Centos服务器配置DenyHost防暴力破解

背景：

只要互联网上的服务器就会被恶意扫描或者暴力破解密码，一方面如果密码设置过于简单，服务器就会被入侵，另一方面服务器的资源开销也会增加。
http://blog.daobidao.com/centos-server-denyhost-config.html

安装方法：

1、安装Denyhost程序

Centos 6 X64 安装：

[Bash:4.1] <#> wget -c https://raw.githubusercontent.com/jinchengjiang/shell-script/master/denyhosts/denyhosts-2.6-5.el6.rf.noarch.rpm
[Bash:4.1] <#> rpm -ivh denyhosts-2.6-5.el6.rf.noarch.rpm

Centos 7 X64 安装：

[Bash:4.1] <#> wget -c https://raw.githubusercontent.com/jinchengjiang/shell-script/master/denyhosts/denyhosts-2.6-5.el7.rf.noarch.rpm
[Bash:4.1] <#> rpm -ivh denyhosts-2.6-5.el7.rf.noarch.rpm

如果不会配置denyhost配置文件，可以参考下面的命令，下载现成的配置文件使用。

[Bash:4.1] <#> cd /etc/denyhosts/
[Bash:4.1] <#> mv denyhosts.cfg denyhosts.cfg.bak
[Bash:4.1] <#> wget -c https://raw.githubusercontent.com/jinchengjiang/shell-script/master/conf/denyhosts.cfg
[Bash:4.1] <#> chkconfig denyhosts on
[Bash:4.1] <#> /etc/init.d/denyhosts restart

2、如果需要配置Denyhost邮件通知，需要修改/etc/denyhosts/denyhosts.cfg的文件，具体的内容如下：

ADMIN_EMAIL: if you would like to receive emails regarding newly

restricted hosts and suspicious logins, set this address to

match your email address. If you do not want to receive these reports

leave this field blank (or run with the –noemail option)

Multiple email addresses can be delimited by a comma, eg:

ADMIN_EMAIL = foo@bar.com, bar@foo.com, etc@foobar.com

ADMIN_EMAIL= 通知给哪个邮箱

SMTP_HOST and SMTP_PORT: if DenyHosts is configured to email

reports (see ADMIN_EMAIL) then these settings specify the

email server address (SMTP_HOST) and the server port (SMTP_PORT)

SMTP_HOST= SMTP地址
SMTP_PORT= SMTP端口

SMTP_USERNAME and SMTP_PASSWORD: set these parameters if your

smtp email server requires authentication

SMTP_USERNAME= SMTP发件的邮箱
SMTP_PASSWORD= SMTP发件的邮箱密码

SMTP_FROM: you can specify the “From:” address in messages sent

from DenyHosts when it reports thwarted abuse attempts

SMTP_FROM = DenyHosts 发件人的名字

1、详细配置参数：

SECURE_LOG = /var/log/secure # 系统安全日志文件，主要获取ssh信息

HOSTS_DENY = /etc/hosts.deny # 拒绝写入IP文件 hosts.deny

PURGE_DENY = 4w # 过多久后清除已经禁止的，其中w代表周，d代表天，h代表小时，s代表秒，m代表分钟

PURGE_THRESHOLD = 6 # 定义了某一IP最多被解封多少次。即某一IP由于暴力破解SSH密码被阻止/解封达到了PURGE_THRESHOLD次，则会被永久禁止；

BLOCK_SERVICE = ALL # denyhosts所要阻止的服务名称或者所有

DENY_THRESHOLD_INVALID = 3 # 允许无效用户登录失败的次数

DENY_THRESHOLD_VALID = 10 # 允许普通用户登录失败的次数

DENY_THRESHOLD_ROOT = 6 # 允许ROOT用户登录失败的次数

DENY_THRESHOLD_RESTRICTED = 1 # 设定 deny host 写入到该资料夹

WORK_DIR = /var/lib/denyhosts # 将deny的host或ip纪录到Work_dir中

SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS = YES

HOSTNAME_LOOKUP = NO # 是否做主机名反向解析

LOCK_FILE = /var/lock/subsys/denyhosts # 将DenyHOts启动的pid纪录到LOCK_FILE中，已确保服务正确启动，防止同时启动多个服务

SMTP_SUBJECT = DenyHosts Report # 邮件标题

AGE_RESET_VALID = 5d # 有效用户登录失败计数归零的时间

AGE_RESET_ROOT = 25d # ROOT用户登录失败计数归零的时间

AGE_RESET_RESTRICTED = 25d # 用户的失败登录计数重置为0的时间(/usr/share/denyhosts/restricted-usernames)

AGE_RESET_INVALID = 10d # 无效用户登录失败计数归零的时间

DAEMON_LOG = /var/log/denyhosts

DAEMON_SLEEP = 30s

DAEMON_PURGE = 1h # 该项与PURGE_DENY 设置成一样，也是清除hosts.deniedssh 用户的时间