How to Find All Failed SSH Login Attempts in Linux


Every login attempt against the SSH server is tracked and written to a log file by the system logger (rsyslog or systemd-journald, depending on the distribution); the grep command is what you use to search that file.

To display a list of failed SSH logins in Linux, run the commands presented in this guide. Make sure the commands are executed with root privileges, because the authentication logs are not readable by ordinary users.

The simplest command to list all failed SSH logins is the one shown below.

# grep "Failed password" /var/log/auth.log

The same result can also be obtained by piping the output of cat into grep (the form above is preferred, since grep can read the file directly).

# cat /var/log/auth.log | grep "Failed password"

To display more information about the failed SSH logins, including the PAM "authentication failure" messages, use an extended regular expression as in the example below. Note that egrep is a deprecated alias for grep -E; recent versions of GNU grep print a warning when it is used.

# egrep "Failed|Failure" /var/log/auth.log

On CentOS or RHEL, failed SSH sessions are recorded in the /var/log/secure file. Run the commands above against that log file to find the failed SSH logins.

# egrep "Failed|Failure" /var/log/secure

A slight variation of the above command to display failed SSH logins on CentOS or RHEL is the following.

# grep "Failed" /var/log/secure
# grep "authentication failure" /var/log/secure

To display a list of all IP addresses that tried and failed to log in to the SSH server, together with the number of failed attempts for each IP address, run the command below. Two details matter here: uniq -c only merges adjacent identical lines, so the addresses must be sorted before they are counted, and the address is not at a fixed column (it is field 11 in "Failed password for root from ..." but field 13 in "Failed password for invalid user admin from ..."), so the awk program takes the word that follows "from" instead of a fixed field number.

# grep "Failed password" /var/log/auth.log | awk '{for (i = 1; i < NF; i++) if ($i == "from") print $(i+1)}' | sort | uniq -c | sort -nr
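The script below is an added example and not part of the original article: it turns the one-liner above into reusable shell functions, run here against constructed auth.log-style lines (the same layout is found in /var/log/secure and in the text output of journalctl). It handles both "Failed password" layouts as well as pam_unix "authentication failure" lines, and adds a per-user count so that attempts against non-existent accounts stand out. The sample log, host name, addresses and function names are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): count failed SSH logins per
# source IP and per user name from auth.log / secure style lines on stdin.

# Constructed sample log (hypothetical host and documentation-range addresses).
# On a real host you would instead run, as root:  cat /var/log/auth.log | count_failed_ips
SAMPLE_LOG='Mar  3 10:01:12 host1 sshd[2310]: Failed password for root from 203.0.113.7 port 51022 ssh2
Mar  3 10:01:15 host1 sshd[2310]: Failed password for root from 203.0.113.7 port 51022 ssh2
Mar  3 10:02:40 host1 sshd[2318]: Failed password for invalid user admin from 198.51.100.23 port 40210 ssh2
Mar  3 10:02:41 host1 sshd[2318]: Failed password for invalid user admin from 198.51.100.23 port 40210 ssh2
Mar  3 10:03:02 host1 sshd[2320]: Accepted publickey for deploy from 192.0.2.10 port 55000 ssh2: ED25519 SHA256:k3Yx
Mar  3 10:04:05 host1 sshd[2325]: Failed password for root from 203.0.113.7 port 51030 ssh2
Mar  3 10:05:00 host1 sshd[2330]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.99  user=root'

# Print one source IP per matching line.  The IP is not at a fixed column:
# "Failed password for root from 1.2.3.4 ..." has it in field 11, while
# "Failed password for invalid user admin from 1.2.3.4 ..." has it in field 13,
# so take the word after "from" (or the rhost= value on pam_unix lines).
extract_source_ips() {
    awk '
        /Failed password/ {
            for (i = 1; i < NF; i++) if ($i == "from") { print $(i + 1); next }
        }
        /authentication failure/ {
            for (i = 1; i <= NF; i++) if ($i ~ /^rhost=./) { sub(/^rhost=/, "", $i); print $i; next }
        }'
}

# Usage: count_failed_ips [PATTERN]   (log lines on stdin; prints "COUNT IP", highest first)
# PATTERN selects which failure message to count; default is "Failed password".
# Count only one message type at a time: pam_unix logs an "authentication failure"
# line for the same attempt that sshd reports as "Failed password", so counting
# both would double the numbers.
count_failed_ips() {
    grep -E "${1:-Failed password}" | extract_source_ips \
        | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Usage: count_failed_users   (log lines on stdin; prints "COUNT USER", highest first)
# The user name follows "for"; "invalid user NAME" marks accounts that do not
# exist on the host, which is typical of dictionary attacks.
count_failed_users() {
    grep "Failed password" | awk '{
        for (i = 1; i < NF; i++) if ($i == "for") {
            if ($(i + 1) == "invalid") print $(i + 3) " (invalid user)"
            else print $(i + 1)
            break
        }
    }' | sort | uniq -c | sort -rn | awk '{ $1 = $1; print }'
}

echo "Failed password attempts per source IP:"
printf '%s\n' "$SAMPLE_LOG" | count_failed_ips
echo "pam_unix authentication failures per source IP:"
printf '%s\n' "$SAMPLE_LOG" | count_failed_ips "authentication failure"
echo "Failed password attempts per user:"
printf '%s\n' "$SAMPLE_LOG" | count_failed_users
```

The same functions work unchanged on journal output, for example `journalctl -u sshd --no-pager | count_failed_ips` on RHEL-style systems (or `-u ssh` on Debian and Ubuntu), which avoids having to know which log file the distribution uses.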

On newer Linux distributions you can query the runtime log maintained by the systemd journal daemon with the journalctl command. To display all failed SSH login attempts, pipe the result through grep, as illustrated in the command examples below (the unit is named ssh.service on Debian and Ubuntu).

# journalctl _SYSTEMD_UNIT=ssh.service | egrep "Failed|Failure"
# journalctl _SYSTEMD_UNIT=sshd.service | egrep "Failed|Failure"   # on RHEL, CentOS

On CentOS or RHEL, replace the SSH daemon unit with sshd.service, as shown in the command examples below.

# journalctl _SYSTEMD_UNIT=sshd.service | grep "failure"
# journalctl _SYSTEMD_UNIT=sshd.service | grep "Failed"

Once you have identified the IP addresses that repeatedly hit your SSH server trying to log in with suspicious or invalid user accounts, you should update your system firewall rules to block them, or let fail2ban handle these attacks automatically.
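As an added example that is not part of the original article, here is a minimal fail2ban jail that automates the block: it watches the same log lines searched by hand above and inserts a firewall rule once an address exceeds the retry limit. The values are illustrative and assume fail2ban 0.10 or later, which accepts time suffixes such as 1h and 10m. The sshd_log and sshd_backend variables come from fail2ban's own paths-*.conf files and resolve to /var/log/auth.log or /var/log/secure (or the systemd journal) on the respective distributions.

```ini
# /etc/fail2ban/jail.local (added example; values are illustrative)
[DEFAULT]
# how long an address stays banned
bantime  = 1h
# window in which maxretry failures trigger a ban
findtime = 10m
maxretry = 5
# never ban localhost; add your own management network here
ignoreip = 127.0.0.1/8 ::1

[sshd]
enabled  = true
port     = ssh
logpath  = %(sshd_log)s
backend  = %(sshd_backend)s
```

After restarting the fail2ban service, `fail2ban-client status sshd` lists the addresses currently banned, and the counts produced by the grep pipelines above should stop growing for those addresses. Keep ignoreip accurate: an attacker who can spoof failed logins with your own address in the log cannot lock you out, but a typo in the list can.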