- 요 몇일 서버에 안들어갔다가 들어가니, 총 5800건의 시도중 root 계정으로 접속 시도가 800건이나 있었음
last -f /var/log/btmp | tac
=====================================================================
root ssh:notty 118.220.172.125 Fri Sep 6 11:08 - 11:09 (00:01)
root ssh:notty 118.220.172.125 Fri Sep 6 11:09 - 11:10 (00:01)
erp ssh:notty 118.220.172.125 Fri Sep 6 11:10 - 11:10 (00:00)
erp ssh:notty 118.220.172.125 Fri Sep 6 11:10 - 11:12 (00:01)
sonar ssh:notty 118.220.172.125 Fri Sep 6 11:12 - 11:12 (00:00)
sonar ssh:notty 118.220.172.125 Fri Sep 6 11:12 - 11:13 (00:01)
zy ssh:notty 118.220.172.125 Fri Sep 6 11:13 - 11:13 (00:00)
=====================================================================
cat /var/log/fail2ban.log
=====================================================================
2024-09-06 11:05:31,588 fail2ban.actions [5842]: WARNING [sshd] 118.220.172.125 already banned
2024-09-06 11:06:48,036 fail2ban.filter [5842]: INFO [sshd] Found 118.220.172.125 - 2024-09-06 11:06:47
2024-09-06 11:06:50,035 fail2ban.filter [5842]: INFO [sshd] Found 118.220.172.125 - 2024-09-06 11:06:49
2024-09-06 11:08:10,152 fail2ban.filter [5842]: INFO [sshd] Found 118.220.172.125 - 2024-09-06 11:08:09
2024-09-06 11:09:33,786 fail2ban.filter [5842]: INFO [sshd] Found 118.220.172.125 - 2024-09-06 11:09:33
2024-09-06 11:10:52,786 fail2ban.filter [5842]: INFO [sshd] Found 118.220.172.125 - 2024-09-06 11:10:52
2024-09-06 11:10:53,257 fail2ban.actions [5842]: WARNING [sshd] 118.220.172.125 already banned
2024-09-06 11:10:54,536 fail2ban.filter [5842]: INFO [sshd] Found 118.220.172.125 - 2024-09-06 11:10:54
2024-09-06 11:12:11,036 fail2ban.filter [5842]: INFO [sshd] Found 118.220.172.125 - 2024-09-06 11:12:10
2024-09-06 11:12:12,786 fail2ban.filter [5842]: INFO [sshd] Found 118.220.172.125 - 2024-09-06 11:12:12
2024-09-06 11:13:28,932 fail2ban.filter [5842]: INFO [sshd] Found 118.220.172.125 - 2024-09-06 11:13:28
2024-09-06 11:13:31,241 fail2ban.filter [5842]: INFO [sshd] Found 118.220.172.125 - 2024-09-06 11:13:30
2024-09-06 11:13:31,491 fail2ban.actions [5842]: WARNING [sshd] 118.220.172.125 already banned
2024-09-06 11:23:31,155 fail2ban.actions [5842]: NOTICE [sshd] Unban 118.220.172.125
=====================================================================
systemctl status firewalld
※ 중지중이라면
=====================================================================
systemctl start firewalld
systemctl enable firewalld
=====================================================================
firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='아이피.여기다.넣으면.됨' reject"
ex) firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='118.220.172.125' reject"
firewall-cmd --list-all
=====================================================================
[root@localhost ~]## firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: enp1s0
sources:
services: cockpit dhcpv6-client http https ssh
ports: ********비공개*******************
protocols:
forward: no
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="118.220.172.125" reject
rule source NOT ipset="whitelist" log prefix="DROPPED: " level="warning" limit value="5/m" drop
=====================================================================
firewall-cmd --permanent --remove-rich-rule="rule family='ipv4' source address='아이피.여기다.넣으면.됨' reject"
ex) firewall-cmd --permanent --remove-rich-rule="rule family='ipv4' source address='118.220.172.125' reject"