记一次主机入侵攻防大战：firewalld防火墙指定的IP段的端口访问控制

一、背景

一大早来公司，登录那台暴露在外网的服务器，登录成功的时候，看到160000+次登录失败的记录，看到这个我和我的小伙伴们都惊呆了，是谁那么执着？小伙伴还开玩笑说是不是谁跟你有世仇啊，这么搞你！来活了，我的服务器我做主，搞起，who怕who？

二、具体操作

1、last看一下是否有异常ip及账户登录记录.

[root@DCGH ~]# last -100ivandu pts/0 139.130.99.123 Tue Apr 24 20:53 still logged in ivandu pts/0 139.129.0.194Tue Apr 24 19:13 - 19:35 (00:21) ivandu pts/1 139.129.0.194Tue Apr 24 18:02 - 19:35 (01:33) ivandu pts/1 139.129.0.194Tue Apr 24 11:30 - 14:24 (02:53) ivandu pts/0 139.129.0.194Tue Apr 24 11:11 - 14:24 (03:13) reboot system boot 3.10.0-693.17.1. Tue Apr 24 11:10 - 21:45 (10:34) ivandu pts/2 139.129.0.194Tue Apr 24 11:04 - 11:04 (00:00) ivandu pts/1 139.129.0.194Tue Apr 24 10:26 - 11:10 (00:44) rootpts/0 139.129.0.194Tue Apr 24 10:19 - down (00:51) reboot system boot 3.10.0-693.17.1. Tue Apr 24 10:18 - 11:10 (00:51).....省略一些

全是熟悉的IP，没有异常！很好！

2.创建新用户，用于切换到root来操作，也可以用命令visudo给该用户配置相关的sudo权限，本例中就直接用此账户su到root了(此处可以参见我之前的加固及sodu相关的文章)。

[root@CLDevOps ~]# useradd -M ivandu[root@CLDevOps ~]# passwd ivanduChanging password for user ivandu.New password: BAD PASSWORD: The password is shorter than 7 charactersRetype new password: passwd: all authentication tokens updated successfully.

3.禁止root账户通过ssh来远程登录，编辑/etc/ssh/sshd_config，禁止root用户登录。

[root@CLDevOps ~]# sed -i "/^PermitRootLogin/c\PermitRootLogin no" /etc/ssh/sshd_config[root@CLDevOps ~]# systemctl restart sshd

4.退出root登录，使用新建用户ivandu来登录。此处为了再次还原当时的处置过程新建的用户ivandu，本人一直有禁止root登录的习惯，希望大家也养成这样的习惯。

Could not chdir to home directory /home/ivandu: No such file or directory-bash-4.2$ su - rootPassword: Last login: Tue Apr 24 21:47:54 CST on pts/0Last failed login: Tue Apr 24 22:12:33 CST from 42.7.26.88 on ssh:nottyThere were 403 failed login attempts since the last successful login.

大家看一下，是不是非常疯狂!一会儿的功夫，又是几百次登录尝试。

5.开始防火墙设置，添加指定网段对ssh所用的端口访问权限。

[root@CLDevOps ~]# firewall-cmd --permanent --add-rich-rule="rule family="ipv4" source address="139.130.99.0/24" port protocol="tcp" port="22" accept"success[root@CLDevOps ~]# firewall-cmd --permanent --add-rich-rule="rule family="ipv4" source address="139.129.0.0/24" port protocol="tcp" port="22" accept"success

6.移除原来firewalld中ssh相关规则，重载firewalld。

[root@CLDevOps ~]# firewall-cmd --permanent --remove-service=sshsuccess[root@CLDevOps ~]# firewall-cmd --reloadsuccess

7.现在可以看一下，指定网段外的ip的22端口是否同，我找了另一台阿里云的机器试了一下，效果如下：

[root@heynick ~]# telnet 106.99.233.115 22Trying 106.99.233.115...telnet: connect to address 167.99.233.15: No route to host

8.继续看戏，看一下日志。

[root@CLDevOps ~]# journalctl -exApr 24 22:30:29 CLDevOps sshd[20475]: Failed password for root from 42.7.26.88 port 31228 ssh2Apr 24 22:30:30 CLDevOps unix_chkpwd[20516]: password check failed for user (root)Apr 24 22:30:30 CLDevOps sshd[20475]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"Apr 24 22:30:31 CLDevOps unix_chkpwd[20517]: password check failed for user (root)Apr 24 22:30:31 CLDevOps sshd[20479]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.218.198.159 user=rootApr 24 22:30:31 CLDevOps sshd[20479]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"Apr 24 22:30:32 CLDevOps sshd[20475]: Failed password for root from 42.7.26.88 port 31228 ssh2Apr 24 22:30:33 CLDevOps unix_chkpwd[20518]: password check failed for user (root)Apr 24 22:30:33 CLDevOps sshd[20475]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"Apr 24 22:30:33 CLDevOps sshd[20479]: Failed password for root from 58.218.198.159 port 26800 ssh2Apr 24 22:30:35 CLDevOps sshd[20475]: Failed password for root from 42.7.26.88 port 31228 ssh2Apr 24 22:30:35 CLDevOps sshd[20475]: error: maximum authentication attempts exceeded for root from 42.7.26.88 port 31228 ssh2 [preauth]Apr 24 22:30:35 CLDevOps sshd[20475]: Disconnecting: Too many authentication failures [preauth]Apr 24 22:30:35 CLDevOps sshd[20475]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=42.7.26.88 user=rootApr 24 22:30:35 CLDevOps sshd[20475]: PAM service(sshd) ignoring max retries; 6 > 3Apr 24 22:30:38 CLDevOps sshd[20479]: Received disconnect from 58.218.198.159 port 26800:11: [preauth]Apr 24 22:30:38 CLDevOps sshd[20479]: Disconnected from 58.218.198.159 port 26800 [preauth]

依然还是辣么疯狂！变着ip来搞我呢！早上还换着用户呢!哈哈！

当然我这台机器上的服务监听的其他端口我也是开放着的，那些就没必要怕了，遇到情况另当别论。

9.如果别人只用固定ip来攻击咱，我们单独封锁那个ip就行啦，命令这样的，下面我们来试一下封锁ip：58.218.198.159

[root@CLDevOps ~]# firewall-cmd --permanent --add-rich-rule="rule family="ipv4" source address="58.218.198.159" port protocol="tcp" port="22" drop"success[root@CLDevOps ~]# firewall-cmd --reloadsuccess[root@CLDevOps ~]# firewall-cmd --list-rich-rulerule family="ipv4" source address="139.130.99.0/24" port port="22" protocol="tcp" acceptrule family="ipv4" source address="139.129.0.0/24" port port="22" protocol="tcp" acceptrule family="ipv4" source address="58.218.198.159" port port="22" protocol="tcp" drop

三、总结

1.要养成良好的习惯，不要干啥只会用root！

2.设置一个复杂度比较高的密码。

3.安全加固很有必要。

如果觉得《记一次主机入侵攻防大战：firewalld防火墙指定的IP段的端口访问控制》对你有帮助，请点赞、收藏，并留下你的观点哦！