- DenyHosts 是一个由 Linux 系统管理员运行的脚本,用于帮助抵御针对 SSH 服务器的攻击(即基于字典的攻击和暴力破解攻击)。
- DenyHosts 是用 Python 语言编写的一个程序,它会分析 sshd 的日志文件(/var/log/secure),当发现重复的攻击时就会把攻击来源的 IP 记录到 /etc/hosts.deny 文件,从而实现自动屏蔽 IP 的功能。
安装 Denyhosts
- 离线安装 Denyhosts
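# Offline install of DenyHosts 2.6 from the SourceForge release tarball.
# Intended to be run as root on a RHEL/CentOS 7 host (the python-ipaddr
# package name below is an el7 build).

# Download the release tarball.
wget https://jaist.dl.sourceforge.net/project/denyhosts/denyhosts/2.6/DenyHosts-2.6.tar.gz
# Check the downloaded tarball against the checksum/signature the project
# publishes for this release before unpacking it (values not reproduced here).
tar -zxvf DenyHosts-2.6.tar.gz
# Install the Python dependency DenyHosts needs.
yum install python-ipaddr-2.1.9-5.el7.noarch
# setup.py locates its package and script paths relative to the current
# directory, so run it from inside the unpacked source tree; invoking it as
# ./DenyHosts-2.6/setup.py from the parent directory does not find them.
(cd DenyHosts-2.6 && python setup.py install)
# The installer places its files under /usr/share/denyhosts.
cd /usr/share/denyhosts/
# Create the working config file and init script from the shipped templates.
cp denyhosts.cfg-dist denyhosts.cfg
cp daemon-control-dist daemon-control
# The init script runs as root: make root its owner (chown sets the owner,
# not the group) and allow only the owner to read/write/execute it.
chown root daemon-control
chmod 700 daemon-control
# Expose the init script under /etc/init.d, start the service, and enable
# it at boot.
ln -s /usr/share/denyhosts/daemon-control /etc/init.d/
/etc/init.d/daemon-control start
chkconfig daemon-control on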
- yum 在线安装 Denyhosts
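# Online install of DenyHosts from the configured yum repositories.

# Bring the system up to date first.
yum update
# Install the Python dependency DenyHosts needs (el7 build).
yum install python-ipaddr-2.1.9-5.el7.noarch
# Look the package up in the enabled repositories. The output is shown here
# as a comment so the block can be pasted as-is; expect something like:
#   =========================== N/S matched: denyhosts ================
#   denyhosts.noarch : ...
# If nothing matches, the package lives in a repository that is not enabled.
yum search denyhosts
# Install the package found above.
yum install denyhosts.noarch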
Denyhosts 配置文件解析
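vim /etc/denyhosts.conf
# DenyHosts main configuration. The yum package installs it as
# /etc/denyhosts.conf; the source install above creates it as
# /usr/share/denyhosts/denyhosts.cfg instead — edit whichever file your
# install actually uses.
# NOTE(review): explanatory comments are kept on their own lines because the
# DenyHosts parser may treat a trailing "# ..." as part of the value (the
# shipped denyhosts.cfg-dist only uses full-line comments) — confirm before
# adding inline comments after a value.

# SECURE_LOG: the log file DenyHosts scans for sshd login failures.
SECURE_LOG = /var/log/secure
# Mandrake, FreeBSD or OpenBSD:
#SECURE_LOG = /var/log/auth.log
# SuSE:
#SECURE_LOG = /var/log/messages
# Mac OS X (v10.4 or greater -
# also refer to: http://www.denyhost.net/faq.html#macos
#SECURE_LOG = /private/var/log/asl.log
# Mac OS X (v10.3 or earlier):
#SECURE_LOG=/private/var/log/system.log
# Debian and Ubuntu
#SECURE_LOG = /var/log/auth.log
########################################################################
########################################################################
# HOSTS_DENY: the file which contains restricted host access information
# (the IP deny list DenyHosts appends to).
# NOTE(review): /etc/hosts.deny only takes effect for an sshd built with
# TCP wrappers support, which newer OpenSSH releases no longer include; on
# such hosts enable the IPTABLES option further down instead — confirm on
# the target system.
# Most operating systems:
HOSTS_DENY = /etc/hosts.deny
# Some BSD (FreeBSD) Unixes:
#HOSTS_DENY = /etc/hosts.allow
# Another possibility (also see the next option):
#HOSTS_DENY = /etc/hosts.evil
# PURGE_DENY: remove entries older than this from HOSTS_DENY. Units:
# w = weeks, d = days, h = hours, m = minutes, s = seconds.
PURGE_DENY =7w
# default: a denied host can be purged/re-added indefinitely
#PURGE_THRESHOLD = 0
# a denied host will be purged at most 2 times.
#PURGE_THRESHOLD = 2
# BLOCK_SERVICE: the service name that should be blocked in HOSTS_DENY
BLOCK_SERVICE = sshd
# DENY_THRESHOLD_*: number of failed logins after which the source IP is
# added to HOSTS_DENY, per account class.
# Invalid (non-existent) usernames:
DENY_THRESHOLD_INVALID = 2
# Existing non-root users. A value this low can lock out a legitimate user
# after two typos; put trusted sources in the allowed-hosts list under
# WORK_DIR so they are never blocked.
DENY_THRESHOLD_VALID = 2
# root:
DENY_THRESHOLD_ROOT = 1
# Usernames listed in WORK_DIR/restricted-usernames (not an on/off switch
# for monitoring):
DENY_THRESHOLD_RESTRICTED = 1
# WORK_DIR: directory where DenyHosts keeps its state data.
WORK_DIR = /var/lib/denyhosts
# ETC_DIR: directory holding the DenyHosts configuration files.
ETC_DIR = /etc
# Report logins from hosts in the allowed-hosts list that look suspicious.
SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES
# Reverse-resolve denied IPs to hostnames in reports.
HOSTNAME_LOOKUP=NO
# LOCK_FILE: lock/PID file marking a running DenyHosts instance.
# Redhat/Fedora:
LOCK_FILE = /var/lock/subsys/denyhosts
# Debian
#LOCK_FILE = /var/run/denyhosts.pid
# Misc
#LOCK_FILE = /tmp/denyhosts.lock
# IPTABLES: also block denied hosts with iptables (path to the binary).
##IPTABLES = /sbin/iptables
# BLOCKPORT: restrict the iptables block to a single port.
## BLOCKPORT = 22
# PFCTL_PATH = /sbin/pfctl
# PF_TABLE = blacklist
# ADMIN_EMAIL: where reports are mailed.
# ADMIN_EMAIL = foo@bar.com, bar@foo.com, etc@foobar.com
ADMIN_EMAIL = root@localhost
# SMTP_HOST / SMTP_PORT: mail server used for reports.
SMTP_HOST = localhost
SMTP_PORT = 25
#SMTP_USERNAME=foo
#SMTP_PASSWORD=bar
SMTP_FROM = DenyHosts <nobody@localhost>
SMTP_SUBJECT = DenyHosts Report from $[HOSTNAME]
#SMTP_DATE_FORMAT = %a, %d %b %Y %H:%M:%S %z
#SYSLOG_REPORT=NO
#SYSLOG_REPORT=YES
ALLOWED_HOSTS_HOSTNAME_LOOKUP=NO
# AGE_RESET_*: time after which a host's failed-login counter for the given
# account class is reset to zero.
# Existing users:
AGE_RESET_VALID=5d
# root:
AGE_RESET_ROOT=25d
# Restricted usernames:
AGE_RESET_RESTRICTED=25d
# Invalid usernames:
AGE_RESET_INVALID=10d
# RESET_ON_SUCCESS: clear a host's failure count once a login succeeds.
RESET_ON_SUCCESS = no
#PLUGIN_DENY=/usr/bin/true
#PLUGIN_PURGE=/usr/bin/true
#PLUGIN_PURGE=/usr/share/denyhosts/plugins/restorecon.sh
#USERDEF_FAILED_ENTRY_REGEX=
# DAEMON_LOG: log file written by DenyHosts itself.
DAEMON_LOG = /var/log/denyhosts
# disable logging:
#DAEMON_LOG =
#DAEMON_LOG_TIME_FORMAT = %b %d %H:%M:%S
#DAEMON_LOG_TIME_FORMAT = %b %d %I:%M:%S
#DAEMON_LOG_MESSAGE_FORMAT = %(asctime)s - %(name)-12s: %(levelname)-8s %(message)s
# DAEMON_SLEEP: pause between log scans in daemon mode.
DAEMON_SLEEP = 30s
# DAEMON_PURGE: how often the daemon purges expired entries from HOSTS_DENY.
DAEMON_PURGE = 1h
# SYNC_*: exchange deny lists with the central sync server. The server URL
# is plain http://, so leave the feature disabled unless you accept
# unauthenticated list data from that channel.
#SYNC_SERVER = http://xmlrpc.denyhosts.net:9911
#SYNC_INTERVAL = 1h
SYNC_UPLOAD = no
#SYNC_UPLOAD = yes
SYNC_DOWNLOAD = no
#SYNC_DOWNLOAD = yes
#SYNC_DOWNLOAD_THRESHOLD = 10
#SYNC_DOWNLOAD_THRESHOLD = 3
#SYNC_DOWNLOAD_RESILIENCY = 2d
#SYNC_DOWNLOAD_RESILIENCY = 5h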