Re: iptables and logwatch
Людмила Бандурина
bigdogs.ru at gmail.com
Mon Sep 29 08:34:08 UTC 2014
Config /etc/ssh/sshd_config
# Package generated configuration file
# See the sshd_config(5) manpage for details
# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768
# Logging
SyslogFacility AUTH
LogLevel INFO
# Authentication:
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no
#MaxStartups 10:30:60
#Banner /etc/issue.net
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
On 29 September 2014 at 12:29, Людмила Бандурина <bigdogs.ru at gmail.com> wrote:
> hosts.allow
>
> sendmail: all
> # /etc/hosts.allow: list of hosts that are allowed to access the system.
> # See the manual pages hosts_access(5) and hosts_options(5).
> #
> # Example: ALL: LOCAL @some_netgroup
> # ALL: .foobar.edu EXCEPT terminalserver.foobar.edu
> #
> # If you're going to protect the portmapper use the name "portmap" for the
> # daemon name. Remember that you can only use the keyword "ALL" and IP
> # addresses (NOT host or domain names) for the portmapper, as well as for
> # rpc.mountd (the NFS mount daemon). See portmap(8) and rpc.mountd(8)
> # for further information.
> #
>
> The e-mail from logwatch
>
>
> --------------------- SSHD Begin ------------------------
>
>
> Illegal users from:
> undef: 53 times
> 61.183.1.14: 11 times
> 122.225.109.116: 1 time
> 122.225.109.194: 1 time
> 122.225.109.195: 1 time
> 122.225.109.197: 1 time
> 193.238.157.34 (shadow.charon.at): 26 times
> 212.129.56.29 (212-129-56-29.rev.poneytelecom.eu): 12 times
>
> Users logging in through sshd:
> root:
> 83.220.237.97: 3 times
> 83.220.237.40: 2 times
>
>
> Received disconnect:
> 11: Bye Bye [preauth] : 103 Time(s)
> 11: disconnected by user : 5 Time(s)
> 3: com.jcraft.jsch.JSchException: Auth fail [preauth] : 15 Time(s)
>
> Refused incoming connections:
> 193.238.157.34 (193.238.157.34): 2 Time(s)
> 212.129.56.29 (212.129.56.29): 1 Time(s)
> 27.254.33.142 (27.254.33.142): 12 Time(s)
> 61.183.1.14 (61.183.1.14): 1 Time(s)
>
> ---------------------- SSHD End -------------------------
>
> iptables -L -v
>
> Chain INPUT (policy ACCEPT 74600 packets, 48M bytes)
>  pkts bytes target     prot opt in     out     source                                              destination
>     0     0 DROP       all  --  any    any     175.42.0.0/16                                       anywhere
>    15   600 DROP       all  --  any    any     122.225.0.0/16                                      anywhere
>    12   480 DROP       all  --  any    any     0.0.174.61.dial.tz.zj.dynamic.163data.com.cn/16     anywhere
>   104  5268 DROP       all  --  any    any     222.77.0.0/16                                       anywhere
>     3   152 DROP       all  --  any    any     0.0.40.120.broad.fz.fj.dynamic.163data.com.cn/16    anywhere
>    26  1348 DROP       all  --  any    any     0.0.25.117.broad.fz.fj.dynamic.163data.com.cn/16    anywhere
>     0     0 DROP       all  --  any    any     110.80.0.0/16                                       anywhere
>     6   304 DROP       all  --  any    any     0.0.161.220.broad.zz.fj.dynamic.163data.com.cn/16   anywhere
>     0     0 DROP       all  --  any    any     0.0.207.121.broad.qz.fj.dynamic.163data.com.cn/16   anywhere
>     0     0 DROP       all  --  any    any     0.0.58.59.broad.np.fj.dynamic.163data.com.cn/16     anywhere
>     0     0 DROP       all  --  any    any     125.77.0.0/16                                       anywhere
>   107  5452 DROP       all  --  any    any     0.0.85.110.broad.qz.fj.dynamic.163data.com.cn/16    anywhere
>   114  5928 DROP       all  --  any    any     0.0.84.110.broad.xm.fj.dynamic.163data.com.cn/16    anywhere
>    57  2920 DROP       all  --  any    any     0.0.205.121.broad.qz.fj.dynamic.163data.com.cn/16   anywhere
>     3   152 DROP       all  --  any    any     0.0.76.222.broad.fz.fj.dynamic.163data.com.cn/16    anywhere
>    48  2496 DROP       all  --  any    any     0.0.87.110.broad.xm.fj.dynamic.163data.com.cn/16    anywhere
>    35  1804 DROP       all  --  any    any     0.0.78.125.broad.qz.fj.dynamic.163data.com.cn/16    anywhere
>    45  2340 DROP       all  --  any    any     0.0.32.120.broad.fz.fj.dynamic.163data.com.cn/16    anywhere
>    24  1216 DROP       all  --  any    any     0.0.83.110.broad.fz.fj.dynamic.163data.com.cn/16    anywhere
>   284 14312 DROP       all  --  any    any     27.150.0.0/16                                       anywhere
>     0     0 DROP       all  --  any    any     0.0.125.76.gs.dail.jqgt.dynamic.163data.com.cn/16   anywhere
>   185  9424 DROP       all  --  any    any     27.153.0.0/16                                       anywhere
>    93  4712 DROP       all  --  any    any     0.0.89.110.broad.pt.fj.dynamic.163data.com.cn/16    anywhere
>     6   304 DROP       all  --  any    any     0.0.204.121.board.fz.fj.dynamic.163data.com.cn/16   anywhere
>     0     0 DROP       all  --  any    any     120.36.0.0/16                                       anywhere
>    45  2280 DROP       all  --  any    any     0.0.33.120.broad.qz.fj.dynamic.163data.com.cn/16    anywhere
>     0     0 DROP       all  --  any    any     59.60.0.0/16                                        anywhere
>    75  3800 DROP       all  --  any    any     0.0.26.117.broad.qz.fj.dynamic.163data.com.cn/16    anywhere
>     0     0 DROP       all  --  any    any     0.0.154.27.broad.xm.fj.dynamic.163data.com.cn/16    anywhere
>   243 12312 DROP       all  --  any    any     0.0.159.27.broad.xm.fj.dynamic.163data.com.cn/16    anywhere
>     0     0 DROP       all  --  any    any     0.82.30.117.broad.xm.fj.dynamic.163data.com.cn/24   anywhere
>     0     0 DROP       all  --  any    any     0.29.154.27.broad.xm.fj.dynamic.163data.com.cn/24   anywhere
>     0     0 DROP       all  --  any    any     0.125.79.222.broad.xm.fj.dynamic.163data.com.cn/24  anywhere
>     0     0 DROP       all  --  any    any     0.125.79.222.broad.xm.fj.dynamic.163data.com.cn/24  anywhere
>     0     0 DROP       all  --  any    any     87.125.79.222.broad.xm.fj.dynamic.163data.com.cn    anywhere
>
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source                                              destination
>
> Chain OUTPUT (policy ACCEPT 93209 packets, 124M bytes)
>  pkts bytes target     prot opt in     out     source                                              destination
>
>
>
> --
> Regards, Людмила
>
>
> On 29 September 2014 at 12:17, Alan Holt <berber.it at gmail.com> wrote:
>
>> There is a mistake somewhere; attach the full iptables output and the log.
>> This also happens when the ssh daemon and the firewall chains are
>> misconfigured.
>>
>> Use /etc/hosts.allow as well.
>>
>> 2014-09-29 11:04 GMT+03:00 Людмила Бандурина <bigdogs.ru at gmail.com>:
>>
>>> Good afternoon,
>>>
>>> No, there are no allow rules in the list, only a few more of the same kind
>>> of deny rules for Chinese subnets.
>>>
>>> On 28 September 2014 at 20:42, Dmitry Agafonov <agafonovdmitry at gmail.com> wrote:
>>>
>>>> Good afternoon!
>>>>
>>>> A single rule on its own tells you nothing. Look at the counters and the rule
>>>> numbering (-v); perhaps nothing matches that rule at all and the traffic is
>>>> being handled by some allow rule higher up the list.
>>>>
>>>> On 28 September 2014 at 19:55, Людмила Бандурина <bigdogs.ru at gmail.com> wrote:
>>>>
>>>>> Hello everyone!
>>>>>
>>>>> iptables has the following:
>>>>> Chain INPUT (policy ACCEPT)
>>>>> target     prot opt source               destination
>>>>> DROP       all  --  122.225.0.0/16       anywhere
>>>>>
>>>>> Nevertheless, in the e-mail from logwatch I see
>>>>>
>>>>> Illegal users from:
>>>>> 122.225.109.116: 1 time
>>>>> 122.225.109.194: 1 time
>>>>> 122.225.109.195: 1 time
>>>>> 122.225.109.197: 1 time
>>>>>
>>>>> Why? I would have thought that if access is blocked by the firewall, these
>>>>> attempts should be in the "Refused incoming connections" section, shouldn't they?
>>>>>
>>>>> --
>>>>> Regards, Людмила
>>>>>
>>>>> --
>>>>> ubuntu-ru mailing list
>>>>> ubuntu-ru at lists.ubuntu.com
>>>>> https://lists.ubuntu.com/mailman/listinfo/ubuntu-ru
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> Dmitry Agafonov ~ http://agafonov.pp.ru/
>>>>
>>>>
>>>>
>>>
>>>
>>> --
>>> Regards, Людмила
>>>
>>>
>>>
>>
>>
>> --
>> Best regards,
>> Alex Berber
>> +9 72 54 285 952 3
>> www.linuxspace.org <http://www.linuxspace.org/>
>>
>>
>>
>
>
--
Regards, Людмила
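Added example, not part of the thread: a short Python script that cross-checks the two artefacts posted above, the logwatch SSHD section and the iptables INPUT chain. Two facts drive it. A packet dropped by iptables never reaches sshd, so an address that a DROP rule really matched cannot appear anywhere in the SSHD section of logwatch: neither under "Illegal users from" nor under "Refused incoming connections", which is sshd reporting a connection turned away by TCP wrappers (/etc/hosts.allow and /etc/hosts.deny), a separate layer that only sees connections the firewall let through. An entry under "Illegal users from" therefore means the connection reached sshd, and the remaining question is whether the rule covered that address at the time the line was logged. Second, `iptables -L` without `-n` reverse-resolves the source column, which is what produced names like `0.0.174.61.dial.tz.zj.dynamic.163data.com.cn/16` in the listing above; `iptables -L INPUT -v -n` prints the CIDRs and is what a script should consume. The script parses a numeric listing and the "Illegal users from" section and reports, for each attacker address, which DROP rule (if any) covers it, and flags source fields it cannot parse. The report and listing embedded below are constructed for this example (a cut-down version of what was posted, with one deliberately unparsable line), and the function names are my own.

```python
import ipaddress
import re

# Constructed sample: the "Illegal users from" section of a logwatch SSHD
# report, in the shape of the one posted in the thread (cut down).
LOGWATCH_SAMPLE = """\
--------------------- SSHD Begin ------------------------

Illegal users from:
   undef: 53 times
   61.183.1.14: 11 times
   122.225.109.116: 1 time
   122.225.109.194: 1 time
   193.238.157.34 (shadow.charon.at): 26 times

Users logging in through sshd:
   root:
      83.220.237.97: 3 times

---------------------- SSHD End -------------------------
"""

# Constructed sample of `iptables -L INPUT -v -n`. The last rule line is copied
# in the form a listing taken WITHOUT -n prints it, to show why that fails.
IPTABLES_SAMPLE = """\
Chain INPUT (policy ACCEPT 74600 packets, 48M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       175.42.0.0/16        0.0.0.0/0
   15   600 DROP       all  --  *      *       122.225.0.0/16       0.0.0.0/0
  104  5268 DROP       all  --  *      *       222.77.0.0/16        0.0.0.0/0
   12   480 DROP       all  --  *      *       0.0.174.61.dial.tz.zj.dynamic.163data.com.cn/16 0.0.0.0/0
"""

_COUNTER_SUFFIX = {"K": 10**3, "M": 10**6, "G": 10**9}


def parse_counter(text):
    """iptables -v abbreviates large counters (e.g. '48M'); use -x for exact values."""
    if text[-1] in _COUNTER_SUFFIX:
        return int(text[:-1]) * _COUNTER_SUFFIX[text[-1]]
    return int(text)


def parse_drop_rules(listing):
    """Return ([(source network, pkts)], [unparsable sources]) for DROP rules."""
    rules, unparsable = [], []
    for line in listing.splitlines():
        fields = line.split()
        # -v layout: pkts bytes target prot opt in out source destination
        if len(fields) < 9 or fields[2] != "DROP":
            continue
        src = fields[7]
        try:
            rules.append((ipaddress.ip_network(src, strict=False), parse_counter(fields[0])))
        except ValueError:
            unparsable.append(src)  # reverse-resolved name: listing taken without -n
    return rules, unparsable


# "1.2.3.4: 5 times", optionally with a "(hostname)" after the address
_ILLEGAL_LINE = re.compile(r"^\s*(\S+?)(?:\s+\([^)]*\))?:\s*(\d+)\s+times?\s*$")


def parse_illegal_users(report):
    """Return {ip: attempts} from the 'Illegal users from:' section; skips 'undef'."""
    counts = {}
    section = re.search(r"Illegal users from:\n(.*?)\n\s*\n", report, re.S)
    if not section:
        return counts
    for line in section.group(1).splitlines():
        m = _ILLEGAL_LINE.match(line)
        if not m:
            continue
        host, attempts = m.group(1), int(m.group(2))
        try:
            ipaddress.ip_address(host)
        except ValueError:
            continue  # 'undef' and other non-address entries
        counts[host] = attempts
    return counts


def check_report(report, listing):
    """For each attacker address, (attempts, covering DROP network or None)."""
    rules, _ = parse_drop_rules(listing)
    result = {}
    for ip, attempts in parse_illegal_users(report).items():
        addr = ipaddress.ip_address(ip)
        covering = next((str(net) for net, _ in rules if addr in net), None)
        result[ip] = (attempts, covering)
    return result


if __name__ == "__main__":
    _, bad = parse_drop_rules(IPTABLES_SAMPLE)
    for src in bad:
        print(f"cannot parse source {src!r}: take the listing with -n")
    for ip, (n, net) in sorted(check_report(LOGWATCH_SAMPLE, IPTABLES_SAMPLE).items()):
        if net is None:
            print(f"{ip}: {n} attempt(s), not covered by any DROP rule")
        else:
            print(f"{ip}: {n} attempt(s), covered by DROP {net} now, yet sshd saw them: "
                  f"check when the rule was added and whether an earlier rule accepts first")
```

A logwatch report covers a past window (by default the previous day), so the usual explanation for an address that is covered by a DROP rule but still appears under "Illegal users from" is that the log lines predate the rule; the non-zero packet counter on the rule shows it is matching now. If the counter stays at zero while the address keeps appearing, look for an ACCEPT rule above it in the chain, which is the case the earlier reply in this thread describes.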