
DenyHosts的安裝與配置Centos7/6

DenyHosts的安裝與配置

  • 使用DenyHosts避免密碼暴力破解SSH

    DenyHosts是一個用python寫的腳本,占用資源特別小,常用來限制SSH登陸:它監控系統日志,將登陸失敗次數超過閾值的IP寫入TCP Wrappers的/etc/hosts.deny中禁止登陸。UNIX Review雜志評選的2005年8月的月度工具。除了基礎的屏蔽IP功能,還有郵件通知,插件,同步等功能。

安裝

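#!/usr/bin/env bash
# Fetch the DenyHosts 2.10 release tarball from GitHub and install it.
# Run as root from a scratch directory; `python` must be on PATH.
set -euo pipefail

readonly version=2.10
readonly tarball="v${version}.tar.gz"
# Expected SHA-256 of the tarball. PLACEHOLDER: fill in from a trusted source
# before use. Leaving it empty skips the check (a warning is printed).
readonly expected_sha256=""

wget -- "https://github.com/denyhosts/denyhosts/archive/${tarball}"

if [[ -n "$expected_sha256" ]]; then
  # Abort on mismatch so a truncated or tampered download is never installed.
  printf '%s  %s\n' "$expected_sha256" "$tarball" | sha256sum -c - || exit 1
else
  printf 'warning: no checksum configured, installing unverified %s\n' "$tarball" >&2
fi

tar -xf "$tarball"
cd "denyhosts-${version}" || exit 1
python setup.py install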

配置

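## Option A: patch the installed config in place
#!/usr/bin/env bash
# Adjust /etc/denyhosts.conf in place. Every expression is anchored at the
# start of the line so only the live setting is rewritten; in particular the
# IPTABLES rule no longer matches an already commented-out line, which would
# otherwise become "##IPTABLES ..." on a second run.
set -euo pipefail

readonly conf=/etc/denyhosts.conf
[[ -f "$conf" ]] || { printf 'missing %s\n' "$conf" >&2; exit 1; }
cp -a -- "$conf" "${conf}.bak"   # keep the shipped file for reference

sed -i \
  -e 's#^SECURE_LOG.*#SECURE_LOG = /var/log/secure#' \
  -e 's#^HOSTS_DENY.*#HOSTS_DENY = /etc/hosts.deny#' \
  -e 's#^DENY_THRESHOLD_VALID.*#DENY_THRESHOLD_VALID = 5#' \
  -e 's#^DENY_THRESHOLD_ROOT.*#DENY_THRESHOLD_ROOT = 5#' \
  -e 's|^IPTABLES = /sbin/iptables|#IPTABLES = /sbin/iptables|' \
  -e 's#^ADMIN_EMAIL.*#ADMIN_EMAIL = #' \
  "$conf"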
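## Option B: write the complete config file
#!/usr/bin/env bash
# Replace /etc/denyhosts.conf wholesale with the settings below.
set -euo pipefail

readonly conf=/etc/denyhosts.conf
# The heredoc overwrites the file; keep a copy of whatever was there.
if [[ -f "$conf" ]]; then
  cp -a -- "$conf" "${conf}.bak"
fi

# Quoted delimiter: the content is written literally, so nothing in it is
# ever subject to shell expansion even if a value containing '$' is added.
cat > "$conf" <<'EOF'
SECURE_LOG = /var/log/secure
HOSTS_DENY = /etc/hosts.deny
PURGE_DENY = 
BLOCK_SERVICE  = sshd
DENY_THRESHOLD_INVALID = 5
DENY_THRESHOLD_VALID = 5
DENY_THRESHOLD_ROOT = 5
DENY_THRESHOLD_RESTRICTED = 1
WORK_DIR = /var/lib/denyhosts
ETC_DIR = /etc
SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES
HOSTNAME_LOOKUP=NO
LOCK_FILE = /var/run/denyhosts.pid
ADMIN_EMAIL = 
SMTP_HOST = localhost
SMTP_PORT = 25
SMTP_FROM = DenyHosts <nobody@localhost>
SMTP_SUBJECT = DenyHosts Report
ALLOWED_HOSTS_HOSTNAME_LOOKUP=NO
AGE_RESET_VALID=5d
AGE_RESET_ROOT=25d
AGE_RESET_RESTRICTED=25d
AGE_RESET_INVALID=10d
DAEMON_LOG = /var/log/denyhosts
DAEMON_SLEEP = 30s
DAEMON_PURGE = 1h
EOF
chmod 0644 -- "$conf"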
  • 配置檔案重要參數解析
# SSH log file; on the RedHat family DenyHosts reads /var/log/secure
SECURE_LOG = /var/log/secure
# TCP Wrappers deny file that banned IPs are written to
HOSTS_DENY = /etc/hosts.deny
# By default long-banned IPs are never purged; keeping the default is recommended
PURGE_DENY =
# Service to block; DenyHosts is not limited to SSH
BLOCK_SERVICE = sshd
# Allowed failed attempts for invalid (non-existent) users
DENY_THRESHOLD_INVALID = 5
# Allowed failed logins for ordinary users
DENY_THRESHOLD_VALID = 5
# Allowed failed logins for root
DENY_THRESHOLD_ROOT = 5
# By default iptables is also called to block connections from the IP; that
# can be disabled, which is what the commented-out line does here for CentOS 7
#IPTABLES = /sbin/iptables
# By default a report is emailed to root@localhost; an empty value disables it
ADMIN_EMAIL =           

修改白名單配置

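#!/usr/bin/env bash
# Neutralise any "sshd: ALL" entry in /etc/hosts.allow. TCP Wrappers consults
# hosts.allow before hosts.deny, so such a line admits every client and makes
# the bans DenyHosts writes to hosts.deny ineffective. The line is commented
# out rather than deleted so the change is visible and reversible.
set -euo pipefail

readonly hosts_allow=/etc/hosts.allow
if [[ -f "$hosts_allow" ]]; then
  cp -a -- "$hosts_allow" "${hosts_allow}.bak"
  # Tolerate any amount of whitespace after the colon.
  sed -i 's/^\(sshd:[[:space:]]*ALL\)/#\1/' "$hosts_allow"
fi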

centos7啟動腳本

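#!/usr/bin/env bash
# CentOS 7: install the systemd unit and start DenyHosts at boot.
# denyhosts.service is referenced by a relative path, so this presumably runs
# from the extracted denyhosts-2.10 source directory; check before copying.
set -euo pipefail

readonly unit=denyhosts.service
[[ -f "$unit" ]] || { printf '%s not found; run from the extracted source directory\n' "$unit" >&2; exit 1; }

# install(1) sets an explicit mode instead of inheriting the tarball's.
install -m 0644 -- "$unit" "/etc/systemd/system/${unit}"
systemctl daemon-reload
systemctl enable denyhosts
systemctl start denyhosts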

centos6啟動腳本

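#!/usr/bin/env bash
# CentOS 6: install the SysV init script from the source tree and fix the
# paths it expects: setup.py installs /usr/bin/denyhosts.py, and the PID file
# is /var/run/denyhosts.pid (matching LOCK_FILE in denyhosts.conf).
set -euo pipefail

readonly src=daemon-control-dist
readonly initscript=/etc/init.d/denyhosts
[[ -f "$src" ]] || { printf '%s not found; run from the extracted source directory\n' "$src" >&2; exit 1; }

install -m 0755 -- "$src" "$initscript"
# The PID-file expression accepts either /run/... or /var/run/... so re-running
# the script never produces /var/var/run/denyhosts.pid.
sed -i \
  -e 's#/usr/sbin/denyhosts#/usr/bin/denyhosts.py#' \
  -e 's#\(/var\)\?/run/denyhosts\.pid#/var/run/denyhosts.pid#g' \
  "$initscript"
chkconfig --add denyhosts
chkconfig denyhosts on
"$initscript" start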

解封IP

  • 例如解封:192.168.1.160
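#!/usr/bin/env bash
# Unban one IPv4 address (default: the 192.168.1.160 example) and whitelist it.
# DenyHosts keeps its own record of the ban under WORK_DIR; unless that record
# is removed as well, the address reappears in hosts.deny after a restart.
# Usage: unban.sh [IP]   (CentOS 6: use /etc/init.d/denyhosts instead of systemctl)
set -euo pipefail

ip=${1:-192.168.1.160}
readonly work_dir=/var/lib/denyhosts
readonly hosts_deny=/etc/hosts.deny
readonly hosts_allow=/etc/hosts.allow

# Accept only a dotted quad so the value cannot carry sed syntax into the
# expressions below.
readonly ipv4_re='^[0-9]{1,3}(\.[0-9]{1,3}){3}$'
[[ "$ip" =~ $ipv4_re ]] || { printf 'not an IPv4 address: %s\n' "$ip" >&2; exit 1; }
readonly ip

# Escape the dots and anchor on word boundaries: an unescaped, unanchored
# "192.168.1.160" also deletes lines for 192.168.1.1600 or 192x168y1z160.
ip_re=$(printf '%s' "$ip" | sed 's/\./\\./g')
readonly del_expr="/\\<${ip_re}\\>/d"

systemctl stop denyhosts          ## CentOS 6: /etc/init.d/denyhosts stop
cp -a -- "$hosts_deny" "${hosts_deny}.bak"
sed -i "$del_expr" "$hosts_deny"  # drop the ban line(s) for this IP
# Same in DenyHosts' own state files; -exec handles odd file names safely.
find "$work_dir" -type f -exec sed -i "$del_expr" {} +
systemctl start denyhosts         ## CentOS 6: /etc/init.d/denyhosts start

# Whitelist in TCP Wrappers (hosts.allow wins over hosts.deny). Skip if the
# exact line is already present so repeated runs do not pile up duplicates.
grep -qxF -- "sshd:${ip}:allow" "$hosts_allow" 2>/dev/null \
  || printf 'sshd:%s:allow\n' "$ip" >> "$hosts_allow"
systemctl restart denyhosts       ## CentOS 6: /etc/init.d/denyhosts restart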