Views: 4663 | Replies: 21
OpenWrt keeps getting attacked, what should I do?
This post was last edited by micro.duke at 12:36
I flashed someone else's firmware and have already disabled root password login. This guy has been trying to log in every day for the past few days, no idea what he is after. He is from Nanning, Guangxi. Part of the log follows:
Wed Jul 30 12:12:22 2014 authpriv.warn dropbear[3744]: Login attempt for nonexistent user from 116.10.191.183:3526
Wed Jul 30 12:12:22 dropbear[3744]: Exit before auth: Max auth tries reached - user 'is invalid' from 116.10.191.183:3526
Wed Jul 30 12:12:22 dropbear[3747]: Child connection from 116.10.191.183:3977
Wed Jul 30 12:12:24 dropbear[3745]: Exit before auth (user 'root', 10 fails): Max auth tries reached - user 'root' from 116.10.191.183:3610
Wed Jul 30 12:12:24 dropbear[3748]: Child connection from 116.10.191.183:4073
Wed Jul 30 12:12:25 2014 authpriv.warn dropbear[3747]: Login attempt for nonexistent user from 116.10.191.183:3977
Wed Jul 30 12:12:25 2014 authpriv.warn dropbear[3747]: Login attempt for nonexistent user from 116.10.191.183:3977
Wed Jul 30 12:12:25 dropbear[3746]: Exit before auth (user 'root', 10 fails): Max auth tries reached - user 'root' from 116.10.191.183:3784
Wed Jul 30 12:12:25 dropbear[3749]: Child connection from 116.10.191.183:4179
Wed Jul 30 12:12:26 2014 authpriv.warn dropbear[3747]: Login attempt for nonexistent user from 116.10.191.183:3977
Wed Jul 30 12:12:26 2014 authpriv.warn dropbear[3747]: Login attempt for nonexistent user from 116.10.191.183:3977
Wed Jul 30 12:12:26 2014 authpriv.warn dropbear[3747]: Login attempt for nonexistent user from 116.10.191.183:3977
Wed Jul 30 12:12:27 2014 authpriv.warn dropbear[3747]: Login attempt for nonexistent user from 116.10.191.183:3977
Wed Jul 30 12:12:27 2014 authpriv.warn dropbear[3747]: Login attempt for nonexistent user from 116.10.191.183:3977
Wed Jul 30 12:12:27 2014 authpriv.warn dropbear[3747]: Login attempt for nonexistent user from 116.10.191.183:3977
Wed Jul 30 12:12:27 2014 authpriv.warn dropbear[3747]: Login attempt for nonexistent user from 116.10.191.183:3977
Wed Jul 30 12:12:28 2014 authpriv.warn dropbear[3747]: Login attempt for nonexistent user from 116.10.191.183:3977
Wed Jul 30 12:12:28 2014 authpriv.warn dropbear[3747]: Login attempt for nonexistent user from 116.10.191.183:3977
Wed Jul 30 12:12:28 dropbear[3747]: Exit before auth: Max auth tries reached - user 'is invalid' from 116.10.191.183:3977
Wed Jul 30 12:12:28 dropbear[3750]: Child connection from 116.10.191.183:4375
Wed Jul 30 12:12:31 2014 authpriv.warn dropbear[3750]: Login attempt for nonexistent user from 116.10.191.183:4375
Wed Jul 30 12:12:31 2014 authpriv.warn dropbear[3750]: Login attempt for nonexistent user from 116.10.191.183:4375
Wed Jul 30 12:12:31 dropbear[3748]: Exit before auth (user 'root', 10 fails): Max auth tries reached - user 'root' from 116.10.191.183:4073
Wed Jul 30 12:12:31 2014 authpriv.warn dropbear[3750]: Login attempt for nonexistent user from 116.10.191.183:4375
Wed Jul 30 12:12:31 dropbear[3751]: Child connection from 116.10.191.183:4537
Wed Jul 30 12:12:32 2014 authpriv.warn dropbear[3750]: Login attempt for nonexistent user from 116.10.191.183:4375
Wed Jul 30 12:12:32 2014 authpriv.warn dropbear[3750]: Login attempt for nonexistent user from 116.10.191.183:4375
Wed Jul 30 12:12:32 dropbear[3749]: Exit before auth (user 'root', 10 fails): Max auth tries reached - user 'root' from 116.10.191.183:4179
Wed Jul 30 12:12:32 2014 authpriv.warn dropbear[3750]: Login attempt for nonexistent user from 116.10.191.183:4375
Wed Jul 30 12:12:32 dropbear[3752]: Child connection from 116.10.191.183:4607
Wed Jul 30 12:12:33 2014 authpriv.warn dropbear[3750]: Login attempt for nonexistent user from 116.10.191.183:4375
Wed Jul 30 12:12:33 2014 authpriv.warn dropbear[3750]: Login attempt for nonexistent user from 116.10.191.183:4375
Wed Jul 30 12:12:33 2014 authpriv.warn dropbear[3750]: Login attempt for nonexistent user from 116.10.191.183:4375
Wed Jul 30 12:12:34 2014 authpriv.warn dropbear[3750]: Login attempt for nonexistent user from 116.10.191.183:4375
Wed Jul 30 12:12:34 2014 authpriv.warn dropbear[3750]: Login attempt for nonexistent user from 116.10.191.183:4375
Wed Jul 30 12:12:34 dropbear[3750]: Exit before auth: Max auth tries reached - user 'is invalid' from 116.10.191.183:4375
Wed Jul 30 12:12:34 dropbear[3753]: Child connection from 116.10.191.183:4730
Wed Jul 30 12:12:38 2014 authpriv.warn dropbear[3753]: Login attempt for nonexistent user from 116.10.191.183:4730
Wed Jul 30 12:12:38 2014 authpriv.warn dropbear[3753]: Login attempt for nonexistent user from 116.10.191.183:4730
Wed Jul 30 12:12:38 dropbear[3751]: Exit before auth (user 'root', 10 fails): Max auth tries reached - user 'root' from 116.10.191.183:4537
Wed Jul 30 12:12:38 dropbear[3754]: Child connection from 116.10.191.183:4914
Wed Jul 30 12:12:38 2014 authpriv.warn dropbear[3753]: Login attempt for nonexistent user from 116.10.191.183:4730
Wed Jul 30 12:12:38 2014 authpriv.warn dropbear[3753]: Login attempt for nonexistent user from 116.10.191.183:4730
Wed Jul 30 12:12:39 2014 authpriv.warn dropbear[3753]: Login attempt for nonexistent user from 116.10.191.183:4730
Wed Jul 30 12:12:39 2014 authpriv.warn dropbear[3753]: Login attempt for nonexistent user from 116.10.191.183:4730
Wed Jul 30 12:12:39 2014 authpriv.warn dropbear[3753]: Login attempt for nonexistent user from 116.10.191.183:4730
Wed Jul 30 12:12:40 2014 authpriv.warn dropbear[3753]: Login attempt for nonexistent user from 116.10.191.183:4730
Wed Jul 30 12:12:40 2014 authpriv.warn dropbear[3753]: Login attempt for nonexistent user from 116.10.191.183:4730
Wed Jul 30 12:12:40 dropbear[3752]: Exit before auth (user 'root', 10 fails): Max auth tries reached - user 'root' from 116.10.191.183:4607
Wed Jul 30 12:12:40 dropbear[3725]: Exit before auth: Error reading: Connection reset by peer
Wed Jul 30 12:12:40 dropbear[3754]: Exit before auth: Error reading: Connection reset by peer
Wed Jul 30 12:12:40 dropbear[3753]: Exit before auth: Error writing
Wed Jul 30 12:13:40 dropbear[3759]: Exit before auth (user 'root', 1 fails): Exited normally
Wed Jul 30 12:18:00 dropbear[2189]: Exit (root): Exited normally
Wed Jul 30 12:18:17 dropbear[2381]: Exit (root): Exited normally
Wed Jul 30 12:20:16 dropbear[2887]: Exit (root): Error writing
Wed Jul 30 12:21:35 dropbear[3894]: Exit (root): Error writing
At this point you need a script that bans IPs automatically:
#!/bin/sh
#
# dropBrute.sh by robzr
#
# minimalist OpenWRT/dropbear ssh brute force attack banning script
#
# Installation steps:
#
# 1) Optionally edit the variables in the header of this script to customise
#    for your environment
#
# 2) Insert a reference for this rule in your firewall script before you
#    accept ssh, something like:
#
#    iptables -N dropBrute
#    iptables -I input_rule -i br-wan -p tcp --dport 22 -j dropBrute
#    iptables -I input_rule -i br-wan -p tcp --dport 22 -m state --state NEW -m limit --limit 6/min --limit-burst 6 -j ACCEPT
#
# 3) Run the script periodically out of cron:
#
#    echo '*/10 * * * * /usr/sbin/dropBrute.sh >> /tmp/dropBrute.log 2>&1' >> /etc/crontabs/root
#
# 4) If cron is not enabled, you'll also need to run the following:
#
#    /etc/init.d/cron enable && /etc/init.d/cron start
#
#
# To whitelist hosts or networks, simply add a manual entry to the lease
# file with a leasetime of -1.  This can be done with the following syntax:
#
#    echo -1 192.168.1.0/24 >> /tmp/dropBrute.leases
#
# A static, or non-expiring blacklist of a host or network can also be
# added, just use a lease time of 0.  This can be done with the following syntax:
#
#    echo 0 1.2.3.0/24 >> /tmp/dropBrute.leases

# How many bad attempts before banning. Only the log entries from the
# current day are checked.
allowedAttempts=10

# How long IPs are banned for after the current day ends.
# default is 7 days
secondsToBan=$((7*60*60*24))

# the "lease" file - defaults to /tmp which does not persist across reboots
leaseFile=/tmp/dropBrute.leases

# This is the iptables chain that drop commands will go into.
# you will need to put a reference in your firewall rules for this
iptChain=dropBrute

# the IP Tables drop rule
iptDropRule='-j DROP'

# the IP Tables whitelist rule
iptWhiteRule='-j RETURN'

# You can put default leasefile entries in the following space.
# Syntax is simply "leasetime _space_ IP_or_network".  A leasetime of -1 is a
# whitelist entry, and a leasetime of 0 is a permanent blacklist entry.
[ -f $leaseFile ] || cat <<__EOF__ >$leaseFile
-1 192.168.1.0/24
__EOF__

# End of user customizable variables (unless you know better :) )

ipt='/usr/sbin/iptables'

# Refuse to run while the clock is still at its 1970 default, since ban expiry
# times are epoch stamps. The threshold was lost from the forum post; the value
# 1000000000 (September 2001) used here is an assumption.
[ `date +'%s'` -lt 1000000000 ] && echo System date not set, aborting. && exit 1

$ipt -N $iptChain 2>/dev/null

today=`date +'%b %e'`   # space-padded day, matching logread's ctime format
now=`date +'%s'`
nowPlus=$((now + secondsToBan))

echo Running dropBrute on `date` \($now\)

if [ `$ipt -S $iptChain|fgrep "$iptChain"|wc -l` -lt 1 ] ; then
  $ipt -N $iptChain
fi

if [ `$ipt -S input_wan_rule|fgrep "$iptChain"|wc -l` -lt 1 ] ; then
  $ipt -I input_wan_rule -p tcp --dport 22 -j $iptChain
fi

# find new badIPs: the source address of every dropbear "attempt ... from IP:port"
# line logged today (the field before the last ':' is the IP)
badIPs=`logread|fgrep "$today"|awk -F 'from |:' /dropbear.*attempt.*from/'{print $(NF-1)}'`
for badIP in `echo "$badIPs"|sort -u` ; do
  # -x matches the whole line, so 1.2.3.4 is not credited with 11.2.3.45's attempts
  found=`echo "$badIPs"|fgrep -x $badIP|wc -l`
  if [ $found -gt $allowedAttempts ] ; then
    if [ `egrep \ $badIP\$ $leaseFile|wc -l` -gt 0 ] ; then
      # an existing timed ban is extended; -1 and 0 entries are left alone
      [ `egrep \ $badIP\$ $leaseFile|cut -f1 -d\ ` -gt 0 ] && sed -i 's/^.* '$badIP\$/$nowPlus\ $badIP\/ $leaseFile
    else
      echo $nowPlus $badIP >> $leaseFile
    fi
  fi
done

# now parse the leaseFile
while read lease
do
  leaseTime=`echo $lease|cut -f1 -d\ `
  leaseIP=`echo $lease|cut -f2 -d\ `
  if [ $leaseTime -lt 0 ] ; then
    # whitelist entry: a RETURN rule at the top of the chain, so it wins over DROP rules
    if [ `$ipt -S $iptChain|egrep \ $leaseIP/32\ \|\ $leaseIP\ |fgrep -- "$iptWhiteRule"| wc -l` -lt 1 ] ; then
      echo Adding new whitelist rule for $leaseIP
      $ipt -I $iptChain -s $leaseIP $iptWhiteRule
    fi
  elif [ $leaseTime -ge 1 -a $now -gt $leaseTime ] ; then
    # timed ban that has run out: remove the rule and the lease line
    echo Expiring lease for $leaseIP
    $ipt -D $iptChain -s $leaseIP $iptDropRule
    sed -i /$leaseIP/d $leaseFile
  elif [ $leaseTime -ge 0 -a `$ipt -S $iptChain|egrep \ $leaseIP/32\ \|\ $leaseIP\ |wc -l` -lt 1 ] ; then
    # permanent (0) or still-valid timed ban without a rule yet
    echo Adding new rule for $leaseIP
    $ipt -A $iptChain -s $leaseIP $iptDropRule
  fi
done < $leaseFile
Save the code above as /etc/dropBrute.sh
Add the following to the scheduled tasks (crontab):
*/10 * * * * /etc/dropBrute.sh >> /tmp/dropBrute.log 2>&1
Every 10 minutes it checks the system log and blocks the IPs that got the password or the username wrong.
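As an added example (not from the thread and not robzr's code), the two decisions dropBrute.sh makes, which IPs exceed the threshold and how the lease file changes, rewritten as text-only shell functions so they can be checked without iptables or logread; unlike the original's fgrep $badIP, the IP is compared exactly. The log lines, the hosts 198.51.100.7, 11.2.3.45 and 1.2.3.4, and the epoch values are constructed sample data.

```shell
#!/bin/sh
# Added example: dropBrute.sh's decision logic as text-only functions, so the
# ban list can be checked without iptables or logread. Assumes logread-format
# lines as in the thread and lease lines of the form "<leasetime> <ip_or_net>".

# Print "<count> <ip>" for each source IP with more than $1 dropbear auth
# failures on stdin. Same line selection as the original awk, but the IP is
# compared exactly (the original's "fgrep $badIP" also counts 11.2.3.45 as 1.2.3.4).
count_offenders() {
    awk -v max="$1" '
        /dropbear.*attempt.*from/ { ip = $NF; sub(/:[0-9]+$/, "", ip); n[ip]++ }
        END { for (ip in n) if (n[ip] > max) print n[ip], ip }
    ' | sort -k2
}

# True if the IP field of some lease/offender line on stdin equals $1 exactly.
has_ip() { awk -v ip="$1" '$2 == ip { f = 1 } END { exit !f }'; }
# Merge offender lines (stdin) into lease list $2 with expiry epoch $1: -1 and 0
# entries are never changed, an existing timed ban is refreshed, a new offender
# is appended. Prints the new lease list.
update_leases() {
    expiry=$1; leases=$2; offenders=$(cat)
    printf '%s\n' "$leases" | while read -r lt ip; do
        [ -n "$ip" ] || continue
        if [ "$lt" -gt 0 ] && printf '%s\n' "$offenders" | has_ip "$ip"; then
            echo "$expiry $ip"              # refresh a timed ban
        else
            echo "$lt $ip"                  # whitelist / permanent / unchanged
        fi
    done
    printf '%s\n' "$offenders" | while read -r cnt ip; do
        [ -n "$ip" ] || continue
        printf '%s\n' "$leases" | has_ip "$ip" || echo "$expiry $ip"   # new ban
    done
}

# Constructed sample log: the thread's attacker three times, a second host
# twice, and near-miss IPs 11.2.3.45 and 1.2.3.4 once each.
SAMPLE_LOG="Wed Jul 30 12:12:22 2014 authpriv.warn dropbear[3744]: Login attempt for nonexistent user from 116.10.191.183:3526
Wed Jul 30 12:12:25 2014 authpriv.warn dropbear[3747]: Login attempt for nonexistent user from 116.10.191.183:3977
Wed Jul 30 12:12:26 2014 authpriv.warn dropbear[3747]: Bad password attempt for 'root' from 116.10.191.183:3977
Wed Jul 30 12:12:30 2014 authpriv.warn dropbear[3760]: Bad password attempt for 'admin' from 198.51.100.7:40001
Wed Jul 30 12:12:31 2014 authpriv.warn dropbear[3761]: Bad password attempt for 'admin' from 198.51.100.7:40002
Wed Jul 30 12:12:32 2014 authpriv.warn dropbear[3762]: Login attempt for nonexistent user from 11.2.3.45:50000
Wed Jul 30 12:12:33 2014 authpriv.warn dropbear[3763]: Login attempt for nonexistent user from 1.2.3.4:50001"
# Constructed lease list: the page's whitelist, a permanent ban and a timed ban.
SAMPLE_LEASES="-1 192.168.1.0/24
0 1.2.3.0/24
1406700000 116.10.191.183"
```

Like the original pattern, count_offenders only sees lines containing "attempt", so the "Exit before auth (user 'root', 10 fails)" summaries in the log above are not counted; run `printf '%s\n' "$SAMPLE_LOG" | count_offenders 1 | update_leases 1407304800 "$SAMPLE_LEASES"` to see the refreshed and appended bans.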
That just adds CPU load for no good reason. If you have the space, I would rather go with knockd.
If you do not really need it, just close SSH to the outside entirely. Otherwise try restricting source IPs in iptables. You can search Baidu for the specifics.
I keep SSH open mainly because the company restricts the network. I mainly use it for an SSH tunnel as a proxy; an ordinary SOCKS proxy is blocked by the company as well.
Use iptables to defend against SSH attacks
Close port 22 to the WAN, then map a different port to 22.
I keep SSH open mainly because the company restricts the network. I mainly use it for an SSH tunnel as a proxy; an ordinary SOCKS proxy is blocked by the company as well.
Right, I set up a Raspberry Pi-like dev board as the entry proxy.
This post was last edited by fkpwolf at 13:50
Close port 22 to the WAN, then map a different port to 22.
Right, I set up a Raspberry Pi-like dev board as the main entry point. I do not think a router CPU is well suited to SSH; the encryption and decryption eat too much CPU.
I keep SSH open mainly because the company restricts the network. I mainly use it for an SSH tunnel as a proxy; an ordinary SOCKS proxy is blocked by the company as well.
fail2ban, not sure whether there is an OpenWrt version.
Don't run SSH on port 22; just switch to a high-numbered port.
These days people scan port 22 on the internet every day, all from compromised zombie machines, and it fills the log with error records that are really annoying to look at.
Use knockd:
This feature is great. Awesome.
Thanks, I'll study it.
I ran into the same problem; just set a policy in the firewall to deny external access.
I was testing at work before, so the access IP was fixed. Have you solved this by now?
No good, I need access from non-fixed IPs myself.
Use knockd:
http://linux.vbird.org/linux_security/knockd.php
http://wiki.openwrt.org/doc/how ...
Learned something, haha.
This is good. Worth bookmarking.