通过Auth.log查看服务器ssh暴力破解记录
Linux下/var/中有很多系统日志信息,例如auth.log
The Authorization Log tracks usage of authorization systems, the mechanisms for authorizing users which prompt for user passwords, such as the Pluggable Authentication Module (PAM) system, the sudo command, remote logins to sshd and so on. The Authorization Log file may be accessed at /var/log/auth.log. This log is useful for learning about user logins and usage of the sudo command.
- 查看用密码登陆成功的IP地址及次数 :grep "Accepted password for root" /var/log/auth.log | awk '{print $11}' | sort | uniq -c | sort -nr | more
- 查看用密码登陆失败的IP地址及次数 : grep "Failed password for root" /var/log/auth.log | awk '{print $11}' | sort | uniq -c | sort -nr | more
- 更改端口使用以下命令 : sed -i "s/Port .*/Port 你的端口/g" /etc/ssh/sshd_config
如果失败登录的IP地址和次数过多,需要考虑更换SSH端口和密码,并使用密钥登录。