Three ways to prevent brute-force attacks on SSH and FTP; they can be combined.
1. Block public access to the SSH and FTP ports
/ip firewall filter
add chain=input protocol=tcp dst-port=21-22 src-address-list=!allow-addresses action=drop comment="禁止公网SSH & FTP" disabled=no
2. Use address lists to allow only three sessions within three minutes; anything beyond that is blocked
/ip firewall filter
add chain=input protocol=tcp dst-port=21,22,23,8291 src-address-list=login_blacklist action=drop comment="drop login brute forcers 1" disabled=no
add chain=input protocol=tcp dst-port=21,22,23,8291 connection-state=new src-address-list=login_stage5 action=add-src-to-address-list address-list=login_blacklist address-list-timeout=1d comment="drop login brute forcers 2" disabled=no
add chain=input protocol=tcp dst-port=21,22,23,8291 connection-state=new src-address-list=login_stage4 action=add-src-to-address-list address-list=login_stage5 address-list-timeout=1m comment="drop login brute forcers 3" disabled=no
add chain=input protocol=tcp dst-port=21,22,23,8291 connection-state=new src-address-list=login_stage3 action=add-src-to-address-list address-list=login_stage4 address-list-timeout=1m comment="drop login brute forcers 4" disabled=no
add chain=input protocol=tcp dst-port=21,22,23,8291 connection-state=new src-address-list=login_stage2 action=add-src-to-address-list address-list=login_stage3 address-list-timeout=1m comment="drop login brute forcers 5" disabled=no
add chain=input protocol=tcp dst-port=21,22,23,8291 connection-state=new src-address-list=login_stage1 action=add-src-to-address-list address-list=login_stage2 address-list-timeout=1m comment="drop login brute forcers 6" disabled=no
add chain=input protocol=tcp dst-port=21,22,23,8291 connection-state=new action=add-src-to-address-list address-list=login_stage1 address-list-timeout=1m comment="drop login brute forcers 7" disabled=no
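The rule chain above is easier to reason about when the router's evaluation order is spelled out. The following Python simulation is an added example, not RouterOS code and not from the page; it assumes that filter rules are evaluated top-down in the order listed, that add-src-to-address-list is a passthrough action (evaluation continues with the next rule), and that re-adding an address already present in a dynamic list refreshes its timeout. As written the chain has five one-minute stages and a one-day blacklist, and the simulation shows which attempt from a single source triggers the listing and which is the first to be dropped.

```python
"""Simulation of the staged address-list rules, using RouterOS firewall semantics.

Constructed example. Assumptions modelled here:
- filter rules are evaluated top-down in the order listed on the page;
- add-src-to-address-list is a passthrough action, so evaluation continues
  with the next rule after an address has been added;
- re-adding an address that is already in a dynamic list refreshes its timeout.
"""

MINUTE = 60
DAY = 24 * 3600
GUARDED_PORTS = {21, 22, 23, 8291}

# Rules 2..6 of the page, in page order: (list the source must already be in,
# list it is promoted to, timeout of the new entry in seconds).
PROMOTIONS = [
    ("login_stage5", "login_blacklist", DAY),
    ("login_stage4", "login_stage5", MINUTE),
    ("login_stage3", "login_stage4", MINUTE),
    ("login_stage2", "login_stage3", MINUTE),
    ("login_stage1", "login_stage2", MINUTE),
]


class AddressLists:
    """Dynamic address lists: list name -> {address: expiry time in seconds}."""

    def __init__(self):
        self.lists = {}

    def add(self, name, addr, now, timeout):
        # An existing entry gets its timeout refreshed rather than duplicated.
        self.lists.setdefault(name, {})[addr] = now + timeout

    def contains(self, name, addr, now):
        expiry = self.lists.get(name, {}).get(addr)
        return expiry is not None and expiry > now


def new_connection(lists, src, dst_port, now):
    """Run the first packet of a new TCP connection through rules 1..7.

    Returns "drop" or "accept". Once rule 2 has put a source on
    login_blacklist, every later packet from it, including the rest of the
    connection that triggered the listing, is dropped by rule 1.
    """
    if dst_port not in GUARDED_PORTS:
        return "accept"                                  # no rule matches
    if lists.contains("login_blacklist", src, now):
        return "drop"                                    # rule 1
    for from_list, to_list, timeout in PROMOTIONS:       # rules 2..6
        if lists.contains(from_list, src, now):
            lists.add(to_list, src, now, timeout)
    lists.add("login_stage1", src, now, MINUTE)          # rule 7
    return "accept"


def simulate(attempts):
    """attempts: iterable of (time_seconds, src_address, dst_port).
    Returns one decision per attempt, in order."""
    lists = AddressLists()
    return [new_connection(lists, src, port, t) for t, src, port in attempts]


# Constructed sample: one source opening a new SSH connection every second.
BRUTE_FORCE = [(t, "203.0.113.5", 22) for t in range(8)]

if __name__ == "__main__":
    for (t, src, port), verdict in zip(BRUTE_FORCE, simulate(BRUTE_FORCE)):
        print(f"t={t:>3}s {src}:{port} -> {verdict}")
```

Because every promotion rule is passthrough and the rules are ordered from the highest stage down, a single packet can advance a source by exactly one stage; the sixth new connection within the window lands the source on login_blacklist and the seventh is the first one rule 1 drops. A source that pauses for longer than the one-minute entry timeout starts again from stage 1.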
3. Block port scanning
/ip firewall filter
add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list="port scanners" address-list-timeout=14d comment="Port scanners to list" disabled=no
add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=14d comment="NMAP FIN Stealth scan"
add chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list address-list="port scanners" address-list-timeout=14d comment="SYN/FIN scan"
add chain=input protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list address-list="port scanners" address-list-timeout=14d comment="SYN/RST scan"
add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list address-list="port scanners" address-list-timeout=14d comment="FIN/PSH/URG scan"
add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=14d comment="ALL/ALL scan"
add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=14d comment="NMAP NULL scan"
add chain=input src-address-list="port scanners" action=drop comment="dropping port scanners" disabled=no
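The six tcp-flags rules rely on how RouterOS interprets a flag list, and the useful property is that normal traffic never matches them. The Python below is an added example, not RouterOS code and not from the page. It assumes the documented tcp-flags semantics (a flag listed plainly must be set, a flag prefixed with "!" must be clear, and any flag not mentioned is ignored) and applies the page's six signatures to constructed sample packets; the stateful psd= rule, which counts distinct destination ports per source over time, is not modelled.

```python
"""Model of the tcp-flags matcher behind the six scan-signature rules.

Constructed example, not RouterOS code. Assumed tcp-flags semantics: a flag
listed plainly must be set, a flag prefixed with '!' must be clear, and any
flag not mentioned in the rule is ignored. The psd= rule is stateful and is
not modelled here.
"""

# (rule comment, tcp-flags value) in page order.
SCAN_RULES = [
    ("NMAP FIN Stealth scan", "fin,!syn,!rst,!psh,!ack,!urg"),
    ("SYN/FIN scan", "fin,syn"),
    ("SYN/RST scan", "syn,rst"),
    ("FIN/PSH/URG scan", "fin,psh,urg,!syn,!rst,!ack"),
    ("ALL/ALL scan", "fin,syn,rst,psh,ack,urg"),
    ("NMAP NULL scan", "!fin,!syn,!rst,!psh,!ack,!urg"),
]


def tcp_flags_match(spec, flags):
    """True if a packet carrying exactly the given set of flags matches spec."""
    flags = set(flags)
    for item in spec.split(","):
        item = item.strip()
        if item.startswith("!"):
            if item[1:] in flags:
                return False        # flag must be clear but is set
        elif item not in flags:
            return False            # flag must be set but is clear
    return True


def matching_rules(flags):
    """Comments of every rule a packet matches. add-src-to-address-list is a
    passthrough action, so all matching rules fire, not just the first."""
    return [comment for comment, spec in SCAN_RULES if tcp_flags_match(spec, flags)]


def flagged_sources(packets):
    """packets: iterable of (src_address, flags). Returns the set of sources
    the rules would add to the "port scanners" list."""
    return {src for src, flags in packets if matching_rules(flags)}


# Constructed sample traffic: three ordinary packets and three scan probes.
SAMPLE_PACKETS = [
    ("198.51.100.10", ("syn",)),            # normal connection open
    ("198.51.100.10", ("ack",)),            # normal data segment
    ("198.51.100.11", ("fin", "ack")),      # normal connection close
    ("203.0.113.7", ("fin",)),              # FIN-only probe
    ("203.0.113.8", ()),                    # no flags at all
    ("203.0.113.9", ("syn", "fin")),        # SYN+FIN probe
]

if __name__ == "__main__":
    for src, flags in SAMPLE_PACKETS:
        print(src, sorted(flags), "->", matching_rules(flags) or "no match")
    print("would be listed:", sorted(flagged_sources(SAMPLE_PACKETS)))
```

The "don't care" treatment of unlisted flags is why the FIN and NULL signatures spell out all six negations: a legitimate FIN+ACK close carries ACK and therefore never hits the FIN stealth rule, while a lone FIN does. The final drop rule then discards every packet from a listed source for the 14-day timeout, so a single false positive on a busy address blocks it entirely; reviewing the "port scanners" list after deployment is worth the time.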
GNOME
apt-get install ubuntu-desktop
KDE
apt-get install kubuntu-desktop
xfce
apt-get install xubuntu-desktop
install VNC
apt-get install vnc4server
reboot
/opt/bitnami/apps/wordpress/bnconfig --disable_banner 1
Restart Web Server:
If using Apache, execute the command below:
/opt/bitnami/ctlscript.sh restart apache
If using NGINX, execute the command below:
/opt/bitnami/ctlscript.sh restart nginx
Download the key file XXX.pem.
Open Xshell: Tools -> User Key Manager, and import XXX.pem.
New -> User Authentication
Method: Public Key.
User name:
Amazon Linux: the user name is ec2-user.
RHEL5: the user name is root or ec2-user.
Ubuntu: the user name is ubuntu.
Fedora: the user name is fedora or ec2-user.
SUSE Linux: the user name is root or ec2-user.
For other systems, check the system log for details.
Select the user key and click OK.
Switch to root over SSH:
sudo -i
Change the root password:
passwd root
Edit the SSH configuration file:
vi /etc/ssh/sshd_config
To allow password login, remove the comment marker from the two lines below and set them to yes:
PermitRootLogin yes
PasswordAuthentication yes
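Checking what sshd will actually do with the two directives above is worth a small tool, because sshd resolves them differently from most config formats. The Python below is an added example, not from the page or from OpenSSH. It parses a config the way sshd resolves it (keywords are case-insensitive, lines whose first non-blank character is "#" are comments, the first occurrence of a keyword wins, and anything below a Match line is conditional) and reports the exposure of the constructed config produced by the edit above beside a hardened form that keeps password login only for an internal address range. The defaults used for absent keywords are those of OpenSSH 7.0 and later.

```python
"""Audit of the two sshd_config directives PermitRootLogin and PasswordAuthentication.

Constructed example, not from the page or OpenSSH. It reads a config the way
sshd resolves it: keywords are case-insensitive, lines whose first non-blank
character is '#' are comments, the FIRST occurrence of a keyword wins, and
anything below a Match line is conditional and left out of the global result.
"""
import re

# OpenSSH defaults applied when a keyword is absent (OpenSSH 7.0 or later).
DEFAULTS = {"permitrootlogin": "prohibit-password", "passwordauthentication": "yes"}


def parse_global_sshd_config(text):
    """Return {lowercase keyword: effective value} for the global section."""
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break                              # conditional block: stop the global scan
        effective.setdefault(key, value)       # first occurrence wins, as in sshd
    return effective


def audit_login_settings(text):
    """Return a list of findings describing password and root login exposure."""
    cfg = parse_global_sshd_config(text)
    permit_root = cfg.get("permitrootlogin", DEFAULTS["permitrootlogin"]).lower()
    password_auth = cfg.get("passwordauthentication", DEFAULTS["passwordauthentication"]).lower()
    findings = []
    if password_auth == "yes":
        findings.append("PasswordAuthentication yes: password guessing over SSH is possible")
    if permit_root == "yes":
        findings.append("PermitRootLogin yes: root can log in directly")
    return findings


# Constructed: the global section after the edit described above.
CONFIG_AFTER_EDIT = """\
# sshd_config (excerpt)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

# Constructed: hardened form, key-based login only, passwords permitted
# solely from an internal range via a Match block.
CONFIG_HARDENED = """\
Port 22
PermitRootLogin prohibit-password
PasswordAuthentication no
Match Address 10.0.0.0/8
    PasswordAuthentication yes
"""

# Constructed: a common mistake, the appended 'no' is ignored because the
# first value of a keyword wins.
CONFIG_DUPLICATE = """\
PasswordAuthentication yes
PasswordAuthentication no
"""

if __name__ == "__main__":
    for name, text in [("after edit", CONFIG_AFTER_EDIT), ("hardened", CONFIG_HARDENED)]:
        print(name, "->", audit_login_settings(text) or "no findings")
    print("duplicate keyword resolves to:",
          parse_global_sshd_config(CONFIG_DUPLICATE)["passwordauthentication"])
```

On a live host, `sshd -T` prints the effective configuration after the same first-value-wins resolution, which is the quickest way to confirm what a hand edit with vi actually changed. If password login is enabled as in the edit above, the firewall rules in section 2 are what limits how many guesses a remote source gets.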