SSHD Security
If you have no choice but to expose SSHD to the outside world, you must harden it: the number of break-in attempts it will receive is far higher than you would expect. Doing at least the two things below makes the situation somewhat better. If at all possible, though, do not open the SSHD port at all and use a VPN instead.
- Block root login
# vi /etc/ssh/sshd_config
PermitRootLogin no
# /etc/init.d/sshd restart
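Editing sshd_config by hand is fine once, but a repeatable script is easier to audit. The function below is an added example, not code from the original post: it sets a directive idempotently (no duplicate or commented-out copy left behind) and inserts it at the top of the file, because sshd uses the first occurrence of a keyword and a line appended after a Match block would belong to that block. The demo runs on a constructed temporary file rather than on /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example, not part of the original post: change an sshd_config
# directive idempotently. The directive is written as the FIRST line because
# sshd honours the first occurrence of a keyword, and anything appended after
# a "Match" block would apply to that block only.

# set_sshd_option FILE KEY VALUE
#   Removes every existing line for KEY (active or commented out, any case)
#   and writes "KEY VALUE" as the first line. Exit status is non-zero if the
#   directive is missing afterwards.
set_sshd_option() {
    file="$1"; key="$2"; value="$3"
    tmp="${file}.tmp.$$"
    {
        printf '%s %s\n' "$key" "$value"
        # grep -v exits 1 when it drops every line; that is not an error here.
        grep -v -i -E "^[[:space:]]*#?[[:space:]]*${key}([[:space:]]|$)" "$file" || true
    } > "$tmp"
    mv "$tmp" "$file"
    grep -q -i -E "^${key}[[:space:]]+${value}$" "$file"
}

# get_sshd_option FILE KEY
#   Prints the value sshd would use: the first active (uncommented) line.
#   Simplification: it does not distinguish a global line from one inside
#   a Match block, which is why set_sshd_option always writes at the top.
get_sshd_option() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# Demo on a constructed copy so the example runs without touching /etc/ssh.
demo_file=$(mktemp)
printf '#PermitRootLogin yes\nPort 22\nMatch User backup\n    PasswordAuthentication no\n' > "$demo_file"
set_sshd_option "$demo_file" PermitRootLogin no
echo "PermitRootLogin is now: $(get_sshd_option "$demo_file" PermitRootLogin)"
rm -f "$demo_file"
```

On a real host, run it against a copy first (`cp /etc/ssh/sshd_config /tmp/sshd_config.new; set_sshd_option /tmp/sshd_config.new PermitRootLogin no`), validate the copy with `sshd -t -f /tmp/sshd_config.new`, and only then move it into place and restart sshd; keep your existing session open until a fresh login succeeds.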
- DenyHosts
- Install (CentOS)
# yum install denyhosts
- Checking that it works: look at which IPs have been failing to log in. DenyHosts itself reads /var/log/secure to decide what to block, but lastb shows essentially the same information, so checking with lastb is good enough here.
# lastb -i
root     ssh:notty    123.140.148.160  Mon Jul  4 06:49 - 06:49  (00:00)
root     ssh:notty    123.140.148.160  Mon Jul  4 06:49 - 06:49  (00:00)
root     ssh:notty    123.140.148.160  Mon Jul  4 06:49 - 06:49  (00:00)
root     ssh:notty    123.140.148.160  Mon Jul  4 06:49 - 06:49  (00:00)
root     ssh:notty    123.140.148.160  Mon Jul  4 06:49 - 06:49  (00:00)
root     ssh:notty    178.18.19.114    Sun Jul  3 14:17 - 14:17  (00:00)
root     ssh:notty    178.18.19.114    Sun Jul  3 14:17 - 14:17  (00:00)
root     ssh:notty    178.18.19.114    Sun Jul  3 14:17 - 14:17  (00:00)
root     ssh:notty    178.18.19.114    Sun Jul  3 14:16 - 14:16  (00:00)
root     ssh:notty    178.18.19.114    Sun Jul  3 14:16 - 14:16  (00:00)
root     ssh:notty    178.18.19.114    Sun Jul  3 14:16 - 14:16  (00:00)
root     ssh:notty    211.214.218.118  Sun Jul  3 10:00 - 10:00  (00:00)
root     ssh:notty    211.214.218.118  Sun Jul  3 10:00 - 10:00  (00:00)
root     ssh:notty    193.253.228.193  Sun Jul  3 06:05 - 06:05  (00:00)
root     ssh:notty    193.253.228.193  Sun Jul  3 06:04 - 06:04  (00:00)
wcostiga ssh:notty    195.70.27.20     Sun Jul  3 01:14 - 01:14  (00:00)
wcostiga ssh:notty    195.70.27.20     Sun Jul  3 01:14 - 01:14  (00:00)
root     ssh:notty    221.10.252.53    Sun Jul  3 01:14 - 01:14  (00:00)
jroyds   ssh:notty    195.70.27.20     Sun Jul  3 01:14 - 01:14  (00:00)
jroyds   ssh:notty    195.70.27.20     Sun Jul  3 01:14 - 01:14  (00:00)
root     ssh:notty    221.10.252.53    Sun Jul  3 01:14 - 01:14  (00:00)
cdimasci ssh:notty    195.70.27.20     Sun Jul  3 01:14 - 01:14  (00:00)
cdimasci ssh:notty    195.70.27.20     Sun Jul  3 01:14 - 01:14  (00:00)
root     ssh:notty    221.10.252.53    Sun Jul  3 01:14 - 01:14  (00:00)
goodrich ssh:notty    195.70.27.20     Sun Jul  3 01:14 - 01:14  (00:00)
root     ssh:notty    221.10.252.53    Sun Jul  3 01:14 - 01:14  (00:00)
goodrich ssh:notty    195.70.27.20     Sun Jul  3 01:14 - 01:14  (00:00)
root     ssh:notty    221.10.252.53    Sun Jul  3 01:14 - 01:14  (00:00)

btmp begins Sun Jul  3 01:14:34 2011
- Checking which IPs have been registered as blocked
# cat /etc/hosts.deny
#
# hosts.deny    This file describes the names of the hosts which are
#               *not* allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
# The portmap line is redundant, but it is left to remind you that
# the new secure portmap uses hosts.deny and hosts.allow.  In particular
# you should know that NFS uses portmap!
sshd: 221.10.252.53
sshd: 195.70.27.20
sshd: 193.253.228.193
sshd: 211.214.218.118
sshd: 178.18.19.114
sshd: 123.140.148.160
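To see at a glance which sources DenyHosts will end up blocking, it helps to aggregate the lastb output by IP instead of reading it line by line. The script below is an added example, not part of the original post or of DenyHosts: it counts failed SSH logins per source address from lastb-style output and prints the ones over a threshold in hosts.deny format, which is the same signal DenyHosts derives from /var/log/secure. The sample lines are constructed (documentation addresses), not the output above.

```shell
#!/bin/sh
# Added example, not from the original post: count failed SSH logins per
# source IP from `lastb -i` style output and list the sources that exceed a
# threshold as hosts.deny lines. The sample below is constructed for this
# example and uses RFC 5737 documentation addresses.

SAMPLE_LASTB='root     ssh:notty    203.0.113.10   Mon Jul  4 06:49 - 06:49  (00:00)
root     ssh:notty    203.0.113.10   Mon Jul  4 06:49 - 06:49  (00:00)
root     ssh:notty    203.0.113.10   Mon Jul  4 06:49 - 06:49  (00:00)
admin    ssh:notty    198.51.100.7   Sun Jul  3 14:17 - 14:17  (00:00)
root     ssh:notty    198.51.100.7   Sun Jul  3 14:16 - 14:16  (00:00)
guest    ssh:notty    192.0.2.44     Sun Jul  3 10:00 - 10:00  (00:00)

btmp begins Sun Jul  3 01:14:34 2011'

# count_failures: read lastb output on stdin and print "COUNT IP" per source,
# most frequent first. Only ssh entries (second column "ssh:notty") count, so
# the blank line and the "btmp begins" trailer are ignored.
count_failures() {
    awk '$2 == "ssh:notty" { n[$3]++ }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# over_threshold THRESHOLD: print "sshd: IP" for every source with at least
# THRESHOLD failures, i.e. the lines DenyHosts would add to /etc/hosts.deny.
over_threshold() {
    threshold="$1"
    count_failures | awk -v t="$threshold" '$1 >= t { print "sshd: " $2 }'
}

# Demo on the constructed sample. On a real host: lastb -i | over_threshold 3
printf '%s\n' "$SAMPLE_LASTB" | over_threshold 3
```

Compare the result with the sshd lines in /etc/hosts.deny: any source that appears here with many failures but is missing from hosts.deny means DenyHosts is not running or is not reading the log you expect.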