centOS8.2安装防爆力破解ssh的denyhosts
1下载
cd /usr/local/
wget https://nchc.dl.sourceforge.net/project/denyhosts/denyhosts/2.10/denyhosts-2.10.zip
2解压
unzip deny*
3进入解压文件夹
cd DenyHosts
4安装python环境
dnf install python2
5开始编译安装setup.py
python2 setup.py install
6编辑配置文件
cd /usr/local/denyhosts/
cp denyhosts.conf /etc/denyhosts.conf
cp daemon-control-dist daemon-control
vim /etc/denyhosts.conf
将以下内容加入:
SECURE_LOG = /var/log/secure
#要读取安全日志路径
HOSTS_DENY = /etc/hosts.deny
#将阻止IP写入到hosts.deny
PURGE_DENY = 10y
#设定过多久后清除已阻止IP (m=分钟,h=小时,d=天,w=周)
BLOCK_SERVICE = ALL
#阻止服务名
DENY_THRESHOLD_INVALID = 2
#允许无效用户登录失败的次数
DENY_THRESHOLD_VALID = 2
#允许普通用户登录失败的次数
DENY_THRESHOLD_ROOT = 2
#允许root登录失败的次数
DENY_THRESHOLD_RESTRICTED = 1
#设定 deny host 写入到该资料夹
WORK_DIR = /var/lib/denyhosts
#将deny的host或ip纪录到Work_dir中
ETC_DIR = /etc
#配置文件默认目录
SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES
#假如设定为YES,那么已经设为白名单中的IP登陆失败也会被设为可疑,也会被列入黑名
HOSTNAME_LOOKUP=NO
#是否做域名反解
LOCK_FILE = /var/lock/subsys/denyhosts
#将DenyHOts启动的pid纪录到LOCK_FILE中,已确保服务正确启动,防止同时启动多个服务
IPTABLES = /sbin/iptables
#SMTP_HOST = localhost
#SMTP_PORT = 25
#SMTP_FROM = DenyHosts <nobody@localhost>
#SMTP_SUBJECT = DenyHosts Report
AGE_RESET_VALID=5y
AGE_RESET_ROOT=25y
AGE_RESET_RESTRICTED=25y
AGE_RESET_INVALID=10y
ALLOWED_HOSTS_HOSTNAME_LOOKUP=NO
DAEMON_LOG = /var/log/denyhosts
#自己的日志文件
DAEMON_SLEEP = 30s
DAEMON_PURGE =10y
#该项与PURGE_DENY 设置成一样,也是清除hosts.deniedssh 用户的时间
SYNC_UPLOAD = no
SYNC_DOWNLOAD = no
7.修改denyhosts.py
cd /usr/bin/
vi denyhosts.py
将第一行修改为$!/usr/bin/env python2
vi /usr/local/denyhosts/daemon-control
将第一行修改为$!/usr/bin/env python2
并修改以下内容
DENYHOSTS_BIN = "/usr/bin/denyhosts.py"
DENYHOSTS_LOCK = "/run/denyhosts.pid"
DENYHOSTS_CFG = "/etc/denyhosts.conf"
PYTHON_BIN = "/usr/bin/env python2"
8.启动denyhosts
/usr/bin/env python2 /usr/bin/denyhosts.py --daemon --config=/etc/denyhosts.conf
9.设置自启动
vi /usr/lib/systemd/system/denyhosts.service
将以下内容加入
[Unit]
Description=SSH log watcher
Before=sshd.service
[Service]
Type=forking
#ExecStartPre=/bin/rm -rf /var/lib/denyhosts
ExecStart=/usr/local/denyhosts/daemon-control start
ExecStop=/usr/local/denyhosts/daemon-control stop
#PIDFile=/var/lib/denyhosts/denyhosts.pid
[Install]
WantedBy=multi-user.target
10.启动服务
systemctl stop denyhosts.service
systemctl status denyhosts.service
systemctl start denyhosts.service
systemctl enable denyhosts.service
11安装完成。