简介
DenyHosts是一个python写的脚本,常用来限制SSH登陆,通过监控系统日志,将超过错误次数的IP放入TCP Wrappers中禁止登陆。UNIX Review杂志评选的2005年8月的月度工具。除了基础的屏蔽IP功能,还有邮件通知,插件,同步等功能。
官方站点:http://denyhosts.sourceforge.net/
GitHub代码:https://github.com/denyhosts/denyhosts
安装
tar xf DenyHosts-2.6.tar.gz
cd DenyHosts-2.6
python setup.py install
cd /usr/share/denyhosts/
cp denyhosts.cfg-dist denyhosts.cfg
cp daemon-control-dist daemon-control
chown root daemon-control
chmod 700 daemon-control
ln -sv /usr/share/denyhosts/daemon-control /etc/init.d/denyhosts
/etc/init.d/denyhosts start
chkconfig denyhosts on
配置
#登陆失败次数,无效用户,普通用户,root用户,限制用户
DENY_THRESHOLD_INVALID = 5
DENY_THRESHOLD_VALID = 10
DENY_THRESHOLD_ROOT = 1
DENY_THRESHOLD_RESTRICTED = 1
#登陆失败计数重置时间,普通用户,root用户,限制用户,无效用户
AGE_RESET_VALID=5d
AGE_RESET_ROOT=25d
AGE_RESET_RESTRICTED=25d
AGE_RESET_INVALID=10d
#清除已阻止IP时间间隔,定时任务模式,需要--purge
,守护进程模式
PURGE_DENY = 1h
DAEMON_PURGE = 1h
解除屏蔽
Stop DenyHosts
Remove the IP address from /etc/hosts.deny
Edit WORK_DIR/hosts and remove the lines containing the IP address. Save the file.
Edit WORK_DIR/hosts-restricted and remove the lines containing the IP address. Save the file.
Edit WORK_DIR/hosts-root and remove the lines containing the IP address. Save the file.
Edit WORK_DIR/hosts-valid and remove the lines containing the IP address. Save the file.
Edit WORK_DIR/user-hosts and remove the lines containing the IP address. Save the file.
(optional) Consider adding the IP address to WORK_DIR/allowed-hosts
Start DenyHosts
白名单
create a file named allowed-hosts in the WORK_DIR. Simply add an IP address, one per line.支持域名和glob通配
监控非SSH服务
需要添加正则匹配,官方文档有说明。
相似工具
Fail2Ban,使用iptables
BlockHosts
Blacklist
SSH安全配置
PermitRootLogin no
PasswordAuthentication no
Port 59922
转载于:https://blog.51cto.com/14043491/2309673