A simple way to protect ssh on FreeBSD from bot brute-forcing

So, if in your logs (I get these notifications by e-mail; on FreeBSD the daily periodic(8) security report mails login failures to root) you see:
…Jul 30 23:57:12 bsd sshd[12924]: Invalid user plcmspip from 206.104.0.206…
then someone is trying to break into your server by guessing passwords. In my case it was most likely a bot, since there were several dozen guesses every night, i.e. a slow brute force.
What lands in the logs:
Jul 30 23:57:10 bsd sshd[12922]: Invalid user PlcmSpIp from 206.104.0.206
Jul 30 23:57:12 bsd sshd[12924]: Invalid user plcmspip from 206.104.0.206
Jul 30 23:57:14 bsd sshd[12926]: Invalid user plcmspip from 206.104.0.206
Jul 30 23:57:16 bsd sshd[12928]: Invalid user db2inst1 from 206.104.0.206
Jul 30 23:57:18 bsd sshd[12930]: Invalid user dasusr1 from 206.104.0.206
Jul 30 23:57:20 bsd sshd[12932]: Invalid user ts from 206.104.0.206
Jul 30 23:57:22 bsd sshd[12934]: Invalid user TeamSpeak from 206.104.0.206
Jul 30 23:57:24 bsd sshd[12936]: Invalid user ts from 206.104.0.206
Jul 30 23:57:25 bsd sshd[12938]: Invalid user teamspeak from 206.104.0.206
Jul 30 23:57:27 bsd sshd[12940]: Invalid user TeamSpeak from 206.104.0.206
Jul 30 23:57:29 bsd sshd[12942]: Invalid user hlds1 from 206.104.0.206
Jul 30 23:57:31 bsd sshd[12944]: Invalid user hlds1 from 206.104.0.206
Jul 30 23:57:33 bsd sshd[12946]: Invalid user hlds1 from 206.104.0.206
Jul 30 23:57:35 bsd sshd[12948]: Invalid user hlds1 from 206.104.0.206
Jul 30 23:57:36 bsd sshd[12950]: Invalid user hlds1 from 206.104.0.206
Jul 30 23:57:38 bsd sshd[12952]: Invalid user bsoft from 206.104.0.206
Jul 30 23:57:40 bsd sshd[12954]: Invalid user ssn from 206.104.0.206
Jul 30 23:57:42 bsd sshd[12956]: Invalid user dtedrick from 206.104.0.206
Jul 30 23:57:44 bsd sshd[12958]: Invalid user Br0nw3n from 206.104.0.206
Jul 30 23:57:46 bsd sshd[12960]: Invalid user cyrus from 206.104.0.206
Jul 30 23:57:48 bsd sshd[12962]: Invalid user cyrus from 206.104.0.206
Jul 30 23:57:49 bsd sshd[12964]: Invalid user cyrus from 206.104.0.206
Jul 30 23:57:51 bsd sshd[12966]: Invalid user cyrus from 206.104.0.206
Jul 30 23:57:53 bsd sshd[12968]: Invalid user cyrus from 206.104.0.206
Jul 30 23:57:55 bsd sshd[12970]: Invalid user cyrus from 206.104.0.206
Jul 30 23:57:57 bsd sshd[12972]: Invalid user cyrus from 206.104.0.206
Jul 30 23:57:59 bsd sshd[12974]: Invalid user cyrus from 206.104.0.206
Jul 30 23:58:01 bsd sshd[12976]: Invalid user cyrus from 206.104.0.206
Jul 30 23:58:02 bsd sshd[12978]: Invalid user cyrus from 206.104.0.206
Jul 30 23:58:04 bsd sshd[12980]: Invalid user cyrus from 206.104.0.206
Jul 30 23:58:06 bsd sshd[12982]: Invalid user cyrus from 206.104.0.206
Jul 30 23:58:08 bsd sshd[12984]: Invalid user cyrus from 206.104.0.206
Jul 30 23:58:10 bsd sshd[12986]: Invalid user cvs from 206.104.0.206
Jul 30 23:58:12 bsd sshd[12988]: Invalid user cvs from 206.104.0.206
Jul 30 23:58:14 bsd sshd[12990]: Invalid user cvs from 206.104.0.206
Jul 30 23:58:15 bsd sshd[12992]: Invalid user cvs from 206.104.0.206
Jul 30 23:58:17 bsd sshd[12994]: Invalid user cvs from 206.104.0.206
Jul 30 23:58:19 bsd sshd[12996]: Invalid user cvs from 206.104.0.206
Jul 30 23:58:21 bsd sshd[12998]: Invalid user majordom from 206.104.0.206
Jul 30 23:58:23 bsd sshd[13000]: Invalid user temp from 206.104.0.206
Jul 30 23:58:25 bsd sshd[13002]: Invalid user temp from 206.104.0.206
Jul 30 23:58:27 bsd sshd[13004]: Invalid user temp from 206.104.0.206
Jul 30 23:58:28 bsd sshd[13006]: Invalid user temp from 206.104.0.206
Jul 30 23:58:30 bsd sshd[13008]: Invalid user temp from 206.104.0.206
Jul 30 23:58:32 bsd sshd[13010]: Invalid user temp from 206.104.0.206
Jul 30 23:58:34 bsd sshd[13012]: Invalid user temp from 206.104.0.206
Jul 30 23:58:36 bsd sshd[13014]: Invalid user temp from 206.104.0.206
Jul 30 23:58:38 bsd sshd[13016]: Invalid user temp from 206.104.0.206
Jul 30 23:58:40 bsd sshd[13018]: Invalid user temp from 206.104.0.206
Jul 30 23:58:42 bsd sshd[13020]: Invalid user temp from 206.104.0.206
Jul 30 23:58:43 bsd sshd[13022]: Invalid user temp from 206.104.0.206
Jul 30 23:58:45 bsd sshd[13024]: Invalid user temp from 206.104.0.206
Jul 30 23:58:47 bsd sshd[13026]: Invalid user temp from 206.104.0.206
Jul 30 23:58:49 bsd sshd[13028]: Invalid user temp from 206.104.0.206
Jul 30 23:58:51 bsd sshd[13030]: Invalid user temp from 206.104.0.206
Jul 30 23:58:53 bsd sshd[13032]: Invalid user temp from 206.104.0.206
Jul 30 23:58:55 bsd sshd[13034]: Invalid user temp from 206.104.0.206
Jul 30 23:58:56 bsd sshd[13036]: Invalid user temp from 206.104.0.206
Jul 30 23:58:58 bsd sshd[13038]: Invalid user temp from 206.104.0.206
Jul 30 23:59:00 bsd sshd[13040]: Invalid user temp from 206.104.0.206
Jul 30 23:59:02 bsd sshd[13042]: Invalid user temp from 206.104.0.206
Jul 30 23:59:04 bsd sshd[13044]: Invalid user temp from 206.104.0.206
Jul 30 23:59:06 bsd sshd[13046]: Invalid user temp from 206.104.0.206
Jul 30 23:59:08 bsd sshd[13048]: Invalid user install from 206.104.0.206
Jul 30 23:59:10 bsd sshd[13050]: Invalid user install from 206.104.0.206
Jul 30 23:59:11 bsd sshd[13052]: Invalid user install from 206.104.0.206
Jul 30 23:59:13 bsd sshd[13054]: Invalid user install from 206.104.0.206
Jul 30 23:59:15 bsd sshd[13056]: Invalid user install from 206.104.0.206
Jul 30 23:59:17 bsd sshd[13058]: Invalid user install from 206.104.0.206
Jul 30 23:59:19 bsd sshd[13060]: Invalid user install from 206.104.0.206
Jul 30 23:59:21 bsd sshd[13062]: Invalid user install from 206.104.0.206
Jul 30 23:59:22 bsd sshd[13064]: Invalid user install from 206.104.0.206
Jul 30 23:59:24 bsd sshd[13066]: Invalid user install from 206.104.0.206
Jul 30 23:59:26 bsd sshd[13068]: Invalid user install from 206.104.0.206
Jul 30 23:59:28 bsd sshd[13070]: Invalid user install from 206.104.0.206
Jul 30 23:59:30 bsd sshd[13072]: Invalid user install from 206.104.0.206
Jul 30 23:59:32 bsd sshd[13074]: Invalid user install from 206.104.0.206
Jul 30 23:59:34 bsd sshd[13076]: Invalid user install from 206.104.0.206
Jul 30 23:59:35 bsd sshd[13078]: Invalid user install from 206.104.0.206
Jul 30 23:59:37 bsd sshd[13080]: Invalid user install from 206.104.0.206
Jul 30 23:59:39 bsd sshd[13082]: Invalid user install from 206.104.0.206
Jul 30 23:59:41 bsd sshd[13084]: Invalid user install from 206.104.0.206
Jul 30 23:59:43 bsd sshd[13086]: Invalid user install from 206.104.0.206
Jul 30 23:59:45 bsd sshd[13088]: Invalid user install from 206.104.0.206
Jul 30 23:59:47 bsd sshd[13090]: Invalid user install from 206.104.0.206
Jul 30 23:59:49 bsd sshd[13092]: Invalid user install from 206.104.0.206
Jul 30 23:59:50 bsd sshd[13094]: Invalid user install from 206.104.0.206
Jul 30 23:59:52 bsd sshd[13096]: Invalid user ts from 206.104.0.206
Jul 30 23:59:54 bsd sshd[13098]: Invalid user ts from 206.104.0.206
Jul 30 23:59:56 bsd sshd[13100]: Invalid user ts from 206.104.0.206
Jul 30 23:59:59 bsd sshd[13102]: Invalid user ts from 206.104.0.206
...
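To make a source like the one above stand out without reading the log by hand, here is an added example (not part of the original post) that counts sshd authentication failures per source address over a whole day's log; counting over the full day rather than per minute is what catches a slow brute force of a few dozen attempts per night. On FreeBSD the input would be /var/log/auth.log; here a small log is constructed inline (five lines copied from the post, two made-up ones using documentation addresses) so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the original post: per-source counting of sshd
# login failures, the same signal the post's e-mail report is based on.

# write_sample_log FILE: constructed sample input. The first five lines are
# from the post; 198.51.100.7 and 192.0.2.10 are documentation addresses,
# made up here, not real attackers.
write_sample_log() {
    cat > "$1" <<'EOF'
Jul 30 23:57:10 bsd sshd[12922]: Invalid user PlcmSpIp from 206.104.0.206
Jul 30 23:57:12 bsd sshd[12924]: Invalid user plcmspip from 206.104.0.206
Jul 30 23:57:16 bsd sshd[12928]: Invalid user db2inst1 from 206.104.0.206
Jul 30 23:57:20 bsd sshd[12932]: Invalid user ts from 206.104.0.206
Jul 30 23:57:22 bsd sshd[12934]: Invalid user TeamSpeak from 206.104.0.206
Jul 31 03:12:01 bsd sshd[13200]: Failed password for root from 198.51.100.7 port 51022 ssh2
Jul 31 09:00:03 bsd sshd[13210]: Accepted publickey for admin from 192.0.2.10 port 40012 ssh2
EOF
}

# brute_force_sources LOGFILE THRESHOLD
# Prints "count ip", busiest first, for every source with at least THRESHOLD
# failures. Both "Invalid user ..." (unknown account) and "Failed password
# for ..." (known account, wrong password) count; successful logins do not.
brute_force_sources() {
    awk -v th="$2" '
        /sshd\[[0-9]+\]: (Invalid user|Failed password for)/ {
            # the source address is the word after "from"
            for (i = 1; i < NF; i++)
                if ($i == "from") { fails[$(i + 1)]++; break }
        }
        END {
            for (ip in fails)
                if (fails[ip] >= th) printf "%d %s\n", fails[ip], ip
        }' "$1" | sort -rn
}

# usernames_tried LOGFILE IP: distinct account names IP guessed, for triage
# (service accounts such as cyrus, cvs or teamspeak are a typical bot list).
usernames_tried() {
    awk -v ip="$2" '
        /Invalid user/ {
            for (i = 2; i < NF; i++)
                if ($i == "from" && $(i + 1) == ip) print $(i - 1)
        }' "$1" | LC_ALL=C sort -u
}

# Demo when run directly
log=$(mktemp) || exit 1
write_sample_log "$log"
echo "sources with 3 or more failures:"
brute_force_sources "$log" 3
echo "account names tried by 206.104.0.206:"
usernames_tried "$log" 206.104.0.206
rm -f "$log"
```

Feed it yesterday's auth.log and a threshold that suits your traffic; anything the first function prints is a candidate for a firewall block, and the second function shows whether the source is working through a service-account wordlist (as 206.104.0.206 does above) or targeting a real account.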

We'll fix it the banal way: by changing the ssh port (simple, but it helps).
Let's look at the two ways ssh can be started.

1) via inetd: /etc/rc.conf contains inetd_enable="YES" and the ssh line in /etc/inetd.conf is uncommented. inetd looks the port up by service name, so in /etc/services replace the lines:
ssh 22/tcp #Secure Shell Login
ssh 22/udp #Secure Shell Login

with (this is only an example; use any unused port):
ssh 1234/tcp #Secure Shell Login
ssh 1234/udp #Secure Shell Login

Keep in mind that /etc/services is system-wide: netstat and sockstat will from now on show port 1234 as "ssh" and port 22 by number. Now make inetd reread its configuration (a SIGHUP is enough, no full restart needed):
killall -HUP inetd

2) ssh runs as a standalone daemon, i.e. /etc/rc.conf contains sshd_enable="YES".
In that case add this line to /etc/ssh/sshd_config:
Port 1234
sshd_config accepts more than one Port line, so you can keep Port 22 next to it until the new port is confirmed working. Check the file with sshd -t, and if you run pf or ipfw, open the new port there first, otherwise you will lock yourself out. Then restart the daemon (FreeBSD has no /etc/init.d; the rc script is /etc/rc.d/sshd, and on newer releases service sshd restart does the same):
/etc/rc.d/sshd restart
Bear in mind that active ssh sessions may drop after the restart. Keep your current session open and reconnect from a second terminal on the new port, 1234, before closing it.
This is the simplest way to get rid of the bot, but it will probably not help against nmap or another smart port scanner, which finds the service anyway; for that there are other little tools in ports 😉 (security/sshguard, or blacklistd(8) in the base system from FreeBSD 11 on, block a source after repeated failures), and turning off password logins in favour of keys (PasswordAuthentication no) takes the guessing off the table entirely.
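To rehearse both variants before touching the live system, here is an added example (not from the original post) that performs the two edits above on copies of the files, so it can be run anywhere. It assumes the post's example port 1234 and constructs small stand-ins for /etc/services and /etc/ssh/sshd_config; on the real host, point the two functions at the actual paths. Variant 2 deliberately leaves Port 22 in place next to the new port, which sshd_config allows, so you can log in on the new port from a second terminal and only then drop 22 and restart again.

```shell
#!/bin/sh
# Added example, not from the original post: stage the ssh port change on
# copies of the config files. 1234 is the port the post uses as its example.

# set_services_port SERVICES NEWPORT  (variant 1, ssh started by inetd)
# Rewrites only the "ssh" entries; every other line is left as it is.
set_services_port() {
    tmp="$1.tmp.$$"
    awk -v p="$2" '
        $1 == "ssh" && $2 ~ /^[0-9]+\/(tcp|udp)$/ {
            new = $2; sub(/^[0-9]+/, p, new)   # "22/tcp" -> "1234/tcp"
            sub($2, new)                       # replace in $0, keeping the tabs
        }
        { print }' "$1" > "$tmp" && mv "$tmp" "$1"
}

# set_sshd_ports CONFIG NEWPORT  (variant 2, standalone sshd)
# Drops every existing numeric Port directive, active or commented out, and
# makes sshd listen on both 22 and NEWPORT. Running it twice gives the same
# result, so it is safe to re-run.
set_sshd_ports() {
    tmp="$1.tmp.$$"
    awk '!/^[[:space:]]*#?[[:space:]]*[Pp][Oo][Rr][Tt][[:space:]]+[0-9]+[[:space:]]*$/' \
        "$1" > "$tmp"
    printf 'Port 22\nPort %s\n' "$2" >> "$tmp"
    mv "$tmp" "$1"
}

# sshd_ports CONFIG: the ports sshd will bind with this config, one per line
sshd_ports() {
    awk 'tolower($1) == "port" { print $2 }' "$1"
}

# Demo on constructed copies of the two files
svc=$(mktemp) || exit 1
cfg=$(mktemp) || exit 1
printf 'ssh\t22/tcp\t#Secure Shell Login\nssh\t22/udp\t#Secure Shell Login\nhttp\t80/tcp\t#World Wide Web\n' > "$svc"
printf '#Port 22\nPermitRootLogin no\nPasswordAuthentication yes\n' > "$cfg"
set_services_port "$svc" 1234
set_sshd_ports "$cfg" 1234
echo "--- services:"; cat "$svc"
echo "--- sshd will listen on:"; sshd_ports "$cfg"
rm -f "$svc" "$cfg"
# On the live host, before restarting: sshd -t (config check) and a pf/ipfw
# rule for the new port, then /etc/rc.d/sshd restart (or killall -HUP inetd
# for variant 1).
```

Once a login on 1234 works, remove the Port 22 line by hand (or change the printf in set_sshd_ports) and restart sshd once more; until then the old port stays reachable as a fallback.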
