Linux利用hosts.deny防止暴力破解ssh
1.背景
最近服务器被同一个ip多次访问我的22号端口,能用22号端口的无非是ssh连接。
1.1 查看端口连接信息
[root@docker denyhosts]# ss -anp | grep tcp | grep sshd
tcp LISTEN 0 128 *:22 : users:((“sshd”,pid=3737,fd=3))
tcp ESTAB 23 0 172.16.102.26:22 147.16.11.17:56402 users:((“sshd”,pid=11463,fd=3))
tcp ESTAB 0 36 172.16.102.26:22 116.24.66.59:25224 users:((“sshd”,pid=11263,fd=3))
1.2 查看系统安全日志
[root@docker denyhosts]# tail -f /var/log/secure
Oct 17 19:33:48 izbp150ikdomqe3b32qaubz sshd[11417]: refused connect from 47.106.141.17 (147.16.11.17)
Oct 17 19:34:12 izbp150ikdomqe3b32qaubz sshd[11421]: Failed password for root from 147.16.11.17 port 56398 ssh2
Oct 17 19:34:13 izbp150ikdomqe3b32qaubz sshd[11421]: Failed password for root from 147.16.11.17 port 56398 ssh2
Oct 17 19:34:13 izbp150ikdomqe3b32qaubz sshd[11421]: Connection closed by 147.16.11.17 [preauth]
Oct 17 19:35:26 izbp150ikdomqe3b32qaubz sshd[11428]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=147.16.11.17 user=root
Oct 17 19:35:26 izbp150ikdomqe3b32qaubz sshd[11428]: pam_succeed_if(sshd:auth): requirement “uid >= 1000” not met by user “root”
Oct 17 19:35:28 izbp150ikdomqe3b32qaubz sshd[11428]: Failed password for root from 147.16.11.17 port 56400 ssh2
Oct 17 19:36:23 izbp150ikdomqe3b32qaubz sshd[11428]: Failed password for root from 147.16.11.17 port 56400 ssh2
Oct 17 19:36:24 izbp150ikdomqe3b32qaubz sshd[11428]: Failed password for root from 147.16.11.17 port 56400 ssh2
Oct 17 19:36:24 izbp150ikdomqe3b32qaubz sshd[11428]: Connection closed by 147.16.11.17 [preauth]
1.3 查询ip归属地
2. 利用denyhosts 防止暴力破解ssh
DenyHosts是Python语言写的一个程序,它会分析sshd的日志文件(/var/log/secure),当发现重复的攻击时就会记录IP到/etc/hosts.deny文件,从而达到自动屏IP的功能。
思路:利用读取到/var/log/secure登陆失败的IP信息,我们可以设定一个规则,如果登陆失败超过多少次,我们把这个IP写到 /etc/hosts.deny中,拒绝访问!
2.1 先把始终允许的IP填入 /etc/hosts.allow ,因为自己访问超过了次数那就尴尬了。
[root@docker denyhosts]# cat /etc/hosts.allow
#
# hosts.allow This file contains access rules which are used to
# allow or deny connections to network services that
# either use the tcp_wrappers library or that have been
# started through a tcp_wrappers-enabled xinetd.
#
# See 'man 5 hosts_options' and 'man 5 hosts_access'
# for information on rule syntax.
# See 'man tcpd' for information on tcp_wrappers
#
sshd: 147.16.11.17
2.2 安装DenyHosts 官方网站为:http://denyhosts.sourceforge.net
tar -zxvf DenyHosts-2.6.tar.gz
cd DenyHosts-2.6
python setup.py install
2.3 配置
cd /usr/share/denyhosts/
cp denyhosts.cfg-dist denyhosts.cfg
vi denyhosts.cfg
SECURE_LOG = /var/log/secure #要读取安全日志路径,默认的不管它
HOSTS_DENY = /etc/hosts.deny #将阻止IP写入到hosts.deny,默认的不管它
PURGE_DENY = 1d #设定过多久后清除已阻止IP (m=分钟,h=小时,d=天,w=周)
BLOCK_SERVICE = sshd #阻止服务名
DENY_THRESHOLD_INVALID = 5 #允许无效用户登录失败的次数**
DENY_THRESHOLD_VALID = 10 #允许普通用户登录失败的次数**
DENY_THRESHOLD_ROOT = 3 #允许root登录失败的次数**
(上面3个登陆失败的次数建议不要设定太苛刻,以免自己输错了被列入黑名单了)
DENY_THRESHOLD_RESTRICTED = 1 #设定 deny host 写入到该资料夹
WORK_DIR = /usr/local/share/denyhosts/data #将deny的host或ip纪录到Work_dir中
SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES #假如设定为YES,那么已经设为白名单中的IP登陆失败也会被设为可疑,也会被列入黑名单中,设定NO的意思就相反。
HOSTNAME_LOOKUP=YES #如果可以的话记录登陆失败的hostname
LOCK_FILE = /var/lock/subsys/denyhosts #将DenyHOts启动的pid纪录到LOCK_FILE中,已确保服务正确启动,防止同时启动多个服务。
HOSTNAME_LOOKUP=NO #是否做域名反解
ADMIN_EMAIL = #设置管理员邮件地址
DAEMON_LOG = /var/log/denyhosts #自己的日志文件
DAEMON_PURGE = 1d #该项与PURGE_DENY 设置成一样,也是清除hosts.deniedssh 用户的时间。
2.4 设置启动脚本
cp daemon-control-dist daemon-control
chown root daemon-control
chmod 700 daemon-control
完了之后执行daemon-contron start就可以了。
**./daemon-control start**
如果要使DenyHosts每次重起后自动启动还需做如下设置:
ln -s /usr/share/denyhosts/daemon-control /etc/init.d/denyhosts
chkconfig --add denyhosts
chkconfig denyhosts on
ps -ef|grep denyhosts #检查是否启动
[root@docker denyhosts]# ps -ef|grep denyhosts
root 11309 1 0 19:29 ? 00:00:00 python /usr/bin/denyhosts.py --daemon --config=/usr/share/denyhosts/denyhosts.cfg
root 11523 11265 0 19:51 pts/0 00:00:00 grep --color=auto denyhosts
vim /etc/hosts.deny #查看内是否有禁止的IP,有的话说明已经成功了。
[root@docker denyhosts]# cat /etc/hosts.deny
#
# hosts.deny This file contains access rules which are used to
# deny connections to network services that either use
# the tcp_wrappers library or that have been
# started through a tcp_wrappers-enabled xinetd.
#
# The rules in this file can also be set up in
# /etc/hosts.allow with a 'deny' option instead.
#
# See 'man 5 hosts_options' and 'man 5 hosts_access'
# for information on rule syntax.
# See 'man tcpd' for information on tcp_wrappers
#
# DenyHosts: Thu Oct 17 19:44:52 2019 | sshd: 147.16.11.17
sshd: 147.16.11.17
9万+
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
