All the configs look fine. Except for X11Forwarding yes and PermitRootLogin yes, but that's no big deal... I rarely turn those off myself either.

Set up /etc/hosts.deny and /etc/hosts.allow to your taste. I've given examples.

# vim /etc/hosts.deny
sshd : IP-Address

# vim /etc/hosts.deny
sshd : IP-Address1, IP-Address2, IP-Address3

# vim /etc/hosts.deny
# a trailing dot matches an address prefix; hosts_access(5) has no "*" wildcards
sshd : 33.
sshd : 66.66.

# vim /etc/hosts.deny
sshd : ALL
then in /etc/hosts.allow
sshd : Your IP-Address

Next, add to /etc/ssh/sshd_config:
...
MaxAuthTries 3
...

Then in the log:
cat /var/log/syslog
SSH should be writing about access attempts; it seems to me logwatch is simply lying.

You can improve logging in iptables:
iptables -N SSHATTACK
iptables -A SSHATTACK -j LOG --log-prefix "Possible SSH attack! " --log-level 7
iptables -A SSHATTACK -j DROP
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --set
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 400 --hitcount 3 --rttl -j SSHATTACK

And check the log again:
grep -E 122.225.109.116 /var/log/syslog
If 122.225.109.116 is not in auth.log, syslog or messages, then logwatch is lying.

On Mon, Sep 29, 2014 at 11:34 AM, Людмила Бандурина <bigdogs...@gmail.com> wrote:
> The /etc/ssh/sshd_config config:
>
> # Package generated configuration file
> # See the sshd_config(5) manpage for details
>
> # What ports, IPs and protocols we listen for
> Port 22
> # Use these options to restrict which interfaces/protocols sshd will bind to
> #ListenAddress ::
> #ListenAddress 0.0.0.0
> Protocol 2
> # HostKeys for protocol version 2
> HostKey /etc/ssh/ssh_host_rsa_key
> HostKey /etc/ssh/ssh_host_dsa_key
> HostKey /etc/ssh/ssh_host_ecdsa_key
> #Privilege Separation is turned on for security
> UsePrivilegeSeparation yes
>
> # Lifetime and size of ephemeral version 1 server key
> KeyRegenerationInterval 3600
> ServerKeyBits 768
>
> # Logging
> SyslogFacility AUTH
> LogLevel INFO
>
> # Authentication:
> LoginGraceTime 120
> PermitRootLogin yes
> StrictModes yes
>
> RSAAuthentication yes
> PubkeyAuthentication yes
> #AuthorizedKeysFile %h/.ssh/authorized_keys
>
> # Don't read the user's ~/.rhosts and ~/.shosts files
> IgnoreRhosts yes
> # For this to work you will also need host keys in /etc/ssh_known_hosts
> RhostsRSAAuthentication no
> # similar for protocol version 2
> HostbasedAuthentication no
> # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
> #IgnoreUserKnownHosts yes
>
> # To enable empty passwords, change to yes (NOT RECOMMENDED)
> PermitEmptyPasswords no
>
> # Change to yes to enable challenge-response passwords (beware issues with
> # some PAM modules and threads)
> ChallengeResponseAuthentication no
>
> # Change to no to disable tunnelled clear text passwords
> PasswordAuthentication no
>
> # Kerberos options
> #KerberosAuthentication no
> #KerberosGetAFSToken no
> #KerberosOrLocalPasswd yes
> #KerberosTicketCleanup yes
>
> # GSSAPI options
> #GSSAPIAuthentication no
> #GSSAPICleanupCredentials yes
>
> X11Forwarding yes
> X11DisplayOffset 10
> PrintMotd no
> PrintLastLog yes
> TCPKeepAlive yes
> #UseLogin no
>
> #MaxStartups 10:30:60
> #Banner /etc/issue.net
>
> # Allow client to pass locale environment variables
> AcceptEnv LANG LC_*
>
> Subsystem sftp /usr/lib/openssh/sftp-server
>
> # Set this to 'yes' to enable PAM authentication, account processing,
> # and session processing. If this is enabled, PAM authentication will
> # be allowed through the ChallengeResponseAuthentication and
> # PasswordAuthentication. Depending on your PAM configuration,
> # PAM authentication via ChallengeResponseAuthentication may bypass
> # the setting of "PermitRootLogin without-password".
> # If you just want the PAM account and session checks to run without
> # PAM authentication, then enable this but set PasswordAuthentication
> # and ChallengeResponseAuthentication to 'no'.
> UsePAM yes
>
>
> On 29 September 2014 at 12:29, Людмила Бандурина <bigdogs...@gmail.com> wrote:
>> hosts.allow
>>
>> sendmail: all
>> # /etc/hosts.allow: list of hosts that are allowed to access the system.
>> # See the manual pages hosts_access(5) and hosts_options(5).
>> #
>> # Example: ALL: LOCAL @some_netgroup
>> # ALL: .foobar.edu EXCEPT terminalserver.foobar.edu
>> #
>> # If you're going to protect the portmapper use the name "portmap" for the
>> # daemon name. Remember that you can only use the keyword "ALL" and IP
>> # addresses (NOT host or domain names) for the portmapper, as well as for
>> # rpc.mountd (the NFS mount daemon). See portmap(8) and rpc.mountd(8)
>> # for further information.
>> #
>>
>> The email from logwatch
>>
>>
>> --------------------- SSHD Begin ------------------------
>>
>>
>> Illegal users from:
>>    undef: 53 times
>>    61.183.1.14: 11 times
>>    122.225.109.116: 1 time
>>    122.225.109.194: 1 time
>>    122.225.109.195: 1 time
>>    122.225.109.197: 1 time
>>    193.238.157.34 (shadow.charon.at): 26 times
>>    212.129.56.29 (212-129-56-29.rev.poneytelecom.eu): 12 times
>>
>> Users logging in through sshd:
>>    root:
>>       83.220.237.97: 3 times
>>       83.220.237.40: 2 times
>>
>>
>> Received disconnect:
>>    11: Bye Bye [preauth] : 103 Time(s)
>>    11: disconnected by user : 5 Time(s)
>>    3: com.jcraft.jsch.JSchException: Auth fail [preauth] : 15 Time(s)
>>
>> Refused incoming connections:
>>    193.238.157.34 (193.238.157.34): 2 Time(s)
>>    212.129.56.29 (212.129.56.29): 1 Time(s)
>>    27.254.33.142 (27.254.33.142): 12 Time(s)
>>    61.183.1.14 (61.183.1.14): 1 Time(s)
>>
>> ---------------------- SSHD End -------------------------
>>
>> iptables -L -v
>>
>> Chain INPUT (policy ACCEPT 74600 packets, 48M bytes)
>>  pkts bytes target prot opt in  out source                                               destination
>>     0     0 DROP   all  --  any any 175.42.0.0/16                                        anywhere
>>    15   600 DROP   all  --  any any 122.225.0.0/16                                       anywhere
>>    12   480 DROP   all  --  any any 0.0.174.61.dial.tz.zj.dynamic.163data.com.cn/16      anywhere
>>   104  5268 DROP   all  --  any any 222.77.0.0/16                                        anywhere
>>     3   152 DROP   all  --  any any 0.0.40.120.broad.fz.fj.dynamic.163data.com.cn/16     anywhere
>>    26  1348 DROP   all  --  any any 0.0.25.117.broad.fz.fj.dynamic.163data.com.cn/16     anywhere
>>     0     0 DROP   all  --  any any 110.80.0.0/16                                        anywhere
>>     6   304 DROP   all  --  any any 0.0.161.220.broad.zz.fj.dynamic.163data.com.cn/16    anywhere
>>     0     0 DROP   all  --  any any 0.0.207.121.broad.qz.fj.dynamic.163data.com.cn/16    anywhere
>>     0     0 DROP   all  --  any any 0.0.58.59.broad.np.fj.dynamic.163data.com.cn/16      anywhere
>>     0     0 DROP   all  --  any any 125.77.0.0/16                                        anywhere
>>   107  5452 DROP   all  --  any any 0.0.85.110.broad.qz.fj.dynamic.163data.com.cn/16     anywhere
>>   114  5928 DROP   all  --  any any 0.0.84.110.broad.xm.fj.dynamic.163data.com.cn/16     anywhere
>>    57  2920 DROP   all  --  any any 0.0.205.121.broad.qz.fj.dynamic.163data.com.cn/16    anywhere
>>     3   152 DROP   all  --  any any 0.0.76.222.broad.fz.fj.dynamic.163data.com.cn/16     anywhere
>>    48  2496 DROP   all  --  any any 0.0.87.110.broad.xm.fj.dynamic.163data.com.cn/16     anywhere
>>    35  1804 DROP   all  --  any any 0.0.78.125.broad.qz.fj.dynamic.163data.com.cn/16     anywhere
>>    45  2340 DROP   all  --  any any 0.0.32.120.broad.fz.fj.dynamic.163data.com.cn/16     anywhere
>>    24  1216 DROP   all  --  any any 0.0.83.110.broad.fz.fj.dynamic.163data.com.cn/16     anywhere
>>   284 14312 DROP   all  --  any any 27.150.0.0/16                                        anywhere
>>     0     0 DROP   all  --  any any 0.0.125.76.gs.dail.jqgt.dynamic.163data.com.cn/16    anywhere
>>   185  9424 DROP   all  --  any any 27.153.0.0/16                                        anywhere
>>    93  4712 DROP   all  --  any any 0.0.89.110.broad.pt.fj.dynamic.163data.com.cn/16     anywhere
>>     6   304 DROP   all  --  any any 0.0.204.121.board.fz.fj.dynamic.163data.com.cn/16    anywhere
>>     0     0 DROP   all  --  any any 120.36.0.0/16                                        anywhere
>>    45  2280 DROP   all  --  any any 0.0.33.120.broad.qz.fj.dynamic.163data.com.cn/16     anywhere
>>     0     0 DROP   all  --  any any 59.60.0.0/16                                         anywhere
>>    75  3800 DROP   all  --  any any 0.0.26.117.broad.qz.fj.dynamic.163data.com.cn/16     anywhere
>>     0     0 DROP   all  --  any any 0.0.154.27.broad.xm.fj.dynamic.163data.com.cn/16     anywhere
>>   243 12312 DROP   all  --  any any 0.0.159.27.broad.xm.fj.dynamic.163data.com.cn/16     anywhere
>>     0     0 DROP   all  --  any any 0.82.30.117.broad.xm.fj.dynamic.163data.com.cn/24    anywhere
>>     0     0 DROP   all  --  any any 0.29.154.27.broad.xm.fj.dynamic.163data.com.cn/24    anywhere
>>     0     0 DROP   all  --  any any 0.125.79.222.broad.xm.fj.dynamic.163data.com.cn/24   anywhere
>>     0     0 DROP   all  --  any any 0.125.79.222.broad.xm.fj.dynamic.163data.com.cn/24   anywhere
>>     0     0 DROP   all  --  any any 87.125.79.222.broad.xm.fj.dynamic.163data.com.cn     anywhere
>>
>> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>>  pkts bytes target prot opt in  out source                                               destination
>>
>> Chain OUTPUT (policy ACCEPT 93209 packets, 124M bytes)
>>  pkts bytes target prot opt in  out source                                               destination
>>
>>
>> --
>> Regards, Людмила
>>
>>
>> On 29 September 2014 at 12:17, Alan Holt <berber...@gmail.com> wrote:
>>> There's a mistake somewhere; attach the full iptables and the log.
>>> This also happens when the ssh daemon and the firewall chains are configured incorrectly.
>>>
>>> Also use /etc/hosts.allow
>>>
>>> 2014-09-29 11:04 GMT+03:00 Людмила Бандурина <bigdogs...@gmail.com>:
>>>> Good afternoon,
>>>>
>>>> No, there are no allow rules in the list, only a few more of the same denies for Chinese subnets.
>>>>
>>>> On 28 September 2014 at 20:42, Dmitry Agafonov <agafonovdmi...@gmail.com> wrote:
>>>>> Good afternoon!
>>>>>
>>>>> One rule tells us nothing. Look at the counters and the numbering (-v); maybe nothing matches the rule at all and it is being handled by some allow rule higher up the list.
>>>>>
>>>>> On 28 September 2014 at 19:55, Людмила Бандурина <bigdogs...@gmail.com> wrote:
>>>>>> Hello everyone!
>>>>>>
>>>>>> iptables has:
>>>>>> Chain INPUT (policy ACCEPT)
>>>>>> target prot opt source          destination
>>>>>> DROP   all  --  122.225.0.0/16  anywhere
>>>>>>
>>>>>> Nevertheless, in the logwatch email I see
>>>>>>
>>>>>> Illegal users from:
>>>>>>    122.225.109.116: 1 time
>>>>>>    122.225.109.194: 1 time
>>>>>>    122.225.109.195: 1 time
>>>>>>    122.225.109.197: 1 time
>>>>>>
>>>>>> Why? Surely if access is closed by the firewall these attempts should be in the Refused incoming connections section, shouldn't they?
>>>>>>
>>>>>> --
>>>>>> Regards, Людмила
>>>>>>
>>>>>> --
>>>>>> ubuntu-ru mailing list
>>>>>> ubuntu-ru@lists.ubuntu.com
>>>>>> https://lists.ubuntu.com/mailman/listinfo/ubuntu-ru
>>>>>
>>>>> --
>>>>> Dmitry Agafonov ~ http://agafonov.pp.ru/
>>>>
>>>> --
>>>> Regards, Людмила
>>>
>>> --
>>> Best regards.
>>> Alex Berber
>>> +9 72 54 285 952 3
>>> www.linuxspace.org <http://www.linuxspace.org/>
>
> --
> Regards, Людмила

--
Best regards.
Alex Berber
+9 72 54 285 952 3
www.linuxspace.org <http://www.linuxspace.org/>
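As an added illustration (not code from this thread), the triage that Dmitry and Alex are asking Людмила to do by hand, scripted: pull the "Invalid user" lines out of auth.log, check each source address against the DROP'd networks from the iptables listing, and flag only the attempts that postdate the rule. The log lines are constructed, and RULES_ADDED (when the DROP rules went in) is an assumed placeholder.

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample of /var/log/auth.log lines (not from the thread); the
# source addresses are the ones the logwatch report above listed.
AUTH_LOG = """\
Sep 27 03:12:41 srv sshd[2101]: Invalid user admin from 122.225.109.116
Sep 28 14:05:09 srv sshd[2215]: Invalid user oracle from 193.238.157.34
Sep 28 22:40:17 srv sshd[2301]: Invalid user test from 122.225.109.194
Sep 29 09:55:02 srv sshd[2444]: Accepted publickey for root from 83.220.237.97 port 51022 ssh2
"""

# Subset of the DROP rules from the `iptables -L -v` output in the thread.
BLOCKED = [ipaddress.ip_network(n) for n in ("122.225.0.0/16", "175.42.0.0/16", "222.77.0.0/16")]

# Assumed (placeholder): when the DROP rules were inserted; take the real value
# from your shell history or from the timestamp noted when adding them.
RULES_ADDED = datetime(2014, 9, 28, 18, 0)

INVALID_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Invalid user (\S+) from (\S+)$")

def parse_invalid_users(log_text, year=2014):
    """Return (timestamp, user, ip) per 'Invalid user' line; syslog has no year."""
    hits = []
    for line in log_text.splitlines():
        m = INVALID_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            hits.append((ts, m.group(2), ipaddress.ip_address(m.group(3))))
    return hits

def classify(hits, blocked, rules_added):
    """'unblocked': not in any DROP'd net; 'before-rule': in a DROP'd net but
    logged before the rule existed; 'leak': reached sshd despite the rule, so
    look for an ACCEPT above the DROP or a rule bound to the wrong interface."""
    out = []
    for ts, user, ip in hits:
        if not any(ip in net for net in blocked):
            label = "unblocked"
        elif ts < rules_added:
            label = "before-rule"
        else:
            label = "leak"
        out.append((str(ip), user, label))
    return out
```

A "before-rule" verdict means logwatch is reporting honestly on a period the rule did not yet cover, which is the cheapest explanation for the discrepancy in the original question; only "leak" rows point at the firewall itself.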