
1. Installing and configuring DenyHosts
Using DenyHosts to prevent SSH password brute-forcing
DenyHosts is a script written in Python with a very small resource footprint. It is commonly used to restrict SSH logins: it monitors the system log and puts any IP that exceeds the allowed number of failed attempts into TCP Wrappers, blocking further logins from it. It was chosen as UNIX Review magazine's tool of the month for August 2005. Besides basic IP blocking, it also offers email notification, plugins and synchronization.
## DenyHosts website: http://denyhosts.sourceforge.net/
2. CentOS 7 startup script
7.sh
#!/bin/bash
set -e
tar xf denyhosts-2.10.tar.gz
cd /root/denyhosts-2.10
python setup.py install
## Replace the config directly on the live system.
## NOTE: only the tail of this heredoc survives on this page; the keys documented in
## section 5 (SECURE_LOG, HOSTS_DENY, BLOCK_SERVICE, DENY_THRESHOLD_*) belong in this file as well.
cat > /etc/denyhosts.conf <<EOF
SMTP_SUBJECT = DenyHosts Report
ALLOWED_HOSTS_HOSTNAME_LOOKUP=NO
AGE_RESET_VALID=5d
AGE_RESET_ROOT=25d
AGE_RESET_RESTRICTED=25d
AGE_RESET_INVALID=10d
DAEMON_LOG = /var/log/denyhosts
DAEMON_SLEEP = 30s
DAEMON_PURGE = 1h
SYNC_UPLOAD = no
SYNC_DOWNLOAD = no
EOF
# CentOS 7 startup script (systemd unit shipped in the tarball)
cp denyhosts.service /etc/systemd/system/
systemctl daemon-reload
systemctl enable denyhosts
systemctl start denyhosts
systemctl status denyhosts
3. CentOS 6 startup script
6.sh
#!/bin/bash
set -e
tar xf denyhosts-2.10.tar.gz
cd denyhosts-2.10
python setup.py install
## Replace the config directly on the live system.
## NOTE: only the tail of this heredoc survives on this page; the keys documented in
## section 5 (SECURE_LOG, HOSTS_DENY, BLOCK_SERVICE, DENY_THRESHOLD_*) belong in this file as well.
cat > /etc/denyhosts.conf <<EOF
SMTP_SUBJECT = DenyHosts Report
ALLOWED_HOSTS_HOSTNAME_LOOKUP=NO
AGE_RESET_VALID=5d
AGE_RESET_ROOT=25d
AGE_RESET_RESTRICTED=25d
AGE_RESET_INVALID=10d
DAEMON_LOG = /var/log/denyhosts
DAEMON_SLEEP = 30s
DAEMON_PURGE = 1h
SYNC_UPLOAD = no
SYNC_DOWNLOAD = no
EOF
## CentOS 6 startup script (SysV init script shipped in the tarball)
cp daemon-control-dist /etc/init.d/denyhosts
# setup.py installs the daemon as /usr/bin/denyhosts.py, not /usr/sbin/denyhosts
sed -i 's#/usr/sbin/denyhosts#/usr/bin/denyhosts.py#' /etc/init.d/denyhosts
# CentOS 6 keeps pid files under /var/run
sed -i 's#/run/denyhosts.pid#/var/run/denyhosts.pid#' /etc/init.d/denyhosts
/etc/init.d/denyhosts start
chkconfig --add denyhosts
chkconfig denyhosts on
chkconfig --list | grep denyhosts
/etc/init.d/denyhosts status
4. CentOS 5 startup script
5.sh
#!/bin/bash
set -e
tar xf DenyHosts-2.6.tar.gz
cd DenyHosts-2.6
python setup.py install
cd /usr/share/denyhosts
cp /usr/share/denyhosts/denyhosts.cfg-dist /usr/share/denyhosts/denyhosts.cfg
cp daemon-control-dist daemon-control
chown root daemon-control
chmod 700 daemon-control
## Replace the config directly on the live system.
## NOTE: only the tail of this heredoc survives on this page; the keys documented in
## section 5 (SECURE_LOG, HOSTS_DENY, BLOCK_SERVICE, DENY_THRESHOLD_*) belong in this file as well.
cat > /usr/share/denyhosts/denyhosts.cfg <<EOF
SMTP_SUBJECT = DenyHosts Report
ALLOWED_HOSTS_HOSTNAME_LOOKUP=NO
AGE_RESET_VALID=5d
AGE_RESET_ROOT=25d
AGE_RESET_RESTRICTED=25d
AGE_RESET_INVALID=10d
DAEMON_LOG = /var/log/denyhosts
DAEMON_SLEEP = 30s
DAEMON_PURGE = 1h
SYNC_UPLOAD = no
SYNC_DOWNLOAD = no
EOF
## CentOS 5 startup script
cp /usr/share/denyhosts/daemon-control /etc/init.d/denyhosts
echo "service denyhosts restart" >> /etc/rc.local
/etc/init.d/denyhosts start
/etc/init.d/denyhosts status
5. Key configuration options explained
# SSH log file
# On the Red Hat family the decision is made from /var/log/secure
SECURE_LOG = /var/log/secure
# The file that controls user logins; blocked IPs are written here
HOSTS_DENY = /etc/hosts.deny
# By default IPs that have been blocked for a long time are never purged; keeping the default is recommended
PURGE_DENY =
# Name of the service to block; DenyHosts is of course not limited to SSH
BLOCK_SERVICE = sshd
# Number of failures allowed for invalid (nonexistent) users
DENY_THRESHOLD_INVALID = 5
# Number of failures allowed for ordinary (valid) users
DENY_THRESHOLD_VALID = 5
# Number of failures allowed for root
DENY_THRESHOLD_ROOT = 5
# PURGE_DENY: how long after an IP is blocked it is automatically unblocked.
# Accepted values include 3m (three minutes), 5h (5 hours), 2d (two days), 8w (8 weeks), 1y (one year)
# By default iptables is called to stop the IP from establishing connections; this can be disabled (CentOS 7)
#IPTABLES = /sbin/iptables
# By default email is sent to root@localhost; this can be disabled
ADMIN_EMAIL =
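To make the three thresholds concrete, the following is an added example (not DenyHosts' own code and not from the original post) that applies the same decision to a constructed set of /var/log/secure-style sshd lines: failures are counted per source IP and per class (invalid user, root, valid user), each class is compared against its own DENY_THRESHOLD_* value, and an IP whose count reaches a threshold is emitted in the "sshd: IP" form that DenyHosts writes to HOSTS_DENY. The log lines, hostnames and IPs (documentation ranges) are constructed; the "count reaches threshold" rule and the per-class counting are this example's reading of the three thresholds above.

```shell
#!/bin/sh
# Added example: replay the DENY_THRESHOLD_* decision over sample sshd log lines.
# Thresholds mirror section 5 of the page.
DENY_THRESHOLD_INVALID=5
DENY_THRESHOLD_VALID=5
DENY_THRESHOLD_ROOT=5

# Constructed sample in /var/log/secure format (host names, pids and IPs are made up).
SAMPLE_LOG='Jan 10 10:00:01 host sshd[1001]: Failed password for invalid user admin from 192.0.2.10 port 51000 ssh2
Jan 10 10:00:02 host sshd[1002]: Failed password for invalid user oracle from 192.0.2.10 port 51001 ssh2
Jan 10 10:00:03 host sshd[1003]: Failed password for invalid user test from 192.0.2.10 port 51002 ssh2
Jan 10 10:00:04 host sshd[1004]: Failed password for invalid user guest from 192.0.2.10 port 51003 ssh2
Jan 10 10:00:05 host sshd[1005]: Failed password for invalid user ubuntu from 192.0.2.10 port 51004 ssh2
Jan 10 10:01:00 host sshd[1010]: Failed password for root from 192.0.2.20 port 52000 ssh2
Jan 10 10:01:01 host sshd[1011]: Failed password for root from 192.0.2.20 port 52001 ssh2
Jan 10 10:01:02 host sshd[1012]: Failed password for root from 192.0.2.20 port 52002 ssh2
Jan 10 10:02:00 host sshd[1020]: Failed password for alice from 198.51.100.5 port 53000 ssh2
Jan 10 10:02:01 host sshd[1021]: Failed password for alice from 198.51.100.5 port 53001 ssh2
Jan 10 10:02:02 host sshd[1022]: Failed password for invalid user bob from 198.51.100.5 port 53002 ssh2
Jan 10 10:02:03 host sshd[1023]: Failed password for invalid user carol from 198.51.100.5 port 53003 ssh2
Jan 10 10:02:04 host sshd[1024]: Failed password for invalid user dave from 198.51.100.5 port 53004 ssh2
Jan 10 10:03:00 host sshd[1030]: Accepted password for alice from 198.51.100.5 port 53005 ssh2
Jan 10 10:04:00 host sshd[1040]: Failed password for root from 203.0.113.7 port 54000 ssh2
Jan 10 10:04:01 host sshd[1041]: Failed password for root from 203.0.113.7 port 54001 ssh2
Jan 10 10:04:02 host sshd[1042]: Failed password for root from 203.0.113.7 port 54002 ssh2
Jan 10 10:04:03 host sshd[1043]: Failed password for root from 203.0.113.7 port 54003 ssh2
Jan 10 10:04:04 host sshd[1044]: Failed password for root from 203.0.113.7 port 54004 ssh2'

# Reads log lines on stdin; prints one "sshd: <ip>" line (hosts.deny format) per IP
# whose failure count in any single class has reached that class's threshold.
denyhosts_decide() {
    awk -v t_inv="$DENY_THRESHOLD_INVALID" -v t_val="$DENY_THRESHOLD_VALID" -v t_root="$DENY_THRESHOLD_ROOT" '
    {
        # Classify the failure the way the three thresholds do: invalid user, root, or valid user.
        if (match($0, /Failed password for invalid user [^ ]+ from [0-9.]+/)) cls = "invalid"
        else if (match($0, /Failed password for root from [0-9.]+/)) cls = "root"
        else if (match($0, /Failed password for [^ ]+ from [0-9.]+/)) cls = "valid"
        else next
        # The matched text ends with the source IP.
        n = split(substr($0, RSTART, RLENGTH), w, " ")
        ip = w[n]
        count[cls, ip]++
        seen[ip] = 1
    }
    END {
        # Each class is judged against its own threshold; counts are not pooled across classes.
        for (ip in seen)
            if (count["invalid", ip] + 0 >= t_inv + 0 || count["valid", ip] + 0 >= t_val + 0 || count["root", ip] + 0 >= t_root + 0)
                print "sshd: " ip
    }' | sort
}

# Run the decision over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | denyhosts_decide
```

With the thresholds above, 192.0.2.10 (five invalid-user failures) and 203.0.113.7 (five root failures) are denied, while 198.51.100.5 is not: its two valid-user and three invalid-user failures stay below their separate thresholds even though it produced five failures in total. Whether a real deployment tolerates that split is exactly what DENY_THRESHOLD_INVALID and DENY_THRESHOLD_VALID let you tune.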
6. Errors encountered
1) # service denyhost start
starting DenyHosts: /usr/bin/env python /usr/bin/denyhosts.py --daemon --config=/usr/share/denyhosts/denyhosts.cfg
python: can't open file '/usr/bin/denyhosts.py': [Errno 2] No such file or directory
This error obviously means the file '/usr/bin/denyhosts.py' cannot be found. Use whereis (or which) to find the real path of the file, then open the startup script and replace the default path with it.
whereis denyhosts.py
vim /etc/init.d/denyhost
DENYHOSTS_BIN = "/usr/local/python27/bin/denyhosts.py"
DENYHOSTS_LOCK = "/var/lock/subsys/denyhosts"
DENYHOSTS_CFG = "/usr/share/denyhosts/denyhosts.cfg"
2) /etc/init.d/denyhost start
starting DenyHosts: /usr/bin/env python /usr/local/python27/bin/denyhosts.py --daemon --config=/usr/share/denyhosts/denyhosts.cfg
Traceback (most recent call last):
File "/usr/local/python27/bin/denyhosts.py", line 5, in ?
import DenyHosts.python_version
ImportError: No module named DenyHosts.python_version
The error shows that the DenyHosts module cannot be found, so loading fails. This is caused by having two Python versions on the system: the default RPM-installed Python 2.6 and a manually compiled Python 2.7. Above we installed DenyHosts by hand with Python 2.7, so the module was installed under Python 2.7, whereas the system default is Python 2.6. The fix is to edit the startup script and change the interpreter path to Python 2.7.
The modified lines (marked in red on the original page) are:
#!/usr/local/python27/bin/python2.7
###############################################
# Edit these to suit your configuration
###############################################
DENYHOSTS_BIN = "/usr/local/python27/bin/denyhosts.py"
DENYHOSTS_LOCK = "/var/lock/subsys/denyhosts"
DENYHOSTS_CFG = "/usr/share/denyhosts/denyhosts.cfg"
PYTHON_BIN = "/usr/local/python27/bin/python2.7"
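Both failures above come from paths hard-coded in the init script that do not match where setup.py actually put things. The following is an added example (not DenyHosts' own code and not from the original post) of a pre-flight check to run before "service denyhosts start": it reads DENYHOSTS_BIN, DENYHOSTS_CFG and PYTHON_BIN out of a daemon-control style script, verifies that each path exists, and asks the named interpreter to import DenyHosts.python_version, which is the exact import that failed in error 2. The function names init_value and check_denyhosts_init are this example's own; the init script path is passed as an argument.

```shell
#!/bin/sh
# Added example: sanity-check the paths a daemon-control style init script hardcodes.
# Usage: sh check_init.sh /etc/init.d/denyhosts

# Extract the value of a quoted Python assignment such as
#   DENYHOSTS_BIN = "/usr/local/python27/bin/denyhosts.py"
# from the init script. Prints the value, or nothing if the key is absent.
init_value() {
    key=$1
    script=$2
    sed -n "s/^${key} *= *[\"']\([^\"']*\)[\"'].*/\1/p" "$script" | head -n 1
}

# Check that the daemon script, the config file and the interpreter named in the init
# script exist, and that the interpreter can import the DenyHosts package (error 2 above).
# Prints one line per problem and returns the number of problems (0 means all good).
# A script that does not set PYTHON_BIN at all is reported as a problem too.
check_denyhosts_init() {
    script=$1
    problems=0
    bin=$(init_value DENYHOSTS_BIN "$script")
    cfg=$(init_value DENYHOSTS_CFG "$script")
    py=$(init_value PYTHON_BIN "$script")

    if [ ! -f "$bin" ]; then
        echo "DENYHOSTS_BIN not found: '$bin' (locate it with: whereis denyhosts.py)"
        problems=$((problems + 1))
    fi
    if [ ! -f "$cfg" ]; then
        echo "DENYHOSTS_CFG not found: '$cfg'"
        problems=$((problems + 1))
    fi
    if [ ! -x "$py" ]; then
        echo "PYTHON_BIN not executable: '$py'"
        problems=$((problems + 1))
    elif ! "$py" -c 'import DenyHosts.python_version' 2>/dev/null; then
        echo "$py cannot import DenyHosts: the package was installed under a different interpreter"
        problems=$((problems + 1))
    fi
    return $problems
}

# With an argument, check that init script; without one, define the functions only.
if [ $# -gt 0 ]; then
    check_denyhosts_init "$1" && echo "init script paths look consistent"
fi
```

Running it against /etc/init.d/denyhosts after editing the script reproduces the diagnosis from this section without starting the daemon: a missing DENYHOSTS_BIN corresponds to error 1, and an interpreter that cannot import DenyHosts corresponds to error 2.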