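[Share] How I dealt with system services going down after two days of brute-force SSH scanning

This post was last edited by dre5m on 2013-9-12 15:07

@yishunguang @jiahuajie @w17630
For the past two days my server has been maliciously scanned over SSH, which drove disk I/O load up sharply and eventually affected system services: httpd nginxd mysqld wdapached sshed went down, so the website could not run normally. (At first it seemed to be scanning mysql? But today I found it was brute-forcing SSH.)

Part of the system security log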

Sep 11 17:00:56 MyServer sshd[27664]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.36.0.44  user=root
Sep 11 17:00:58 MyServer sshd[27664]: Failed password for root from 222.36.0.44 port 40348 ssh2
Sep 11 17:00:58 MyServer sshd[27665]: Received disconnect from 222.36.0.44: 11: Bye Bye
Sep 11 17:00:59 MyServer sshd[27666]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.36.0.44  user=root
Sep 11 17:01:01 MyServer sshd[27666]: Failed password for root from 222.36.0.44 port 43997 ssh2
Sep 11 17:01:01 MyServer sshd[27667]: Received disconnect from 222.36.0.44: 11: Bye Bye
Sep 11 17:01:02 MyServer sshd[27669]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.36.0.44  user=root
Sep 11 17:01:03 MyServer sshd[27669]: Failed password for root from 222.36.0.44 port 47379 ssh2
Sep 11 17:01:03 MyServer sshd[27680]: Received disconnect from 222.36.0.44: 11: Bye Bye
Sep 11 17:01:04 MyServer sshd[27681]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.36.0.44  user=root
Sep 11 17:01:06 MyServer sshd[27681]: Failed password for root from 222.36.0.44 port 50415 ssh2
Sep 11 17:01:06 MyServer sshd[27682]: Received disconnect from 222.36.0.44: 11: Bye Bye
Sep 11 17:01:07 MyServer sshd[27683]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.36.0.44  user=root
Sep 11 17:01:10 MyServer sshd[27683]: Failed password for root from 222.36.0.44 port 53824 ssh2
Sep 11 17:01:10 MyServer sshd[27684]: Received disconnect from 222.36.0.44: 11: Bye Bye
Sep 11 17:01:11 MyServer sshd[27685]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.36.0.44  user=root
Sep 11 17:01:13 MyServer sshd[27685]: Failed password for root from 222.36.0.44 port 58087 ssh2
Sep 11 17:01:13 MyServer sshd[27686]: Received disconnect from 222.36.0.44: 11: Bye Bye
Sep 11 17:01:14 MyServer sshd[27687]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.36.0.44  user=root
Sep 11 17:01:16 MyServer sshd[27687]: Failed password for root from 222.36.0.44 port 33608 ssh2
Sep 11 17:01:16 MyServer sshd[27688]: Received disconnect from 222.36.0.44: 11: Bye Bye
Sep 11 17:01:17 MyServer sshd[27689]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.36.0.44  user=root
Sep 11 17:01:19 MyServer sshd[27689]: Failed password for root from 222.36.0.44 port 37081 ssh2
Sep 11 17:01:19 MyServer sshd[27690]: Received disconnect from 222.36.0.44: 11: Bye Bye
Sep 11 17:01:20 MyServer sshd[27691]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.36.0.44  user=root
Sep 11 17:01:21 MyServer sshd[27691]: Failed password for root from 222.36.0.44 port 40586 ssh2



Disk I/O (screenshot: IO.jpg)


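The fix is to install denyhosts, software that blocks offenders automatically, and set it to start with the VPS. I followed http://itzzz.com/server/065248.html , which is very detailed, so I won't repeat it here.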

The denyhosts log. Just look at what these scumbags, scanning back and forth with whatever software, are up to..:

2013-09-12 14:13:03,125 - denyhosts   : INFO     Processing log file (/var/log/secure) from offset (0)
2013-09-12 14:13:35,902 - denyhosts   : INFO     new denied hosts: ['103.31.80.46', '218.95.37.206', '211.139.127.228', '195.88.62.132', '61.164.110.115', '88.208.222.32', '60.165.167.2', '76.74.201.147', '123.103.12.34', '212.227.89.88', '137.175.46.104', '190.11.160.179', '60.173.11.253', '82.165.133.118', '222.36.0.44', '117.141.96.7', '210.21.90.38', '221.176.53.109', '61.164.118.195', '182.18.31.165', '123.103.12.35']
2013-09-12 14:13:35,903 - denyhosts   : INFO     launching DenyHosts daemon (version 2.6)..

After an attack your services may have been shut down; just start them again:
service httpd start
service mysqld start
service nginxd start
service wdapache start

The simplest approach is to change the SSH port rather than use the default 22.
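The log-driven blocking discussed above, as an added example that is not part of the original posts and is not DenyHosts' own code: it counts `Failed password` lines per source address inside a sliding window and renders `/etc/hosts.deny`-style entries. The function names, the threshold of 5, the 10-minute window and the sample addresses are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the /var/log/secure format shown in the post
# (addresses come from documentation ranges, not from the thread).
SAMPLE_LOG = """\
Sep 11 17:00:58 MyServer sshd[27664]: Failed password for root from 203.0.113.7 port 40348 ssh2
Sep 11 17:01:01 MyServer sshd[27666]: Failed password for root from 203.0.113.7 port 43997 ssh2
Sep 11 17:01:02 MyServer sshd[27668]: Failed password for invalid user admin from 198.51.100.9 port 51515 ssh2
Sep 11 17:01:03 MyServer sshd[27669]: Failed password for root from 203.0.113.7 port 47379 ssh2
Sep 11 17:01:06 MyServer sshd[27681]: Failed password for root from 203.0.113.7 port 50415 ssh2
Sep 11 17:01:10 MyServer sshd[27683]: Failed password for root from 203.0.113.7 port 53824 ssh2
Sep 11 17:05:00 MyServer sshd[27700]: Accepted password for deploy from 192.0.2.10 port 40000 ssh2
Sep 11 18:30:00 MyServer sshd[27900]: Failed password for invalid user admin from 198.51.100.9 port 51600 ssh2
"""

FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+"
)


def find_bruteforce(log_text, threshold=5, window=timedelta(minutes=10), year=2013):
    """Return {ip: peak failures inside window} for sources reaching threshold."""
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    flagged = {}
    for line in log_text.splitlines():  # lines are assumed to be in time order
        m = FAILED.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year, so the caller supplies one (assumption).
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:  # drop failures that aged out of the window
            q.popleft()
        if len(q) >= threshold:
            flagged[m["ip"]] = max(flagged.get(m["ip"], 0), len(q))
    return flagged


def hosts_deny_lines(flagged, service="sshd"):
    """Render TCP-wrappers entries of the kind a blocker appends to /etc/hosts.deny."""
    return [f"{service}: {ip}" for ip in sorted(flagged)]


if __name__ == "__main__":
    print("\n".join(hosts_deny_lines(find_bruteforce(SAMPLE_LOG))))
```

The single source that retries every few seconds is flagged, while the address with two failures an hour and a half apart and the successful login are left alone.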

http://centoshelp.org/security/denyhosts/
has a simpler installation method.
