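For hosts that need protection but whose clients have no fixed source IP addresses, using DenyHosts to stop brute-force attacks is a very effective measure.
DenyHosts is written in Python. It monitors the system log file (/var/log/secure) to detect brute-force attempts against OpenSSH. When it finds one, it extracts the source IP address from the system security log and adds a corresponding entry to /etc/hosts.deny so that TCP Wrappers rejects further connection attempts from that address.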
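The detection step described above, as an added example that is not DenyHosts' own code: it counts failed sshd password attempts per source address in constructed log lines and renders /etc/hosts.deny entries. The threshold, the sample lines and the function names are assumptions made for this illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the sshd format found in /var/log/secure;
# the addresses come from documentation ranges.
SAMPLE_LOG = """\
Mar  3 10:01:01 host sshd[2101]: Failed password for root from 203.0.113.7 port 40122 ssh2
Mar  3 10:01:03 host sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 40130 ssh2
Mar  3 10:01:05 host sshd[2105]: Failed password for root from 203.0.113.7 port 40141 ssh2
Mar  3 10:02:10 host sshd[2110]: Failed password for alice from 198.51.100.20 port 51514 ssh2
Mar  3 10:02:30 host sshd[2112]: Accepted password for alice from 198.51.100.20 port 51520 ssh2
Mar  3 10:03:00 host sshd[2120]: Invalid user test from 203.0.113.7 port 40150
Mar  3 10:03:02 host sshd[2121]: Failed password for invalid user from 10.9.9.9 from 192.0.2.55 port 2200 ssh2
"""

# Hypothetical threshold for this example; not a DenyHosts default.
THRESHOLD = 3

# The user name in the log is chosen by the remote client, so the address is
# taken only from the fixed tail of the line, anchored at the end.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?.* "
    r"from (?P<ip>\S+) port \d+ ssh2$"
)

def failed_sources(log_text):
    """Count failed SSH password attempts per source address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue  # not an address literal; ignore the line
        counts[str(ip)] += 1
    return counts

def hosts_deny_entries(counts, threshold=THRESHOLD):
    """Render TCP Wrappers deny lines for sources at or above the threshold."""
    return [f"sshd: {ip}" for ip, n in sorted(counts.items()) if n >= threshold]

if __name__ == "__main__":
    for entry in hosts_deny_entries(failed_sources(SAMPLE_LOG)):
        print(entry)
```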
Install DenyHosts
wget https://sourceforge.net/projects/denyhosts/files/latest/download -O denyhosts-2.3.tar.gz
tar xf denyhosts-2.3.tar.gz
cd DenyHosts-2.6/
python setup.py install
cd /usr/share/denyhosts/
cp denyhosts.cfg-dist denyhosts.cfg
cp daemon-control-dist daemon-control
ln -s /usr/share/denyhosts/daemon-control /etc/init.d/
/etc/init.d/daemon-control start
Note: if startup fails with the following error:
#service denyhost start
starting DenyHosts: /usr/bin/env python /usr/bin/denyhosts.py --daemon --config=/usr/share/denyhosts/denyhosts.cfg
python: can't open file '/usr/bin/denyhosts.py'