Saturday, November 27, 2010

Techniques for finding attacks in Linux server log files

◆ Revising the swatch configuration to monitor for attacks on the SSH daemon. Scanning the log files is essential to understanding the security situation of the system.

Only by using the information in the logs can we see what is really happening on the system. Once an attacker has obtained a username on the system, he can launch a "brute-force" attack: having the SSH service test thousands of passwords in order to gain a remote shell on the machine. On a RedHat system this attack leaves records like the following in the log:

    Jun  6 13:01:56 chim sshd(pam_unix)[17331]: authentication failure; logname= uid=0 euid=0 tty=NODEV ssh ruser= rhost=192.168.1.199 user=rreck
    Jun  6 13:02:01 chim sshd[17331]: Failed password for rreck from 192.168.1.199 port 33181 ssh2
    Jun  6 13:02:03 chim sshd[17331]: Failed password for rreck from 192.168.1.199 port 33181 ssh2
    Jun  6 13:02:03 chim sshd(pam_unix)[17331]: 2 more authentication failures; logname= uid=0 euid=0 tty=NODEV ssh ruser= rhost=192.168.1.199 user=rreck

Learning about this kind of activity as early as possible is the most effective strategy for preventing this type of attack. To do so, add the following swatch configuration to the system's swatchrc file:

    # Failed password
    watchfor /Failed password for/
        echo
        bell
        mail

From then on, whether swatch runs as a scheduled cron task or in "tail" mode, you will be emailed immediately whenever this attack signature is found in the log file. Note that the pattern also matches the "Failed password for invalid user ..." lines that sshd writes for names with no local account, so guesses against nonexistent users are caught as well.

The email alert is a signal to act. Depending on your situation, you may need to allow the user rreck to log in from several hosts. Edit /etc/ssh/sshd_config and add the following configuration, which explicitly refuses rreck from the host where the repeated failed password attempts originated while still allowing rreck to log in from other hosts:

    # Prevent access for hacker even if they guess the password!
    DenyUsers rreck@192.168.1.199
    AllowUsers rreck@*

sshd evaluates DenyUsers before AllowUsers regardless of the order in the file, so the deny takes precedence. Be aware that AllowUsers is a whitelist: once it is present, any account not listed in it is refused, so every other account that logs in via SSH must be added to it too (alternatively, omit the AllowUsers line; DenyUsers alone already leaves rreck's access from other hosts untouched).

Next, send sshd a SIGHUP so it re-reads its configuration, or restart it with the init script:

    /etc/rc.d/init.d/sshd restart

When you see sshd write the following message to /var/log/messages, you know the change has taken effect and the attacker's login attempts are being rejected:

    Apr  1 17:42:55 linux sshd[5864]: User rreck not allowed because listed in DenyUsers

This log message shows that even if the correct password is guessed, rreck still cannot log in from that host. From the attacker's point of view nothing reveals that you changed the configuration; the attempts simply do not succeed. Since these refused attempts are still logged, it is worth adding this message to the swatch rules too, so that the alerts continue after the block is in place.

Summary: what the author wants to convey with this example is that information security work never ends; it requires sustained effort. The best way to reduce or eliminate risk is to stay diligent and vigilant. Always keep logs, and keep building up a picture of what normal activity on the system looks like. Read log messages carefully and interpret them with care; only constant work keeps a system secure. Log monitoring helps you identify problems and guides you to the targeted configuration changes that address them. In the end, the best security measure is to take action. Every measure thought through in advance of an incident will be of great help later and ensures that the action you take wastes no time. Planning ahead also keeps emotional factors from clouding your judgement during an incident and ensures that your response is as reasonable and effective as possible.
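The detection described above, carried a step further as an added example (this is not swatch or sshd code, and not from the original post): it parses the same "Failed password for" lines the swatch rule watches, counts failures per user and source host, and emits the DenyUsers line for any pair that crosses a threshold. It also recognises the "not allowed because listed in DenyUsers" message so the rule keeps reporting after the block is in place. The sample log is constructed for the example, and the regular expressions, the threshold of 3 and the decision to count only sshd's own per-attempt lines are assumptions.

```python
"""Count sshd password failures per user@host and propose DenyUsers rules.

Added example for this post (not swatch or sshd code). Regexes, the
threshold and the sample log below are assumptions made for illustration.
"""
import re
from collections import Counter

# Constructed sample log, modelled on the RedHat sshd/pam_unix format shown in the post.
SAMPLE_LOG = """\
Jun  6 13:01:56 chim sshd(pam_unix)[17331]: authentication failure; logname= uid=0 euid=0 tty=NODEV ssh ruser= rhost=192.168.1.199 user=rreck
Jun  6 13:02:01 chim sshd[17331]: Failed password for rreck from 192.168.1.199 port 33181 ssh2
Jun  6 13:02:03 chim sshd[17331]: Failed password for rreck from 192.168.1.199 port 33181 ssh2
Jun  6 13:02:05 chim sshd[17331]: Failed password for rreck from 192.168.1.199 port 33181 ssh2
Jun  6 13:02:05 chim sshd(pam_unix)[17331]: 2 more authentication failures; logname= uid=0 euid=0 tty=NODEV ssh ruser= rhost=192.168.1.199 user=rreck
Jun  6 13:02:10 chim sshd[17340]: Failed password for invalid user admin from 10.0.0.7 port 40122 ssh2
Jun  6 13:05:00 chim sshd[17355]: Accepted password for rreck from 192.168.1.20 port 50010 ssh2
Jun  6 13:05:30 chim sshd[17360]: Failed password for rreck from 192.168.1.20 port 50011 ssh2
Jun  6 13:09:12 chim sshd[17390]: User rreck from 192.168.1.199 not allowed because listed in DenyUsers
"""

# sshd's own per-attempt line; "invalid user" marks a name with no local account.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<host>\S+) port \d+"
)
# Written once DenyUsers is in place; the "from HOST" part is absent on older sshd versions.
DENIED_RE = re.compile(
    r"sshd\[\d+\]: User (?P<user>\S+)(?: from (?P<host>\S+))? not allowed "
    r"because listed in DenyUsers"
)


def parse_failures(log_text):
    """Count failed password attempts per (user, host, is_invalid_user).

    Only sshd's "Failed password" lines are counted. The pam_unix
    "authentication failure" / "N more authentication failures" lines
    describe the same attempts, so counting them too would double count.
    """
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[(m.group("user"), m.group("host"), bool(m.group("invalid")))] += 1
    return counts


def parse_denied(log_text):
    """Count attempts already refused by DenyUsers, per (user, host or None)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = DENIED_RE.search(line)
        if m:
            counts[(m.group("user"), m.group("host"))] += 1
    return counts


def find_offenders(counts, threshold=3):
    """Return (user, host, n, is_invalid) for pairs with >= threshold failures, worst first."""
    hits = [(u, h, n, inv) for (u, h, inv), n in counts.items() if n >= threshold]
    return sorted(hits, key=lambda t: (-t[2], t[0], t[1]))


def sshd_config_lines(offenders):
    """Build the sshd_config DenyUsers lines for real accounts.

    Names flagged "invalid user" have no account, so there is nothing to
    deny; they are reported as comments instead.
    """
    lines = []
    for user, host, n, invalid in offenders:
        if invalid:
            lines.append(f"# {n} failures for nonexistent user {user} from {host}")
        else:
            lines.append(f"DenyUsers {user}@{host}")
    return lines


if __name__ == "__main__":
    offenders = find_offenders(parse_failures(SAMPLE_LOG))
    for user, host, n, invalid in offenders:
        print(f"ALERT: {n} failed passwords for {user} from {host}")
    print("\n".join(sshd_config_lines(offenders)))
    for (user, host), n in parse_denied(SAMPLE_LOG).items():
        print(f"refused by DenyUsers: {user} from {host or '?'} ({n} attempts)")
```

Run it as a script to see the alert, the proposed `DenyUsers rreck@192.168.1.199` line and the one attempt already refused by DenyUsers. The block deliberately emits no AllowUsers line: DenyUsers alone already leaves rreck free to log in from every other host, whereas AllowUsers is a whitelist and would lock out every account not listed in it.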
