When logging into a server over ssh you will often see a banner like this: Last failed login: Fri May 1 23:31:22 CST 2021 from 87.251.74.56 on ssh:notty There were 187 failed login attempts since the last successful login.
The second sentence means that 187 logins failed between the previous successful login and this one. In other words, somebody has been trying to log into the server and failing; there is no doubt that someone is guessing the server's login username and password. (The banner is printed by pam_lastlog from /var/log/btmp, the same file the command below reads.) Let's look at the failed login records with the following command:
# Show failed login records (read from /var/log/btmp)
lastb
# Output; add -n N (or -N) to limit how many records are shown, e.g. lastb -n 20
root ssh:notty 110.188.85.88 Tue Oct 5 10:46 - 10:46 (00:00)
pi ssh:notty 121.180.246.194 Mon Oct 4 10:53 - 10:53 (00:00)
pi ssh:notty 121.180.246.194 Mon Oct 4 10:53 - 10:53 (00:00)
pi ssh:notty 121.180.246.194 Mon Oct 4 10:53 - 10:53 (00:00)
pi ssh:notty 121.180.246.194 Mon Oct 4 10:53 - 10:53 (00:00)
root ssh:notty 110.188.84.142 Mon Oct 4 10:09 - 10:09 (00:00)
root ssh:notty 110.188.84.142 Mon Oct 4 10:09 - 10:09 (00:00)
root ssh:notty 125.70.165.6 Sun Oct 3 09:39 - 09:39 (00:00)
db2inst1 ssh:notty 152.136.245.102 Sun Oct 3 09:00 - 09:00 (00:00)
db2inst1 ssh:notty 152.136.245.102 Sun Oct 3 09:00 - 09:00 (00:00)
db2inst1 ssh:notty 152.136.245.102 Sun Oct 3 08:57 - 08:57 (00:00)
db2inst1 ssh:notty 152.136.245.102 Sun Oct 3 08:57 - 08:57 (00:00)
db2inst1 ssh:notty 152.136.245.102 Sun Oct 3 08:55 - 08:55 (00:00)
db2inst1 ssh:notty 152.136.245.102 Sun Oct 3 08:55 - 08:55 (00:00)
rx ssh:notty 152.136.245.102 Sun Oct 3 08:53 - 08:53 (00:00)
rx ssh:notty 152.136.245.102 Sun Oct 3 08:53 - 08:53 (00:00)
rx ssh:notty 152.136.245.102 Sun Oct 3 08:50 - 08:50 (00:00)
rx ssh:notty 152.136.245.102 Sun Oct 3 08:50 - 08:50 (00:00)
rx ssh:notty 152.136.245.102 Sun Oct 3 08:48 - 08:48 (00:00)
rx ssh:notty 152.136.245.102 Sun Oct 3 08:48 - 08:48 (00:00)
Who or what is root@notty?
If you’re looking through WHM’s process manager and you see root@notty mentioned as one of the processes, don’t be alarmed. It’s perfectly normal and it’s definitely not some hacker called ‘Notty’ who has suddenly got root permissions. Be honest, you’re here because you thought that 😉
You may also have seen sshd: root@notty in the output of ps aux too.
Why notty?
The term ‘notty’ just represents ‘no tty’ which roughly translates as meaning ‘no terminal’. When you log in locally to any Linux machine the interactive session gets a terminal and appears in the process list as a tty (or pts/N for a pseudo-terminal, which is what an interactive ssh session gets). If a connection is made via SFTP or you are copying files with SCP (as I did here on a test server prior to bringing up the screenshot above) then no terminal is allocated and it will show as no tty (notty). That is also why every failed attempt in the lastb output above reads ssh:notty: authentication failed before sshd ever allocated a terminal for the session.
Where does TTY come from?
Many years ago, user terminals that were connected to computers were clunky and noisy Electro-mechanical Teleprinters also known as Teletypewriters. They took the latter phrase and chopped some characters out to get the TTY abbreviation:
TeleTYpewriter = TTY
Since then, TTY has been used as the shortened name for a text-only console.
#!/bin/bash
# Denyhosts shell script
# Parse the auth log, pick out failed logins and count them per source IP.
# /var/log/secure is the RHEL/CentOS path; on Debian/Ubuntu use /var/log/auth.log.
# $(NF-3) is the IP in "... from <IP> port <N> ssh2" (same position on "invalid user" lines).
awk '/Failed/{print $(NF-3)}' /var/log/secure | sort | uniq -c | awk '{print $2"="$1}' > /root/Denyhosts.txt
# Number of failed logins an IP is allowed before it is blocked
DEFINE="10"
# Read the file and append IPs over the limit to hosts.deny, giving a blacklist.
# Note: sshd only honours hosts.deny when it is linked against libwrap (TCP wrappers);
# OpenSSH dropped that support in 6.7, so check `ldd "$(command -v sshd)" | grep libwrap`
# first and use fail2ban or a firewall rule instead if nothing is printed.
while IFS='=' read -r IP NUM
do
    if [ "$NUM" -gt "$DEFINE" ]
    then
        # Whole-line, fixed-string match: 1.2.3.4 must not match 1.2.3.45,
        # and the dots must not act as regex wildcards.
        if ! grep -qxF "sshd:$IP" /etc/hosts.deny
        then
            echo "sshd:$IP" >> /etc/hosts.deny
        fi
    fi
done < /root/Denyhosts.txt
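As an added example (not the script from the original post), the same failure-counting logic packaged as shell functions and run over a constructed sample of sshd log lines, so the threshold and the hosts.deny matching can be tested offline before anything touches /etc/hosts.deny. The sample lines, hostname, PIDs and temp-file paths are made up; the function names are mine; sshd_honors_hosts_deny checks whether the local sshd is linked against libwrap, which is the precondition for hosts.deny having any effect.

```shell
#!/bin/bash
# Added example: testable version of the "count failures per IP, then deny" logic.

# Constructed sample in /var/log/secure (rsyslog) format. Not a real capture.
SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
Oct  3 08:48:01 web1 sshd[2101]: Failed password for rx from 152.136.245.102 port 41102 ssh2
Oct  3 08:48:03 web1 sshd[2101]: Failed password for rx from 152.136.245.102 port 41102 ssh2
Oct  3 08:50:11 web1 sshd[2130]: Failed password for invalid user db2inst1 from 152.136.245.102 port 41388 ssh2
Oct  3 09:39:20 web1 sshd[2201]: Failed password for root from 125.70.165.6 port 50122 ssh2
Oct  3 09:40:02 web1 sshd[2210]: Accepted publickey for admin from 10.0.0.5 port 52000 ssh2
Oct  4 10:09:30 web1 sshd[3001]: Failed password for root from 110.188.84.142 port 33400 ssh2
Oct  4 10:09:32 web1 sshd[3001]: Failed password for root from 110.188.84.142 port 33400 ssh2
EOF

# Print "IP count" for every source IP with failed logins, highest count first.
# $(NF-3) is three fields from the end of "... from <IP> port <N> ssh2", so it is
# the IP for both the plain and the "invalid user" variants of the message.
failed_counts() {
    awk '/Failed password/ {print $(NF-3)}' "$1" | sort | uniq -c | sort -rn |
        awk '{print $2, $1}'
}

# Print only the IPs whose failure count exceeds the threshold given as $2.
offending_ips() {
    failed_counts "$1" | awk -v limit="$2" '$2 > limit {print $1}'
}

# True if IP ($1) already has an sshd entry in the deny file ($2).
# -x (whole line) and -F (fixed string) stop 152.136.245.1 from matching
# 152.136.245.102 and stop the dots acting as regex wildcards.
already_denied() {
    grep -qxF "sshd:$1" "$2"
}

# Append deny entries for offenders, skipping IPs already present (idempotent).
deny_offenders() {  # $1 log file, $2 threshold, $3 deny file
    local ip
    for ip in $(offending_ips "$1" "$2"); do
        already_denied "$ip" "$3" || echo "sshd:$ip" >> "$3"
    done
}

# hosts.deny only matters if sshd is linked against libwrap (TCP wrappers);
# OpenSSH removed that support in 6.7, so check before relying on it.
sshd_honors_hosts_deny() {
    local sshd_bin
    sshd_bin="$(command -v sshd 2>/dev/null)" || return 1
    ldd "$sshd_bin" 2>/dev/null | grep -q libwrap
}

# Usage against a scratch deny file that already holds a similar-looking entry.
DENY_FILE="$(mktemp)"
printf 'sshd:152.136.245.1\n' > "$DENY_FILE"
deny_offenders "$SAMPLE_LOG" 1 "$DENY_FILE"
deny_offenders "$SAMPLE_LOG" 1 "$DENY_FILE"   # second run must add nothing
cat "$DENY_FILE"
sshd_honors_hosts_deny && echo "sshd is linked against libwrap" || echo "sshd ignores hosts.deny here"
```

With a threshold of 1 the sample yields two offenders (152.136.245.102 with three failures and 110.188.84.142 with two) and leaves 125.70.165.6 alone; the pre-existing 152.136.245.1 entry shows why an unanchored `grep $IP` is wrong, since it would also match the .102 address and silently skip blocking it.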
Originally published on the WeChat public account 释然IT杂谈: "What to do when your Linux server keeps getting its password guessed? This script gives you a simple hardening step".
Disclaimer: the programs (methods) described in this article may be offensive in nature and are provided solely for security research and teaching. Readers who use this information for any other purpose bear full legal and joint liability; this site accepts no legal or joint liability. For questions, contact us by e-mail (preferably from a corporate or otherwise valid mailbox so the message is not filtered; contact details are on the home page).