Installing and configuring DenyHosts on CentOS 7/6/5

DenyHosts installation and configuration for CentOS 7/6/5

1. Installing and configuring DenyHosts

Using DenyHosts to stop SSH password brute-forcing
DenyHosts is a script written in Python with a very small resource footprint. It is commonly used to restrict SSH logins: it watches the system log and adds IPs that exceed the configured number of failed attempts to TCP Wrappers (/etc/hosts.deny), so they can no longer log in. UNIX Review magazine named it tool of the month for August 2005. Besides basic IP blocking it offers email notification, plugins, and synchronization.

DenyHosts website: http://denyhosts.sourceforge.net/

2. CentOS 7 startup script

7.sh

#!/bin/bash
set -e   # stop if the unpack, cd or install step fails

tar xf denyhosts-2.10.tar.gz
cd /root/denyhosts-2.10
python setup.py install

## Replace the live configuration directly
cat > /etc/denyhosts.conf <<EOF
SECURE_LOG = /var/log/secure
HOSTS_DENY = /etc/hosts.deny
PURGE_DENY = 1d
BLOCK_SERVICE  = sshd
DENY_THRESHOLD_INVALID = 5
DENY_THRESHOLD_VALID = 5
DENY_THRESHOLD_ROOT = 5
DENY_THRESHOLD_RESTRICTED = 1
WORK_DIR = /var/lib/denyhosts
ETC_DIR = /etc
SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES
HOSTNAME_LOOKUP=NO
LOCK_FILE = /var/run/denyhosts.pid
ADMIN_EMAIL = 
SMTP_HOST = localhost
SMTP_PORT = 25
SMTP_FROM = DenyHosts <nobody@localhost>
SMTP_SUBJECT = DenyHosts Report
ALLOWED_HOSTS_HOSTNAME_LOOKUP=NO
AGE_RESET_VALID=5d
AGE_RESET_ROOT=25d
AGE_RESET_RESTRICTED=25d
AGE_RESET_INVALID=10d
DAEMON_LOG = /var/log/denyhosts
DAEMON_SLEEP = 30s
DAEMON_PURGE = 1h
SYNC_UPLOAD = no
SYNC_DOWNLOAD = no
EOF

# CentOS 7 startup script (systemd unit from the unpacked source directory)
cp denyhosts.service /etc/systemd/system/
systemctl daemon-reload
systemctl enable denyhosts
systemctl start denyhosts
systemctl status denyhosts

3. CentOS 6 startup script

6.sh

#!/bin/bash
set -e   # stop if the unpack, cd or install step fails

tar xf denyhosts-2.10.tar.gz
cd denyhosts-2.10
python setup.py install

## Replace the live configuration directly
cat > /etc/denyhosts.conf <<EOF
SECURE_LOG = /var/log/secure
HOSTS_DENY = /etc/hosts.deny
PURGE_DENY = 1d
BLOCK_SERVICE  = sshd
DENY_THRESHOLD_INVALID = 5
DENY_THRESHOLD_VALID = 5
DENY_THRESHOLD_ROOT = 5
DENY_THRESHOLD_RESTRICTED = 1
WORK_DIR = /var/lib/denyhosts
ETC_DIR = /etc
SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES
HOSTNAME_LOOKUP=NO
LOCK_FILE = /var/run/denyhosts.pid
ADMIN_EMAIL = 
SMTP_HOST = localhost
SMTP_PORT = 25
SMTP_FROM = DenyHosts <nobody@localhost>
SMTP_SUBJECT = DenyHosts Report
ALLOWED_HOSTS_HOSTNAME_LOOKUP=NO
AGE_RESET_VALID=5d
AGE_RESET_ROOT=25d
AGE_RESET_RESTRICTED=25d
AGE_RESET_INVALID=10d
DAEMON_LOG = /var/log/denyhosts
DAEMON_SLEEP = 30s
DAEMON_PURGE = 1h
SYNC_UPLOAD = no
SYNC_DOWNLOAD = no
EOF

## CentOS 6 startup script (SysV init)
# The shipped init script points at /usr/sbin/denyhosts and /run/denyhosts.pid;
# fix both paths to match where setup.py installed the program and where
# LOCK_FILE above puts the pid file.
cp daemon-control-dist /etc/init.d/denyhosts
sed -i 's#/usr/sbin/denyhosts#/usr/bin/denyhosts.py#' /etc/init.d/denyhosts
sed -i 's#/run/denyhosts.pid#/var/run/denyhosts.pid#' /etc/init.d/denyhosts
/etc/init.d/denyhosts start
chkconfig --add denyhosts
chkconfig denyhosts on

chkconfig --list | grep denyhosts

/etc/init.d/denyhosts status

4. CentOS 5 startup script

5.sh

#!/bin/bash
set -e   # stop if the unpack, cd or install step fails

tar xf DenyHosts-2.6.tar.gz
cd DenyHosts-2.6
python setup.py install

cd /usr/share/denyhosts
cp /usr/share/denyhosts/denyhosts.cfg-dist /usr/share/denyhosts/denyhosts.cfg
cp daemon-control-dist daemon-control
chown root daemon-control
chmod 700 daemon-control

## Replace the live configuration directly
cat > /usr/share/denyhosts/denyhosts.cfg <<EOF
SECURE_LOG = /var/log/secure
HOSTS_DENY = /etc/hosts.deny
PURGE_DENY = 1d
BLOCK_SERVICE  = sshd
DENY_THRESHOLD_INVALID = 5
DENY_THRESHOLD_VALID = 5
DENY_THRESHOLD_ROOT = 5
DENY_THRESHOLD_RESTRICTED = 1
WORK_DIR = /usr/share/denyhosts/data
SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES
HOSTNAME_LOOKUP=NO
LOCK_FILE = /var/lock/subsys/denyhosts
ADMIN_EMAIL = 
SMTP_HOST = localhost
SMTP_PORT = 25
SMTP_FROM = DenyHosts <nobody@localhost>
SMTP_SUBJECT = DenyHosts Report
ALLOWED_HOSTS_HOSTNAME_LOOKUP=NO
AGE_RESET_VALID=5d
AGE_RESET_ROOT=25d
AGE_RESET_RESTRICTED=25d
AGE_RESET_INVALID=10d
DAEMON_LOG = /var/log/denyhosts
DAEMON_SLEEP = 30s
DAEMON_PURGE = 1h
SYNC_UPLOAD = no
SYNC_DOWNLOAD = no
EOF

## CentOS 5 startup script
cp /usr/share/denyhosts/daemon-control /etc/init.d/denyhosts
echo "service denyhosts restart" >> /etc/rc.local
/etc/init.d/denyhosts start
/etc/init.d/denyhosts status

5. Key settings in the configuration file

# SSH log file; on Red Hat-family systems DenyHosts reads /var/log/secure
SECURE_LOG = /var/log/secure
# TCP Wrappers access-control file; blocked IPs are written here
HOSTS_DENY = /etc/hosts.deny
# By default (empty value) long-blocked IPs are never purged; keeping the default is recommended
PURGE_DENY =
# PURGE_DENY: how long an IP stays blocked before it is released automatically.
# Accepts values such as 3m (3 minutes), 5h (5 hours), 2d (2 days), 8w (8 weeks), 1y (1 year)
# Service name to block; DenyHosts is not limited to SSH
BLOCK_SERVICE = sshd
# Allowed number of failures for invalid (non-existent) users
DENY_THRESHOLD_INVALID = 5
# Allowed number of login failures for ordinary users
DENY_THRESHOLD_VALID = 5
# Allowed number of login failures for root
DENY_THRESHOLD_ROOT = 5
# By default iptables is also called to block connections from the IP; the feature can be turned off (CentOS 7)
#IPTABLES = /sbin/iptables
# By default a report is emailed to root@localhost; the feature can be turned off
ADMIN_EMAIL =
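To make the thresholds above concrete, here is an added shell example (not part of the original post and not DenyHosts code) that applies the same counting rule to a constructed sample of /var/log/secure lines: failed logins are counted per source IP in three classes (invalid user, existing user, root), and every IP that reaches its class threshold is printed in the `sshd: IP` form that DenyHosts writes to /etc/hosts.deny. It also converts the PURGE_DENY / AGE_RESET duration strings (3m, 5h, 2d, 8w, 1y) to seconds; the unit table, including y = 365 days, is an assumption about how DenyHosts interprets these values, not something the post states.

```shell
#!/bin/bash
# Added example: reproduce the per-IP failure counting that DenyHosts performs
# on /var/log/secure, so the thresholds in denyhosts.conf can be checked by hand.
DENY_THRESHOLD_INVALID=5
DENY_THRESHOLD_VALID=5
DENY_THRESHOLD_ROOT=5

# Constructed sample of /var/log/secure lines (not a real log; RFC 5737 test addresses).
SAMPLE_LOG='Mar  1 10:00:01 host sshd[1001]: Failed password for invalid user admin from 203.0.113.10 port 40001 ssh2
Mar  1 10:00:02 host sshd[1002]: Failed password for invalid user admin from 203.0.113.10 port 40002 ssh2
Mar  1 10:00:03 host sshd[1003]: Failed password for invalid user test from 203.0.113.10 port 40003 ssh2
Mar  1 10:00:04 host sshd[1004]: Failed password for invalid user oracle from 203.0.113.10 port 40004 ssh2
Mar  1 10:00:05 host sshd[1005]: Failed password for invalid user guest from 203.0.113.10 port 40005 ssh2
Mar  1 10:00:06 host sshd[1006]: Failed password for root from 198.51.100.7 port 50001 ssh2
Mar  1 10:00:07 host sshd[1007]: Failed password for root from 198.51.100.7 port 50002 ssh2
Mar  1 10:00:08 host sshd[1008]: Failed password for alice from 192.0.2.44 port 60001 ssh2
Mar  1 10:00:09 host sshd[1009]: Accepted password for alice from 192.0.2.44 port 60002 ssh2'

# offenders <threshold_invalid> <threshold_valid> <threshold_root>
# Reads sshd log lines on stdin and prints one "sshd: IP" line (the hosts.deny
# format) for every IP whose failure count in any class reaches its threshold.
offenders() {
  awk -v inv="$1" -v val="$2" -v root="$3" '
    / sshd\[[0-9]+\]: Failed password for / {
      for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
      if ($0 ~ /Failed password for invalid user /)   invalid[ip]++
      else if ($0 ~ /Failed password for root from /) rootf[ip]++
      else                                            valid[ip]++
      seen[ip] = 1
    }
    END {
      for (ip in seen)
        if (invalid[ip] >= inv || valid[ip] >= val || rootf[ip] >= root)
          print "sshd: " ip
    }' | sort
}

# duration_seconds <value>
# Converts a DenyHosts duration such as 30s, 3m, 5h, 1d, 8w, 1y to seconds.
# Assumption: y means 365 days, as in the examples given in the post.
duration_seconds() {
  n=${1%[smhdwy]}
  unit=${1#"$n"}
  case "$unit" in
    s|"") echo "$n" ;;
    m)    echo $((n * 60)) ;;
    h)    echo $((n * 3600)) ;;
    d)    echo $((n * 86400)) ;;
    w)    echo $((n * 604800)) ;;
    y)    echo $((n * 31536000)) ;;
    *)    echo "bad duration: $1" >&2; return 1 ;;
  esac
}

# Demo on the constructed sample with the thresholds from denyhosts.conf above:
# only 203.0.113.10 (5 invalid-user failures) reaches a threshold.
printf '%s\n' "$SAMPLE_LOG" | offenders "$DENY_THRESHOLD_INVALID" "$DENY_THRESHOLD_VALID" "$DENY_THRESHOLD_ROOT"
echo "PURGE_DENY = 1d keeps an entry for $(duration_seconds 1d) seconds"
```

Run against a live log with `offenders 5 5 5 < /var/log/secure` and compare the output with the `sshd:` lines DenyHosts has written to /etc/hosts.deny; a mismatch usually means the thresholds or AGE_RESET windows in the config differ from what you expect.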

6. Errors encountered

1. # service denyhost start
starting DenyHosts: /usr/bin/env python /usr/bin/denyhosts.py --daemon --config=/usr/share/denyhosts/denyhosts.cfg
python: can't open file '/usr/bin/denyhosts.py': [Errno 2] No such file or directory

This error plainly means the file '/usr/bin/denyhosts.py' cannot be found. Use which to locate the real path of the file, then open the startup script and replace the default path with it.

whereis denyhosts.py

vim /etc/init.d/denyhost

DENYHOSTS_BIN = "/usr/local/python27/bin/denyhosts.py"
DENYHOSTS_LOCK = "/var/lock/subsys/denyhosts"
DENYHOSTS_CFG = "/usr/share/denyhosts/denyhosts.cfg"

2. /etc/init.d/denyhost start

starting DenyHosts: /usr/bin/env python /usr/local/python27/bin/denyhosts.py --daemon --config=/usr/share/denyhosts/denyhosts.cfg
Traceback (most recent call last):
  File "/usr/local/python27/bin/denyhosts.py", line 5, in ?
    import DenyHosts.python_version
ImportError: No module named DenyHosts.python_version

The error shows that the DenyHosts module cannot be found, so loading fails. The cause is two Python versions on the system: the default python2.6 installed from the RPM package, and a python2.7 compiled by hand later. Above we installed DenyHosts by hand with python2.7, so the module was installed under python2.7, while the system default is python2.6. The fix is to edit the startup script and change the interpreter path to python2.7.

The changed lines are the interpreter line at the top and PYTHON_BIN (the original post marked them in red):

#!/usr/local/python27/bin/python2.7

###############################################
#### Edit these to suit your configuration ####
###############################################

DENYHOSTS_BIN = "/usr/local/python27/bin/denyhosts.py"
DENYHOSTS_LOCK = "/var/lock/subsys/denyhosts"
DENYHOSTS_CFG = "/usr/share/denyhosts/denyhosts.cfg"

PYTHON_BIN = "/usr/local/python27/bin/python2.7"
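Both errors come down to an init script that points at a path which does not exist on the box, or at an interpreter that cannot see the DenyHosts package. The shell functions below are an added example (not from the post and not part of DenyHosts) that checks a daemon-control style init script before it is started: check_init_paths extracts DENYHOSTS_BIN, DENYHOSTS_CFG and PYTHON_BIN and reports the ones that are missing, and check_module asks the configured interpreter to import DenyHosts.python_version, the import that failed in error 2. The sample init script the demo writes to a temp file is constructed.

```shell
#!/bin/bash
# Added example: pre-flight check for a DenyHosts daemon-control init script.

# check_init_paths <init-script>
# Prints one "MISSING <var> <path>" line for every configured path that does
# not exist. Returns 0 when all three paths exist, 1 otherwise.
check_init_paths() {
  script=$1
  missing=0
  for var in DENYHOSTS_BIN DENYHOSTS_CFG PYTHON_BIN; do
    # Pull the quoted value out of a line like:  VAR = "/some/path"
    path=$(sed -n "s/^$var[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$script" | head -n 1)
    # PYTHON_BIN defaults to "/usr/bin/env python"; test only the executable.
    path=${path%% *}
    if [ -z "$path" ]; then
      echo "MISSING $var (not set)"
      missing=1
    elif [ ! -e "$path" ]; then
      echo "MISSING $var $path"
      missing=1
    fi
  done
  return $missing
}

# check_module <python-interpreter>
# Returns 0 if the interpreter the init script will use can import the
# DenyHosts package, i.e. the import from error 2 would succeed.
check_module() {
  "$1" -c 'import DenyHosts.python_version' 2>/dev/null
}

# Demo on a constructed init script fragment: DENYHOSTS_CFG points at a path
# that does not exist, so the check reports it and returns 1.
demo_init=$(mktemp)
cat > "$demo_init" <<'EOF'
DENYHOSTS_BIN = "/bin/sh"
DENYHOSTS_CFG = "/nonexistent/denyhosts.cfg"
PYTHON_BIN = "/bin/sh"
EOF
if check_init_paths "$demo_init"; then
  echo "init script paths look fine"
else
  echo "fix the paths above before running: service denyhosts start"
fi
rm -f "$demo_init"
```

On a real system run `check_init_paths /etc/init.d/denyhosts`, then `check_module "$(sed -n 's/^PYTHON_BIN *= *"\([^" ]*\).*/\1/p' /etc/init.d/denyhosts)"`; the second call failing while `/usr/local/python27/bin/python2.7 -c 'import DenyHosts.python_version'` succeeds is exactly the two-interpreter situation described in error 2.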
