分类: 网事-网摘

fail2ban阻止vsftpd暴力攻击失败的对策

Fail2ban is failing to ban VSFTPD bruteforce:

In my case with VSFTPD, with unresolvable DNS names from /var/log/secure:

Scenario: VSFTP configuration is set for PAM authentication, using xferlog in standard format. Fail2ban for vsftpd is watching /var/log/secure

Problem: PAM sends failed login information to /var/log/secure, but the remote server’s IP address has been replaced by a DNS name. Resulting DNS name does not resolve or does not resolve correctly, thus fail2ban is unable to ban the IP address.

Fix: Configure VSFTP for “dual_log_enable=YES”, and have fail2ban watch /var/log/vsftpd.log instead. This log file shows the incoming ip address instead of the DNS name.

[ update: you also need to adde’use_localtime=YES’ to config file of VSFTPD. otherwise, above trick not working. it took me hours to solve the problem. :(]

Source and more tips.

CentOS安装Socks5

1.配置编译环境
2.安装socks5必要的包

yum -y install gcc automake make

yum -y install pam-devel openldap-devel cyrus-sasl-devel

3.下载,编译安装ss5(socks5)

wget http://disk.boluo.org/linux/27001-ss5-3.6.1-1.tar.gz
tar zxvf 27001-ss5-3.6.1-1.tar.gz
cd ss5-3.6.1
./configure
make
make install

可以通过修改 /etc/opt/ss5/ss5.conf 设置密码

# SHost                  SPort           Authentication
#
auth 0.0.0.0/0           –                –
# SHost                  SPort           Authentication

#

auth 0.0.0.0/0           –                  u

在 /etc/opt/ss5/ss5.passwd 中添加 用户名和密码 如:

admin   123456

使用用户验证,重启ss5服务

/etc/init.d/ss5 start

mysql新建用户本地无法登录

因为root权限过高,所以新建一用户esojourn,权限仅为要用到的数据库。创建语句如下:grant select,insert,update,delete on test.* to esojourn@”%” identified by “password”;其中@“%”是可以在任何地址登录。

创建后到mysql.user下查看,有该用户。但是使用mysql -u esojourn -ppassword 登录,提示无法登录:ERROR 1045 (28000): Access denied for user ‘esojourn’@’localhost’ (using password: YES)
百思不得其解,遂google,其中有人说到“mysql.user 表中有另外一些记录产生了作用,最有可能的就是已经有一条”@localhost记录,就是用户名是空,主机字段是localhost的记录。” 影响了。查看该表果然有。
mysql> select host,user,password from mysql.user;
+———–+——————+——————————————-+
| host      | user             | password                                  |
+———–+——————+——————————————-+
| localhost | root             | *81F5E21E35407D884A6CD4A731AEBFB6AF209E1B |
| esojourn.org| root             | *81F5E21E35407D884A6CD4A731AEBFB6AF209E1B |
| 127.0.0.1 | root             | *81F5E21E35407D884A6CD4A731AEBFB6AF209E1B |
| localhost |                  |                                           |
| esojourn.org       |                  |                                           |
| localhost | debian-sys-maint | *19DF6BF8310D46D681AE072AB73ECEC99C018C19 |
| %         | esojourn         | *2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19 |
+———–+——————+——————————————-+
7 rows in set (0.00 sec)
但是删除那些为空(匿名)的用户后仍然无法登录。(可能是因为没有重启mysql)于是只好耐着性子看mysql参考手册。发现其中增加用户部分有这么一段话:
其中两个账户有相同的用户名monty和密码some_pass。两个账户均为超级用户账户,具有完全的权限可以做任何事情。一个账户 (‘monty’@’localhost’)只用于从本机连接时。另一个账户(‘monty’@’%’)可用于从其它主机连接。请注意monty的两个账户必须能从任何主机以monty连接。没有localhost账户,当monty从本机连接时,mysql_install_db创建的localhost的匿名用户账户将占先。结果是,monty将被视为匿名用户。原因是匿名用户账户的Host列值比’monty’@’%’账户更具体,这样在user表排序顺序中排在前面。
这段话说的很清楚,因此执行 grant select,insert,update,delete on test.* to esojourn@”localhost” identified by “password”;
退出后用esojourn登录,成功。

直接把esojourn的账户从全部主机改成localhost。

转自:http://anonymity.iteye.com/blog/347737