Customers

For reasons of my own I rented a VPS from a certain provider. Before I could even try what I had in mind, the usual customers came calling, as they always do:

sudo awk '/Invalid user/ { for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1) }' /var/log/secure | sort | uniq -c | sort -rn

(Counts failed logins for non-existent users, per source address. Locating the address by the word "from" instead of cut -f10 -d' ' keeps the count right on days 1 to 9, when syslog pads the date with two spaces and shifts every field by one, and also works when the line carries a trailing "port N" or an RFC 3339 timestamp.)

The worst offender is only around 400 attempts, but it still bugs me.
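The same count, as an added example that is not from the original post, run over a few constructed log lines instead of the real /var/log/secure. The sample covers the two cases that trip a fixed-column cut (a single-digit day padded with two spaces, and a line with no trailing "port N"), ignores a successful login line, and also rolls the totals up into /24 networks, which is the granularity the firewalld rule further down blocks at. The file name, the sample lines and the threshold are assumptions for this demo.

```shell
#!/bin/sh
# Added example (not from the original post): count "Invalid user" attempts per source
# address without relying on fixed field positions, then aggregate them into /24s.

# Constructed sample of /var/log/secure lines (not real log data). Note the double space
# in "Mar  5", which shifts every column for `cut -d' '` but not for the awk below, and
# the line without a trailing "port N", as older OpenSSH releases log it.
SAMPLE_LOG=$(cat <<'EOF'
Mar  5 03:12:44 vps sshd[1201]: Invalid user admin from 203.0.113.10 port 51234
Mar  5 03:12:51 vps sshd[1203]: Invalid user admin from 203.0.113.10 port 51240
Mar  5 03:13:02 vps sshd[1205]: Invalid user test from 198.51.100.7
Mar 15 09:40:10 vps sshd[2311]: Invalid user oracle from 203.0.113.10 port 40022
Mar 15 09:40:11 vps sshd[2312]: Accepted publickey for deploy from 192.0.2.9 port 50000 ssh2
Mar 15 09:41:30 vps sshd[2313]: Invalid user ubuntu from 198.51.100.7 port 33001
Mar 15 09:42:05 vps sshd[2315]: Invalid user postgres from 198.51.100.23 port 33100
EOF
)

# invalid_user_counts FILE
# Prints "<count> <ip>" lines, most frequent first. Only sshd "Invalid user" lines are
# considered, so accepted logins and other daemons never enter the ranking.
invalid_user_counts() {
    awk '/sshd\[[0-9]+\]: Invalid user / {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { print $(i + 1); break }
         }' "$1" \
    | sort | uniq -c | sort -rn \
    | awk '{ print $1, $2 }'        # normalise the padding uniq -c adds
}

# top_offender FILE
# Prints the single address with the most attempts.
top_offender() {
    invalid_user_counts "$1" | head -n 1 | awk '{ print $2 }'
}

# block_candidates FILE THRESHOLD
# Sums the per-address counts into /24 networks and prints "<count> <net>/24" for every
# network with at least THRESHOLD attempts, ready to feed to a firewall rule.
block_candidates() {
    invalid_user_counts "$1" \
    | awk -v min="$2" '{
            split($2, o, ".")
            net = o[1] "." o[2] "." o[3] ".0/24"
            total[net] += $1
        }
        END { for (net in total) if (total[net] >= min) print total[net], net }' \
    | sort -rn
}

# Stand-alone run on the constructed sample. On a real host run this as root against
# /var/log/secure (CentOS/RHEL) or /var/log/auth.log (Debian/Ubuntu).
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$tmp"
echo "== attempts per source address"; invalid_user_counts "$tmp"
echo "== /24 networks with 3 or more attempts"; block_candidates "$tmp" 3
rm -f "$tmp"
```

On a host where sshd logs only to the journal, `journalctl -u sshd --no-pager` piped into the same awk gives the same ranking.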

sudo firewall-cmd --permanent --zone=drop --add-source=*.*.*.0/24

(--permanent only writes the rule to disk; it takes effect after sudo firewall-cmd --reload, or run the same command once more without --permanent to apply it to the running configuration immediately.)

I had been dropping them one by one in firewalld, but there is no end to it. I wondered whether there was a better way, but as long as the box has a foot on the Internet, it seems best to go the orthodox route described in the article below.

Based on what I’ve seen in the past, and my knowledge of IT Security, as well as the first-hand knowledge I’ve gained thanks to running multiple Internet-facing services myself, this activity looks like typical service scanning and probing activity that happens to most systems that are directly facing the Internet. It does not mean your server is directly under attack. Merely, what has happened is a service scanner found your server responded on port 22, and is repeatedly coming back and attempting to authenticate with weak passwords in an attempt to breach the server. This is not uncommon to see on Internet-facing connections.

There are a few things you can do, however, to mitigate this a little bit more:

  1. Disable SSH login access for the root user directly. Edit /etc/ssh/sshd_config, find the line that says PermitRootLogin and make sure it’s set to prohibit-password or no. Note that you will need to have a non-root user that you can login to if you do this; this way you protect the root user, and you have a non-root user who can have sudo access configured for them so they can still execute superuser commands as needed. (NEVER SSH as root for your admin functions and actions!)
  2. Disable password authentication, and set up SSH Key Authentication as the only viable SSH login mechanism. There are a lot of guides on how to do this, such as this one from Digital Ocean.
  3. Set up something like fail2ban to help block the brute force attempts. This is a complicated process in and of itself, but you can get basic setup done by doing sudo apt install fail2ban. This will set itself up by default to be enabled to protect SSH connectivity.
  4. Set up a firewall before you continue adding additional services. This way you can only receive connections you trust to services you want to offer to the Internet rather than leave everything exposed.
https://askubuntu.com/questions/1080056/is-my-server-under-attack#comment1774638_1080075
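Steps 1 and 2 of the quoted advice, carried out on an sshd_config file as an added example (mine, not the answer author's and not from the original post). It rewrites the settings, including ones that are only present commented out, and then checks what sshd would actually enforce, which is the first uncommented occurrence of each keyword. The sample config, the file names and the list of keywords are assumptions made for this demo.

```shell
#!/bin/sh
# Added example, not taken from the quoted answer or the original post: apply steps 1
# and 2 of the advice above (no root login, no password authentication, keys only) to
# an sshd_config file, then verify what sshd would actually enforce. The sample config,
# the file names and the option list are assumptions made for this demo.

# Constructed sshd_config resembling a fresh VPS image (not a real file).
SAMPLE_SSHD_CONFIG='# Default sshd_config shipped with the image
Port 22
#PermitRootLogin prohibit-password
PasswordAuthentication yes
ChallengeResponseAuthentication yes
#PubkeyAuthentication yes
UsePAM yes
Subsystem sftp /usr/libexec/openssh/sftp-server
'

# Required "Keyword value" pairs. ChallengeResponseAuthentication is the older spelling
# of KbdInteractiveAuthentication; disable both so PAM cannot still hand out a password
# prompt through keyboard-interactive auth after PasswordAuthentication is set to no.
HARDENED_SETTINGS='PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes'

# harden_sshd_config IN OUT
# Copies IN to OUT. Every line for a required keyword, commented out or not, is replaced
# by the required value the first time it is met and dropped on later occurrences;
# keywords that never appear are appended. sshd honours the first occurrence of a
# keyword, so a leftover duplicate lower down would otherwise win silently.
harden_sshd_config() {
    awk -v settings="$HARDENED_SETTINGS" '
        BEGIN {
            n = split(settings, lines, "\n")
            for (i = 1; i <= n; i++) {
                split(lines[i], kv, " ")
                want[tolower(kv[1])] = lines[i]
            }
        }
        {
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)      # drop indentation and a leading "#"
            split(line, kv, /[ \t=]+/)            # sshd accepts "Key value" and "Key=value"
            key = tolower(kv[1])                  # keywords are case-insensitive
            if (key in want) {
                if (!(key in seen)) { print want[key]; seen[key] = 1 }
                next
            }
            print
        }
        END {
            for (key in want) if (!(key in seen)) print want[key]
        }' "$1" > "$2"
}

# check_sshd_config FILE
# Returns 0 when the first effective (uncommented) occurrence of every required keyword
# carries the required value, i.e. what sshd will apply; otherwise prints each wrong or
# missing keyword and returns 1. Run it on the live file before and after editing.
check_sshd_config() {
    awk -v settings="$HARDENED_SETTINGS" '
        BEGIN {
            n = split(settings, lines, "\n")
            for (i = 1; i <= n; i++) {
                split(lines[i], kv, " ")
                want[tolower(kv[1])] = tolower(kv[2])
            }
            bad = 0
        }
        /^[ \t]*#/ || /^[ \t]*$/ { next }         # comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            split(line, kv, /[ \t=]+/)
            key = tolower(kv[1])
            if (key in want && !(key in got)) {
                got[key] = tolower(kv[2])
                if (got[key] != want[key]) { print "BAD:     " $0; bad = 1 }
            }
        }
        END {
            for (key in want) if (!(key in got)) { print "MISSING: " key; bad = 1 }
            exit bad
        }' "$1"
}

# Stand-alone demo on the constructed sample; on a real host point it at /etc/ssh/sshd_config.
cfg_in=$(mktemp); cfg_out=$(mktemp)
printf '%s' "$SAMPLE_SSHD_CONFIG" > "$cfg_in"
echo "== before"; check_sshd_config "$cfg_in" || true
harden_sshd_config "$cfg_in" "$cfg_out"
echo "== after";  check_sshd_config "$cfg_out" && echo "OK: hardened config"
cat "$cfg_out"
rm -f "$cfg_in" "$cfg_out"
```

Before restarting sshd with the rewritten file, put your public key in ~/.ssh/authorized_keys for the non-root user, run sshd -t -f on the new file to catch syntax errors, and keep the current session open while you confirm a fresh key-based login works, since a mistake here locks you out of the VPS. On CentOS/RHEL fail2ban comes from EPEL rather than the base repositories, and its sshd jail needs enabling in /etc/fail2ban/jail.local with "[sshd]" followed by "enabled = true" before systemctl enable --now fail2ban; firewall-cmd --list-all shows which services the active firewalld zone still exposes.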