Installing DenyHosts 2.6 on CentOS 7

DenyHosts is another open-source program that guards against sshd brute-force attacks; it effectively blocks attacks on an SSH server. It works as follows:

1. Analyzes the /var/log/secure log file, finds all login attempts, and separates the failed attempts from the successful ones.
2. Records the user name and host of every failed login attempt; when the threshold is exceeded, the host is recorded.
3. Keeps track of every user that failed to log in (whether or not that user exists on the system).
4. Tracks every suspicious login (a login that succeeded but was preceded by many failed attempts).
5. Adds the suspicious hosts to /etc/hosts.deny.

Step-by-step procedure

1. Download
[root@rxtekweb ~]# wget http://jaist.dl.sourceforge.net/project/denyhosts/denyhosts/2.6/DenyHosts-2.6.tar.gz
--2021-08-31 09:45:46--  http://jaist.dl.sourceforge.net/project/denyhosts/denyhosts/2.6/DenyHosts-2.6.tar.gz
Resolving jaist.dl.sourceforge.net (jaist.dl.sourceforge.net)... 150.65.7.130, 2001:df0:2ed:feed::feed
Connecting to jaist.dl.sourceforge.net (jaist.dl.sourceforge.net)|150.65.7.130|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 42667 (42K) [application/x-gzip]
Saving to: ‘DenyHosts-2.6.tar.gz’

100%[======================================>] 42,667       143KB/s   in 0.3s


2. Extract
[root@### ~]# tar -zxvf DenyHosts-2.6.tar.gz
DenyHosts-2.6/
DenyHosts-2.6/PKG-INFO
DenyHosts-2.6/denyhosts.py
DenyHosts-2.6/denyhosts.cfg-dist
DenyHosts-2.6/setup.py
DenyHosts-2.6/DenyHosts/
DenyHosts-2.6/DenyHosts/prefs.py
DenyHosts-2.6/DenyHosts/report.py
DenyHosts-2.6/DenyHosts/lockfile.py
DenyHosts-2.6/DenyHosts/__init__.py
DenyHosts-2.6/DenyHosts/plugin.py
DenyHosts-2.6/DenyHosts/denyfileutil.py
DenyHosts-2.6/DenyHosts/deny_hosts.py
DenyHosts-2.6/DenyHosts/regex.py
DenyHosts-2.6/DenyHosts/sync.py
DenyHosts-2.6/DenyHosts/counter.py
DenyHosts-2.6/DenyHosts/old-daemon.py
DenyHosts-2.6/DenyHosts/util.py
DenyHosts-2.6/DenyHosts/daemon.py
DenyHosts-2.6/DenyHosts/python_version.py
DenyHosts-2.6/DenyHosts/allowedhosts.py
DenyHosts-2.6/DenyHosts/filetracker.py
DenyHosts-2.6/DenyHosts/loginattempt.py
DenyHosts-2.6/DenyHosts/restricted.py
DenyHosts-2.6/DenyHosts/purgecounter.py
DenyHosts-2.6/DenyHosts/version.py
DenyHosts-2.6/DenyHosts/constants.py
DenyHosts-2.6/CHANGELOG.txt
DenyHosts-2.6/LICENSE.txt
DenyHosts-2.6/daemon-control-dist
DenyHosts-2.6/plugins/
DenyHosts-2.6/plugins/README.contrib
DenyHosts-2.6/plugins/shorewall_allow.sh
DenyHosts-2.6/plugins/shorewall_deny.sh
DenyHosts-2.6/plugins/test_deny.py
DenyHosts-2.6/scripts/
DenyHosts-2.6/scripts/restricted_from_invalid.py
DenyHosts-2.6/scripts/restricted_from_passwd.py
DenyHosts-2.6/README.txt
DenyHosts-2.6/MANIFEST.in

3. Enter the extracted directory
[root@### ~]# cd DenyHosts-2.6
[root@### DenyHosts-2.6]# ls
CHANGELOG.txt        denyhosts.cfg-dist  MANIFEST.in  README.txt
daemon-control-dist  denyhosts.py        PKG-INFO     scripts
DenyHosts            LICENSE.txt         plugins      setup.py

4. Build and install with setup.py
[root@### DenyHosts-2.6]# python setup.py install
running install
running build
running build_py
creating build
creating build/lib
creating build/lib/DenyHosts
copying DenyHosts/loginattempt.py -> build/lib/DenyHosts
copying DenyHosts/denyfileutil.py -> build/lib/DenyHosts
copying DenyHosts/regex.py -> build/lib/DenyHosts
copying DenyHosts/filetracker.py -> build/lib/DenyHosts
copying DenyHosts/lockfile.py -> build/lib/DenyHosts
copying DenyHosts/__init__.py -> build/lib/DenyHosts
copying DenyHosts/restricted.py -> build/lib/DenyHosts
copying DenyHosts/purgecounter.py -> build/lib/DenyHosts
copying DenyHosts/version.py -> build/lib/DenyHosts
copying DenyHosts/counter.py -> build/lib/DenyHosts
copying DenyHosts/plugin.py -> build/lib/DenyHosts
copying DenyHosts/allowedhosts.py -> build/lib/DenyHosts
copying DenyHosts/util.py -> build/lib/DenyHosts
copying DenyHosts/old-daemon.py -> build/lib/DenyHosts
copying DenyHosts/deny_hosts.py -> build/lib/DenyHosts
copying DenyHosts/daemon.py -> build/lib/DenyHosts
copying DenyHosts/prefs.py -> build/lib/DenyHosts
copying DenyHosts/report.py -> build/lib/DenyHosts
copying DenyHosts/constants.py -> build/lib/DenyHosts
copying DenyHosts/python_version.py -> build/lib/DenyHosts
copying DenyHosts/sync.py -> build/lib/DenyHosts
running build_scripts
creating build/scripts-2.7
copying and adjusting denyhosts.py -> build/scripts-2.7
changing mode of build/scripts-2.7/denyhosts.py from 644 to 755
running install_lib
running install_scripts
copying build/scripts-2.7/denyhosts.py -> /usr/bin
changing mode of /usr/bin/denyhosts.py to 755
running install_data
running install_egg_info
Removing /usr/lib/python2.7/site-packages/DenyHosts-2.6-py2.7.egg-info
Writing /usr/lib/python2.7/site-packages/DenyHosts-2.6-py2.7.egg-info


5. Edit the configuration file
cd /usr/share/denyhosts/
vim denyhosts.cfg
[root@### denyhosts]# cat denyhosts.cfg

SECURE_LOG = /var/log/secure

HOSTS_DENY = /etc/hosts.deny

PURGE_DENY = 5w

BLOCK_SERVICE  = sshd

DENY_THRESHOLD_INVALID = 4

DENY_THRESHOLD_VALID = 4

DENY_THRESHOLD_ROOT = 3

DENY_THRESHOLD_RESTRICTED = 1

WORK_DIR = /usr/share/denyhosts/data

SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES

HOSTNAME_LOOKUP=NO

LOCK_FILE = /var/lock/subsys/denyhosts

#SMTP_HOST = localhost

#SMTP_PORT = 25

#SMTP_FROM = DenyHosts <nobody@localhost>

#SMTP_SUBJECT = DenyHosts Report

AGE_RESET_VALID=5d

AGE_RESET_ROOT=25d

AGE_RESET_RESTRICTED=25d

AGE_RESET_INVALID=10d

DAEMON_LOG = /var/log/denyhosts

DAEMON_SLEEP = 30s

DAEMON_PURGE = 1h


6. Start DenyHosts and enable it at boot
[root@### denyhosts]$ cat denyhosts.service 
[Unit]
Description=SSH log watcher
Before=sshd.service

[Service]
Type=forking
ExecStartPre=/bin/rm -f /var/lock/subsys/denyhosts
ExecStart=/usr/bin/denyhosts.py --daemon --config=/usr/share/denyhosts/denyhosts.cfg
PIDFile=/var/lock/subsys/denyhosts

[Install]
WantedBy=multi-user.target

[root@### denyhosts]# cp denyhosts.service /usr/lib/systemd/system/
[root@### denyhosts]# systemctl enable denyhosts.service
Created symlink from /etc/systemd/system/multi-user.target.wants/denyhosts.service to /usr/lib/systemd/system/denyhosts.service.
[root@### denyhosts]# systemctl start denyhosts.service
[root@### denyhosts]# systemctl status denyhosts.service
● denyhosts.service - SYSV: Activates/Deactivates the
   Loaded: loaded (/etc/rc.d/init.d/denyhosts; bad; vendor preset: disabled)
   Active: active (running) since Mon 2021-08-30 11:24:43 CST; 23h ago



7. Installation complete.

Important configuration options

PURGE_DENY: how long a blocked IP stays blocked before it is automatically unblocked. Accepts values such as 3m (three minutes), 5h (5 hours), 2d (two days), 8w (8 weeks), 1y (one year);
PURGE_THRESHOLD: the maximum number of times an IP may be unblocked. Once an IP has been blocked and unblocked PURGE_THRESHOLD times for brute-forcing SSH passwords, it is banned permanently;
BLOCK_SERVICE: the name of the service to block;
DENY_THRESHOLD_INVALID: the number of login attempts with an invalid user name (a user that does not exist) after which the host is blocked;
DENY_THRESHOLD_VALID: the number of login attempts with a valid user name (for example, correct account but wrong password) after which the host is blocked; root is handled separately;
DENY_THRESHOLD_ROOT: the number of root login attempts after which the host is blocked;
HOSTNAME_LOOKUP: whether to try to resolve the source IP's host name;
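The following is an added example, not DenyHosts' own code, that models the detection logic described above (the five steps and the DENY_THRESHOLD_* values from the denyhosts.cfg shown earlier) in Python: it parses constructed /var/log/secure lines, counts failures per source IP by category (invalid user, valid user, root), flags a success that follows earlier failures as suspicious, and renders the blocked IPs in the two-line format DenyHosts writes to /etc/hosts.deny. The log lines and TEST-NET addresses are constructed for the example; real DenyHosts tracks failures per user and applies AGE_RESET timers, which this simplified model omits.

```python
import re
from collections import Counter

# Thresholds taken from the denyhosts.cfg shown above.
THRESHOLDS = {"invalid": 4, "valid": 4, "root": 3}

# Constructed sample of /var/log/secure lines (TEST-NET addresses, not real hosts).
SAMPLE_SECURE_LOG = """\
Aug 31 10:05:00 host sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Aug 31 10:05:01 host sshd[2202]: Failed password for invalid user test from 203.0.113.7 port 51235 ssh2
Aug 31 10:05:02 host sshd[2203]: Failed password for invalid user oracle from 203.0.113.7 port 51236 ssh2
Aug 31 10:05:03 host sshd[2204]: Failed password for invalid user guest from 203.0.113.7 port 51237 ssh2
Aug 31 10:05:04 host sshd[2205]: Failed password for root from 203.0.113.9 port 40001 ssh2
Aug 31 10:05:05 host sshd[2206]: Failed password for root from 203.0.113.9 port 40002 ssh2
Aug 31 10:05:06 host sshd[2207]: Failed password for root from 203.0.113.9 port 40003 ssh2
Aug 31 10:05:07 host sshd[2208]: Failed password for alice from 198.51.100.4 port 50001 ssh2
Aug 31 10:05:08 host sshd[2209]: Accepted password for alice from 198.51.100.4 port 50002 ssh2
"""

FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?P<inv>invalid user )?(?P<user>\S+) "
                       r"from (?P<ip>[\d.]+) port \d+")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<ip>[\d.]+)")


def analyze(log_text):
    """Return (set of IPs to deny, {ip: user} for logins that succeeded after failures)."""
    failures = Counter()   # (ip, category) -> number of failed attempts
    suspicious = {}
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            user = m.group("user")
            cat = "invalid" if m.group("inv") else ("root" if user == "root" else "valid")
            failures[(m.group("ip"), cat)] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m and any(ip == m.group("ip") for ip, _ in failures):
            suspicious[m.group("ip")] = m.group("user")   # success after earlier failures
    deny = {ip for (ip, cat), n in failures.items() if n >= THRESHOLDS[cat]}
    return deny, suspicious


def hosts_deny_entries(deny, stamp="Tue Aug 31 10:05:00 2021", service="sshd"):
    """Render entries in the two-line format DenyHosts writes to /etc/hosts.deny."""
    return [f"# DenyHosts: {stamp} | {service}: {ip}\n{service}: {ip}" for ip in sorted(deny)]


if __name__ == "__main__":
    deny, suspicious = analyze(SAMPLE_SECURE_LOG)
    print("\n".join(hosts_deny_entries(deny)))
    print("suspicious successful logins:", suspicious)
```

With the sample input, the invalid-user source reaches DENY_THRESHOLD_INVALID and the root source reaches DENY_THRESHOLD_ROOT, so both are denied, while alice's host stays under DENY_THRESHOLD_VALID but is reported as a suspicious login.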

Viewing blocked IPs

[root@### denyhosts]# cat /etc/hosts.deny
# DenyHosts: Tue Aug 31 05:26:43 2021 | sshd: 205.185.127.100
sshd: 205.185.127.100
