标签:DENY DenyHosts Centos7 etc init sed denyhosts THRESHOLD 安装
DenyHosts的安装与配置
- 使用DenyHosts避免密码暴力破解SSH
DenyHosts是一个python写的脚本,占用资源特别小,常用来限制SSH登陆,通过监控系统日志,将超过错误次数的IP放入TCP Wrappers中禁止登陆。UNIX Review杂志评选的2005年8月的月度工具。除了基础的屏蔽IP功能,还有邮件通知,插件,同步等功能。
安装
wget https://github.com/denyhosts/denyhosts/archive/v2.10.tar.gz
tar xf v2.10.tar.gz
cd denyhosts-2.10
python setup.py install或者直接点击下载:denyhosts-2.10.tar.gz
下载完重命名为denyhosts-2.10.tar.gz
配置
##线上直接配置替换
sed -i 's#^SECURE_LOG.*#SECURE_LOG = /var/log/secure#' /etc/denyhosts.conf
sed -i 's#^HOSTS_DENY.*#HOSTS_DENY = /etc/hosts.deny#' /etc/denyhosts.conf
sed -i 's#^DENY_THRESHOLD_VALID.*#DENY_THRESHOLD_VALID = 5#' /etc/denyhosts.conf
sed -i 's#^DENY_THRESHOLD_ROOT.*#DENY_THRESHOLD_ROOT = 5#' /etc/denyhosts.conf
sed -i 's$IPTABLES = /sbin/iptables$#IPTABLES = /sbin/iptables$' /etc/denyhosts.conf
sed -i 's$^ADMIN_EMAIL.*$ADMIN_EMAIL = $' /etc/denyhosts.conf##完整的配置文件
cat > /etc/denyhosts.conf <<EOF
SECURE_LOG = /var/log/secure
HOSTS_DENY = /etc/hosts.deny
PURGE_DENY =
BLOCK_SERVICE = sshd
DENY_THRESHOLD_INVALID = 5
DENY_THRESHOLD_VALID = 5
DENY_THRESHOLD_ROOT = 5
DENY_THRESHOLD_RESTRICTED = 1
WORK_DIR = /var/lib/denyhosts
ETC_DIR = /etc
SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES
HOSTNAME_LOOKUP=NO
LOCK_FILE = /var/run/denyhosts.pid
ADMIN_EMAIL =
SMTP_HOST = localhost
SMTP_PORT = 25
SMTP_FROM = DenyHosts <nobody@localhost>
SMTP_SUBJECT = DenyHosts Report
ALLOWED_HOSTS_HOSTNAME_LOOKUP=NO
AGE_RESET_VALID=5d
AGE_RESET_ROOT=25d
AGE_RESET_RESTRICTED=25d
AGE_RESET_INVALID=10d
DAEMON_LOG = /var/log/denyhosts
DAEMON_SLEEP = 30s
DAEMON_PURGE = 1h
SYNC_UPLOAD = no
SYNC_DOWNLOAD = no
EOF- 配置文件重要解析
#ssh 日志文件 #redhat系列根据/var/log/secure文件来判断
SECURE_LOG = /var/log/secure
#控制用户登陆的文件,封禁的ip
HOSTS_DENY = /etc/hosts.deny
#默认情况下,永远不会清理长期被禁止的IP,建议保持默认
PURGE_DENY =
#禁止的服务名,当然DenyHost不仅仅用于SSH服务
BLOCK_SERVICE = sshd
#允许无效用户失败的次数
DENY_THRESHOLD_INVALID = 5
#允许普通用户登陆失败的次数
DENY_THRESHOLD_VALID = 5
#允许root登陆失败的次数
DENY_THRESHOLD_ROOT = 5
#默认情况下,会调用iptables禁止IP建立连接,可以关闭该功能,centos7
#IPTABLES = /sbin/iptables
#默认情况下会发送email到root@localhost,可以关闭该功能
ADMIN_EMAIL =修改白名单配置
# vi /etc/hosts.allow
#sshd: ALL
注释掉sshd: ALL这一行
# sed -i '/^sshd: ALL/d' /etc/hosts.allowcentos7启动脚本
cp denyhosts.service /etc/systemd/system/
systemctl daemon-reload
systemctl enable denyhosts
systemctl start denyhostscentos6启动脚本
cp daemon-control-dist /etc/init.d/denyhosts
sed -i 's#/usr/sbin/denyhosts#/usr/bin/denyhosts.py#' /etc/init.d/denyhosts
sed -i 's#/run/denyhosts.pid#/var/run/denyhosts.pid#' /etc/init.d/denyhosts
/etc/init.d/denyhosts start
chkconfig --add denyhosts
chkconfig denyhosts on解封IP
- 例如解封:192.168.1.160
方法一:
systemctl stop denyhosts ##/etc/init.d/denyhosts stop
vi /etc/hosts.deny ###删除/etc/hosts.deny中相关IP
cd /var/lib/denyhosts/ && find . -type f|xargs sed -i "/192.168.1.160/d"
systemctl start denyhosts ##/etc/init.d/denyhosts start方法二:
echo "sshd:192.168.1.160:allow" >>/etc/hosts.allow
systemctl restart denyhosts ##/etc/init.d/denyhosts restart标签:DENY,DenyHosts,Centos7,etc,init,sed,denyhosts,THRESHOLD,安装 来源: https://blog.51cto.com/u_13155846/2735467
本站声明: 1. iCode9 技术分享网(下文简称本站)提供的所有内容,仅供技术学习、探讨和分享; 2. 关于本站的所有留言、评论、转载及引用,纯属内容发起人的个人观点,与本站观点和立场无关; 3. 关于本站的所有言论和文字,纯属内容发起人的个人观点,与本站观点和立场无关; 4. 本站文章均是网友提供,不完全保证技术分享内容的完整性、准确性、时效性、风险性和版权归属;如您发现该文章侵犯了您的权益,可联系我们第一时间进行删除; 5. 本站为非盈利性的个人网站,所有内容不会用来进行牟利,也不会利用任何形式的广告来间接获益,纯粹是为了广大技术爱好者提供技术内容和技术思想的分享性交流网站。