[Linux-Biella] CentOS 7.5 ssh access hardening
ioan maxim
ioan.maxim78 a gmail.com
Wed 23 May 2018 23:59:28 CEST
2018-05-23 20:54 GMT+02:00 <vallini.daniele a bilug.it>:
>
> I'll pass you a small executable that gives you a basic firewall service,
> also for port 22.
>
> After each change you restart this executable and everything starts over,
> revised and corrected.
>
> After a while you can remove the old dropped IPs, because usually they
> don't come back.
>
> The good Luca Savio, whom unfortunately we rarely see now, taught me this
> and set it up for me.
seems to work :)
I added 3 IPs to the iptables rules
iptables -I INPUT -s 58.218.198.168 -j DROP # block IP 58.218.198.168
iptables -I INPUT -s 197.52.232.4 -j DROP # block IP 197.52.232.4
iptables -I INPUT -s 124.127.156.238 -j DROP # block IP 124.127.156.238
Before doing it with your script I had to struggle a bit... I had to rebuild
the whole VPS..
This evening, when I got home, I found with lsof -i:
sshd 3773 root 3u IPv4 66980 0t0 TCP MYVPS.COM:ssh->58.218.198.168:18476 (ESTABLISHED)
sshd 3774 sshd 3u IPv4 66980 0t0 TCP MYVPS.COM:ssh->58.218.198.168:18476 (ESTABLISHED)
sshd 3775 root 3u IPv4 67002 0t0 TCP MYVPS.COM:ssh->58.218.198.168:18464 (ESTABLISHED)
sshd 3776 sshd 3u IPv4 67002 0t0 TCP MYVPS.COM:ssh->58.218.198.168:18464 (ESTABLISHED)
He had managed to get in somehow, I don't know how.
Now I've disabled password login, I only use the ssh key and don't
log in as root.
Now the situation seems calmer...
Is there anyone who can explain to me what fail2ban.log is telling me?
2018-05-23 21:33:11,873 fail2ban.server [1478]: INFO Stopping all jails
2018-05-23 21:33:12,228 fail2ban.actions [1478]: NOTICE [sshd] Unban 58.218.198.168
2018-05-23 21:33:12,333 fail2ban.action [1478]: ERROR iptables -w -n -L INPUT | grep -q 'f2b-sshd[ \t]' -- stdout: ''
2018-05-23 21:33:12,333 fail2ban.action [1478]: ERROR iptables -w -n -L INPUT | grep -q 'f2b-sshd[ \t]' -- stderr: ''
2018-05-23 21:33:12,333 fail2ban.action [1478]: ERROR iptables -w -n -L INPUT | grep -q 'f2b-sshd[ \t]' -- returned 1
2018-05-23 21:33:12,333 fail2ban.CommandAction [1478]: ERROR Invariant check failed. Trying to restore a sane environment
2018-05-23 21:33:12,651 fail2ban.action [1478]: ERROR iptables -w -D f2b-sshd -s 58.218.198.168 -j REJECT --reject-with icmp-port-unreachable -- stdout: ''
2018-05-23 21:33:12,651 fail2ban.action [1478]: ERROR iptables -w -D f2b-sshd -s 58.218.198.168 -j REJECT --reject-with icmp-port-unreachable -- stderr: 'iptables: No chain/target/match by that name.\n'
2018-05-23 21:33:12,651 fail2ban.action [1478]: ERROR iptables -w -D f2b-sshd -s 58.218.198.168 -j REJECT --reject-with icmp-port-unreachable -- returned 1
2018-05-23 21:33:12,651 fail2ban.actions [1478]: ERROR Failed to execute unban jail 'sshd' action 'iptables-multiport' info '{'matches': '2018-05-23T20:49:30.795682vps59025 sshd[2543]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.218.198.168 user=root2018-05-23T20:49:30.965821vps59025 sshd[2541]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.218.198.168 user=root2018-05-23T20:49:32.642905vps59025 sshd[2543]: Failed password for root from 58.218.198.168 port 54503 ssh22018-05-23T20:49:32.813045vps59025 sshd[2541]: Failed password for root from 58.218.198.168 port 54491 ssh22018-05-23T20:49:34.726678vps59025 sshd[2543]: Failed password for root from 58.218.198.168 port 54503 ssh22018-05-23T20:49:35.371472vps59025 sshd[2541]: Failed password for root from 58.218.198.168 port 54491 ssh22018-05-23T20:49:36.557326vps59025 sshd[2543]: Failed password for root from 58.218.198.168 port 54503 ssh22018-05-23T20:49:37.199796vps59025 sshd[2541]: Failed password for root from 58.218.198.168 port 54491 ssh22018-05-23T20:49:59.264486vps59025 sshd[2549]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.218.198.168 user=root2018-05-23T20:49:59.270134vps59025 sshd[2547]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.218.198.168 user=root2018-05-23T20:50:01.427663vps59025 sshd[2549]: Failed password for root from 58.218.198.168 port 30919 ssh22018-05-23T20:50:01.433254vps59025 sshd[2547]: Failed password for root from 58.218.198.168 port 30853 ssh22018-05-23T20:50:03.840734vps59025 sshd[2547]: Failed password for root from 58.218.198.168 port 30853 ssh22018-05-23T20:50:03.841797vps59025 sshd[2549]: Failed password for root from 58.218.198.168 port 30919 ssh22018-05-23T20:50:06.651850vps59025 sshd[2547]: Failed password for root from 58.218.198.168 port 30853 ssh22018-05-23T20:50:06.658040vps59025 sshd[2549]: Failed password for root from 58.218.198.168 port 30919 ssh2', 'ip': '58.218.198.168', 'time': 1527110911.789388, 'failures': 16}': Error unbanning 58.218.198.168
2018-05-23 21:33:12,829 fail2ban.jail [1478]: INFO Jail 'sshd' stopped
2018-05-23 21:33:12,837 fail2ban.server [1478]: INFO Stopping all jails
2018-05-23 21:33:12,838 fail2ban.server [1478]: INFO Exiting Fail2ban
2018-05-23 21:33:13,013 fail2ban.server [1582]: INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.9.7
2018-05-23 21:33:13,013 fail2ban.database [1582]: INFO Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
2018-05-23 21:33:13,015 fail2ban.jail [1582]: INFO Creating new jail 'sshd'
2018-05-23 21:33:13,027 fail2ban.jail [1582]: INFO Jail 'sshd' uses systemd {}
2018-05-23 21:33:13,040 fail2ban.jail [1582]: INFO Initiated 'systemd' backend
2018-05-23 21:33:13,041 fail2ban.filter [1582]: INFO Set maxRetry = 2
2018-05-23 21:33:13,042 fail2ban.filter [1582]: INFO Set jail log file encoding to UTF-8
2018-05-23 21:33:13,042 fail2ban.actions [1582]: INFO Set banTime = 21600
2018-05-23 21:33:13,042 fail2ban.filter [1582]: INFO Set findtime = 600
2018-05-23 21:33:13,043 fail2ban.filter [1582]: INFO Set maxlines = 10
2018-05-23 21:33:13,097 fail2ban.filtersystemd [1582]: INFO Added journal match for: '_SYSTEMD_UNIT=sshd.service + _COMM=sshd'
2018-05-23 21:33:13,107 fail2ban.filter [1582]: INFO [sshd] Found 124.127.156.238
2018-05-23 21:33:13,109 fail2ban.filter [1582]: INFO [sshd] Found 197.52.232.4
2018-05-23 21:33:13,115 fail2ban.jail [1582]: INFO Jail 'sshd' started
2018-05-23 21:33:13,231 fail2ban.actions [1582]: NOTICE [sshd] Ban 58.218.198.168
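Added example (not code from the post or from fail2ban itself): a small Python parser for the fail2ban v0.9.7 log format quoted above that pulls out the ban/unban events, the jail settings and the error messages, and turns them into the plain-language reading the question asks for. The sample lines are a constructed subset of the records in the post, re-joined onto one line each; the reading of the unban error (the f2b-sshd chain already missing when fail2ban stopped) is an interpretation of those lines, not something the post states.

```python
import re
# Constructed sample: some of the fail2ban v0.9.7 records quoted in the post,
# re-joined onto one line each (the mail client had wrapped them).
SAMPLE_LOG = r"""
2018-05-23 21:33:12,228 fail2ban.actions [1478]: NOTICE [sshd] Unban 58.218.198.168
2018-05-23 21:33:12,333 fail2ban.action [1478]: ERROR iptables -w -n -L INPUT | grep -q 'f2b-sshd[ \t]' -- returned 1
2018-05-23 21:33:12,333 fail2ban.CommandAction [1478]: ERROR Invariant check failed. Trying to restore a sane environment
2018-05-23 21:33:12,651 fail2ban.action [1478]: ERROR iptables -w -D f2b-sshd -s 58.218.198.168 -j REJECT --reject-with icmp-port-unreachable -- stderr: 'iptables: No chain/target/match by that name.\n'
2018-05-23 21:33:13,041 fail2ban.filter [1582]: INFO Set maxRetry = 2
2018-05-23 21:33:13,042 fail2ban.actions [1582]: INFO Set banTime = 21600
2018-05-23 21:33:13,042 fail2ban.filter [1582]: INFO Set findtime = 600
2018-05-23 21:33:13,231 fail2ban.actions [1582]: NOTICE [sshd] Ban 58.218.198.168
"""

# One record: "<date> <time>,<ms> <component> [<pid>]: <LEVEL> <message>"
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) "
                     r"(?P<component>fail2ban\.\w+)\s+\[(?P<pid>\d+)\]: "
                     r"(?P<level>[A-Z]+)\s+(?P<msg>.*)$")
EVENT_RE = re.compile(r"^\[(?P<jail>[^\]]+)\] (?P<action>Ban|Unban) (?P<ip>\S+)$")
SETTING_RE = re.compile(r"^Set (?P<key>\w+) = (?P<value>\d+)$")

def parse_fail2ban_log(text):
    """Group the records into ban/unban events, jail settings and error messages."""
    summary = {"events": [], "settings": {}, "errors": []}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # blank line or a wrapped continuation fragment
        msg = m.group("msg")
        ev, st = EVENT_RE.match(msg), SETTING_RE.match(msg)
        if ev:
            summary["events"].append((m.group("ts"), ev["jail"], ev["action"], ev["ip"]))
        elif st:
            summary["settings"][st["key"]] = int(st["value"])
        elif m.group("level") == "ERROR":
            summary["errors"].append(msg)
    return summary

def explain(summary):
    """Plain-language reading of the parsed records, as the post asks for."""
    notes = []
    if any("No chain/target/match by that name" in e for e in summary["errors"]):
        notes.append("unban failed: the f2b-sshd chain was already gone from iptables (rules "
                     "flushed or reloaded outside fail2ban); harmless, the chain is rebuilt on restart")
    s = summary["settings"]
    if {"maxRetry", "findtime", "banTime"} <= s.keys():
        notes.append(f"policy: {s['maxRetry']} failures within {s['findtime']}s bans the "
                     f"source for {s['banTime']}s ({s['banTime'] // 3600}h)")
    notes += [f"{ts} [{jail}] {action} {ip}" for ts, jail, action, ip in summary["events"]]
    return notes
```

Running `explain(parse_fail2ban_log(open("/var/log/fail2ban.log").read()))` on a real log gives the same four kinds of line for each jail.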