I set up a Linux box to use as a backup server, and now root password attempts are coming in from all sorts of countries around the world.
Is there no fundamental way to block this?
For now I've dropped ICMP with iptables,
and blocked every IP from the main suspect countries, "China" and "Russia", with iptables.
-------- Reference ------ examples of the attack attempts -------- /var/log/secure file
Aug 12 03:42:30 localhost sshd[15742]: Failed password for root from 202.55.175.236 port 33828 ssh2 ID
Aug 12 03:42:30 localhost sshd[15742]: Received disconnect from 202.55.175.236 port 33828:11: Bye Bye [preauth]
Aug 12 03:42:30 localhost sshd[15742]: Disconnected from 202.55.175.236 port 33828 [preauth]
Aug 12 03:42:37 localhost sshd[15763]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=111.229.33.175 user=root
Aug 12 03:42:37 localhost sshd[15763]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Aug 12 03:42:39 localhost sshd[15763]: Failed password for root from 111.229.33.175 port 50304 ssh2
Aug 12 03:42:39 localhost sshd[15763]: Received disconnect from 111.229.33.175 port 50304:11: Bye Bye [preauth] CN
Aug 12 03:42:39 localhost sshd[15763]: Disconnected from 111.229.33.175 port 50304 [preauth]
Aug 12 03:42:57 localhost sshd[15765]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=106.54.52.35 user=root
Aug 12 03:42:57 localhost sshd[15765]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Aug 12 03:43:00 localhost sshd[15765]: Failed password for root from 106.54.52.35 port 40674 ssh2 CN
Aug 12 03:43:00 localhost sshd[15765]: Received disconnect from 106.54.52.35 port 40674:11: Bye Bye [preauth]
Aug 12 03:43:00 localhost sshd[15765]: Disconnected from 106.54.52.35 port 40674 [preauth]
Aug 12 03:43:00 localhost sshd[15767]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=151.80.173.36 user=root
Aug 12 03:43:00 localhost sshd[15767]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Aug 14 09:16:50 localhost sshd[4369]: Disconnected from 222.99.52.216 port 19521 [preauth] Seongnam, KT
Aug 14 09:16:53 localhost sshd[4371]: reverse mapping checking getaddrinfo for h206-174-214-90.bigpipeinc.com [206.174.214.90] failed - POSSIBLE BREAK-IN ATTEMPT!
Aug 14 09:16:53 localhost sshd[4371]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=206.174.214.90 user=root
Aug 14 09:16:53 localhost sshd[4371]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Aug 14 09:16:55 localhost sshd[4371]: Failed password for root from 206.174.214.90 port 42860 ssh2 CA
Aug 14 09:16:55 localhost sshd[4371]: Received disconnect from 206.174.214.90 port 42860:11: Bye Bye [preauth]
Aug 14 09:16:55 localhost sshd[4371]: Disconnected from 206.174.214.90 port 42860 [preauth]
Aug 14 09:16:56 localhost sshd[4373]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.239.28.177 user=root
Aug 14 09:16:56 localhost sshd[4373]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Aug 14 09:16:58 localhost sshd[4373]: Failed password for root from 222.239.28.177 port 33462 ssh2 Jung-gu, SK Broadband
Aug 14 09:16:58 localhost sshd[4373]: Received disconnect from 222.239.28.177 port 33462:11: Bye Bye [preauth]
Aug 14 09:16:58 localhost sshd[4373]: Disconnected from 222.239.28.177 port 33462 [preauth]
Aug 14 09:17:05 localhost sshd[4377]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=51.ip-51-255-160.eu user=root
Aug 14 09:17:05 localhost sshd[4377]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Aug 14 09:17:07 localhost sshd[4375]: Accepted password for root from 192.168.0.13 port 59086 ssh2
Aug 14 09:17:07 localhost sshd[4375]: pam_unix(sshd:session): session opened for user root by (uid=0)
Aug 14 09:17:07 localhost sshd[4377]: Failed password for root from 51.255.160.51 port 42922 ssh2 FR
Aug 14 09:17:08 localhost sshd[4377]: Received disconnect from 51.255.160.51 port 42922:11: Bye Bye [preauth]
Aug 14 09:17:08 localhost sshd[4377]: Disconnected from 51.255.160.51 port 42922 [preauth]
Aug 14 09:17:17 localhost sshd[4437]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=n058153174086.netvigator.com user=root
Aug 14 09:17:17 localhost sshd[4437]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Aug 14 09:17:19 localhost sshd[4437]: Failed password for root from 58.153.174.86 port 49844 ssh2 HK
Aug 14 09:17:19 localhost sshd[4437]: Received disconnect from 58.153.174.86 port 49844:11: Bye Bye [preauth]
Aug 14 09:17:19 localhost sshd[4437]: Disconnected from 58.153.174.86 port 49844 [preauth]
----------------- iptables settings ------
root@localhost:/etc/rc.d# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
DROP all -- anywhere anywhere state INVALID
ACCEPT tcp -- anywhere anywhere state RELATED,ESTABLISHED
DROP tcp -- 58.75.202.88 anywhere tcp dpt:http state NEW,ESTABLISHED
DROP tcp -- 116.38.215.160 anywhere tcp dpt:http state NEW,ESTABLISHED
DROP tcp -- 203.227.217.158 anywhere tcp dpt:http state NEW,ESTABLISHED
DROP all -- 175.127.42.0/24 anywhere
DROP all -- 175.127.41.0/24 anywhere
DROP all -- 175.127.40.0/24 anywhere
DROP all -- 175.127.39.0/24 anywhere
DROP all -- 203.142.81.0/24 anywhere
ACCEPT tcp -- gateway anywhere tcp dpt:ftp state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:http state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:netbios-ssn state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:microsoft-ds state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:3306 state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:svn state NEW,ESTABLISHED
DROP tcp -- anywhere anywhere tcp dpt:smtp state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:afs3-fileserver state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:afs3-callback state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:irdmi state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:vcom-tunnel state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:cslistener state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:etlservicemgr state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ndmp state NEW,ESTABLISHED
DROP tcp -- anywhere anywhere
DROP icmp -- anywhere anywhere
DROP all -- anywhere anywhere source IP range 1.0.1.0-1.0.3.255
DROP all -- anywhere anywhere source IP range 1.0.8.0-1.0.15.255
DROP all -- anywhere anywhere source IP range 1.0.32.0-1.0.63.255
DROP all -- anywhere anywhere source IP range 1.1.0.0-1.1.0.255
DROP all -- anywhere anywhere source IP range 1.1.2.0-1.1.63.255
DROP all -- anywhere anywhere source IP range 1.2.0.0-1.2.2.255
DROP all -- anywhere anywhere source IP range 1.2.4.0-1.2.127.255
DROP all -- anywhere anywhere source IP range 1.3.0.0-1.3.255.255
DROP all -- anywhere anywhere source IP range 1.4.1.0-1.4.127.255
DROP all -- anywhere anywhere source IP range 1.8.0.0-1.8.255.255
DROP all -- anywhere anywhere source IP range 1.10.0.0-1.10.9.255
DROP all -- anywhere anywhere source IP range 1.10.11.0-1.10.127.255
DROP all -- anywhere anywhere source IP range 1.12.0.0-1.15.255.255
DROP all -- anywhere anywhere source IP range 1.24.0.0-1.31.255.255
DROP all -- anywhere anywhere source IP range 1.45.0.0-1.45.255.255
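An added example, not code from the post above: a small script that reads /var/log/secure-style lines, counts failed root password attempts per source address and prints the iptables rules that would block every source over a threshold. The log lines inside it are constructed, modelled on the excerpt above. Two things visible in the listing decide the shape of the rules. iptables evaluates a chain top to bottom and stops at the first match, and in the INPUT chain as listed the global "ACCEPT tcp dpt:ssh" rule comes before both "DROP tcp" and the long run of country-range DROPs, so those range rules never see an SSH connection at all (only traffic that is neither TCP nor ICMP reaches them). A block rule therefore has to be inserted ahead of that ACCEPT, which is what -I INPUT 1 does. The first rule, "ACCEPT all -- anywhere anywhere", is also worth checking with iptables -L INPUT -v -n --line-numbers: plain iptables -L hides the interface column, and unless that rule is bound to lo it accepts everything before any later rule is consulted.

```shell
#!/bin/sh
# Added example, not code from the original post: count failed root password
# attempts per source IP in /var/log/secure and emit iptables rules that block
# the worst offenders. The sample log lines are constructed, modelled on the
# excerpt in the post.

SAMPLE_SECURE_LOG='Aug 12 03:42:30 localhost sshd[15742]: Failed password for root from 202.55.175.236 port 33828 ssh2
Aug 12 03:42:37 localhost sshd[15763]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=111.229.33.175 user=root
Aug 12 03:42:39 localhost sshd[15763]: Failed password for root from 111.229.33.175 port 50304 ssh2
Aug 12 03:42:41 localhost sshd[15769]: Failed password for root from 111.229.33.175 port 50310 ssh2
Aug 12 03:42:44 localhost sshd[15771]: Failed password for root from 111.229.33.175 port 50317 ssh2
Aug 12 03:42:46 localhost sshd[15773]: Failed password for root from 111.229.33.175 port 50325 ssh2
Aug 12 03:43:00 localhost sshd[15765]: Failed password for root from 106.54.52.35 port 40674 ssh2
Aug 14 09:17:07 localhost sshd[4375]: Accepted password for root from 192.168.0.13 port 59086 ssh2
Aug 14 09:17:19 localhost sshd[4437]: Failed password for root from 58.153.174.86 port 49844 ssh2
Aug 14 09:17:21 localhost sshd[4439]: Failed password for root from 58.153.174.86 port 49851 ssh2
Aug 14 09:17:24 localhost sshd[4441]: Failed password for root from 58.153.174.86 port 49859 ssh2'

# failed_root_by_ip THRESHOLD
# Reads sshd log text on stdin and prints "count ip", highest count first,
# for every source with at least THRESHOLD "Failed password for root" lines.
# pam_unix and "Accepted" lines are ignored, so a successful LAN login is
# never counted against its source.
failed_root_by_ip() {
    awk -v min="$1" '
        /sshd\[[0-9]+\]: Failed password for root from / {
            for (i = 1; i < NF; i++) if ($i == "from") fails[$(i + 1)]++
        }
        END { for (ip in fails) if (fails[ip] >= min) print fails[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# ban_rules
# Reads "count ip" lines and prints one iptables command per attacker.
# "-I INPUT 1" inserts at the top of the chain: iptables stops at the first
# matching rule, so a DROP appended with -A after "ACCEPT tcp dpt:ssh" would
# never see a new SSH connection. RFC 1918 and loopback sources are skipped
# so a mistyped threshold cannot lock the LAN out.
ban_rules() {
    while read -r count ip; do
        case "$ip" in
            10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*|127.*) continue ;;
        esac
        printf 'iptables -I INPUT 1 -s %s -m comment --comment "%s failed root logins" -j DROP\n' "$ip" "$count"
    done
}

# Stand-alone run: show who would be banned at a threshold of 3 failures.
printf '%s\n' "$SAMPLE_SECURE_LOG" | failed_root_by_ip 3 | ban_rules
```

To run it against the real file, replace the last line with something like grep sshd /var/log/secure | failed_root_by_ip 5 | ban_rules | sh. This is the same logic fail2ban's sshd jail applies, with the difference that fail2ban also removes the rule again after a ban time; a list of individually banned addresses that is never pruned keeps growing, and, as the later replies point out, the scanning comes from everywhere, so per-address blocks are a supplement to restricting who can reach the SSH port at all, not a substitute for it.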

Even after you build a firewall, whatever is going to get through will get through, so you have to keep spending money to update the firewall software..
Besides that, as a supplementary measure, there's also the option of changing the server's IP from time to time..

Just rename the root account.
Set up a "guard post"(?) server and pass through it after authenticating..
That's about the best an individual can do.. considering the updates and paid costs of a firewall too..
Only through that server can the main server be reached... it's like a firewall.
Since it's a hassle for an individual to set up and keep managing a firewall or the like,
you put a gatekeeper server in front that you connect to.. it is connected directly to the real server, and only the gatekeeper server takes the load.
It's just the idea of adding one more server.. for connectivity you just connect the servers to each other..

It's simple.
First, change the SSH port,
for example to something like 8291.
Second,
allow SSH connections only from internal IPs and the specific IPs you connect from.
They usually scan 22 first, so if someone connects on 22 and tries anything odd, I register them in the firewall as a blocked IP for one week.
Occasionally I slip up myself and have to switch on my phone's LTE, but changing the port alone keeps the logs clean.
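An added example, not code from either reply: the iptables rules for the scheme in the reply above (real sshd on a non-default port, reachable only from the LAN and a few fixed addresses; port 22 left open as a decoy, and any source that touches it refused for a week), generated by a small shell function. The allowlist is also where the "gatekeeper server" idea from the earlier reply fits: list the gatekeeper's address and the real server accepts SSH from nothing else. The week-long ban uses the iptables recent match (xt_recent), which keeps the list of trapped addresses with a timestamp inside the kernel, so no cron job or log parsing is needed. The port 8291, the LAN range 192.168.0.0/24 and the documentation address 203.0.113.10 standing in for "your" public IP are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the original replies: generate the iptables
# rules for "real SSH on a non-default port, allowlisted sources only, port 22
# as a decoy that bans for a week". The rules are printed, not applied, so
# they can be reviewed (or piped to sh) on the server.

BAN_SECONDS=604800   # one week, as in the reply

# ssh_trap_rules REAL_PORT ALLOWED_SRC [ALLOWED_SRC...]
# Prints the rules in the order they must be applied. Returns non-zero and
# prints nothing if the real port is invalid or is 22 itself, or if no allowed
# source is given, because applying such a set would lock you out.
ssh_trap_rules() {
    port="$1"; shift
    case "$port" in
        ''|*[!0-9]*) echo "ssh_trap_rules: port must be numeric" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ] || [ "$port" -eq 22 ]; then
        echo "ssh_trap_rules: real port must be 1-65535 and not 22" >&2; return 1
    fi
    if [ "$#" -eq 0 ]; then
        echo "ssh_trap_rules: refusing an empty allowlist (it would lock you out)" >&2; return 1
    fi
    # 1. Allowlisted sources reach the real port first, so a LAN or VPN address
    #    that trips the decoy by mistake never loses SSH.
    for src in "$@"; do
        printf 'iptables -A INPUT -p tcp --dport %s -s %s -j ACCEPT\n' "$port" "$src"
    done
    # 2. Anyone the decoy recorded within BAN_SECONDS is dropped on every port,
    #    not just SSH: a scanner that touched 22 gets nothing else either.
    printf 'iptables -A INPUT -m recent --name sshtrap --rcheck --seconds %s -j DROP\n' "$BAN_SECONDS"
    # 3. The decoy: record the source of each new connection to 22, then drop it.
    printf 'iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --name sshtrap --set -j DROP\n'
    # 4. The real port is closed to everyone not allowlisted above.
    printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$port"
}

# Stand-alone run: sshd on 8291, the LAN plus one fixed public address
# (203.0.113.10 is a documentation address standing in for "your" IP).
ssh_trap_rules 8291 192.168.0.0/24 203.0.113.10
```

The rules are printed with -A, so they only work in a chain where no earlier rule already accepts the traffic; against the INPUT chain listed in the question, rule 1 "ACCEPT all" and the "ACCEPT tcp dpt:ssh" rule would both win first, so either insert these ahead of them or rebuild the chain. Pipe the output through sh only after the Port line in /etc/ssh/sshd_config has been changed to match and a second session on the new port has been confirmed. The trapped addresses can be inspected in /proc/net/xt_recent/sshtrap; xt_recent keeps only ip_list_tot entries per list (100 by default), so on an internet-facing host raise it with an options line in /etc/modprobe.d, or the oldest entries are evicted long before the week is up. The trap only cuts the noise: what makes guessing root's password futile is PermitRootLogin no (or prohibit-password) together with key-only authentication in sshd_config.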

I'm on a public IP too, and after changing only the SSH port the attempts dropped off sharply, so I just figured that was that..
Looks like they hit random ports as well.
Impressive, haha.

They are port-scanning every public IPv4 address in the world.
There's no specific target; they just run it hoping anything at all gets caught.
Open SSH to the LAN only and connect over a VPN.
Using a VPN is the most efficient approach.