Table of contents
View directly with the command
Disable SSH password login and enable key login
IP blacklist (not recommended for individual users)
Validation/some other commands
Query the last login time of an IP address
Query the first login time of an IP address
Query the account names most commonly used in failed logins from malicious IPs
environment
- Debian 11 (64-bit)
- Pagoda panel
origin
I found something surprising when I entered the Pagoda panel backend:
my SSH port seems to have been brute-forced by someone trying weak passwords.
Although my password is designed to be very complex,
seeing this thing add thousands of failures a day is still not pleasant.
View the SSH log
I'm not sure why; I set the server up by following online tutorials.
When I type
cat /var/log/auth.log | grep "Failed password"
it shows nothing, as if the file never existed.
I saw some solutions for turning the log on, but I was too lazy to do it.
View directly with the command
So I checked directly with the command
lastb | awk '{ print $3}' | sort | uniq -c | sort -n
109 113.140.8.194
109 45.95.147.218
113 185.224.128.141
118 185.217.1.246
121 170.210.208.108
127 141.98.11.110
134 89.39.246.21
144 167.99.89.165
193 101.42.25.236
209 222.138.252.23
283 104.248.123.223
516 113.195.227.183
518 113.57.92.188
558 157.245.42.2
649 64.227.176.74
682 170.64.150.41
682 170.64.163.254
682 170.64.172.227
682 170.64.188.86
1364 170.64.134.101
1364 170.64.162.66
1364 170.64.171.0
1601 170.64.163.255
1878 61.247.57.24
Look at that! Several IPs have attempted to log in 1000+ times.
Searching the IPs one by one,
they are all already notorious.
Solution
There are three solutions
Disable SSH password login and enable key login
In this column (the SSH settings in the Pagoda panel), enable SSH key login and disable SSH password login.
Disadvantage
The downside is that if you move to a new computer and have no backup of the key, logging in becomes more troublesome.
Change the port (recommended)
Malicious IPs usually scan port 22 across address ranges in bulk to find hosts with SSH login enabled.
If the SSH port is changed, an attacker will normally not spend the time and cost to scan all open ports of the IP and then try each one in turn. Note that this only reduces scanning noise; a full port scan still finds the moved service, so it is best combined with key-only login.
IP blacklist (not recommended for individual users)
Alternatively, you can blacklist the malicious IPs so that they are banned from reaching our address.
Disadvantage
Malicious IPs change, so the blacklist has to be updated frequently.
And because attackers can change their IP addresses, even a frequently updated blacklist still leaves a fairly high probability of being attacked.
Validation/some other commands
Query the last login time of an IP address
lastb | grep <ip-address> | tac
(replace <ip-address> with the address in question). lastb lists the newest entries first, so piping through tac puts the most recent failed attempt at the bottom of the output. This can be used to judge whether the malicious IP has stopped attacking.
Query the first login time of an IP address
lastb | grep <ip-address>
Without tac, the oldest attempt is at the bottom of the output, which shows when the malicious IP started attacking.
Query the account names most commonly used in failed logins from malicious IPs
lastb | awk '{ print $1}' | sort | uniq -c | sort -n
138 jenkins
146 dev
148 centos
150 deploy
150 sftp
154 node
155 user1
164 steam
169 ubnt
180 testuser
194 vagrant
222 dolphins
232 es
243 pi
266 hadoop
272 ftpuser
282 git
400 postgres
438 oracle
452 test
595 user
737 ubuntu
1186 admin
9292 root
You can see that the most-used account names are root and admin.
Therefore, after enabling SSH, you must change the default account and password promptly.
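As an added example (my own code, not from the original post), the per-IP count from the lastb | awk pipeline and the two time queries above are combined into a single awk pass that also reports the account each address tries most often. It assumes the standard lastb line layout and runs on a constructed sample; on a real host you would pipe lastb into it.

```shell
#!/bin/sh
# Added example (not from the original post): one pass over lastb output
# that combines the queries above: failures per source address,
# earliest and latest attempt, and the account each address tries most.
# lastb prints newest entries first, so the first line seen for an address
# is its latest attempt and the last line its earliest.
# Assumed line layout: user tty host day month date time ... (as in lastb).

summarize_lastb() {
    # $1 = minimum number of failures for an address to be reported (default 1)
    awk -v min="${1:-1}" '
        # skip the blank line and the "btmp begins ..." footer lastb appends
        NF < 7 || $1 == "btmp" { next }
        {
            ip = $3; user = $1; when = $4 " " $5 " " $6 " " $7
            count[ip]++
            if (!(ip in latest)) latest[ip] = when
            earliest[ip] = when
            # track which account this address tries most often
            tries[ip SUBSEP user]++
            if (tries[ip SUBSEP user] > topn[ip]) {
                topn[ip] = tries[ip SUBSEP user]; top[ip] = user
            }
        }
        END {
            for (ip in count)
                if (count[ip] >= min)
                    printf "%d %s first=%s last=%s top_user=%s\n", count[ip], ip, earliest[ip], latest[ip], top[ip]
        }' | sort -n
}

# Constructed sample in lastb format (newest first); addresses are
# documentation ranges, not real attackers.
SAMPLE_LASTB='root     ssh:notty    203.0.113.5      Tue Mar  7 10:15 - 10:15  (00:00)
admin    ssh:notty    198.51.100.9     Tue Mar  7 10:14 - 10:14  (00:00)
root     ssh:notty    203.0.113.5      Tue Mar  7 10:13 - 10:13  (00:00)
root     ssh:notty    203.0.113.5      Tue Mar  7 09:50 - 09:50  (00:00)
test     ssh:notty    198.51.100.9     Mon Mar  6 23:01 - 23:01  (00:00)
pi       ssh:notty    192.0.2.77       Mon Mar  6 22:40 - 22:40  (00:00)

btmp begins Mon Mar  6 00:00:01 2023'

# On a real host: lastb | summarize_lastb 100
printf '%s\n' "$SAMPLE_LASTB" | summarize_lastb 2
```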