====== 保护VPS ======

=== 查看受到的攻击 ===
VPS 会遭到各种攻击(([[https://frostingsnow.com/2019/03/06/2019-03-06-vps-1-safety/|VPS 安全防护]]))

1.查看尝试暴力破解机器密码的人
<code>
sudo grep "Failed password for root" /var/log/auth.log | awk '{print $11}' | sort | uniq -c | sort -nr | more
cat /var/log/auth.log // 或者第二种方式
</code>
​
2.查看暴力猜用户名的人
<code>
sudo grep "Failed password for invalid user" /var/log/auth.log | awk '{print $13}' | sort | uniq -c | sort -nr | more
</code>

3. 统计以root或者其它用户登录的次数
<code>
sudo grep "Failed password for root" /var/log/auth.log | wc -l
sudo grep "Failed password for invalid user" /var/log/auth.log | wc -l
</code>

=== 禁止密码登录 ===

进去后更改一下root用户密码，并切换到root用户，然后修改 /etc/ssh/sshd_config 文件，免除密码登录。重启ssh服务  
  * <color #ff7f27>''%%sudo systemctl restart ssh%%''</color> 
  * <color #ff7f27>''%%sudo systemctl restart sshd%%''</color>
  * <color #ff7f27>''%%sudo service ssh restart%%''</color>

<code>
// 统计以 root 用户尝试登录到数量
sudo grep "Failed password for root" /var/log/auth.log | wc -l
// 统计以其它用户试登录到数量
sudo grep "Failed password for invalid user" /var/log/auth.log | wc -l
</code>

<code>
PasswordAuthentication no
PermitRootLogin yes
PubkeyAuthentication yes // 允许公钥登录
RSAAuthentication yes
ChallengeResponseAuthentication no
//使用命令重启 ssh 服务：
sudo /etc/init.d/ssh restart
</code>

将公钥复制到服务器，密码登录一次。验证完公钥登录后，关闭密码登录 <color #ed1c24>PasswordAuthentication no</color> 所有人都无法用密码登录了。
<code>
ssh-copy-id -i ~/.ssh/id_rsa.pub ubuntu@62.143.173.13
</code>

<color #ff7f27>''%%ps -e |grep ssh%%''</color> 查看是否启动ssh服务，

使用的密码身份验证PAM（在所有现代系统上）是由ChallengeResponseAuthentication选项处理的，yes默认情况下。质询响应认证指定是否允许质询-响应身份验证（例如，通过 PAM）。默认值为“是”。将它添加到您的sshd_configwith value no，重新启动，它将为您工作：
这在示例中多次提到sshd_config。
<code>
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
ChallengeResponseAuthentication no
</code>

如果依然可以密码登录，则是 <color #7092be>You can disable keyboard-interactive by setting KbdInteractiveAuthentication to "no"</color> 的原因。

===== fail2ban =====
安装 fail2ban 防止攻击 <color #ff7f27>''%%sudo apt-get install fail2ban%%''</color> (([[https://linux.cn/article-5067-1.html|为ssh服务器配置fail2ban]]))

检查状态 <color #ff7f27>''%%sudo iptables --list -n%%''</color>\\
解锁ssh fail2ban-client set sshd unbanip <ip>\\
或者更改 /etc/fail2ban/jail.conf  文件，为某些IP设置白名单。


添加对nginx 和 wordpress 的保护 mkdir -p /root/wwwlogs\\
然后重启服务 
  * service fail2ban restart 
  * fail2ban-client reload
++++ jail.local |
<code>
# 保护Linux，防止远程SSH爆破
[ssh-iptables]
enabled = true
filter  = sshd
action  = iptables[name=SSH, port=26568, protocol=tcp]
logpath = /var/log/fail2ban.log

# HTTP 验证防暴力破解
[nginx-http-auth]
enabled  = true
filter  = nginx-http-auth
port    = http,https
logpath  = /var/log/nginx/error.log
 
#屏蔽恶意爬虫
[nginx-badbots]
enabled  = true
port    = http,https
filter  = nginx-badbots
logpath  =  /var/log/nginx/error.log
maxretry = 2
 
#避免恶意请求网站目录结构
[nginx-nohome]
enabled  = true
port    = http,https
filter  = nginx-nohome
logpath  =  /var/log/nginx/error.log
maxretry = 2
 
#避免 nginx 被他人用于反向代理
[nginx-noproxy]
enabled  = true
port    = http,https
filter  = nginx-noproxy
logpath  =  /var/log/nginx/error.log
maxretry = 2

#防范 WordPress 暴力破解登录请求
[wp-login]
enabled = true
port = http,https
filter = wp-login
maxretry = 10
findtime = 60
bantime = 43600
logpath  =  /var/log/fail2ban.log

#防止 WordPress 受到 xmlrpc.php CC 攻击
[xmlrpc]
enabled = true
port = http,https
filter = xmlrpc
logpath  = /var/log/fail2ban.log
bantime = 43600
maxretry = 1
findtime  = 5
</code>
++++