web-dev-qa-db-ja.com

logwatchからこのログでシステムを侵害しようとする試みは何千回もありますか?

メールでレポートを送信するようにシステムを設定しています。 1つのログレポートを投稿しています(以下を参照)。このログは、何千もの侵入が試みられていることを示しています。

質問:

  1. denyhostsfail2banをインストールしましたが、IPをブロックしないのはなぜですか?
  2. このようにログに表示されるIPを禁止/ブラックリストに登録する方法はありますか?

  3. このような攻撃に対してどのような手順を実行できますか?

    注:sshdがログに記録され、何千回ものログイン試行が行われるIPアドレスがあることに注意してください。

  4. 「最大再試行を無視する」と表示されるのはなぜですか。「最大再試行」を無視しないように設定できますか?

注:私のシステムはFedora20です

サンプルログ

################### Logwatch 7.4.0 (03/01/11) ####################
        Processing Initiated: Tue Sep 16 03:35:07 2014
        Date Range Processed: yesterday
                              ( 2014-Sep-15 )
                              Period is day.
        Detail Level of Output: 0
        Type of Output/Format: mail / text
        Logfiles for Host: Hostname
 ##################################################################

 --------------------- Kernel Begin ------------------------

 WARNING:  Segmentation Faults in these executables
    polkitd :  2 Time(s)

 WARNING:  General Protection Faults in these executables
    traps: polkitd :  6 Time(s)

 WARNING:  Kernel Errors Present
    INFO: recovery required on readonly filesyste ...:  1 Time(s)
    ata2.00: failed to IDENTIFY (I/O error, err_mask=0x100) ...:  14 Time(s)
    ata2.00: failed to IDENTIFY (I/O error, err_mask=0x4) ...:  8 Time(s)
    ata2.00: irq_stat 0x08000000, interface fatal error ...:  10 Time(s)
    ata2: SError: { CommWake DevE ...:  52 Time(s)
    ata2: SError: { LinkSeq } ...:  8 Time(s)
    ata2: SError: { UnrecovData L ...:  2 Time(s)
    res 50/00:03:00:08:00/00:00:00:00:00/a0 Emask 0x10 (ATA bus error) ...:  5 Time(s)

 ---------------------- Kernel End -------------------------


 --------------------- pam_unix Begin ------------------------

 sshd:
    Authentication Failures:
       root (219.138.135.64): 3850 Time(s)
       root (122.225.103.125): 1016 Time(s)
       root (122.225.109.106): 256 Time(s)
       root (122.225.109.205): 194 Time(s)
       root (122.225.109.208): 183 Time(s)
       root (122.225.109.216): 178 Time(s)
       unknown (122.225.109.208): 63 Time(s)
       unknown (122.225.109.106): 57 Time(s)
       unknown (122.225.109.216): 54 Time(s)
       unknown (122.225.109.205): 22 Time(s)
       unknown (113.106.88.235): 14 Time(s)
       bin (113.106.88.235): 1 Time(s)
       nagios (113.106.88.235): 1 Time(s)
       Tomcat (113.106.88.235): 1 Time(s)
    Invalid Users:
       Unknown Account: 210 Time(s)
    Unknown Entries:
       service(sshd) ignoring max retries; 6 > 3: 945 Time(s)
       service(sshd) ignoring max retries; 5 > 3: 29 Time(s)
       service(sshd) ignoring max retries; 4 > 3: 6 Time(s)

 su:
    Authentication Failures:
       UserName(1000) -> root: 1 Time(s)
    Sessions Opened:
       UserName -> root: 6 Time(s)

 systemd-user:
    Unknown Entries:
       session opened for user UserName by (uid=0): 1 Time(s)


 ---------------------- pam_unix End -------------------------


 --------------------- Connections (secure-log) Begin ------------------------


 **Unmatched Entries**
    polkitd: <no filename>:0: uncaught exception: Terminating runaway script: 1 Time(s)
    polkitd: Acquired the name org.freedesktop.PolicyKit1 on the system bus: 3 Time(s)
    polkitd: Error evaluating authorization rules: 1 Time(s)
    polkitd: Finished loading, compiling and executing 6 rules: 3 Time(s)
    polkitd: Loading rules from directory /etc/polkit-1/rules.d: 3 Time(s)
    polkitd: Loading rules from directory /usr/share/polkit-1/rules.d: 3 Time(s)
    polkitd: Operator of unix-session:1 successfully authenticated as unix-user:root to gain TEMPORARY authorization for action org.freedesktop.problems.getall for system-bus-name::1.66 [/usr/bin/abrt-applet] (owned by unix-user:UserName): 2 Time(s)
    polkitd: Registered Authentication Agent for unix-session:1 (system bus name :1.70 [/usr/libexec/kde4/polkit-kde-authentication-agent-1], object path /org/kde/PolicyKit1/AuthenticationAgent, locale en_GB.UTF-8): 2 Time(s)
    polkitd: Registered Authentication Agent for unix-session:13 (system bus name :1.92 [/usr/libexec/kde4/polkit-kde-authentication-agent-1], object path /org/kde/PolicyKit1/AuthenticationAgent, locale en_GB.UTF-8): 2 Time(s)
    polkitd: Terminating runaway script: 1 Time(s)

 ---------------------- Connections (secure-log) End -------------------------


 --------------------- SSHD Begin ------------------------


 Disconnecting after too many authentication failures for user:
    admin : 30 Time(s)
    root : 937 Time(s)

 Failed logins from:
    113.106.88.235: 2 times
    122.225.103.125: 1016 times
    122.225.109.106: 256 times
    122.225.109.205: 194 times
    122.225.109.208: 183 times
    122.225.109.216: 178 times
    219.138.135.64: 3850 times

 Illegal users from:
    undef: 14 times
    113.106.88.235: 15 times
    122.225.109.106: 57 times
    122.225.109.205: 22 times
    122.225.109.208: 63 times
    122.225.109.216: 54 times

 Login attempted when Shell does not exist:
    Tomcat : 1 Time(s)


 Received disconnect:
    11: Bye Bye [preauth] : 16 Time(s)

 **Unmatched Entries**
 PAM service(sshd) ignoring max retries; 6 > 3 : 945 time(s)
 ecryptfs: pam_sm_authenticate: pam_ecryptfs: Error getting passwd info for user; rc = [0] : 210 time(s)
 PAM service(sshd) ignoring max retries; 4 > 3 : 6 time(s)
 pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "nagios" : 1 time(s)
 PAM service(sshd) ignoring max retries; 5 > 3 : 29 time(s)
 pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "bin" : 1 time(s)
 pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" : 5677 time(s)
 fatal: Write failed: Connection reset by peer [preauth] : 17 time(s)
 pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "Tomcat" : 1 time(s)

 ---------------------- SSHD End -------------------------


 --------------------- Sudo (secure-log) Begin ------------------------


 UserName => root
 ----------------
 /bin/yum                       -   2 Time(s).

 ---------------------- Sudo (secure-log) End -------------------------


 --------------------- yum Begin ------------------------


 Packages Installed:
    binutils-2.23.88.0.1-13.fc20.x86_64
    libgomp-4.8.3-1.fc20.x86_64
    Perl-Sys-CPU-0.54-5.fc20.x86_64
    VirtualBox-4.3.16-1.fc20.x86_64
    1:make-3.82-19.fc20.x86_64
    glibc-devel-2.18-14.fc20.x86_64
    logwatch-7.4.0-33.20140704svn198.fc20.noarch
    kernel-headers-3.16.2-200.fc20.x86_64
    glibc-headers-2.18-14.fc20.x86_64
    epylog-1.0.7-6.fc20.noarch
    Perl-Sys-MemInfo-0.91-8.fc20.x86_64
    akmod-VirtualBox-4.3.16-1.fc20.x86_64
    gcc-4.8.3-1.fc20.x86_64
    dkms-2.2.0.3-25.fc20.noarch
    libgomp-4.8.3-1.fc20.i686
    patch-2.7.1-7.fc20.x86_64

 Packages Erased:
    kmod-VirtualBox-3.15.10-200.fc20.x86_64-4.3.14-1.fc20.6.x86_64
    kmod-VirtualBox-3.16.2-200.fc20.x86_64-4.3.16-1.fc20.x86_64
    kmod-VirtualBox-3.15.10-201.fc20.x86_64-4.3.14-1.fc20.7.x86_64

 ---------------------- yum End -------------------------


 --------------------- Disk Space Begin ------------------------

 Filesystem                                             Size  Used Avail Use% Mounted on
 /dev/mapper/luks-                                      59G   55G  1.3G  98% /
 devtmpfs                                               5.8G     0  5.8G   0% /dev
 /dev/sda2                                              477M  131M  317M  30% /boot
 /dev/sda1                                              200M  9.5M  191M   5% /boot/efi
 /dev/mapper/Fedora_Hostname-home                        395G  236G  156G  61% /home

 /dev/mapper/luks- => 98% Used. Warning. Disk Filling up.

 ---------------------- Disk Space End -------------------------


 --------------------- Fortune Begin ------------------------

 One man's brain plus one other will produce one half as many ideas as one
 man would have produced alone.  These two plus two more will produce half
 again as many ideas.  These four plus four more begin to represent a
 creative meeting, and the ratio changes to one quarter as many ...
                -- Anthony Chevins


 ---------------------- Fortune End -------------------------


 --------------------- lm_sensors output Begin ------------------------

 coretemp-isa-0000
 Adapter: ISA adapter
 Physical id 0:  +52.0 C  (high = +100.0 C, crit = +100.0 C)
 Core 0:         +52.0 C  (high = +100.0 C, crit = +100.0 C)
 Core 1:         +51.0 C  (high = +100.0 C, crit = +100.0 C)


 ---------------------- lm_sensors output End -------------------------


 ###################### Logwatch End #########################

編集#1

どうやらfail2banが実行されていなかったようですが、インストール時に自動的に設定されるdenyhostsと同じだと思いました。

fail2ban-clientの出力は次のとおりです。

root ~ # fail2ban-client status
ERROR  Unable to contact server. Is it running?
root ~ # systemctl start fail2ban
root ~ # fail2ban-client status sshd
ERROR  NOK: ('sshd',)
Sorry but the jail 'sshd' does not exist
root ~ # fail2ban-client status
Status
|- Number of jail:      0
`- Jail list:
securitylogsfail2ban
3
somethingSomething

質問1と2に答えるfail2banの構成部分が見つかったように見えるので、ここで質問3に具体的に答えようとします。SSHのセキュリティを強化したい場合は、次のことをお勧めします。

  1. Strictモードがtrueに設定されていることを確認してください
  2. Rootログインを無効にする
  3. SSHポートを変更します
  4. パスワードログインを無効にする
  5. ポートノッキングを使用する

編集に答えるには、/ etc/fail2ban/filter.d /ssh.confにsshconfigを作成し、以下を貼り付ける必要があります...

[ssh]

enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 6

私が提案したようにすでにポートを変更している場合は、ここでポート番号を設定できます。 fail2banを再起動してテストします。

3
cherrysoft