[Sakura VPS] Brute-force attacks were so bad that I blocked them with DenyHosts


I had already set up a firewall with iptables on my Sakura VPS server, but SSH still receives a lot of brute-force traffic (attempts to break in with guessed user names and passwords), so almost every day the log report contains records like the following. Note that the attacking hosts resolve to sakura.ne.jp names, i.e. other servers at the same hosting provider.

--------------------- pam_unix Begin ------------------------ 

sshd:
   Authentication Failures:
      root (www2161ub.sakura.ne.jp): 1189 Time(s)
      root (www2340ub.sakura.ne.jp): 160 Time(s)
      unknown (www2340ub.sakura.ne.jp): 100 Time(s)
   Invalid Users:
      Unknown Account: 100 Time(s)


---------------------- pam_unix End ------------------------- 


--------------------- SSHD Begin ------------------------ 


Failed logins from:
   49.212.28.199 (www2161ub.sakura.ne.jp): 1189 times
   49.212.29.134 (www2340ub.sakura.ne.jp): 160 times

Illegal users from:
   49.212.29.134 (www2340ub.sakura.ne.jp): 100 times


Received disconnect:
   11: Bye Bye : 1448 Time(s)

**Unmatched Entries**
pam_succeed_if(sshd:auth): error retrieving information about user ryan : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user stephanie : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user mike : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user johnson : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user music : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user adam : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user ina : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user alex : 4 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user test : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user webmaster : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user oracle : 9 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user angie : 2 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user nagios : 12 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user visitor : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user ice : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user shoutcast : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user demo : 3 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user media : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user michael : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user bill : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user user1 : 3 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user jacob : 3 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user web : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user lala : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user mythtv : 2 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user build : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user testftp : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user svn : 2 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user fax : 2 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user corrine : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user tv : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user ftp1 : 5 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user ttt : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user zabbix : 2 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user mysql : 2 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user max : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user user : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user jim : 2 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user weblogic : 2 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user contact : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user public : 2 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user postgres : 3 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user aaa : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user amanda : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user usuario : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user ts : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user master : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user office : 2 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user gnax : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user deploy : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user upload : 6 time(s)

---------------------- SSHD End ------------------------- 

So I set up a tool called DenyHosts to block this kind of unauthorized access.

DenyHosts is a tool that detects and blocks this kind of attack: it watches the SSH authentication log, and once the number of failed logins from one source address reaches the configured threshold it records that address in /etc/hosts.deny, after which TCP wrappers reject further connections from it. The block therefore only covers services that consult hosts.deny through libwrap (sshd on CentOS 5 does); it does nothing for services that bypass TCP wrappers, and it complements rather than replaces the iptables rules.

Procedure

  1. DenyHosts is written in Python, so first check which Python-related packages are already installed.
  2.  # yum list installed | grep python
     audit-libs-python.x86_64                 1.7.18-2.el5                  installed
     dbus-python.x86_64                       0.70-9.el5_4                  installed
     gamin-python.x86_64                      0.1.7-8.el5                   installed
     gnome-python2.x86_64                     2.16.0-1.fc6                  installed
     gnome-python2-bonobo.x86_64              2.16.0-1.fc6                  installed
     gnome-python2-gconf.x86_64               2.16.0-1.fc6                  installed
     gnome-python2-gnomevfs.x86_64            2.16.0-1.fc6                  installed
     libselinux-python.x86_64                 1.33.4-5.7.el5                installed
     libxml2-python.x86_64                    2.6.26-2.1.2.8.el5_5.1        installed
     python.x86_64                            2.4.3-44.el5                  installed
     python-elementtree.x86_64                1.2.6-5                       installed
     python-iniparse.noarch                   0.2.3-4.el5                   installed
     python-ldap.x86_64                       2.2.0-2.1                     installed
     python-libs.x86_64                       2.4.3-44.el5                  installed
     python-numeric.x86_64                    23.7-2.2.2.el5_6.1            installed
     python-sqlite.x86_64                     1.1.7-1.2.1                   installed
     python-urlgrabber.noarch                 3.1.0-6.el5                   installed
     rpm-python.x86_64                        4.4.2.3-22.el5                installed
    
  3. python-devel does not appear to be installed, so install it with yum.
  4.  # yum -y install python-devel
     Loaded plugins: downloadonly, fastestmirror, priorities
     Loading mirror speeds from cached hostfile
      * base: ftp.nara.wide.ad.jp
      * extras: ftp.nara.wide.ad.jp
      * rpmforge: fr2.rpmfind.net
      * updates: ftp.nara.wide.ad.jp
     base                                                               | 2.1 kB     00:00
     extras                                                             | 2.1 kB     00:00
     rpmforge                                                           | 1.1 kB     00:00
     updates                                                            | 1.9 kB     00:00
     72 packages excluded due to repository priority protections
     Setting up Install Process
     Resolving Dependencies
     --> Running transaction check
     ---> Package python-devel.i386 0:2.4.3-44.el5 set to be updated
     ---> Package python-devel.x86_64 0:2.4.3-44.el5 set to be updated
     --> Finished Dependency Resolution
     
     Dependencies Resolved
     
     ==========================================================================================
      Package                Arch             Version                  Repository         Size
     ==========================================================================================
     Installing:
      python-devel           i386             2.4.3-44.el5             updates           3.0 M
      python-devel           x86_64           2.4.3-44.el5             updates           3.0 M
     
     Transaction Summary
     ==========================================================================================
     Install       2 Package(s)
     Upgrade       0 Package(s)
     
     Total download size: 5.9 M
     Downloading Packages:
     (1/2): python-devel-2.4.3-44.el5.i386.rpm                          | 3.0 MB     00:00
     (2/2): python-devel-2.4.3-44.el5.x86_64.rpm                        | 3.0 MB     00:00
     ------------------------------------------------------------------------------------------
     Total                                                      15 MB/s | 5.9 MB     00:00
     Running rpm_check_debug
     Running Transaction Test
     Finished Transaction Test
     Transaction Test Succeeded
     Running Transaction
       Installing     : python-devel                                                       1/2
       Installing     : python-devel                                                       2/2
     
     Installed:
       python-devel.i386 0:2.4.3-44.el5           python-devel.x86_64 0:2.4.3-44.el5
     
     Complete!
    
  5. Install denyhosts from the RPMforge repository with yum.
  6. # yum -y --enablerepo=rpmforge install denyhosts
     Loaded plugins: downloadonly, fastestmirror, priorities
     Loading mirror speeds from cached hostfile
      * base: ftp.nara.wide.ad.jp
      * extras: ftp.nara.wide.ad.jp
      * rpmforge: fr2.rpmfind.net
      * updates: ftp.nara.wide.ad.jp
     base                                                               | 2.1 kB     00:00
     extras                                                             | 2.1 kB     00:00
     rpmforge                                                           | 1.1 kB     00:00
     updates                                                            | 1.9 kB     00:00
     72 packages excluded due to repository priority protections
     Setting up Install Process
     Resolving Dependencies
     --> Running transaction check
     ---> Package denyhosts.noarch 0:2.6-3.el5.rf set to be updated
     --> Finished Dependency Resolution
     
     Dependencies Resolved
     
     ==========================================================================================
      Package              Arch              Version                 Repository           Size
     ==========================================================================================
     Installing:
      denyhosts            noarch            2.6-3.el5.rf            rpmforge             91 k
     
     Transaction Summary
     ==========================================================================================
     Install       1 Package(s)
     Upgrade       0 Package(s)
     
     Total download size: 91 k
     Downloading Packages:
     denyhosts-2.6-3.el5.rf.noarch.rpm                                  |  91 kB     00:01
     Running rpm_check_debug
     Running Transaction Test
     Finished Transaction Test
     Transaction Test Succeeded
     Running Transaction
       Installing     : denyhosts                                                          1/1
     
     Installed:
       denyhosts.noarch 0:2.6-3.el5.rf
     
     Complete!
    
  7. Edit the DenyHosts configuration file (/etc/denyhosts/denyhosts.cfg).
  8.  # vi /etc/denyhosts/denyhosts.cfg
    
    • Log file to monitor (note that the directive is SECURE_LOG, as in the final file below)
    • SECURE_LOG = /var/log/secure
      
    • Where denied addresses are written (left at the default)
    • HOSTS_DENY = /etc/hosts.deny
      
    • How long an address stays denied (1 day here, matching the final file; leave the value empty to deny permanently). DAEMON_PURGE further down sets how often the daemon checks for expired entries.
    • PURGE_DENY = 1d
      
    • Service to block (left at the default)
    • BLOCK_SERVICE = sshd
      
    • Number of failed logins for a non-existent user before the source is denied (1 here, so a single attempt). With thresholds this low a single mistyped user name from your own workstation locks you out until PURGE_DENY expires, so put your administrative addresses in the allowed-hosts file under WORK_DIR before starting the daemon.
    • DENY_THRESHOLD_INVALID = 1
      
    • Number of failed logins for an existing user before the source is denied (5 here)
    • DENY_THRESHOLD_VALID = 5
      
    • Number of failed "root" logins before the source is denied (left at the default, so 1 attempt)
    • DENY_THRESHOLD_ROOT = 1
      
    • Notification mail settings (almost all defaults)
    • ADMIN_EMAIL = root
      SMTP_HOST = localhost
      SMTP_PORT = 25
      SMTP_FROM = DenyHosts 
      SMTP_SUBJECT = DenyHosts Report
      

    After editing, denyhosts.cfg looks like this (comment lines removed):

            ############ THESE SETTINGS ARE REQUIRED ############
     
     SECURE_LOG = /var/log/secure
     HOSTS_DENY = /etc/hosts.deny
     PURGE_DENY = 1d
     BLOCK_SERVICE  = sshd
     DENY_THRESHOLD_INVALID = 1
     DENY_THRESHOLD_VALID = 5
     DENY_THRESHOLD_ROOT = 1
     DENY_THRESHOLD_RESTRICTED = 1
     
     WORK_DIR = /usr/share/denyhosts/data
     SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES
     HOSTNAME_LOOKUP=YES
     LOCK_FILE = /var/lock/subsys/denyhosts
     
            ############ THESE SETTINGS ARE OPTIONAL ############
     
     ADMIN_EMAIL = root
     SMTP_HOST = localhost
     SMTP_PORT = 25
     SMTP_FROM = DenyHosts 
     SMTP_SUBJECT = DenyHosts Report
     
     AGE_RESET_VALID=5d
     AGE_RESET_ROOT=25d
     AGE_RESET_RESTRICTED=25d
     AGE_RESET_INVALID=10d
     
        ######### THESE SETTINGS ARE SPECIFIC TO DAEMON MODE  ##########
     
     DAEMON_LOG = /var/log/denyhosts
     DAEMON_SLEEP = 30s
     DAEMON_PURGE = 1h
     
        #########   THESE SETTINGS ARE SPECIFIC TO     ##########
        #########       DAEMON SYNCHRONIZATION         ##########
    
  9. Enable DenyHosts at boot and start it in daemon mode.
  10.  # chkconfig denyhosts on
     # chkconfig --list denyhosts
     denyhosts       0:off   1:off   2:on    3:on    4:on    5:on    6:off
     # /etc/init.d/denyhosts start
     starting DenyHosts:    /usr/bin/env python /usr/bin/denyhosts.py --daemon --config=/etc/denyhosts/denyhosts.cfg
    
  11. When an attack is detected, entries like the following are appended to /etc/hosts.deny.
  12.  # DenyHosts: Thu Jun 30 17:30:49 2011 | sshd: 49.212.83.182
     sshd: 49.212.83.182
    

    A notification mail is also sent to the address configured above (root here) whenever an address is blocked.

     From: DenyHosts 
     To: root@xxxxx.iex3.info
     Subject: DenyHosts Report
     Date: Thu, 30 Jun 2011 17:30:49 +0900
     
     Added the following hosts to /etc/hosts.deny:
     
     49.212.83.182 (www10030ud.sakura.ne.jp)
     
     ----------------------------------------------------------------------
    
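To make the blocking decision concrete, the following script is an added example (not the page's own code and not part of DenyHosts) that emulates what the daemon does with the thresholds and PURGE_DENY configured above: it parses the cfg excerpt, replays constructed /var/log/secure lines, emits hosts.deny entries in the format shown in step 12, and then purges entries once PURGE_DENY has elapsed. The log lines, the host name `www`, the addresses 10.0.0.7 and 192.0.2.10 and the `allowed` parameter (standing in for the allowed-hosts list) are all assumptions made for the example.

```python
# Added example: emulates the DenyHosts blocking decision with the thresholds
# and PURGE_DENY configured above. This is not DenyHosts' own code.
import re
from datetime import datetime, timedelta

# Constructed excerpt of the edited denyhosts.cfg (values as on the page).
CONFIG_TEXT = """\
SECURE_LOG = /var/log/secure
HOSTS_DENY = /etc/hosts.deny
PURGE_DENY = 1d
BLOCK_SERVICE = sshd
DENY_THRESHOLD_INVALID = 1
DENY_THRESHOLD_VALID = 5
DENY_THRESHOLD_ROOT = 1
"""

# Constructed /var/log/secure lines (CentOS 5 sshd format). 10.0.0.7 and
# 192.0.2.10 are invented; 192.0.2.10 plays the admin's own workstation.
SAMPLE_SECURE_LOG = """\
Jun 30 17:30:40 www sshd[2101]: Failed password for invalid user oracle from 49.212.29.134 port 40112 ssh2
Jun 30 17:30:49 www sshd[2105]: Failed password for root from 49.212.83.182 port 51234 ssh2
Jun 30 17:31:02 www sshd[2110]: Failed password for admin from 10.0.0.7 port 33001 ssh2
Jun 30 17:31:04 www sshd[2111]: Failed password for admin from 10.0.0.7 port 33002 ssh2
Jun 30 17:31:06 www sshd[2112]: Failed password for admin from 10.0.0.7 port 33003 ssh2
Jun 30 17:31:08 www sshd[2113]: Failed password for admin from 10.0.0.7 port 33004 ssh2
Jun 30 17:31:10 www sshd[2114]: Failed password for admin from 10.0.0.7 port 33005 ssh2
Jun 30 17:31:30 www sshd[2115]: Accepted publickey for deploy from 192.0.2.10 port 4242 ssh2
Jun 30 17:40:00 www sshd[2120]: Failed password for root from 192.0.2.10 port 4243 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)")


def parse_config(text):
    """KEY = VALUE lines -> dict; blank lines and # comments are skipped."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            cfg[key.strip()] = value.strip()
    return cfg


def parse_duration(value):
    """DenyHosts durations ('30s', '1h', '1d', '5d'); an empty value means never purge."""
    if not value:
        return None
    m = re.fullmatch(r"(\d+)([smhdwy])", value)
    if not m:
        raise ValueError("bad duration: %r" % value)
    unit = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800, "y": 31536000}
    return timedelta(seconds=int(m.group(1)) * unit[m.group(2)])


def scan_log(lines, cfg, allowed=frozenset(), year=2011):
    """Return {ip: time_of_block} for sources that crossed their threshold.

    Failures are counted per (ip, category): 'invalid' (unknown user), 'root',
    or 'valid' (any other user), matching the three DENY_THRESHOLD_* keys.
    `allowed` stands in for the allowed-hosts list and is never blocked.
    Syslog lines carry no year, so one is supplied."""
    thresholds = {k: int(cfg["DENY_THRESHOLD_" + k.upper()])
                  for k in ("invalid", "valid", "root")}
    counts, denied = {}, {}
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue
        ip = m.group("ip")
        if ip in allowed or ip in denied:
            continue
        if m.group("invalid"):
            kind = "invalid"
        else:
            kind = "root" if m.group("user") == "root" else "valid"
        counts[(ip, kind)] = counts.get((ip, kind), 0) + 1
        if counts[(ip, kind)] >= thresholds[kind]:
            denied[ip] = datetime.strptime("%d %s" % (year, m.group("ts")),
                                           "%Y %b %d %H:%M:%S")
    return denied


def render_hosts_deny(denied, service="sshd"):
    """Format entries the way DenyHosts appends them to /etc/hosts.deny."""
    out = []
    for ip, ts in sorted(denied.items(), key=lambda kv: kv[1]):
        out.append("# DenyHosts: %s | %s: %s"
                   % (ts.strftime("%a %b %d %H:%M:%S %Y"), service, ip))
        out.append("%s: %s" % (service, ip))
    return "\n".join(out)


def purge(denied, purge_after, now):
    """Drop entries older than PURGE_DENY; purge_after=None keeps them forever."""
    if purge_after is None:
        return dict(denied)
    return {ip: ts for ip, ts in denied.items() if now - ts < purge_after}


def run_example():
    cfg = parse_config(CONFIG_TEXT)
    denied = scan_log(SAMPLE_SECURE_LOG.splitlines(), cfg, allowed={"192.0.2.10"})
    # One day and twenty seconds after the first block: two entries have expired.
    later = datetime(2011, 7, 1, 17, 31, 0)
    return denied, purge(denied, parse_duration(cfg["PURGE_DENY"]), later)


if __name__ == "__main__":
    denied, remaining = run_example()
    print(render_hosts_deny(denied))
    print("still denied one day later:", sorted(remaining))
```

Running it blocks 49.212.29.134 after one unknown-user failure, 49.212.83.182 after one root failure, and 10.0.0.7 only after the fifth failure for an existing user; the root failure from 192.0.2.10 is ignored because that address is allowed. Drop the `allowed` argument and the admin's own address is blocked after a single typo, which is why the allowed-hosts list matters with DENY_THRESHOLD_ROOT = 1.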

With these settings the number of brute-force attempts against sshd dropped dramatically. Keep in mind, though, that hosts.deny only blocks addresses that have already failed, so an attacker rotating through many source addresses is slowed rather than stopped; disabling password authentication in sshd_config (PasswordAuthentication no) and allowing key-based logins only removes the target of the guessing altogether.