
DenyHosts: effectively blocking SSH brute-force attacks

August 25, 2013

DenyHosts is a program written in Python 2.3. It analyses log files such as /var/log/secure (Red Hat, Fedora Core, CentOS) and, when it finds the same IP making repeated SSH password attempts, records that IP in /etc/hosts.deny, so that the IP is blocked automatically.

The official DenyHosts website is http://denyhosts.sourceforge.net
 
1. Check the installation requirements
First check whether sshd supports TCP Wrappers; DenyHosts can only be used if it does:
ldd /usr/sbin/sshd | grep wrap
Then check the Python version; Python 2.3 or newer can be used directly:
python -V
 
2. Install DenyHosts
First download it from Sourceforge.net:
wget http://umn.dl.sourceforge.net/sourceforge/denyhosts/DenyHosts-2.6.tar.gz

Extract the archive and enter the source directory:
tar -xzvf DenyHosts-2.6.tar.gz
cd DenyHosts-2.6

Run the Python script to install:
python setup.py install

The program scripts are installed automatically to /usr/share/denyhosts
The library files are installed automatically to /usr/lib/python2.3/site-packages/DenyHosts
denyhosts.py is installed to /usr/bin

If you are using a Python compiled from source, it is installed under /usr/local/python-2.4/bin/python instead.

2.2 Using DenyHosts with a Python compiled from source
About the following error:

Traceback (most recent call last):
  File "/usr/local/python-2.4/bin/denyhosts.py", line 5, in ?
    import DenyHosts.python_version
ImportError: No module named DenyHosts.python_version

The following parts need to be changed:
1. /usr/share/denyhosts/daemon-control
PYTHON_BIN      = "/usr/bin/env python"

change to
PYTHON_BIN      = "/usr/local/python-2.4/bin/python"

#!/usr/bin/env python

change to
#!/usr/local/python-2.4/bin/python

DENYHOSTS_BIN   = "/usr/bin/denyhosts.py"

change to
DENYHOSTS_BIN   = "/usr/local/python-2.4/bin/denyhosts.py"

2.
cp -rp /usr/local/python-2.4/lib/python2.4/site-packages/DenyHosts/ /usr/local/python-2.4/lib/python2.4/

3.


 
3. Set up the start-up script
cd /usr/share/denyhosts/

Copy the template file:
cp daemon-control-dist daemon-control

Set the owner and permissions of the start-up script:
chown root daemon-control
chmod 700 daemon-control

Generate the main DenyHosts configuration file (filter out the lines beginning with # in the template, then write the rest to denyhosts.cfg):
grep -v "^#" denyhosts.cfg-dist > denyhosts.cfg

Edit the denyhosts.cfg file and adjust it to your needs:
----------------denyhosts.cfg------------------------

SECURE_LOG = /var/log/secure

PURGE_DENY = 2h
# How long before a denied entry is purged. This is also affected by DAEMON_PURGE:
# with DAEMON_PURGE = 1h the purge runs once an hour. Set PURGE_DENY > DAEMON_PURGE.

DENY_THRESHOLD_INVALID = 1
# Number of failed logins allowed for invalid users (not listed in /etc/passwd)

DENY_THRESHOLD_VALID = 5
# Number of failed logins allowed for valid (ordinary) users

DENY_THRESHOLD_ROOT = 3
# Number of failed logins allowed for root

HOSTNAME_LOOKUP=NO
# Whether to do reverse DNS lookups

DAEMON_PURGE = 1h
# How often the scheduled purge runs (here, once an hour)
----------------denyhosts.cfg------------------------


Add the DenyHosts start-up script to automatic start-up:
echo '/usr/share/denyhosts/daemon-control start' >> /etc/rc.d/rc.local
Start the DenyHosts process:
/usr/share/denyhosts/daemon-control start
You can see that DenyHosts is running:
ps -ef | grep deny
Connect via SSH from another machine; after entering a wrong password several times in a row, the connection is blocked automatically and SSH cannot connect again for a certain period. The log file that records SSH connections:
tail /var/log/secure -f
The DenyHosts log file:
tail /var/log/denyhosts -f
DenyHosts records the IPs of malicious connections in hosts.deny and removes them from that file again after a certain time (the time set in denyhosts.cfg):
vi /etc/hosts.deny

Other settings:
AGE_RESET_VALID=5d
AGE_RESET_ROOT=25d
AGE_RESET_RESTRICTED=25d
AGE_RESET_INVALID=10d

How long before a user's failed-login count is reset to 0.

RESET_ON_SUCCESS = yes
Whether an IP's failed-login count is reset to 0 after it logs in successfully.

Exceptions: making sure a given IP is never blocked.
Additionally, as of v1.0.3, a valid hostname can also be placed in the allowed-hosts file. For each hostname appearing in this file, the IP address will be resolved and any ssh connections that match either this hostname or this resolved IP address will not be blocked.
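As an added illustration of how the thresholds in denyhosts.cfg, RESET_ON_SUCCESS and the allowed-hosts file fit together (example code written for this page, not DenyHosts' own source), the Python 3 functions below count failures per IP over constructed /var/log/secure lines and emit the hosts.deny entries. The config values are the ones from the fragment above; the log lines, host names and ALLOWED_HOSTS contents are constructed.

```python
# Added example, not DenyHosts code: minimal Python 3 version of the threshold logic. Log lines, host names and ALLOWED_HOSTS are constructed.
import re
from collections import defaultdict

SECURE_LOG_LINES = """\
Aug 25 10:01:02 host sshd[2001]: Failed password for invalid user oracle from 203.0.113.10 port 40000 ssh2
Aug 25 10:01:05 host sshd[2002]: Failed password for root from 203.0.113.20 port 40001 ssh2
Aug 25 10:01:07 host sshd[2003]: Failed password for root from 203.0.113.20 port 40002 ssh2
Aug 25 10:01:09 host sshd[2004]: Failed password for root from 203.0.113.20 port 40003 ssh2
Aug 25 10:01:12 host sshd[2005]: Failed password for alice from 203.0.113.30 port 40004 ssh2
Aug 25 10:01:14 host sshd[2006]: Failed password for alice from 203.0.113.30 port 40005 ssh2
Aug 25 10:01:16 host sshd[2007]: Accepted password for alice from 203.0.113.30 port 40006 ssh2
Aug 25 10:01:20 host sshd[2008]: Failed password for invalid user test from 192.0.2.5 port 40007 ssh2
""".splitlines()

# Same keys and values as the denyhosts.cfg fragment above; RESET_ON_SUCCESS as in "Other settings".
CONFIG = {"DENY_THRESHOLD_INVALID": 1, "DENY_THRESHOLD_VALID": 5,
          "DENY_THRESHOLD_ROOT": 3, "RESET_ON_SUCCESS": True}
ALLOWED_HOSTS = {"192.0.2.5"}  # constructed contents of the allowed-hosts file

FAILED = re.compile(r"Failed password for (invalid user )?(\S+) from (\S+) port")
ACCEPTED = re.compile(r"Accepted \S+ for (\S+) from (\S+) port")

def analyze(lines, config=CONFIG, allowed=ALLOWED_HOSTS):
    """Return (IPs to deny, in order of first denial; per-IP failure counters)."""
    counts = defaultdict(lambda: {"invalid": 0, "valid": 0, "root": 0})
    denied = []
    for line in lines:
        m = ACCEPTED.search(line)
        if m and config["RESET_ON_SUCCESS"]:
            counts.pop(m.group(2), None)   # a successful login clears that IP's counters
            continue
        m = FAILED.search(line)
        if not m:
            continue
        invalid, user, ip = m.groups()
        if ip in allowed:
            continue                        # allowed-hosts entries are never blocked
        kind = "invalid" if invalid else ("root" if user == "root" else "valid")
        counts[ip][kind] += 1
        if counts[ip][kind] >= config["DENY_THRESHOLD_" + kind.upper()] and ip not in denied:
            denied.append(ip)
    return denied, dict(counts)

def hosts_deny_lines(denied, service="sshd"):
    """Format the entries DenyHosts appends to /etc/hosts.deny (BLOCK_SERVICE: ip)."""
    return ["%s: %s" % (service, ip) for ip in denied]

if __name__ == "__main__":
    print("\n".join(hosts_deny_lines(analyze(SECURE_LOG_LINES)[0])))
```

With the sample lines, the invalid-user attempt from 203.0.113.10 is denied after one failure and root from 203.0.113.20 after three, while alice's two failures are forgotten once she logs in and the allowed host 192.0.2.5 is never counted.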

How to reset a blocked IP:
to force a reset of your blocked IP address you can stop the DH daemon. Search for your IP address in all of the files in WORK_DIR (except for allowed_hosts), edit those files and remove the line containing your IP address. Start DH.

I wrote a small script to reset a blocked IP:
=======================================================================================
#!/bin/sh
# Print a green "[ OK ]" marker at column 40 using ANSI escape sequences
echook ()
{
echo -ne "\033[40C ["
echo -ne "\033[32m"
echo -ne "\033[1C OK"
echo -ne "\033[39m"
echo -ne "\033[1C ]\n"
}

echo -e "Shutting down Denyhost: "
/usr/share/denyhosts/daemon-control stop #>/dev/null 2>&1
echook

echo ""
echo ""

echo -e "input the ip which you want to reset: \c"
read ip
# Escape the dots so sed matches the IP literally instead of treating "." as any character
pat=$(echo "$ip" | sed 's/\./\\./g')
path=/usr/share/denyhosts/data/
# Every hosts* file in the DenyHosts work directory, except temporary ones
files=$(/bin/ls $path | grep ^hosts | grep -v tmp)
for i in $files
do
sed "/$pat/d" $path$i > $path$i.tmp
cat $path$i.tmp > $path$i
rm $path$i.tmp
done
# Remove the IP from /etc/hosts.deny as well
sed "/$pat/d" /etc/hosts.deny > /etc/hosts.deny.tmp1
cat /etc/hosts.deny.tmp1 > /etc/hosts.deny
rm /etc/hosts.deny.tmp1
echo "Resetting ip: $ip "

#echo "Starting up Denyhost:"
/usr/share/denyhosts/daemon-control start
echook
=======================================================================================


Blocking brute-force attacks against vsftpd
vi /usr/share/denyhosts/denyhosts.cfg

Change:
BLOCK_SERVICE  = sshd,ftp

Restart denyhosts and check /var/log/denyhosts:



2009-05-20 11:14:23,091 - prefs       : INFO        BLOCK_SERVICE: [sshd ftp]
2009-05-20 11:14:23,091 - prefs       : INFO        DAEMON_LOG: [/var/log/denyhosts]
2009-05-20 11:14:23,091 - prefs       : INFO        DAEMON_LOG_MESSAGE_FORMAT: [%(asctime)s - %(name)-12s: %(levelname)-8s %(message)s]
2009-05-20 11:14:23,091 - prefs       : INFO        DAEMON_LOG_TIME_FORMAT: [None]
2009-05-20 11:14:23,092 - prefs       : INFO        DAEMON_PURGE: [3600]
