DenyHos黑白名单防ssh攻击
DenyHosts是Python语言写的一个程序,它会分析sshd的日志文件(/var/log/secure),当发现重 复的攻击时就会记录IP到/etc/hosts.deny文件,从而达到自动屏IP的功能。
官网下载DenyHosts
DenyHosts官网:http://denyhosts.sourceforge.net/
https://nchc.dl.sourceforge.net/project/denyhosts/denyhosts/2.10/denyhosts-2.10.zip
安装部署
yum安装
#yum install repe-release denyhosts -y
#systemctl enable --now denyhosts
# cat /usr/lib/systemd/system/denyhosts.service
[Unit]
Description=SSH log watcher
Before=sshd.service
[Service]
Type=forking
ExecStartPre=/bin/rm -f /var/run/denyhosts.pid
ExecStart=/usr/bin/denyhosts.py --daemon --config=/etc/denyhosts.conf
PIDFile=/var/run/denyhosts.pid
[Install]
WantedBy=multi-user.target
$systemctl enable denyhosts.service相关配置文件
$rpm -ql denyhosts
## 该目录中主要存放计划任务,日志压缩 以及 chkconfig 和 service 启动的文档
/etc/cron.d/denyhosts
/etc/denyhosts.conf
/etc/logrotate.d/denyhosts
/etc/rc.d/init.d/denyhosts
/etc/sysconfig/denyhosts
/usr/bin/denyhosts-control
/usr/bin/denyhosts.py
## 该目录中主要存放 denyhosts 所拒绝及允许的一些主机信息
/var/lib/denyhosts
/var/lib/denyhosts/allowed-hosts
/var/lib/denyhosts/allowed-warned-hosts
/var/lib/denyhosts/hosts
/var/lib/denyhosts/hosts-restricted
/var/lib/denyhosts/hosts-root
/var/lib/denyhosts/hosts-valid
/var/lib/denyhosts/offset
/var/lib/denyhosts/suspicious-logins
/var/lib/denyhosts/sync-hosts
/var/lib/denyhosts/users-hosts
/var/lib/denyhosts/users-invalid
/var/lib/denyhosts/users-valid
/var/log/denyhostsdenyhosts配置说明
############ THESE SETTINGS ARE REQUIRED ############
# 系统安全日志文件,主要获取ssh信息
SECURE_LOG = /var/log/secure
# 拒绝写入IP文件 hosts.deny
HOSTS_DENY = /etc/hosts.deny
# #过多久后清除已经禁止的,其中w代表周,d代表天,h代表小时,s代表秒,m代表分钟
PURGE_DENY = 4w
# denyhosts所要阻止的服务名称
BLOCK_SERVICE = sshd
# 允许无效用户登录失败的次数
DENY_THRESHOLD_INVALID = 3
# 允许普通用户登录失败的次数
DENY_THRESHOLD_VALID = 10
# 允许ROOT用户登录失败的次数
DENY_THRESHOLD_ROOT = 6
# 设定 deny host 写入到该资料夹
DENY_THRESHOLD_RESTRICTED = 1
# 将deny的host或ip纪录到Work_dir中
WORK_DIR = /var/lib/denyhosts
SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES
# 是否做域名反解
HOSTNAME_LOOKUP=YES
# 将DenyHOts启动的pid纪录到LOCK_FILE中,已确保服务正确启动,防止同时启动多个服务
LOCK_FILE = /var/lock/subsys/denyhosts
############ THESE SETTINGS ARE OPTIONAL ############
# 管理员Mail地址
ADMIN_EMAIL = root
SMTP_HOST = localhost
SMTP_PORT = 25
SMTP_FROM = DenyHosts <nobody@localhost>
SMTP_SUBJECT = DenyHosts Report from $[HOSTNAME]
# 有效用户登录失败计数归零的时间
AGE_RESET_VALID=5d
# ROOT用户登录失败计数归零的时间
AGE_RESET_ROOT=25d
# 用户的失败登录计数重置为0的时间(/usr/share/denyhosts/restricted-usernames)
AGE_RESET_RESTRICTED=25d
# 无效用户登录失败计数归零的时间
AGE_RESET_INVALID=10d
######### THESE SETTINGS ARE SPECIFIC TO DAEMON MODE ##########
# denyhosts log文件
DAEMON_LOG = /var/log/denyhosts
DAEMON_SLEEP = 30s
# 该项与PURGE_DENY 设置成一样,也是清除hosts.deniedssh 用户的时间
DAEMON_PURGE = 4w
黑白名单
]# cat /etc/hosts.allow
#
# hosts.allow This file contains access rules which are used to
# allow or deny connections to network services that
# either use the tcp_wrappers library or that have been
# started through a tcp_wrappers-enabled xinetd.
#
# See 'man 5 hosts_options' and 'man 5 hosts_access'
# for information on rule syntax.
# See 'man tcpd' for information on tcp_wrappers
#
sshd:*.*.*.* #表示允许所有
]# head -18 /etc/hosts.deny
#
# hosts.deny This file contains access rules which are used to
# deny connections to network services that either use
# the tcp_wrappers library or that have been
# started through a tcp_wrappers-enabled xinetd.
#
# The rules in this file can also be set up in
# /etc/hosts.allow with a 'deny' option instead.
#
# See 'man 5 hosts_options' and 'man 5 hosts_access'
# for information on rule syntax.
# See 'man tcpd' for information on tcp_wrappers
#
# DenyHosts: Fri Jan 6 14:59:19 2023 | sshd: 200.148.153.172
sshd: 200.148.153.172
# DenyHosts: Fri Jan 6 14:59:19 2023 | sshd: 159.223.229.158
sshd: 159.223.229.158
# DenyHosts: Fri Jan 6 14:59:19 2023 | sshd: 41.79.235.36编译安装
# wget http://imcat.in/down/DenyHosts-2.6.tar.gz
# du -sh DenyHosts-2.6.tar.gz
# tar xvf DenyHosts-2.6.tar.gz -C /usr/local/
# cd /usr/local/DenyHosts-2.6/
# python setup.py install
#cp /usr/share/denyhosts/denyhosts.cfg-dist /usr/share/denyhosts/denyhosts.cfg
# egrep -v '^#|^$' /usr/share/denyhosts/denyhosts.cfg
############ THESE SETTINGS ARE REQUIRED ############
SECURE_LOG = /var/log/secure
HOSTS_DENY = /etc/hosts.deny
PURGE_DENY = 1h
BLOCK_SERVICE = sshd
DENY_THRESHOLD_INVALID = 5
DENY_THRESHOLD_VALID = 10
DENY_THRESHOLD_ROOT = 1
DENY_THRESHOLD_RESTRICTED = 1
WORK_DIR = /usr/share/denyhosts/data
SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES
HOSTNAME_LOOKUP=YES
LOCK_FILE = /var/lock/subsys/denyhosts
############ THESE SETTINGS ARE OPTIONAL ############
ADMIN_EMAIL =
SMTP_HOST = localhost
SMTP_PORT = 25
SMTP_FROM = DenyHosts <nobody@localhost>
SMTP_SUBJECT = DenyHosts Report
AGE_RESET_VALID=5d
AGE_RESET_ROOT=25d
AGE_RESET_RESTRICTED=25d
AGE_RESET_INVALID=10d
######### THESE SETTINGS ARE SPECIFIC TO DAEMON MODE ##########
DAEMON_LOG = /var/log/denyhosts
DAEMON_SLEEP = 30s
DAEMON_PURGE = 1h
######### THESE SETTINGS ARE SPECIFIC TO ##########
######### DAEMON SYNCHRONIZATION ########### cp /usr/share/denyhosts/daemon-control-dist /usr/share/denyhosts/daemon-control //启动文件
# chown root /usr/share/denyhosts/daemon-control
# chmod 754 /usr/share/denyhosts/daemon-control
# ln -s /usr/share/denyhosts/daemon-control /etc/init.d/denyhosts
# chkconfig --level 345 denyhosts on
# /sbin/service denyhosts restart
# /sbin/service denyhosts stop
# /sbin/service denyhosts status
####或开启启动方式# vi /etc/rc.local
/usr/share/denyhosts/daemon-control start
denyhosts配置说明
############ THESE SETTINGS ARE REQUIRED ############
# format is: i[dhwmy]
# Where i is an integer (eg. 7)
# m = minutes
# h = hours
# d = days
# w = weeks
# y = years
PURGE_DENY = 50m #过多久后清除已阻止IP
HOSTS_DENY = /etc/hosts.deny #将阻止IP写入到hosts.deny
BLOCK_SERVICE = sshd #阻止服务名
PURGE_THRESHOLD = #定义了某一IP最多被解封多少次。某IP暴力破解SSH密码被阻止/解封达到了PURGE_THRESHOLD次,则会被永久禁止;
DENY_THRESHOLD_INVALID = 1 #允许无效用户登录失败的次数
DENY_THRESHOLD_VALID = 10 #允许普通用户登录失败的次数
DENY_THRESHOLD_ROOT = 5 #允许root登录失败的次数
WORK_DIR = /usr/local/share/denyhosts/data #将deny的host或ip纪录到Work_dir中
DENY_THRESHOLD_RESTRICTED = 1 #设定 deny host 写入到该资料夹
LOCK_FILE = /var/lock/subsys/denyhosts #将DenyHOts启动的pid纪录到LOCK_FILE中,已确保服务正确启动,防止同时启动多个服务。
HOSTNAME_LOOKUP=NO #是否做域名反解
ADMIN_EMAIL = #设置管理员邮件地址
DAEMON_LOG = /var/log/denyhosts #DenyHosts日志位置示例配置
# egrep -v '^#|^$' /usr/share/denyhosts/denyhosts.cfg
############ THESE SETTINGS ARE REQUIRED ############
SECURE_LOG = /var/log/secure
HOSTS_DENY = /etc/hosts.deny
PURGE_DENY = 4w
BLOCK_SERVICE = sshd
DENY_THRESHOLD_INVALID = 5
DENY_THRESHOLD_VALID = 10
DENY_THRESHOLD_ROOT = 1
DENY_THRESHOLD_RESTRICTED = 1
WORK_DIR = /usr/share/denyhosts/data
SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES
HOSTNAME_LOOKUP=YES
LOCK_FILE = /var/lock/subsys/denyhosts
############ THESE SETTINGS ARE OPTIONAL ############
ADMIN_EMAIL =
SMTP_HOST = localhost
SMTP_PORT = 25
SMTP_FROM = DenyHosts <nobody@localhost>
SMTP_SUBJECT = DenyHosts Report
AGE_RESET_VALID=5d
AGE_RESET_ROOT=25d
AGE_RESET_RESTRICTED=25d
AGE_RESET_INVALID=10d
######### THESE SETTINGS ARE SPECIFIC TO DAEMON MODE ##########
DAEMON_LOG = /var/log/denyhosts
DAEMON_SLEEP = 30s
DAEMON_PURGE = 4w
######### THESE SETTINGS ARE SPECIFIC TO ##########
######### DAEMON SYNCHRONIZATION ##########一键安装脚本
#!/bin/bash
#****************************************************************************************
#Author: wei
#***************************************************************************************
. /etc/rc.d/init.d/functions
install_package () {
[ -f DenyHosts-2.6.tar.gz ] ||wget https://static-resource-1302962335.cos.ap-shanghai.myqcloud.com/DenyHosts-2.6.tar.gz
tar xf DenyHosts-2.6.tar.gz -C /usr/local/
rm -f DenyHosts-2.6.tar.gz
cd /usr/local/DenyHosts-2.6/
python setup.py install
cp /usr/share/denyhosts/daemon-control-dist /usr/share/denyhosts/daemon-control
chown root /usr/share/denyhosts/daemon-control
chmod 754 /usr/share/denyhosts/daemon-control
ln -s /usr/share/denyhosts/daemon-control /etc/init.d/denyhosts
cat > /usr/share/denyhosts/denyhosts.cfg <<EOF
############ THESE SETTINGS ARE REQUIRED ############
SECURE_LOG = /var/log/secure
HOSTS_DENY = /etc/hosts.deny
PURGE_DENY = 4w
BLOCK_SERVICE = sshd
DENY_THRESHOLD_INVALID = 5
DENY_THRESHOLD_VALID = 10
DENY_THRESHOLD_ROOT = 1
DENY_THRESHOLD_RESTRICTED = 1
WORK_DIR = /usr/share/denyhosts/data
SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES
HOSTNAME_LOOKUP=YES
LOCK_FILE = /var/lock/subsys/denyhosts
############ THESE SETTINGS ARE OPTIONAL ############
ADMIN_EMAIL =
SMTP_HOST = localhost
SMTP_PORT = 25
SMTP_FROM = DenyHosts <nobody@localhost>
SMTP_SUBJECT = DenyHosts Report
AGE_RESET_VALID=5d
AGE_RESET_ROOT=25d
AGE_RESET_RESTRICTED=25d
AGE_RESET_INVALID=10d
######### THESE SETTINGS ARE SPECIFIC TO DAEMON MODE ##########
DAEMON_LOG = /var/log/denyhosts
DAEMON_SLEEP = 30s
DAEMON_PURGE = 4w
######### THESE SETTINGS ARE SPECIFIC TO ##########
######### DAEMON SYNCHRONIZATION ##########
EOF
chkconfig --level 345 denyhosts on
/sbin/service denyhosts restart
/sbin/service denyhosts status && action "安装成功!" || action "安装失败!" false
}
install_package
本文章为转载内容,我们尊重原作者对文章享有的著作权。如有内容错误或侵权问题,欢迎原作者联系我们进行内容更正或删除文章。
