SSH へのブルートフォースアタックのログの確認

[bash] [root@localhost ~]# cat /var/log/secure | grep "Invalid user" Nov 5 04:00:12 localhost sshd[27467]: Invalid user admin from 103.207.37.115 Nov 5 04:00:16 localhost sshd[27469]: Invalid user admin from 103.207.37.115 Nov 5 04:00:23 localhost sshd[27477]: Invalid user pi from 103.207.37.115 Nov 5 04:00:31 localhost sshd[27492]: Invalid user test from 103.207.37.115 Nov 5 04:00:33 localhost sshd[27498]: Invalid user admin from 103.207.37.115 Nov 5 04:00:37 localhost sshd[27500]: Invalid user user from 103.207.37.115 Nov 5 04:00:40 localhost sshd[27502]: Invalid user info from 103.207.37.115 Nov 5 04:00:42 localhost sshd[27504]: Invalid user guest from 103.207.37.115 Nov 5 04:00:45 localhost sshd[27506]: Invalid user git from 103.207.37.115 Nov 5 04:00:52 localhost sshd[27514]: Invalid user ubnt from 103.207.37.115

（以下略）

[/bash]

以下のコマンドでも確認可能。

[bash] cat /var/log/secure | grep "Failed password" [/bash]

[bash] cat /var/log/messages | grep "failure" [/bash]

うまくいかなかった方法

1.「/etc/ssh/」ディレクトリに移動

[bash] [root@localhost ~]# cd /etc/ssh/ [/bash]

2.ファイル一覧を表示

[bash] [root@localhost ssh]# ls [/bash] [bash] moduli ssh_host_ecdsa_key.pub ssh_host_rsa_key ssh_config ssh_host_ed25519_key ssh_host_rsa_key.pub ssh_host_ecdsa_key ssh_host_ed25519_key.pub sshd_config [/bash]

3.バックアップをとる

[bash] [root@localhost ssh]# cp sshd_config sshd_config.old [/bash]

4.バックアップされているか確認

[bash] [root@localhost ssh]# ls [/bash] [bash] moduli ssh_host_ed25519_key sshd_config ssh_config ssh_host_ed25519_key.pub sshd_config.old ssh_host_ecdsa_key ssh_host_rsa_key ssh_host_ecdsa_key.pub ssh_host_rsa_key.pub [/bash]

5.vi で「sshd_config」ファイルを開く

以下の「Port」の行を修正。

変更前 [bash]

If you want to change the port on a SELinux system, you have to tell

SELinux about this change.

semanage port -a -t ssh_port_t -p tcp #PORTNUMBER

#

Port 22

AddressFamily any

ListenAddress 0.0.0.0

ListenAddress ::

[/bash]

変更後 [bash]

If you want to change the port on a SELinux system, you have to tell

SELinux about this change.

semanage port -a -t ssh_port_t -p tcp #PORTNUMBER

# Port 22222

AddressFamily any

ListenAddress 0.0.0.0

ListenAddress ::

[/bash]

「:wq」でファイルを保存する。

6.以下のコマンドを実行

[bash] [root@localhost ssh]# semanage port -a -t ssh_port_t -p tcp 22222 [/bash] [bash] -bash: semanage: コマンドが見つかりません [/bash]

7.以下のコマンドで policycoreutils-python をインストール

[bash] [root@localhost ssh]# yum -y install policycoreutils-python [/bash]

うまくインストールできていない。

8.再度コマンドを実行

[bash] [root@localhost ssh]# semanage port -a -t ssh_port_t -p tcp 22222 [/bash]

変わらず。

9.firewall で新しいポートを許可

[bash] [root@localhost ssh]# firewall-cmd --permanent --zone=public --add-port=22222/tcp [/bash] [bash] success [/bash]

10.firewall を再起動

[bash] [root@localhost ssh]# firewall-cmd --reload [/bash] [bash] success [/bash]

11.sshd を再起動

[bash] [root@localhost ssh]# systemctl restart sshd.service [/bash]

12.新しいポートで運用されているか確認

[bash] [root@localhost ssh]# ss -tnlp | grep ssh [/bash] [bash] LISTEN 0 128 :22222 : users:*1 LISTEN 0 128 :::22222 ::: users:*2 [/bash]

ここまでやったができず。 この時点でログアウトすると SSH でログインできなくなる可能性があるので絶対にログアウトしない。

うまくいった方法

1. firewalld の設定確認

[bash] [root@localhost ssh]# firewall-cmd --list-all [/bash] [bash] dmz (active) target: default icmp-block-inversion: no interfaces: em1 sources: services: ftp samba ssh ports: 4000-4005/tcp 25565/tcp protocols: masquerade: no forward-ports: sourceports: icmp-blocks: rich rules: [/bash]

2. firewalld の設定から SSH を削除

[bash] [root@localhost ssh]# firewall-cmd --permanent --remove-service=ssh [/bash] [bash] success [/bash]

3. firewalld の設定に ssh-2222 を追加

ssh.xml をコピーして ssh-2222.xml を作成

[bash] [root@localhost ssh]# cp /usr/lib/firewalld/services/ssh.xml /etc/firewalld/services/ssh-22222.xml [/bash]

ssh-2222.xml を開いてポート番号を 22 から 22222 に変更。

[bash] [root@localhost ssh]# vi /etc/firewalld/services/ssh-22222.xml [/bash]

変更前 [bash] <?xml version="1.0" encoding="utf-8"?> <service> <short>SSH</short> <description>Secure Shell (SSH) is a protocol for logging into and executing commands on remote machines. It provides secure encrypted communications. If you plan on accessing your machine remotely via SSH over a firewalled interface, enable this option. You need the openssh-server package installed for this option to be useful.</description> <port protocol="tcp" port="22"/> </service> [/bash]

変更後 [bash] <?xml version="1.0" encoding="utf-8"?> <service> <short>SSH</short> <description>Secure Shell (SSH) is a protocol for logging into and executing commands on remote machines. It provides secure encrypted communications. If you plan on accessing your machine remotely via SSH over a firewalled interface, enable this option. You need the openssh-server package installed for this option to be useful.</description> <port protocol="tcp" port="22222"/> </service> [/bash]

4. firewalld に 22222 を追加

[bash] [root@localhost services]# firewall-cmd --permanent --add-service=ssh-22222 [/bash] [bash] success [/bash]

5. firewalld をリロード

[bash] [root@localhost services]# firewall-cmd --reload [/bash] [bash] success [/bash]

6. 変更後の状態を確認

[bash] [root@localhost services]# firewall-cmd --list-all [/bash] [bash] dmz (active) target: default icmp-block-inversion: no interfaces: em1 sources: services: ftp samba ssh-22222 ports: 4000-4005/tcp 25565/tcp protocols: masquerade: no forward-ports: sourceports: icmp-blocks: rich rules: [/bash]