简介

DenyHosts是一个python写的脚本,常用来限制SSH登陆,通过监控系统日志,将超过错误次数的IP放入TCP Wrappers中禁止登陆。UNIX Review杂志评选的2005年8月的月度工具。除了基础的屏蔽IP功能,还有邮件通知,插件,同步等功能。
官方站点:http://denyhosts.sourceforge.net/
GitHub代码:https://github.com/denyhosts/denyhosts

安装

tar xf DenyHosts-2.6.tar.gz
cd DenyHosts-2.6
python setup.py install
cd /usr/share/denyhosts/
cp denyhosts.cfg-dist denyhosts.cfg
cp daemon-control-dist daemon-control
chown root daemon-control
chmod 700 daemon-control
ln -sv /usr/share/denyhosts/daemon-control /etc/init.d/denyhosts
/etc/init.d/denyhosts start
chkconfig denyhosts on

配置

#登陆失败次数,无效用户,普通用户,root用户,限制用户
DENY_THRESHOLD_INVALID = 5
DENY_THRESHOLD_VALID = 10
DENY_THRESHOLD_ROOT = 1
DENY_THRESHOLD_RESTRICTED = 1

#登陆失败计数重置时间,普通用户,root用户,限制用户,无效用户
AGE_RESET_VALID=5d
AGE_RESET_ROOT=25d
AGE_RESET_RESTRICTED=25d
AGE_RESET_INVALID=10d

#清除已阻止IP时间间隔,定时任务模式,需要--purge,守护进程模式
PURGE_DENY = 1h
DAEMON_PURGE = 1h

解除屏蔽

Stop DenyHosts
Remove the IP address from /etc/hosts.deny
Edit WORK_DIR/hosts and remove the lines containing the IP address. Save the file.
Edit WORK_DIR/hosts-restricted and remove the lines containing the IP address. Save the file.
Edit WORK_DIR/hosts-root and remove the lines containing the IP address. Save the file.
Edit WORK_DIR/hosts-valid and remove the lines containing the IP address. Save the file.
Edit WORK_DIR/user-hosts and remove the lines containing the IP address. Save the file.
(optional) Consider adding the IP address to WORK_DIR/allowed-hosts
Start DenyHosts

白名单

create a file named allowed-hosts in the WORK_DIR. Simply add an IP address, one per line.支持域名和glob通配

监控非SSH服务

需要添加正则匹配,官方文档有说明。

相似工具

Fail2Ban,使用iptables
BlockHosts
Blacklist

SSH安全配置

PermitRootLogin no
PasswordAuthentication no
Port 59922