I set up a Linux box as a backup server, and now root password attempts are coming in from all over the world.
Is there any fundamental way to block this?
For now I have dropped ICMP with iptables,
and blocked every IP from the main suspect countries, "China" and "Russia", with iptables.
-------- Reference ------ Example hacking attempts -------- /var/log/secure file
Aug 12 03:42:30 localhost sshd[15742]: Failed password for root from 202.55.175.236 port 33828 ssh2 ID
Aug 12 03:42:30 localhost sshd[15742]: Received disconnect from 202.55.175.236 port 33828:11: Bye Bye [preauth]
Aug 12 03:42:30 localhost sshd[15742]: Disconnected from 202.55.175.236 port 33828 [preauth]
Aug 12 03:42:37 localhost sshd[15763]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=111.229.33.175 user=root
Aug 12 03:42:37 localhost sshd[15763]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Aug 12 03:42:39 localhost sshd[15763]: Failed password for root from 111.229.33.175 port 50304 ssh2
Aug 12 03:42:39 localhost sshd[15763]: Received disconnect from 111.229.33.175 port 50304:11: Bye Bye [preauth] CN
Aug 12 03:42:39 localhost sshd[15763]: Disconnected from 111.229.33.175 port 50304 [preauth]
Aug 12 03:42:57 localhost sshd[15765]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=106.54.52.35 user=root
Aug 12 03:42:57 localhost sshd[15765]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Aug 12 03:43:00 localhost sshd[15765]: Failed password for root from 106.54.52.35 port 40674 ssh2 CN
Aug 12 03:43:00 localhost sshd[15765]: Received disconnect from 106.54.52.35 port 40674:11: Bye Bye [preauth]
Aug 12 03:43:00 localhost sshd[15765]: Disconnected from 106.54.52.35 port 40674 [preauth]
Aug 12 03:43:00 localhost sshd[15767]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=151.80.173.36 user=root
Aug 12 03:43:00 localhost sshd[15767]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Aug 14 09:16:50 localhost sshd[4369]: Disconnected from 222.99.52.216 port 19521 [preauth] 성남 KT
Aug 14 09:16:53 localhost sshd[4371]: reverse mapping checking getaddrinfo for h206-174-214-90.bigpipeinc.com [206.174.214.90] failed - POSSIBLE BREAK-IN ATTEMPT!
Aug 14 09:16:53 localhost sshd[4371]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=206.174.214.90 user=root
Aug 14 09:16:53 localhost sshd[4371]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Aug 14 09:16:55 localhost sshd[4371]: Failed password for root from 206.174.214.90 port 42860 ssh2 CA
Aug 14 09:16:55 localhost sshd[4371]: Received disconnect from 206.174.214.90 port 42860:11: Bye Bye [preauth]
Aug 14 09:16:55 localhost sshd[4371]: Disconnected from 206.174.214.90 port 42860 [preauth]
Aug 14 09:16:56 localhost sshd[4373]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.239.28.177 user=root
Aug 14 09:16:56 localhost sshd[4373]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Aug 14 09:16:58 localhost sshd[4373]: Failed password for root from 222.239.28.177 port 33462 ssh2 중구 SK브로드밴드
Aug 14 09:16:58 localhost sshd[4373]: Received disconnect from 222.239.28.177 port 33462:11: Bye Bye [preauth]
Aug 14 09:16:58 localhost sshd[4373]: Disconnected from 222.239.28.177 port 33462 [preauth]
Aug 14 09:17:05 localhost sshd[4377]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=51.ip-51-255-160.eu user=root
Aug 14 09:17:05 localhost sshd[4377]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Aug 14 09:17:07 localhost sshd[4375]: Accepted password for root from 192.168.0.13 port 59086 ssh2
Aug 14 09:17:07 localhost sshd[4375]: pam_unix(sshd:session): session opened for user root by (uid=0)
Aug 14 09:17:07 localhost sshd[4377]: Failed password for root from 51.255.160.51 port 42922 ssh2 FR
Aug 14 09:17:08 localhost sshd[4377]: Received disconnect from 51.255.160.51 port 42922:11: Bye Bye [preauth]
Aug 14 09:17:08 localhost sshd[4377]: Disconnected from 51.255.160.51 port 42922 [preauth]
Aug 14 09:17:17 localhost sshd[4437]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=n058153174086.netvigator.com user=root
Aug 14 09:17:17 localhost sshd[4437]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Aug 14 09:17:19 localhost sshd[4437]: Failed password for root from 58.153.174.86 port 49844 ssh2 HK
Aug 14 09:17:19 localhost sshd[4437]: Received disconnect from 58.153.174.86 port 49844:11: Bye Bye [preauth]
Aug 14 09:17:19 localhost sshd[4437]: Disconnected from 58.153.174.86 port 49844 [preauth]
----------------- iptables settings ------
root@localhost:/etc/rc.d# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
DROP all -- anywhere anywhere state INVALID
ACCEPT tcp -- anywhere anywhere state RELATED,ESTABLISHED
DROP tcp -- 58.75.202.88 anywhere tcp dpt:http state NEW,ESTABLISHED
DROP tcp -- 116.38.215.160 anywhere tcp dpt:http state NEW,ESTABLISHED
DROP tcp -- 203.227.217.158 anywhere tcp dpt:http state NEW,ESTABLISHED
DROP all -- 175.127.42.0/24 anywhere
DROP all -- 175.127.41.0/24 anywhere
DROP all -- 175.127.40.0/24 anywhere
DROP all -- 175.127.39.0/24 anywhere
DROP all -- 203.142.81.0/24 anywhere
ACCEPT tcp -- gateway anywhere tcp dpt:ftp state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:http state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:netbios-ssn state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:microsoft-ds state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:3306 state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:svn state NEW,ESTABLISHED
DROP tcp -- anywhere anywhere tcp dpt:smtp state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:afs3-fileserver state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:afs3-callback state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:irdmi state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:vcom-tunnel state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:cslistener state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:etlservicemgr state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ndmp state NEW,ESTABLISHED
DROP tcp -- anywhere anywhere
DROP icmp -- anywhere anywhere
DROP all -- anywhere anywhere source IP range 1.0.1.0-1.0.3.255
DROP all -- anywhere anywhere source IP range 1.0.8.0-1.0.15.255
DROP all -- anywhere anywhere source IP range 1.0.32.0-1.0.63.255
DROP all -- anywhere anywhere source IP range 1.1.0.0-1.1.0.255
DROP all -- anywhere anywhere source IP range 1.1.2.0-1.1.63.255
DROP all -- anywhere anywhere source IP range 1.2.0.0-1.2.2.255
DROP all -- anywhere anywhere source IP range 1.2.4.0-1.2.127.255
DROP all -- anywhere anywhere source IP range 1.3.0.0-1.3.255.255
DROP all -- anywhere anywhere source IP range 1.4.1.0-1.4.127.255
DROP all -- anywhere anywhere source IP range 1.8.0.0-1.8.255.255
DROP all -- anywhere anywhere source IP range 1.10.0.0-1.10.9.255
DROP all -- anywhere anywhere source IP range 1.10.11.0-1.10.127.255
DROP all -- anywhere anywhere source IP range 1.12.0.0-1.15.255.255
DROP all -- anywhere anywhere source IP range 1.24.0.0-1.31.255.255
DROP all -- anywhere anywhere source IP range 1.45.0.0-1.45.255.255
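Rather than blocking whole countries by hand, the log excerpt above already contains everything needed to pick out the sources that are actually guessing passwords. The script below is an added example, not part of the original post: it counts "Failed password" lines per source address, skips a constructed LAN allowlist (192.168.0.), and prints the iptables commands that would drop further SSH connection attempts from the worst offenders. The SAMPLE_LOG lines are constructed test data in the /var/log/secure format shown above; on a real host pipe the log file in instead.

```shell
#!/bin/sh
# Added example, not from the original post: summarise "Failed password"
# lines from an sshd log, count attempts per source address, and list the
# sources over a threshold. SAMPLE_LOG is constructed test data; on a real
# host run:  failed_by_ip < /var/log/secure

SAMPLE_LOG='Aug 12 03:42:30 localhost sshd[15742]: Failed password for root from 202.55.175.236 port 33828 ssh2
Aug 12 03:42:39 localhost sshd[15763]: Failed password for root from 111.229.33.175 port 50304 ssh2
Aug 12 03:43:00 localhost sshd[15765]: Failed password for root from 106.54.52.35 port 40674 ssh2
Aug 12 03:43:05 localhost sshd[15769]: Failed password for root from 111.229.33.175 port 50310 ssh2
Aug 12 03:43:09 localhost sshd[15771]: Failed password for invalid user admin from 111.229.33.175 port 50312 ssh2
Aug 12 03:43:12 localhost sshd[15773]: Failed password for root from 202.55.175.236 port 33840 ssh2
Aug 14 09:17:07 localhost sshd[4375]: Accepted password for root from 192.168.0.13 port 59086 ssh2
Aug 14 09:17:09 localhost sshd[4380]: Failed password for root from 192.168.0.13 port 59090 ssh2
Aug 14 09:17:15 localhost sshd[4382]: Failed password for root from 192.168.0.13 port 59094 ssh2'

# Prefix of addresses that must never be auto-blocked (constructed: the LAN).
ALLOWLIST="192.168.0."

# failed_by_ip: read sshd log lines on stdin, print "count ip" for every
# source that produced a "Failed password" line, highest count first.
# Only sshd's own lines are matched, so unrelated "from" strings are ignored.
failed_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
            # the source address is the field right after "from"
            for (i = 1; i <= NF; i++) { if ($i == "from") n[$(i+1)]++ }
         }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# offenders THRESHOLD: IPs with at least THRESHOLD failures, minus the allowlist
offenders() {
    failed_by_ip | awk -v t="$1" -v allow="$ALLOWLIST" \
        '$1 >= t && index($2, allow) != 1 { print $2 }'
}

# block_commands THRESHOLD: emit (not run) the iptables rules that would drop
# new SSH connections from each offender. Review them before applying, and
# expire them (cron / at) rather than leaving permanent rules behind.
block_commands() {
    offenders "$1" | while read -r ip; do
        printf 'iptables -I INPUT -p tcp --dport 22 -s %s -m conntrack --ctstate NEW -j DROP\n' "$ip"
    done
}

# Stand-alone run: summarise the sample and show what would be blocked
printf '%s\n' "$SAMPLE_LOG" | failed_by_ip
printf '%s\n' "$SAMPLE_LOG" | block_commands 2
```

On the sample data the LAN host 192.168.0.13 has two failures but is never listed, which is the point of the allowlist: an automated blocker that can lock out your own network is worse than no blocker. The same counting logic, run from cron over the last few thousand lines of the log, is essentially what fail2ban does for you with expiry built in.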
Even with a firewall in place, it gets breached when it gets breached, so you have to keep spending money updating the firewall software..
As a supplementary measure, you can also change the server's IP from time to time..
Just rename the root account
Set up a "guard booth" (?) server and go through it after authenticating..
That is the best an individual can do.. once you factor in firewall updates and the paid costs..
Only through that server can the main server be reached... it is like a firewall
It is a hassle for an individual to set up and manage a firewall or the like;
You put a gatekeeper server in front of the server.. connect it directly to that server, and only the gatekeeper server takes the load;
It is simply the idea of building one more server.. you connect the servers to each other..
It is simple
First, change the SSH port
For example to something like 8291
Second,
Allow SSH only from the internal network and from the specific IPs that connect
They usually scrape 22 first, so when something connects to 22 and tries anything odd, register it in the firewall as a one-week block.
Sometimes I slip up and turn on LTE on my phone, but just changing the port keeps the logs clear.
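The two replies above (move the port, allow SSH only from known sources, and watch what still hits 22) amount to a sshd_config drop-in plus a handful of iptables rules. The script below is an added example and not code from anyone in the thread: it generates both as text for review. Port 8291, the user name "backup" and the networks 192.168.0.0/24 and 203.0.113.10/32 are constructed values. It also adds the settings that actually stop password guessing rather than just hiding it: no root login, no password authentication, key-only.

```shell
#!/bin/sh
# Added example, not from any reply in the thread: produce the sshd drop-in
# and firewall rules for "new port + allowlisted sources + watch port 22".
# Port 8291, the user "backup" and the networks passed below are constructed.
# Nothing is applied; the output is meant to be reviewed and then copied into
# /etc/ssh/sshd_config.d/ and the firewall script.

# valid_port PORT: unprivileged range and not the default 22, else return 1
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ] && [ "$1" -ne 22 ]
}

# sshd_hardening PORT: sshd_config drop-in. Moving the port only reduces the
# noise; the settings after it are what actually close password guessing.
sshd_hardening() {
    valid_port "$1" || { echo "bad port: $1" >&2; return 1; }
    cat <<EOF
Port $1
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
LoginGraceTime 20
AllowUsers backup
EOF
}

# ssh_firewall_rules PORT CIDR...: iptables commands that accept new SSH
# connections on PORT only from the listed networks, log (rate-limited, for
# the blocklist script) and drop whatever still probes 22, and drop every
# other new connection to PORT.
ssh_firewall_rules() {
    port="$1"; shift
    valid_port "$port" || return 1
    for net in "$@"; do
        printf 'iptables -A INPUT -p tcp --dport %s -s %s -m conntrack --ctstate NEW -j ACCEPT\n' "$port" "$net"
    done
    printf 'iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m limit --limit 6/min -j LOG --log-prefix "SSH22-PROBE "\n'
    printf 'iptables -A INPUT -p tcp --dport 22 -j DROP\n'
    printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$port"
}

# Stand-alone run with the constructed values
sshd_hardening 8291
ssh_firewall_rules 8291 192.168.0.0/24 203.0.113.10/32
```

Two things to check before applying the output against the chain shown in the question. First, iptables processes rules in order and -A appends at the end, so the existing "ACCEPT tcp ... dpt:ssh" rule would match every connection to 22 before the new LOG and DROP rules are reached; delete it first. Second, plain iptables -L hides interface matches, so confirm with iptables -L -v -n that the leading "ACCEPT all -- anywhere anywhere" rule is restricted to the loopback interface and is not accepting everything from the outside. Keep the current session open while restarting sshd on the new port, and test a fresh connection from an allowlisted address before closing it.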
I also use a public IP, and just changing the SSH port cut the attempts way down, so I figured that was that..
Looks like they come in hitting random ports too
Impressive, yikes
They are port scanning every public IPv4 address in the world.
There is no specific target; they just run it hoping anything at all will hit.
Open SSH only to the LAN and connect over a VPN.
Using a VPN is the most efficient way.