服务器 SSH 端口被不断试探登录，怎么防护？

V2EX = way to explore

V2EX 是一个关于分享和探索的地方

For Existing Member Sign In

This topic created in 2197 days ago, the information mentioned may be changed or developed.

每隔几秒就有这样的记录，而且 ip 地址又是变化的，怎么防护啊？

优先层级日志日期 & 时间用户事件
Warning 连接 2020/05/04 11:21:10 SYSTEM User [winpc] from [36.67.106.109] failed to log in via [SSH] due to authorization failure.
Warning 连接 2020/05/04 11:20:44 SYSTEM User [jack] from [27.115.62.134] failed to log in via [SSH] due to authorization failure.
Warning 连接 2020/05/04 11:20:39 SYSTEM User [root] from [35.200.185.127] failed to log in via [SSH] due to authorization failure.
Warning 连接 2020/05/04 11:20:34 SYSTEM User [internat] from [186.179.103.118] failed to log in via [SSH] due to authorization failure.
Warning 连接 2020/05/04 11:20:32 SYSTEM User [root] from [203.245.41.96] failed to log in via [SSH] due to authorization failure.
Warning 连接 2020/05/04 11:20:28 SYSTEM User [root] from [195.231.4.203] failed to log in via [SSH] due to authorization failure.
Warning 连接 2020/05/04 11:20:25 SYSTEM User [chantal] from [207.154.206.212] failed to log in via [SSH] due to authorization failure.
Warning 连接 2020/05/04 11:20:16 SYSTEM User [root] from [112.5.172.26] failed to log in via [SSH] due to authorization failure.
Warning 连接 2020/05/04 11:20:11 SYSTEM User [testuser] from [122.225.230.10] failed to log in via [SSH] due to authorization failure.
Warning 连接 2020/05/04 11:20:10 SYSTEM User [root] from [62.210.119.215] failed to log in via [SSH] due to authorization failure.
Warning 连接 2020/05/04 11:20:02 SYSTEM User [temp] from [106.12.100.73] failed to log in via [SSH] due to authorization failure.

31 replies • 2020-05-05 16:41:39 +08:00

godall

May 4, 2020

补充一下，ssh 端口已经改成其他端口了。

RiESA

May 4, 2020

用 fail2ban

marcushbs

May 4, 2020

把密码加长到 30 位以上，10 年内不用愁.....

wangxiaoaer

May 4, 2020

密码登陆不能关掉吗？

Acoffice

May 4, 2020 via Android

同二楼,或者限制指定用户登录.

gamesbain

May 4, 2020

用 key 登录。把密码登录关了。万事大吉。

Rehtt

May 4, 2020 via Android

密码登录关掉用证书

Navee

May 4, 2020

禁止 root 登陆
fail2ban

godall

May 4, 2020

关闭密码登录后，还是有一堆 TIME_WAIT

(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
tcp 0 0 0.0.0.0:25072 0.0.0.0:* LISTEN -
tcp 0 0 192.168.1.32:2022 120.53.1.97:47342 TIME_WAIT -
tcp 0 0 192.168.1.32:2022 106.12.100.73:41270 TIME_WAIT -
tcp 0 96 192.168.1.32:2022 192.168.1.161:58356 ESTABLISHED -
tcp 0 0 192.168.1.32:2022 139.199.98.175:41298 TIME_WAIT -
tcp 0 0 192.168.1.32:2022 167.172.49.241:44890 TIME_WAIT -
tcp 0 0 192.168.1.32:2022 202.111.14.122:54199 TIME_WAIT -
tcp 0 0 192.168.1.32:2022 58.212.220.210:54120 TIME_WAIT -
tcp 0 0 192.168.1.32:2022 122.114.249.199:58938 TIME_WAIT -
tcp6 0 0 :::2022 :::* LISTEN -

twl007

May 4, 2020 via iPhone

fail2ban 可解我已经 ban 了 20w+的 ip 了

lithiumii

May 4, 2020 via Android

换端口，禁 root 登录，fail2ban，禁密码登录……我一般只做前三

akira

May 4, 2020

这些都是批量扫的。
服务器拿到手，第一步就是换端口 + 密钥

vigack

May 4, 2020

密码够强的话不用在意吧，强迫症患者的话可以 IP 白名单+跳板机登陆。

ieric

May 4, 2020 via iPhone

真是无聊
root
root 123456
...
能中的机率比买彩票高点吧？

flynaj

May 4, 2020 via Android

在改端口，改高一点。要不就是安装 knockd

Xusually

May 4, 2020

禁止密码登陆吧

tankren

May 4, 2020

改端口关闭密码登录用 key 登录 fail2ban

GG668v26Fd55CP5W

May 4, 2020 via iPhone

我最近用 v2ray，发现新一个方法，根本不暴露 ssh 端口到外网，服务器安装 v2ray 服务，wss 443 伪装网站访问，然后本地用 v2ray 连接到服务器后，ssh 客户端使用 v2ray 代理端口作代理连接服务器，这时服务器的地址是 127.0.0.1

ZZSZZSZZS

May 4, 2020 via iPhone

禁止密码登录，只让用 key 登录

DonaidTrump

May 4, 2020

@marcushbs 正确的姿势不是应该禁止密码登陆么

marcushbs

May 4, 2020

@tulongtou 的确如此，但第一有些公司有条件限制，要求必须用密码；第二，key 文件可以近似看作 length 3000 的 password....

sampeng

May 4, 2020 via iPhone

@marcushbs 限制必须用密码的都是傻子型公司。第二，你家 key 文件像 passowrd 要传到远端去的？还近似…完全是两个不同原理的认证方式

vocaloidchina

May 4, 2020

最简单的办法就是改端口，也不用证书啥的，就可以让每月尝试登陆数量降至 1-10 次

marcushbs

May 4, 2020

@sampeng

Initial IV client to server: HASH(K || H || "A" || session_id)
Initial IV server to client: HASH(K || H || "B" || session_id)
Encryption key client to server: HASH(K || H || "C" || session_id)
Encryption key server to client: HASH(K || H || "D" || session_id)
Integrity key client to server: HASH(K || H || "E" || session_id)
Integrity key server to client: HASH(K || H || "F" || session_id)

假设穷举一个 3000bytes 的 id_rsa 文件，所以说“近似”，参见：

https://gravitational.com/blog/ssh-handshake-explained/

ps1aniuge

May 4, 2020

分享 Linux 中执行的 powershell 脚本：ssh-deny-host
https://www.v2ex.com/t/612075
好吃得话，请给铜板。

ytmsdy

May 4, 2020

证书登录就行了。

niubee1

May 4, 2020

证书登录、关闭密码登录、fail2ban 基本上能防住 99%的攻击

wangyuescr

May 4, 2020 via Android

@ieric 曾经学生腾讯云主机还真是这个密码后来被上了一课

nijux

May 4, 2020

https://www.sshguard.net/
推荐

isnullstring

May 4, 2020

换端口，key 登录

ps1aniuge

May 5, 2020

服务器 SSH 端口被不断试探登录，怎么防护？
答：
我 at 所有看帖人，我用 powershell 写了一个工具《弹性 sshd 端口》，
入 qq 群，183173532，，1 元辛苦费找我购买。
写作目的：
1 富强。
2 防止黑客从端口穷举密码。

脚本特性：
1 弹性 sshd 端口，随机 n 分钟，更换端口。
2 用 powershell 在客户机输出弹性端口，你就可以用 plink 连接此端口。

系统需求：
1 支持 opensshd，支持 dropbear 。支持 linux，支持 win，但你需要告诉我你的 sshd_config 的位置。
2 必须在服务端，客户端安装 powershell 。对于 win 服务端，客户端，这不是问题。因为系统已经集成 powershell 了。