denyhost:有效阻止ssh暴力破解

DenyHosts是用Python2.3写的一个程序,它会分析/var/log/secure(redhat,Fedora Core,Centos)等日志文件,当发现同一IP在进行多次SSH密码尝试时就会记录IP到/etc/hosts.deny文件,从而达到自动屏蔽该 IP的目的。      
      
DenyHosts官方网站 为:http://denyhosts.sourceforge.net
 
一:检查安装要求
首选检查Sshd是否支持 Tcpwrap,只有支持Tcpwrap才可以安装Denyhost
ldd /usr/sbin/sshd |grep wrap
再检查 Python的版本,Python2.3以上版本可以直接安装
python -V
 
二:安装Denyhost
先从 Sourceforge.net上下载
wget http://umn.dl.sourceforge.net/sourceforge/denyhosts/DenyHosts-2.6.tar.gz

进 行解压再进入到源目录
tar -xzvf DenyHosts-2.6.tar.gz
cd DenyHosts-2.6

执 行Python脚本进行安装,
 python setup.py install
 
程序脚本自动安装到/usr/share /denyhosts      
库文件自动安装到/usr/lib/python2.3/site-packages /DenyHosts      
denyhosts.py安装到/usr/bin
如果编译的python,会安装到/usr /local/python-2.4/bin/python

二.2 关于使用编译编译安装的python的denyhost。
关于错误
Traceback (most recent call last):
  File "/usr/local/python-2.4/bin/denyhosts.py", line 5, in ?
    import DenyHosts.python_version
ImportError: No module named DenyHosts.python_version

需要 修改下面的部分:
1、/usr/share/denyhosts/daemon-control
PYTHON_BIN      = "/usr/bin/env python"
改为
PYTHON_BIN     = "/usr/local/python-2.4/bin/python"

#!/usr/bin/env python
改 为
#!/usr/local/python-2.4/bin/python

DENYHOSTS_BIN   = "/usr/bin/denyhosts.py"
改为
DENYHOSTS_BIN   = "/usr/local/python-2.4/bin/denyhosts.py"

2.
cp -rp /usr/local/python-2.4/lib/python2.4/site-packages/DenyHosts/  /usr/local/python-2.4/lib/python2.4/

3、




 
三: 设置启动脚本
cd /usr/share/denyhosts/

拷贝模板文件
cp daemon-control-dist daemon-control

设置好启动脚本的所属用户和权限
chown root daemon-control
chmod 700 daemon-control

生成Denyhost的主配置文件,(将模板文 件中开头是#的过滤后再导入到Denyhost.cfg)
grep -v "^#" denyhosts.cfg-dist > denyhosts.cfg

编辑Denyhost.cfg文件,根据自己需要进行相应的修改      
----------------denyhosts.cfg------------------------      
SECURE_LOG = /var/log/secure             
      
PURGE_DENY = 2h      
#过多久后清除,这个参数还受DAEMON_PURGE = 影响,如DAEMON_PURGE = 1h,即 1h执行一次清理。应设为PURGE_DENY 〉DAEMON_PURGE
      
DENY_THRESHOLD_INVALID = 1      
#允许无效用户(/etc/passwd未列出)登录失败的次数      
      
DENY_THRESHOLD_VALID = 5      
#允许有效(普通)用户登录失败的次数      
      
DENY_THRESHOLD_ROOT = 3      
#允许root登录失败的次数      
      
HOSTNAME_LOOKUP=NO      
# 是否做域名反解

DAEMON_PURGE = 1h
#多长时间执行一次 预设清理,如:
----------------denyhosts.cfg------------------------



将 Denyhost启动脚本添加到自动启动中
echo '/usr/share/denyhosts/daemon-control start'>>/etc/rc.d/rc.local
启动Denyhost的进程
/usr/share/denyhosts/daemon-control start
可以查看到Denyhost在运行中
ps -ef |grep deny
在另外一台机器上使用Ssh进行连接,当在 连续几次输入错误的密码后,会被自动阻止掉,在一定时内不可以再连接Ssh连接记录的日志文件
 tail /var/log/secure –f
Denyhost 日志文件
tail /var/log/denyhosts –f
Denyhost将恶意连接的IP记录到Hosts.deny文件中,过 一定时间后再从该文件中清除(Denyhost.cfg中设定的时间)
 vi /etc/hosts.deny


其他:
AGE_RESET_VALID=5d
AGE_RESET_ROOT=25d
AGE_RESET_RESTRICTED=25d
AGE_RESET_INVALID=10d
用 户的登陆失败计数会在多长时间后重置为0

RESET_ON_SUCCESS = yes
如果一个ip登陆成功后,失败的登陆计数 是否重置为0


例外,设定某个ip不会被阻止
Additionally, as of v1.0.3, a valid hostname can also be placed in the allowed-hosts file. For each hostname appearing in this file, the IP address   will be resolved and any ssh connections that match either this hostname or this resolved IP address will not be blocked

重置一个被阻止的ip的方法:
to force a reset of your blocked IP address you can stop the DH daemon.  Search for your IP address in all of the files in WORK_DIR (except for allowed_hosts), edit those files and remove the line containing your IP address.Start DH.

写了个小脚本,重置被阻止的ip
=======================================================================================
#!/bin/sh
echook ()
{
echo -ne "/033[40C ["
echo -ne "/033[32m"
echo -ne "/033[1C OK"
echo -ne "/033[39m"
echo -ne "/033[1C ]/n"
}

echo -e "Shutting down Denyhost: "
/usr/share/denyhosts/daemon-control stop #>/dev/null 2>&1
echook

echo ""
echo ""

echo -e "input the ip which you want to reset: /c"
read ip
path=/usr/share/denyhosts/data/
files=$(/bin/ls $path|grep ^hosts|grep -v tmp)
for i in $files
do
sed "/$ip/d" $path$i  >$path$i.tmp
cat $path$i.tmp >$path$i
sed "/$ip/d" /etc/hosts.deny >/etc/hosts.deny.tmp1
cat /etc/hosts.deny.tmp1 >/etc/hosts.deny
rm $path$i.tmp
done
echo "Restting ip: $ip "

#echo "Starting up Denyhost:"
/usr/share/denyhosts/daemon-control start
echook
=======================================================================================


阻 止对vsftpd的暴力破解
vi /usr/share/denyhosts/denyhosts.cfg
修改:
BLOCK_SERVICE  = sshd,ftp

重启denyhosts,查看/var/log /denyhost

2009-05-20 11:14:23,091 - prefs       : INFO        BLOCK_SERVICE: [sshd ftp ]
2009-05-20 11:14:23,091 - prefs       : INFO        DAEMON_LOG: [/var/log/denyhosts]
2009-05-20 11:14:23,091 - prefs       : INFO        DAEMON_LOG_MESSAGE_FORMAT: [%(asctime)s - %(name)-12s: %(levelname)-8s %(message
)s]
2009-05-20 11:14:23,091 - prefs       : INFO        DAEMON_LOG_TIME_FORMAT: [None]
2009-05-20 11:14:23,092 - prefs       : INFO        DAEMON_PURGE: [3600]

 


你可能感兴趣的:(python,centos,脚本,service,ssh,Path)