Linux用root强制踢掉已登陆用户；用fail2ban阻止ssh暴力破解root密码

时间 2021-08-13

标签 centos bash less ssh socket ide 工具日志 dns 栏目 Linux 繁體版

原文原文链接

首先使用w命令查看全部在线用户：centos

[root@VM_152_184_centos /]# w
 20:50:14 up 9 days,  5:58,  3 users,  load average: 0.21, 0.05, 0.02
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
root     pts/0    101.45.224.253   20:48    0.00s  0.00s  0.00s w
root     pts/1    101.45.224.253   20:49   17.00s  0.00s  0.00s -bash
hmj      pts/2    101.45.224.253   20:50    2.00s  0.00s  0.00s -bash

执行命令：bash

pkill -kill -t TTY值

例：踢掉已登陆用户hmjless

pkill -kill -t pts/2

再用w命令查看是否已经强制踢掉：ssh

[root@VM_152_184_centos /]# w
 20:55:10 up 9 days,  6:03,  2 users,  load average: 0.03, 0.03, 0.00
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
root     pts/0    101.45.224.253   20:48    0.00s  0.00s  0.00s w
root     pts/1    101.45.224.253   20:49    5:13   0.00s  0.00s -bash

用fail2ban阻止ssh暴力破解root密码

安装fail2ban工具来实现防暴力破解，防止恶意***，锁定恶意***IP。

一、若是是centos系统，先yum安装fail2bansocket

[root@VM_152_184_centos /]# yum -y install fail2ban

二、为了更好的看到有哪些IP在尝试暴利破解，先定义好日志文件路径ide

[root@VM_152_184_centos /]# cat /etc/fail2ban/fail2ban.conf |grep -v ^#
 
[Definition]
 
loglevel = 3
 
logtarget = SYSLOG　　//这里是日志路径，能够自定义，好比：/var/log/fail2ban.log
 
socket = /var/run/fail2ban/fail2ban.sock
 
pidfile = /var/run/fail2ban/fail2ban.pid

三、自定义主配置文件（固然，也能够不修改，保持默认配置）工具

[root@VM_152_184_centos /]# cat /etc/fail2ban/jail.conf |grep -v ^# |less
 
[DEFAULT]
 
ignoreip = 127.0.0.1/8
 
bantime  = 600　　//屏蔽、锁定时间，单位：s
 
findtime  = 600　　//600s内尝试登录失败超过规定次数将被锁定
 
maxretry = 3　　//最大登录失败次数
 
backend = auto
 
usedns = warn

四、最后，启动fail2ban，使其配置生效日志

[root@VM_152_184_centos /]# service fail2ban start

最后，再查看一下fail2ban日志文件，能够看到已经屏蔽的IP列表（Ban ip是屏蔽/锁定的IP，Unban ip是自动解锁的IP）dns

[root@VM_152_184_centos /]# cat /var/log/fail2ban.log | grep "ban"
2014-04-15 21:12:18,053 fail2ban.actions: WARNING [ssh-iptables] Ban 198.104.137.151
2014-04-15 21:42:19,037 fail2ban.actions: WARNING [ssh-iptables] Unban 198.104.137.151
2014-04-15 22:12:16,001 fail2ban.actions: WARNING [ssh-iptables] Ban 116.10.191.218
2014-04-15 22:42:16,305 fail2ban.actions: WARNING [ssh-iptables] Unban 116.10.191.218
2014-04-15 23:02:02,609 fail2ban.actions: WARNING [ssh-iptables] Ban 117.34.91.170
2014-04-15 23:26:10,651 fail2ban.actions: WARNING [ssh-iptables] Ban 116.10.191.172
2014-04-15 23:28:02,391 fail2ban.actions: WARNING [ssh-iptables] Ban 198.104.137.151
2014-04-15 23:32:03,428 fail2ban.actions: WARNING [ssh-iptables] Unban 117.34.91.170
2014-04-15 23:46:07,364 fail2ban.actions: WARNING [ssh-iptables] Ban 116.10.191.205
2014-04-15 23:56:10,893 fail2ban.actions: WARNING [ssh-iptables] Unban 116.10.191.172

首先使用w命令查看全部在线用户：ip

[root@VM_152_184_centos /]# w
 20:50:14 up 9 days,  5:58,  3 users,  load average: 0.21, 0.05, 0.02
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
root     pts/0    101.45.224.253   20:48    0.00s  0.00s  0.00s w
root     pts/1    101.45.224.253   20:49   17.00s  0.00s  0.00s -bash
hmj      pts/2    101.45.224.253   20:50    2.00s  0.00s  0.00s -bash

执行命令：

pkill -kill -t TTY值

例：踢掉已登陆用户hmj

pkill -kill -t pts/2

再用w命令查看是否已经强制踢掉：

[root@VM_152_184_centos /]# w
 20:55:10 up 9 days,  6:03,  2 users,  load average: 0.03, 0.03, 0.00
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
root     pts/0    101.45.224.253   20:48    0.00s  0.00s  0.00s w
root     pts/1    101.45.224.253   20:49    5:13   0.00s  0.00s -bash

用fail2ban阻止ssh暴力破解root密码

安装fail2ban工具来实现防暴力破解，防止恶意***，锁定恶意***IP。

一、若是是centos系统，先yum安装fail2ban

[root@VM_152_184_centos /]# yum -y install fail2ban

二、为了更好的看到有哪些IP在尝试暴利破解，先定义好日志文件路径

[root@VM_152_184_centos /]# cat /etc/fail2ban/fail2ban.conf |grep -v ^#
 
[Definition]
 
loglevel = 3
 
logtarget = SYSLOG　　//这里是日志路径，能够自定义，好比：/var/log/fail2ban.log
 
socket = /var/run/fail2ban/fail2ban.sock
 
pidfile = /var/run/fail2ban/fail2ban.pid

三、自定义主配置文件（固然，也能够不修改，保持默认配置）

[root@VM_152_184_centos /]# cat /etc/fail2ban/jail.conf |grep -v ^# |less
 
[DEFAULT]
 
ignoreip = 127.0.0.1/8
 
bantime  = 600　　//屏蔽、锁定时间，单位：s
 
findtime  = 600　　//600s内尝试登录失败超过规定次数将被锁定
 
maxretry = 3　　//最大登录失败次数
 
backend = auto
 
usedns = warn

四、最后，启动fail2ban，使其配置生效

[root@VM_152_184_centos /]# service fail2ban start

最后，再查看一下fail2ban日志文件，能够看到已经屏蔽的IP列表（Ban ip是屏蔽/锁定的IP，Unban ip是自动解锁的IP）

[root@VM_152_184_centos /]# cat /var/log/fail2ban.log | grep "ban"
2014-04-15 21:12:18,053 fail2ban.actions: WARNING [ssh-iptables] Ban 198.104.137.151
2014-04-15 21:42:19,037 fail2ban.actions: WARNING [ssh-iptables] Unban 198.104.137.151
2014-04-15 22:12:16,001 fail2ban.actions: WARNING [ssh-iptables] Ban 116.10.191.218
2014-04-15 22:42:16,305 fail2ban.actions: WARNING [ssh-iptables] Unban 116.10.191.218
2014-04-15 23:02:02,609 fail2ban.actions: WARNING [ssh-iptables] Ban 117.34.91.170
2014-04-15 23:26:10,651 fail2ban.actions: WARNING [ssh-iptables] Ban 116.10.191.172
2014-04-15 23:28:02,391 fail2ban.actions: WARNING [ssh-iptables] Ban 198.104.137.151
2014-04-15 23:32:03,428 fail2ban.actions: WARNING [ssh-iptables] Unban 117.34.91.170
2014-04-15 23:46:07,364 fail2ban.actions: WARNING [ssh-iptables] Ban 116.10.191.205
2014-04-15 23:56:10,893 fail2ban.actions: WARNING [ssh-iptables] Unban 116.10.191.172

安装fail2ban工具来实现防暴力破解，防止恶意***，锁定恶意***IP。

一、若是是centos系统，先yum安装fail2ban

[root@VM_152_184_centos /]# yum -y install fail2ban

二、为了更好的看到有哪些IP在尝试暴利破解，先定义好日志文件路径

[root@VM_152_184_centos /]# cat /etc/fail2ban/fail2ban.conf |grep -v ^#
 
[Definition]
 
loglevel = 3
 
logtarget = SYSLOG　　//这里是日志路径，能够自定义，好比：/var/log/fail2ban.log
 
socket = /var/run/fail2ban/fail2ban.sock
 
pidfile = /var/run/fail2ban/fail2ban.pid

三、自定义主配置文件（固然，也能够不修改，保持默认配置）

[root@VM_152_184_centos /]# cat /etc/fail2ban/jail.conf |grep -v ^# |less
 
[DEFAULT]
 
ignoreip = 127.0.0.1/8
 
bantime  = 600　　//屏蔽、锁定时间，单位：s
 
findtime  = 600　　//600s内尝试登录失败超过规定次数将被锁定
 
maxretry = 3　　//最大登录失败次数
 
backend = auto
 
usedns = warn

四、最后，启动fail2ban，使其配置生效

[root@VM_152_184_centos /]# service fail2ban start

最后，再查看一下fail2ban日志文件，能够看到已经屏蔽的IP列表（Ban ip是屏蔽/锁定的IP，Unban ip是自动解锁的IP）

[root@VM_152_184_centos /]# cat /var/log/fail2ban.log | grep "ban"
2014-04-15 21:12:18,053 fail2ban.actions: WARNING [ssh-iptables] Ban 198.104.137.151
2014-04-15 21:42:19,037 fail2ban.actions: WARNING [ssh-iptables] Unban 198.104.137.151
2014-04-15 22:12:16,001 fail2ban.actions: WARNING [ssh-iptables] Ban 116.10.191.218
2014-04-15 22:42:16,305 fail2ban.actions: WARNING [ssh-iptables] Unban 116.10.191.218
2014-04-15 23:02:02,609 fail2ban.actions: WARNING [ssh-iptables] Ban 117.34.91.170
2014-04-15 23:26:10,651 fail2ban.actions: WARNING [ssh-iptables] Ban 116.10.191.172
2014-04-15 23:28:02,391 fail2ban.actions: WARNING [ssh-iptables] Ban 198.104.137.151
2014-04-15 23:32:03,428 fail2ban.actions: WARNING [ssh-iptables] Unban 117.34.91.170
2014-04-15 23:46:07,364 fail2ban.actions: WARNING [ssh-iptables] Ban 116.10.191.205
2014-04-15 23:56:10,893 fail2ban.actions: WARNING [ssh-iptables] Unban 116.10.191.172