- Using DenyHosts to prevent SSH password brute-forcing
DenyHosts is a script written in Python with a very small resource footprint. It is commonly used to restrict SSH logins: it watches the system log and adds any IP that exceeds the failed-login threshold to TCP Wrappers, which then refuses further logins from it. It was UNIX Review magazine's tool of the month for August 2005. Besides the basic IP-blocking function it also offers email notification, plugins and synchronization.
wget https://github.com/denyhosts/denyhosts/archive/v2.10.tar.gz
tar xf v2.10.tar.gz
cd denyhosts-2.10
python setup.py install
Or click to download directly: denyhosts-2.10.tar.gz
After downloading, rename the file to denyhosts-2.10.tar.gz
## Replace settings in place on a live system
sed -i 's#^SECURE_LOG.*#SECURE_LOG = /var/log/secure#' /etc/denyhosts.conf
sed -i 's#^HOSTS_DENY.*#HOSTS_DENY = /etc/hosts.deny#' /etc/denyhosts.conf
sed -i 's#^DENY_THRESHOLD_VALID.*#DENY_THRESHOLD_VALID = 5#' /etc/denyhosts.conf
sed -i 's#^DENY_THRESHOLD_ROOT.*#DENY_THRESHOLD_ROOT = 5#' /etc/denyhosts.conf
sed -i 's$IPTABLES = /sbin/iptables$#IPTABLES = /sbin/iptables$' /etc/denyhosts.conf
sed -i 's$^ADMIN_EMAIL.*$ADMIN_EMAIL = $' /etc/denyhosts.conf
## Complete configuration file
cat > /etc/denyhosts.conf <<EOF
SECURE_LOG = /var/log/secure
HOSTS_DENY = /etc/hosts.deny
PURGE_DENY =
BLOCK_SERVICE = sshd
DENY_THRESHOLD_INVALID = 5
DENY_THRESHOLD_VALID = 5
DENY_THRESHOLD_ROOT = 5
DENY_THRESHOLD_RESTRICTED = 1
WORK_DIR = /var/lib/denyhosts
ETC_DIR = /etc
SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES
HOSTNAME_LOOKUP=NO
LOCK_FILE = /var/run/denyhosts.pid
ADMIN_EMAIL =
SMTP_HOST = localhost
SMTP_PORT = 25
SMTP_FROM = DenyHosts <nobody@localhost>
SMTP_SUBJECT = DenyHosts Report
ALLOWED_HOSTS_HOSTNAME_LOOKUP=NO
AGE_RESET_VALID=5d
AGE_RESET_ROOT=25d
AGE_RESET_RESTRICTED=25d
AGE_RESET_INVALID=10d
DAEMON_LOG = /var/log/denyhosts
DAEMON_SLEEP = 30s
DAEMON_PURGE = 1h
SYNC_UPLOAD = no
SYNC_DOWNLOAD = no
EOF
- The important configuration settings explained
# SSH log file; on the Red Hat family DenyHosts reads /var/log/secure
SECURE_LOG = /var/log/secure
# TCP Wrappers file that controls logins; blocked IPs are written here
HOSTS_DENY = /etc/hosts.deny
# By default long-blocked IPs are never purged; keeping the default is recommended
PURGE_DENY =
# Name of the service to block; DenyHosts is not limited to SSH
BLOCK_SERVICE = sshd
# Failed attempts allowed for invalid (non-existent) user names
DENY_THRESHOLD_INVALID = 5
# Failed logins allowed for ordinary users
DENY_THRESHOLD_VALID = 5
# Failed logins allowed for root
DENY_THRESHOLD_ROOT = 5
# By default iptables is also called to block connections from the IP; this can be disabled (CentOS 7)
#IPTABLES = /sbin/iptables
# By default a report is emailed to root@localhost; leave empty to disable
ADMIN_EMAIL =
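As an added illustration, not DenyHosts' own code, the following simplified model shows the decision the thresholds above drive: parse sshd "Failed password" lines from /var/log/secure, count them per source IP in the invalid/valid/root categories, compare against DENY_THRESHOLD_INVALID/VALID/ROOT, skip hosts whitelisted in hosts.allow, and produce the entries that go into hosts.deny. The log lines, host names and whitelist are constructed sample data, and the line format is the usual sshd wording rather than anything taken from a real server.

```python
import re
from collections import defaultdict

# Thresholds as set in the page's /etc/denyhosts.conf (DENY_THRESHOLD_INVALID/VALID/ROOT)
THRESHOLDS = {"invalid": 5, "valid": 5, "root": 5}

# sshd "Failed password" line as it appears in /var/log/secure
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Constructed sample log: 5 root failures, 3 invalid-user failures (under threshold),
# 5 failures for a valid user from a whitelisted host, and one success that must be ignored
SAMPLE_LOG = (
    ["Dec  1 10:00:0%d host sshd[1234]: Failed password for root from 203.0.113.9 port 40001 ssh2" % i for i in range(5)]
    + ["Dec  1 10:01:0%d host sshd[1235]: Failed password for invalid user admin from 203.0.113.5 port 40002 ssh2" % i for i in range(3)]
    + ["Dec  1 10:02:0%d host sshd[1236]: Failed password for alice from 198.51.100.7 port 40003 ssh2" % i for i in range(5)]
    + ["Dec  1 10:03:00 host sshd[1237]: Accepted password for alice from 198.51.100.7 port 40004 ssh2"]
)
# Constructed whitelist, the equivalent of "sshd:198.51.100.7:allow" in /etc/hosts.allow
ALLOWED = {"198.51.100.7"}

def classify(line):
    """Return (category, ip) for a failed-login line, or None for anything else."""
    m = FAILED_RE.search(line)
    if not m:
        return None
    if m.group("invalid"):
        return "invalid", m.group("ip")
    if m.group("user") == "root":
        return "root", m.group("ip")
    return "valid", m.group("ip")

def offenders(lines, allowed=frozenset()):
    """IPs whose failure count in any category reached that category's threshold, minus whitelisted hosts."""
    counts = defaultdict(int)
    for line in lines:
        hit = classify(line)
        if hit:
            counts[hit] += 1
    denied = {ip for (cat, ip), n in counts.items() if ip not in allowed and n >= THRESHOLDS[cat]}
    return sorted(denied)

def hosts_deny_entries(lines, allowed=frozenset()):
    """Entries DenyHosts would append to /etc/hosts.deny for BLOCK_SERVICE = sshd."""
    return ["sshd: %s" % ip for ip in offenders(lines, allowed)]

if __name__ == "__main__":
    print("\n".join(hosts_deny_entries(SAMPLE_LOG, ALLOWED)))
```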
Edit the whitelist configuration
# vi /etc/hosts.allow
#sshd: ALL
Comment out the `sshd: ALL` line (the sed below removes it instead):
# sed -i '/^sshd: ALL/d' /etc/hosts.allow
CentOS 7 startup script
cp denyhosts.service /etc/systemd/system/
systemctl daemon-reload
systemctl enable denyhosts
systemctl start denyhosts
CentOS 6 startup script
cp daemon-control-dist /etc/init.d/denyhosts
sed -i 's#/usr/sbin/denyhosts#/usr/bin/denyhosts.py#' /etc/init.d/denyhosts
sed -i 's#/run/denyhosts.pid#/var/run/denyhosts.pid#' /etc/init.d/denyhosts
/etc/init.d/denyhosts start
chkconfig --add denyhosts
chkconfig denyhosts on
- Unblocking an IP
For example, to unblock 192.168.1.160:
Method 1:
systemctl stop denyhosts ## or: /etc/init.d/denyhosts stop
vi /etc/hosts.deny ### remove the entries for the IP from /etc/hosts.deny
cd /var/lib/denyhosts/ && find . -type f | xargs sed -i "/192.168.1.160/d"
systemctl start denyhosts ## or: /etc/init.d/denyhosts start
Method 2:
echo "sshd:192.168.1.160:allow" >> /etc/hosts.allow
systemctl restart denyhosts ## or: /etc/init.d/denyhosts restart