DenyHosts is a program written in Python. It analyzes log files such as /var/log/secure and, when it finds the same IP making repeated SSH password attempts, records that IP in /etc/hosts.deny, so that the IP is blocked automatically.
The DenyHosts installation steps are as follows:
1. Check the prerequisites
1) First check whether the installed sshd supports TCP Wrappers (it does by default):
[root@node1 ~]$ ldd /usr/sbin/sshd | grep libwrap.so.0
libwrap.so.0 => /lib64/libwrap.so.0 (0x00007fd30bd5a000)
2) Check the Python version installed by default with the following command:
[root@node1 ~]$ python -V
Python 2.7.5
2. Install and configure the DenyHosts tool
1) Install DenyHosts with the following commands:
[root@node1 src]$ pwd
/usr/local/src
[root@node1 src]$ ls -l
total 92
drwxrwxr-x 6 probe probe 4096 Feb 26 2016 denyhosts
-rw-r--r-- 1 root root 87435 Jul 9 21:23 denyhosts-3.1.tar.gz
# enter the denyhosts directory
[root@node1 denyhosts]$ ls
CHANGELOG.txt denyhosts.8 denyhosts.service MANIFEST.in README.md tests
daemon-control-dist denyhosts.conf LICENSE.txt PKG-INFO scripts TODO
DenyHosts denyhosts.py Makefile plugins setup.py
2) Fixing the error: a missing Python package
[root@node1 denyhosts]$ python setup.py install
Traceback (most recent call last):
File "setup.py", line 10, in <module>
from DenyHosts.util import normalize_whitespace
File "/usr/local/src/denyhosts/DenyHosts/util.py", line 9, in <module>
import ipaddr
ImportError: No module named ipaddr
Install pip, the Python package manager, which provides searching, downloading, installing and uninstalling Python packages:
yum install python-pip
# install the ipaddr module
[root@node1 denyhosts]$ pip install ipaddr
Collecting ipaddr
Downloading https://files.pythonhosted.org/packages/9d/a7/1b39a16cb90dfe491f57e1cab3103a15d4e8dd9a150872744f531b1106c1/ipaddr-2.2.0.tar.gz
Installing collected packages: ipaddr
Running setup.py install for ipaddr ... done
Successfully installed ipaddr-2.2.0
Finally, run the install again; it now reports success.
python setup.py install
... (part of the output omitted) ...
changing mode of /usr/bin/daemon-control-dist to 755
running install_data
copying denyhosts.conf -> /etc
copying denyhosts.8 -> /usr/share/man/man8
running install_egg_info
Writing /usr/lib/python2.7/site-packages/DenyHosts-3.0-py2.7.egg-info
3) Edit the configuration file (/etc/denyhosts.conf). The comments below explain each setting; they are placed on their own lines because the DenyHosts config parser does not strip trailing comments from a value.
# location of the security log to watch
SECURE_LOG = /var/log/secure
HOSTS_DENY = /etc/hosts.deny
# how long before a deny entry is purged
PURGE_DENY = 30m
BLOCK_SERVICE = sshd
# allowed failed logins for invalid users (not listed in /etc/passwd)
DENY_THRESHOLD_INVALID = 5
# allowed failed logins for ordinary valid users
DENY_THRESHOLD_VALID = 10
# allowed failed logins for root
DENY_THRESHOLD_ROOT = 3
DENY_THRESHOLD_RESTRICTED = 1
DETECT_DOVECOT_LOGIN_ATTEMPTS = NO
WORK_DIR = /var/lib/denyhosts
ETC_DIR = /etc
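As an added example (not part of the original post and not DenyHosts' own code), the following Python script shows the core logic that the thresholds above drive: it parses sshd failure lines in /var/log/secure format, counts failures per IP by user class (invalid user, valid user, root), and emits the entries DenyHosts writes to /etc/hosts.deny. The log lines are constructed samples, and the IP is blocked once it reaches the threshold for its class.

```python
import re
from collections import defaultdict

# Threshold values mirroring the denyhosts.conf settings above
THRESHOLDS = {"invalid": 5, "valid": 10, "root": 3}
BLOCK_SERVICE = "sshd"

# sshd writes one of these two lines per failed password attempt:
#   Failed password for invalid user NAME from IP port N ssh2   (NAME not in /etc/passwd)
#   Failed password for NAME from IP port N ssh2                (NAME is a valid account)
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (invalid user )?(\S+) from (\d{1,3}(?:\.\d{1,3}){3})")

def classify(user, invalid):
    """Map one attempt to the threshold class that applies to it."""
    if invalid:
        return "invalid"
    return "root" if user == "root" else "valid"

def count_failures(lines):
    """Return {ip: {"invalid": n, "valid": n, "root": n}} over the given log lines."""
    counts = defaultdict(lambda: {"invalid": 0, "valid": 0, "root": 0})
    for line in lines:
        m = FAILED_RE.search(line)
        if not m:
            continue  # successful logins and unrelated messages are ignored
        invalid, user, ip = m.groups()
        counts[ip][classify(user, invalid is not None)] += 1
    return counts

def hosts_to_deny(counts):
    """IPs that reached the threshold for any user class."""
    return sorted(ip for ip, c in counts.items()
                  if any(c[k] >= THRESHOLDS[k] for k in THRESHOLDS))

def hosts_deny_lines(ips):
    """Entries in the 'service: IP' format written to /etc/hosts.deny."""
    return ["%s: %s" % (BLOCK_SERVICE, ip) for ip in ips]

# Constructed sample lines in /var/log/secure format (not a real capture)
SAMPLE_LOG = [
    "Jul  9 21:30:01 node1 sshd[1201]: Failed password for root from 192.0.2.10 port 51122 ssh2",
    "Jul  9 21:30:04 node1 sshd[1201]: Failed password for root from 192.0.2.10 port 51122 ssh2",
    "Jul  9 21:30:07 node1 sshd[1201]: Failed password for root from 192.0.2.10 port 51122 ssh2",
    "Jul  9 21:31:10 node1 sshd[1215]: Failed password for invalid user admin from 198.51.100.7 port 40210 ssh2",
    "Jul  9 21:31:13 node1 sshd[1215]: Failed password for invalid user admin from 198.51.100.7 port 40210 ssh2",
    "Jul  9 21:32:00 node1 sshd[1230]: Accepted password for alice from 203.0.113.5 port 39877 ssh2",
]

if __name__ == "__main__":
    for entry in hosts_deny_lines(hosts_to_deny(count_failures(SAMPLE_LOG))):
        print(entry)  # sshd: 192.0.2.10
```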
4) If DenyHosts should start automatically when the system reboots, add the following configuration:
vi /etc/rc.local
# add the following command
/usr/local/src/denyhosts/daemon-control-dist start
5) Starting with daemon-control-dist start fails with the following error:
python: can't open file '/usr/sbin/denyhosts': [Errno 2] No such file or directory
The original content of daemon-control-dist is as follows:
DENYHOSTS_BIN = "/usr/sbin/denyhosts"
DENYHOSTS_LOCK = "/run/denyhosts.pid"
DENYHOSTS_CFG = "/etc/denyhosts.conf"
Change it as follows, after which it starts successfully:
DENYHOSTS_BIN = "/usr/bin/denyhosts.py"
DENYHOSTS_LOCK = "/run/denyhosts.pid"
DENYHOSTS_CFG = "/etc/denyhosts.conf"
[root@node1 denyhosts]$ ./daemon-control-dist status
DenyHosts is running with pid = 10116
3. Start DenyHosts automatically on boot
After installing DenyHosts 3.1 you can see a denyhosts.service file; on CentOS 7 this file goes in the /usr/lib/systemd/system/ directory.
[root@node1 denyhosts]$ ls -l denyhosts.service
-rw-rw-r-- 1 probe probe 265 Feb 11 2015 denyhosts.service
[root@node1 denyhosts]$ cat denyhosts.service
[Unit]
Description=SSH log watcher
Before=sshd.service
[Service]
Type=forking
ExecStartPre=/bin/rm -f /var/run/denyhosts.pid
ExecStart=/usr/bin/denyhosts.py --daemon --config=/etc/denyhosts.conf
PIDFile=/var/run/denyhosts.pid
[Install]
WantedBy=multi-user.target
-----------------
# copy to the systemd unit directory
cp denyhosts.service /usr/lib/systemd/system/
Enable start on boot:
[root@node1 denyhosts]$ systemctl enable denyhosts.service
Created symlink from /etc/systemd/system/multi-user.target.wants/denyhosts.service to /usr/lib/systemd/system/denyhosts.service.
If a machine whose IP is already recorded in /etc/hosts.deny still tries to connect to the machine running DenyHosts, the connection is refused.