I have a server that never had any ssh IP filtering rules set up, so it gets scanned constantly. Today I am going to look at which wretched things keep scanning it and block them.
Here is my server environment:
- Ubuntu 20.04 LTS
ssh authentication logs are recorded in /var/log/auth.log (before Ubuntu 16.04 it seems to have been /var/log/secure).
Failed authentication log lines generally come in two formats:
Apr 8 01:01:56 localhost sshd[1157060]: Failed password for lp from 80.94.92.67 port 60382 ssh2
Apr 8 22:21:12 localhost sshd[1659929]: Failed password for invalid user lhw from 80.94.92.65 port 60382 ssh2
The first is a valid username with a wrong password; the second is a username that does not exist either. Filter for each of the two formats separately:
$ cat /var/log/auth.log | grep 'Failed password for invalid user' | awk '{print $13}' | sort | uniq
$ cat /var/log/auth.log | grep 'Failed password for' | grep -v 'invalid user' | awk '{print $11}' | sort | uniq
That gives every IP address that has attempted to brute-force the server;
then just block them with a security-group rule.
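As an added example (not from the original post), here is a small shell script that handles both log formats in one pass and counts attempts per source IP, matching on the "from <ip> port" pattern instead of a fixed awk field number; the sample log lines are constructed, and failed_ssh_ips / make_sample_log are hypothetical helper names.

```shell
#!/bin/sh
# Added example, not from the original post: pull the source IPs out of sshd
# "Failed password" lines (both the valid-user and "invalid user" formats) in
# one pass, matching on "from <ip> port" rather than a fixed awk field number,
# and count attempts per IP so the noisiest sources show up first.

# failed_ssh_ips LOGFILE -> lines of "<count> <ip>", most attempts first
failed_ssh_ips() {
    grep 'sshd\[[0-9]*\]: Failed password for ' "$1" \
        | sed -n 's/.* from \([0-9.]*\) port [0-9]* ssh2.*/\1/p' \
        | sort | uniq -c | sort -rn \
        | awk '{print $1, $2}'
}

# make_sample_log PATH -> writes constructed auth.log-style lines (hypothetical
# data for the demo; the "Accepted" line shows that successful logins are ignored)
make_sample_log() {
    cat > "$1" <<'EOF'
Apr  8 01:01:56 localhost sshd[1157060]: Failed password for lp from 80.94.92.67 port 60382 ssh2
Apr  8 22:21:12 localhost sshd[1659929]: Failed password for invalid user lhw from 80.94.92.65 port 60382 ssh2
Apr  8 22:21:15 localhost sshd[1659931]: Failed password for invalid user admin from 80.94.92.67 port 60390 ssh2
Apr  8 22:30:00 localhost sshd[1659940]: Accepted publickey for deploy from 10.0.0.5 port 50000 ssh2
EOF
}

# Demo run against the constructed sample; on a real host point it at /var/log/auth.log
tmp=$(mktemp)
make_sample_log "$tmp"
failed_ssh_ips "$tmp"
rm -f "$tmp"
```

The count column shows which sources are worth blocking first.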