any any 120.36.0.0/16 anywhere
>> 45 2280 DROP all -- any any 0.0.33.120.broad.qz.fj.dynamic.163data.com.cn/16 anywhere
>> 0 0 DROP all -- any any 59.60.0.0/16 anywhere
>> 75 3800 DROP all -- any any 0.0.26.117.broad.qz.fj.dynamic.163data.com.cn/16 anywhere
>> 0 0 DROP all -- any any 0.0.154.27.broad.xm.fj.dynamic.163data.com.cn/16 anywhere
>> 243 12312 DROP all -- any any 0.0.159.27.broad.xm.fj.dynamic.163data.com.cn/16 anywhere
>> 0 0 DROP all -- any any 0.82.30.117.broad.xm.fj.dynamic.163data.com.cn/24 anywhere
>> 0 0 DROP all -- any any 0.29.154.27.broad.xm.fj.dynamic.163data.com.cn/24 anywhere
>> 0 0 DROP all -- any any 0.125.79.222.broad.xm.fj.dynamic.163data.com.cn/24 anywhere
>> 0 0 DROP all -- any any 0.125.79.222.broad.xm.fj.dynamic.163data.com.cn/24 anywhere
>> 0 0 DROP all -- any any 87.125.79.222.broad.xm.fj.dynamic.163data.com.cn anywhere
>>
>> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>> pkts bytes target prot opt in out source destination
>>
>> Chain OUTPUT (policy ACCEPT 93209 packets, 124M bytes)
>> pkts bytes target prot opt in out source destination
>>
>>
>>
>> --
>> Regards, Людмила
>>
>>
>> On 29 September 2014 at 12:17, Alan Holt <berber.it at gmail.com> wrote:
>>
>>> There's an error somewhere; attach the full iptables and the log.
>>> This also happens when the ssh daemon and the firewall chains are
>>> misconfigured.
>>>
>>> Also use /etc/hosts.allow
>>>
>>> 2014-09-29 11:04 GMT+03:00 Людмила Бандурина <bigdogs.ru at gmail.com>:
>>>
>>>> Good afternoon,
>>>>
>>>> No, there are no allow rules in the list, only a few more of the same
>>>> denies for Chinese subnets.
>>>>
>>>> On 28 September 2014 at 20:42, Dmitry Agafonov <agafonovdmitry at gmail.com> wrote:
>>>>
>>>>> Good afternoon!
>>>>>
>>>>> One rule by itself says nothing. Look at the counters and the numbering
>>>>> (-v); maybe nothing matches that rule at all and the traffic is handled by some
>>>>> allow rule higher up the list.
>>>>>
>>>>> On 28 September 2014 at 19:55, Людмила Бандурина <bigdogs.ru at gmail.com> wrote:
>>>>>
>>>>>> Hello everyone!
>>>>>>
>>>>>> In iptables there is:
>>>>>> Chain INPUT (policy ACCEPT)
>>>>>> target prot opt source destination
>>>>>> DROP all -- 122.225.0.0/16 anywhere
>>>>>>
>>>>>> Nevertheless, in the email from logwatch I see
>>>>>>
>>>>>> Illegal users from:
>>>>>> 122.225.109.116: 1 time
>>>>>> 122.225.109.194: 1 time
>>>>>> 122.225.109.195: 1 time
>>>>>> 122.225.109.197: 1 time
>>>>>>
>>>>>> Why? If access is closed by the firewall, these attempts should surely
>>>>>> be in the Refused incoming connections section, shouldn't they?
>>>>>>
>>>>>> --
>>>>>> Regards, Людмила
>>>>>>
>>>>>> --
>>>>>> ubuntu-ru mailing list
>>>>>> ubuntu-ru at lists.ubuntu.com
>>>>>> https://lists.ubuntu.com/mailman/listinfo/ubuntu-ru
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Dmitry Agafonov ~ http://agafonov.pp.ru/
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> Regards, Людмила
>>>>
>>>>
>>>>
>>>
>>>
>>> --
>>> Regards,
>>> Alex Berber
>>> +9 72 54 285 952 3
>>> www.linuxspace.org <http://www.linuxspace.org>
>>>
>>>
>>>
>>
>>
>
>
> --
> Regards, Людмила
>
>
>
--
Regards,
Alex Berber
+9 72 54 285 952 3
www.linuxspace.org <http://www.linuxspace.org>
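The thread turns on two checks: Dmitry Agafonov's point that a single DROP line says nothing until you look at the counters and at whether an earlier rule in INPUT accepts the traffic before the DROP is ever reached, and Alan Holt's point that logwatch should be confirmed against the sshd lines in the log itself. The Python script below is an added example, not code from any participant or from the ubuntu-ru list. It walks a constructed `iptables -L INPUT -v -n` listing in rule order and reports which rule a new inbound SSH connection from a given address would hit, with that rule's packet counter, and then pulls the sshd lines mentioning the same address out of a constructed auth.log excerpt. The sample rules, the sample log lines, the hostname and the function names are all assumptions made here. It also encodes one practical detail: run iptables with -n, because without it iptables reverse-resolves network addresses, which is what turned entries in the listing quoted above into names like 0.0.174.61.dial.tz.zj.dynamic.163data.com.cn/16 (the PTR record of an address such as 61.174.0.0) instead of plain networks.

```python
import ipaddress
import re
import sys

# Constructed sample of `iptables -L INPUT -v -n`; it is NOT the listing from the
# thread, only the shape Dmitry described: an ACCEPT for tcp/22 sits above the
# DROP, so port-22 traffic from 122.225.0.0/16 never reaches the DROP rule.
SAMPLE_IPTABLES = """\
Chain INPUT (policy ACCEPT 74600 packets, 48M bytes)
 pkts bytes target     prot opt in     out     source               destination
  900 60000 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
   12   720 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
   15   600 DROP       all  --  *      *       122.225.0.0/16       0.0.0.0/0
    0     0 DROP       all  --  *      *       175.42.0.0/16        0.0.0.0/0
"""

# Constructed auth.log excerpt (hypothetical hostname "host" and pids).
SAMPLE_AUTH_LOG = """\
Sep 29 03:12:44 host sshd[2231]: Invalid user admin from 122.225.109.116
Sep 29 03:12:46 host sshd[2231]: Received disconnect from 122.225.109.116: 11: Bye Bye [preauth]
Sep 29 03:40:01 host sshd[2410]: Accepted publickey for root from 83.220.237.97 port 51422 ssh2
"""

# One rule row of `iptables -L -v -n`: pkts bytes target prot opt in out src dst [extra]
RULE_RE = re.compile(
    r"^\s*(?P<pkts>\d+[KMG]?)\s+(?P<bytes>\d+[KMG]?)\s+(?P<target>\S+)\s+(?P<prot>\S+)\s+"
    r"(?P<opt>\S+)\s+(?P<in>\S+)\s+(?P<out>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)(?P<extra>.*)$"
)


def _network(field):
    """Turn the source column into a network; fail loudly on reverse-resolved names."""
    if field == "anywhere":
        return ipaddress.ip_network("0.0.0.0/0")
    try:
        return ipaddress.ip_network(field, strict=False)
    except ValueError:
        raise ValueError(
            f"cannot parse source {field!r}; rerun iptables with -n so network "
            "addresses are not reverse-resolved into hostnames"
        ) from None


def parse_chain(listing):
    """Parse the rule rows of one chain, in order, into dicts."""
    rules = []
    for line in listing.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # chain header and column header rows
        rule = m.groupdict()
        rule["extra"] = rule["extra"].strip()
        rule["src_net"] = _network(rule["src"])
        dpt = re.search(r"dpt:(\d+)", rule["extra"])
        rule["dport"] = int(dpt.group(1)) if dpt else None
        st = re.search(r"state (\S+)", rule["extra"])
        rule["states"] = set(st.group(1).split(",")) if st else None
        rules.append(rule)
    return rules


def first_match(rules, src_ip, proto="tcp", dport=22, iface="eth0"):
    """First rule a NEW inbound connection hits, as (index, rule); None means chain policy."""
    ip = ipaddress.ip_address(src_ip)
    for idx, rule in enumerate(rules):
        if ip not in rule["src_net"]:
            continue
        if rule["prot"] not in ("all", proto):
            continue
        if rule["in"] not in ("*", iface):
            continue
        if rule["dport"] is not None and rule["dport"] != dport:
            continue
        # a state match without NEW (e.g. RELATED,ESTABLISHED) never sees the first SYN
        if rule["states"] is not None and "NEW" not in rule["states"]:
            continue
        return idx, rule
    return None


def sshd_lines_from(auth_log, src_ip):
    """sshd log lines that mention exactly this address (what logwatch summarises)."""
    pat = re.compile(r"sshd\[\d+\]:.*\b" + re.escape(src_ip) + r"\b")
    return [line for line in auth_log.splitlines() if pat.search(line)]


def diagnose(listing, auth_log, src_ip, dport=22):
    """Combine both checks for one address reported by logwatch."""
    hit = first_match(parse_chain(listing), src_ip, dport=dport)
    return {
        "rule_index": None if hit is None else hit[0],
        "target": "policy" if hit is None else hit[1]["target"],
        "pkts": None if hit is None else hit[1]["pkts"],
        "sshd_lines": sshd_lines_from(auth_log, src_ip),
    }


if __name__ == "__main__":
    ip = sys.argv[1] if len(sys.argv) > 1 else "122.225.109.116"
    result = diagnose(SAMPLE_IPTABLES, SAMPLE_AUTH_LOG, ip)
    print(f"{ip}: first matching INPUT rule #{result['rule_index']} -> {result['target']} "
          f"(pkts={result['pkts']}); sshd mentions: {len(result['sshd_lines'])}")
    for line in result["sshd_lines"]:
        print("  " + line)
```

Against the constructed sample, 122.225.109.116 on port 22 lands on the ACCEPT for tcp/22 (rule index 1), not on the DROP for 122.225.0.0/16, and the log still has two sshd lines for it: exactly the combination Dmitry described and Alan told the poster to verify. To use it on a real host, replace the two constants with the saved output of `iptables -L INPUT -v -n` and the contents of /var/log/auth.log.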