Part 1: SSH protection

Let's start with the classic topic of SSH protection. After all, if a scanner bot takes over your server's SSH before anyone even DDoSes it, everything that follows is moot, right 233. Of course, if you're already logging in with an SSH key you can skip this part; here's a short note on what to do if you log in with a password.

Change the default SSH port

If you're using the default port 22 with password login, the following command shows the brute-force attempts from scanner bots:

journalctl _SYSTEMD_UNIT=ssh.service

To keep the default port from being scanned and brute-forced, let's first change the default SSH port:

sudo nano /etc/ssh/sshd_config

Look for the following lines:

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

Uncomment the #Port 22 line and change 22 to the port you want (assumed to be 12345 here), then save and exit nano.

If you currently have any firewall installed and enabled, whether ufw/iptables/nftables, first confirm that the new port 12345 is not blocked by it: allow that port first, then restart the SSH service:

sudo systemctl restart sshd

The terminal that is already connected will not be dropped, and don't get itchy fingers and close it first, because if port 12345 turns out to be unreachable your only rescue is VNC (assuming you have it). From your terminal, try opening a new SSH connection on port 12345; if it connects, you can close the old terminal window, and the port change is done.

Install Fail2Ban

Install fail2ban and its dependencies:

apt install fail2ban python3-systemd

Create the file with nano /etc/fail2ban/fail2ban.local and turn on IPv6 support:

# /etc/fail2ban/fail2ban.local

[DEFAULT]
allowipv6 = auto

Create the fail2ban configuration with nano /etc/fail2ban/jail.local; if you're curious about the parts I don't explain, feed them to GPT:

# /etc/fail2ban/jail.local

[DEFAULT]
# Debian 12 has no log files, just journalctl
backend = systemd
# If you have mailx configured, replace [email protected] with the mailbox where you want to receive alert mails
destemail = [email protected]
# Sender address
sender    = [email protected]
# Default action. Will block user and send you an email with whois content and log lines.
action    = %(action_mwl)s
# ignoreip can be a list of IP addresses, CIDR masks, or DNS hosts.
# Fail2ban will not ban a host which matches an address in this list.
# Consider adding your own whitelisted IPs here
ignoreip = 127.0.0.1/8 ::1/128

# configure nftables
banaction = nftables-multiport
chain     = input

# regular banning
bantime = 24h
findtime = 600
maxretry = 3

# "bantime.increment" allows to use database for searching of previously banned ip's to increase a
# default ban time using special formula, default it is banTime * 1, 2, 4, 8, 16, 32...
bantime.increment = true
# "bantime.rndtime" is the max number of seconds using for mixing with random time
# to prevent "clever" botnets calculate exact time IP can be unbanned again:
bantime.rndtime = 30m
# "bantime.maxtime" is the max number of seconds using the ban time can reach (don't grows further)
bantime.maxtime = 60d
# "bantime.factor" is a coefficient to calculate exponent growing of the formula or common multiplier,
# default value of factor is 1 and with default value of formula, the ban time
# grows by 1, 2, 4, 8, 16 ...
bantime.factor = 2

# purge database entries after
dbpurgeage = 30d

[sshd]
mode      = aggressive
enabled   = true
backend   = systemd
# Remember to replace 12345 with your actual SSH port
port      = 12345
maxretry  = 3

# Repeat offenders: if the same IP shows up as banned twice in fail2ban.log, ban it for good
[recidive]
backend = auto
logpath  = /var/log/fail2ban.log
enabled = true
maxretry = 2
# Without this line recidive inherits bantime = 1w from the stock jail.conf; -1 makes the ban permanent
bantime = -1
banaction = nftables-allports

Save the file and restart the fail2ban service to apply the new configuration:

systemctl restart fail2ban
systemctl status fail2ban

To test, ideally use another spare VPS and run from its SSH session:

ssh -p 12345 root@<ip of the VPS where you configured fail2ban>

Then deliberately type the wrong password three times in a row and check whether you get banned; if you do, fail2ban is working.
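As an added example (not from the original post), here is a small Python script that does by hand what the [sshd] jail above does automatically: it parses constructed sshd journal lines, applies the findtime/maxretry window to decide which IPs would be banned, and shows how the escalating ban time grows toward bantime.maxtime. The log lines are constructed, and the growth model (bantime multiplied by factor^n, rndtime jitter omitted) is my simplification of fail2ban's bantime.formula, not its exact internals.

```python
import re
from datetime import datetime, timedelta

# Values taken from the jail.local on this page (hard-coded here, not read from the file).
FINDTIME = timedelta(seconds=600)
MAXRETRY = 3
BANTIME = timedelta(hours=24)
FACTOR = 2
MAXTIME = timedelta(days=60)

# Constructed sample of what `journalctl _SYSTEMD_UNIT=ssh.service` prints for password failures.
SAMPLE_JOURNAL = """\
Jan 10 12:00:01 vps sshd[1001]: Failed password for root from 203.0.113.7 port 51234 ssh2
Jan 10 12:00:05 vps sshd[1001]: Failed password for root from 203.0.113.7 port 51234 ssh2
Jan 10 12:03:00 vps sshd[1002]: Failed password for invalid user admin from 198.51.100.9 port 40000 ssh2
Jan 10 12:04:10 vps sshd[1003]: Failed password for root from 203.0.113.7 port 51300 ssh2
Jan 10 12:30:00 vps sshd[1004]: Failed password for root from 198.51.100.9 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.:a-fA-F]+) port \d+"
)

def parse_failures(journal: str, year: int = 2024):
    """Yield (timestamp, ip) for every failed-password line; other lines are ignored."""
    for line in journal.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"]

def ips_to_ban(journal: str):
    """Sliding window like fail2ban: MAXRETRY failures within FINDTIME trigger a ban."""
    window = {}   # ip -> timestamps of failures still inside the window
    banned = []
    for ts, ip in parse_failures(journal):
        hits = [t for t in window.get(ip, []) if ts - t <= FINDTIME] + [ts]
        window[ip] = hits
        if len(hits) >= MAXRETRY and ip not in banned:
            banned.append(ip)
    return banned

def ban_durations(count: int):
    """Ban length for the n-th ban of a repeat offender: BANTIME * FACTOR**n, capped at MAXTIME."""
    return [min(BANTIME * FACTOR ** n, MAXTIME) for n in range(count)]

if __name__ == "__main__":
    print("would ban:", ips_to_ban(SAMPLE_JOURNAL))
    print("ban days:", [d.days for d in ban_durations(8)])
```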

Extra check: if nftables is already running on your box at this point (we haven't configured it yet), run nft list ruleset to see the active rules; you'll see a reject rule similar to this:

table inet f2b-table {
	set addr-set-sshd {
		type ipv4_addr
		elements = { <banned VPS IPs> }
	}

	chain input {
		type filter hook input priority filter - 1; policy accept;
		tcp dport 12345 ip saddr @addr-set-sshd reject with icmp port-unreachable
	}
}

How to unban manually:

# Use the following command to enter interactive mode
fail2ban-client -i

# In interactive mode
status sshd

# This prints something like the following
Status for the jail: ssh
|- Filter
|  |- Currently failed: 0
|  |- Total failed: 6
|  `- File list:    /var/log/auth.log
`- Actions
   |- Currently banned: 1
   |- Total banned: 2
   `- Banned IP list:   1.2.3.4

# Enter the unban command
set sshd unbanip 1.2.3.4

# Leave interactive mode
quit
