If you want to remove a host IP that has already been banned, deleting it from /etc/hosts.deny alone is useless. You have to go into the /var/lib/denyhosts directory and perform the following steps:
1. Stop the DenyHosts service: service denyhosts stop
2. Delete the host IP you want to unban from /etc/hosts.deny, e.g. "110.88.32.70"
3. Clear the iptables rules: iptables -F
4. Edit all files in the DenyHosts work directory /var/lib/denyhosts and delete the entries for the host that was added:
/var/lib/denyhosts/hosts
/var/lib/denyhosts/hosts-restricted
/var/lib/denyhosts/hosts-root
/var/lib/denyhosts/hosts-valid
/var/lib/denyhosts/users-hosts
/var/lib/denyhosts/users-invalid
/var/lib/denyhosts/users-valid
Create a file named "list", add the DenyHosts file paths above to it, then run the following command to do the replacement in bulk (the dots are escaped so sed matches them literally instead of as wildcards):
for i in $(cat list); do sed -i '/110\.88\.32\.70/d' "$i"; done
5. Add the host IP addresses you want to allow to
/var/lib/denyhosts/allowed-hosts
6. Start the DenyHosts service: service denyhosts start
7. Check iptables: iptables -nvL | grep 110.88.32.70
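The following shell functions are an added example (not part of the original post and not DenyHosts' own tooling) that cover steps 2 and 4 above together with a check in the spirit of step 7: they remove the address from hosts.deny and from all the work-directory files, and report how many references remain. They assume GNU sed and take the file paths as parameters so they can be tried on a scratch copy first; they go beyond the loop above by matching the IP as a whole field, so a neighbouring address such as 110.88.32.7 survives when 110.88.32.70 is removed.

```shell
#!/bin/sh
# Added example (not from the original post): remove one address from
# hosts.deny and from every DenyHosts work file listed in step 4, matching
# the IP as a whole field so that 110.88.32.7 is left alone when the target
# is 110.88.32.70 (a bare "sed '/110.88.32.70/d'" also treats every dot as
# a wildcard). Assumes GNU sed (-E, -i). Stop denyhosts first (step 1).

# Files DenyHosts keeps per-host/per-user state in (hosts.deny first).
_dh_files() {
    printf '%s\n' "$1" "$2/hosts" "$2/hosts-restricted" "$2/hosts-root" \
        "$2/hosts-valid" "$2/users-hosts" "$2/users-invalid" "$2/users-valid"
}

# Extended regex matching the IP only as a complete field: preceded by
# line start, space or colon and followed by line end, space or colon
# ("sshd: 1.2.3.4" in hosts.deny, "1.2.3.4:count:timestamp" in the work
# files, "user - 1.2.3.4:..." in users-hosts). Dots are escaped.
_dh_pattern() {
    printf '(^|[ :])%s([ :]|$)' "$(printf '%s' "$1" | sed 's/\./\\./g')"
}

# denyhosts_unban IP HOSTS_DENY_FILE WORK_DIR
denyhosts_unban() {
    pat=$(_dh_pattern "$1")
    _dh_files "$2" "$3" | while read -r f; do
        if [ -f "$f" ]; then
            sed -E -i "/$pat/d" "$f"
        fi
    done
}

# denyhosts_count_refs IP HOSTS_DENY_FILE WORK_DIR
# Prints how many lines across those files still name the IP; expect 0
# after denyhosts_unban, before starting the service again (step 6).
denyhosts_count_refs() {
    pat=$(_dh_pattern "$1")
    _dh_files "$2" "$3" | while read -r f; do
        if [ -f "$f" ]; then
            cat "$f"
        fi
    done | grep -Ec "$pat" || true
}
```

These functions replace steps 2 and 4 above; steps 1, 3 and 5 to 7 are unchanged.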
DenyHosts configuration review and source code study
Viewing the configuration
# cat /etc/denyhosts.conf | egrep -v "^$|#"
SECURE_LOG = /var/log/auth.log
HOSTS_DENY = /etc/hosts.deny
PURGE_DENY = 4w # how long before banned entries are purged; format i[dhwmy], where i is an integer and d, h, w, m, y stand for days, hours, weeks, minutes and years
BLOCK_SERVICE = sshd # name of the service to block
DENY_THRESHOLD_INVALID = 5 # number of failures allowed for invalid (non-existent) users
DENY_THRESHOLD_VALID = 10 # number of login failures allowed for ordinary users
DENY_THRESHOLD_ROOT = 3 # number of login failures allowed for root
DENY_THRESHOLD_RESTRICTED = 3 # number of failures for restricted users before the host is written to the deny file
WORK_DIR = /var/lib/denyhosts # denied hosts and IPs are recorded under WORK_DIR
ETC_DIR = /etc
SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES
HOSTNAME_LOOKUP=YES # whether to do reverse DNS lookups
LOCK_FILE = /run/denyhosts.pid # the pid of the running DenyHosts is written to LOCK_FILE to make sure the service started correctly and to prevent several instances from running at once
IPTABLES = /sbin/iptables
ADMIN_EMAIL = root@localhost
SMTP_HOST = localhost
SMTP_PORT = 25
SMTP_FROM = DenyHosts <nobody@localhost>
SMTP_SUBJECT = DenyHosts Report
ALLOWED_HOSTS_HOSTNAME_LOOKUP=NO
AGE_RESET_VALID=5d
AGE_RESET_ROOT=25d
AGE_RESET_RESTRICTED=25d
AGE_RESET_INVALID=10d
DAEMON_LOG = /var/log/denyhosts # DenyHosts log file
DAEMON_SLEEP = 30s
DAEMON_PURGE = 1h # set this to the same value as PURGE_DENY; it is likewise the interval for purging blocked ssh hosts from hosts.deny, and when running as a daemon this value is the one used
SYNC_UPLOAD = no
SYNC_DOWNLOAD = no
Files in the work directory
purge-history
hosts-valid # ABUSIVE_HOSTS_VALID, added in v1.0.0, e.g. 1.119.10.198:0:Tue Jan 30 00:10:09 2018
hosts
hosts-root
hosts-restricted
users-valid # ABUSED_USERS_VALID, added in v2.1; the user name is checked against the passwd file, e.g. backup:43:Thu Aug 23 12:24:59 2018
users-invalid
users-hosts
suspicious-logins // successful logins AFTER invalid
offset // SECURE_LOG_OFFSET
How do you whitelist an IP?
Create the file in the work directory and write the IP into it:
/var/lib/denyhosts/allowed-hosts # the main one
/var/lib/denyhosts/allowed-warned-hosts # ALLOWED_WARNED_HOSTS
What does "warned" mean? A host that has failed several times but has not yet reached the ban threshold.
Source code (DenyHosts-2.6)
Service start/stop script: daemon-control-dist
Configuration file installed: denyhosts.cfg-dist
# Redhat or Fedora Core:
SECURE_LOG = /var/log/secure
#
# Mandrake, FreeBSD or OpenBSD:
#SECURE_LOG = /var/log/auth.log
#
# SuSE:
#SECURE_LOG = /var/log/messages
#
# Mac OS X (v10.4 or greater -
# also refer to: http://www.denyhosts.net/faq.html#macos
#SECURE_LOG = /private/var/log/asl.log
#
# Mac OS X (v10.3 or earlier):
#SECURE_LOG=/private/var/log/system.log
scripts/restricted_from_passwd.py
Extracts user names from /etc/passwd; logins by non-system users are rejected and recorded in restricted-usernames/users-invalid, while others are recorded in users-valid.
Functions and feature methods are all in here.
DenyHosts/constants.py
Constants file: counters, and the definitions of the files that IPs are written to (denied, allowed, etc.)
# These files will be created relative to prefs WORK_DIR #
#################################################################################
SECURE_LOG_OFFSET = "offset"
DENIED_TIMESTAMPS = "denied-timestamps"
#PARSED_DATES = "file_dates"
ABUSIVE_HOSTS_INVALID = "hosts"
ABUSIVE_HOSTS_VALID = "hosts-valid"
ABUSIVE_HOSTS_ROOT = "hosts-root"
ABUSIVE_HOSTS_RESTRICTED = "hosts-restricted"
ABUSED_USERS_INVALID = "users-invalid"
ABUSED_USERS_VALID = "users-valid"
ABUSED_USERS_AND_HOSTS = "users-hosts"
SUSPICIOUS_LOGINS = "suspicious-logins" # successful logins AFTER invalid
# attempts from same host
ALLOWED_HOSTS = "allowed-hosts"
ALLOWED_WARNED_HOSTS = "allowed-warned-hosts"
RESTRICTED_USERNAMES = "restricted-usernames"
SYNC_TIMESTAMP = "sync-timestamp"
SYNC_HOSTS = "sync-hosts"
SYNC_HOSTS_TMP = "sync-hosts.tmp"
SYNC_RECEIVED_HOSTS = "sync-received"
PURGE_HISTORY = "purge-history"
TIME_SPEC_LOOKUP = {'s': 1,        # s
                    'm': 60,       # minute
                    'h': 3600,     # hour
                    'd': 86400,    # day
                    'w': 604800,   # week
                    'y': 31536000} # year
SYNC_MIN_INTERVAL = 300 # 5 minutes
Author: 董春磊
Link: https://www.jianshu.com/p/b4124b012e75
Source: 简书 (Jianshu)
Copyright belongs to the author. For commercial reproduction please contact the author for permission; for non-commercial reproduction please credit the source.