DenyHosts的安装与配置

• 使用DenyHosts避免密码暴力破解SSH
  DenyHosts是一个python写的脚本，占用资源特别小，常用来限制SSH登陆，通过监控系统日志，将超过错误次数的IP放入TCP Wrappers中禁止登陆。UNIX Review杂志评选的2005年8月的月度工具。除了基础的屏蔽IP功能，还有邮件通知，插件，同步等功能。

安装

wget https://github.com/denyhosts/denyhosts/archive/v2.10.tar.gz
tar xf v2.10.tar.gz
cd denyhosts-2.10
python setup.py install

或者直接点击下载：denyhosts-2.10.tar.gz
下载完重命名为denyhosts-2.10.tar.gz

配置

##线上直接配置替换
sed -i 's#^SECURE_LOG.*#SECURE_LOG = /var/log/secure#' /etc/denyhosts.conf
sed -i 's#^HOSTS_DENY.*#HOSTS_DENY = /etc/hosts.deny#' /etc/denyhosts.conf
sed -i 's#^DENY_THRESHOLD_VALID.*#DENY_THRESHOLD_VALID = 5#' /etc/denyhosts.conf
sed -i 's#^DENY_THRESHOLD_ROOT.*#DENY_THRESHOLD_ROOT = 5#' /etc/denyhosts.conf
sed -i 's$IPTABLES = /sbin/iptables$#IPTABLES = /sbin/iptables$' /etc/denyhosts.conf
sed -i 's$^ADMIN_EMAIL.*$ADMIN_EMAIL = $' /etc/denyhosts.conf

##完整的配置文件
cat > /etc/denyhosts.conf <<EOF
SECURE_LOG = /var/log/secure
HOSTS_DENY = /etc/hosts.deny
PURGE_DENY = 
BLOCK_SERVICE  = sshd
DENY_THRESHOLD_INVALID = 5
DENY_THRESHOLD_VALID = 5
DENY_THRESHOLD_ROOT = 5
DENY_THRESHOLD_RESTRICTED = 1
WORK_DIR = /var/lib/denyhosts
ETC_DIR = /etc
SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES
HOSTNAME_LOOKUP=NO
LOCK_FILE = /var/run/denyhosts.pid
ADMIN_EMAIL = 
SMTP_HOST = localhost
SMTP_PORT = 25
SMTP_FROM = DenyHosts <nobody@localhost>
SMTP_SUBJECT = DenyHosts Report
ALLOWED_HOSTS_HOSTNAME_LOOKUP=NO
AGE_RESET_VALID=5d
AGE_RESET_ROOT=25d
AGE_RESET_RESTRICTED=25d
AGE_RESET_INVALID=10d
DAEMON_LOG = /var/log/denyhosts
DAEMON_SLEEP = 30s
DAEMON_PURGE = 1h
SYNC_UPLOAD = no
SYNC_DOWNLOAD = no
EOF

• 配置文件重要解析

#ssh 日志文件 #redhat系列根据/var/log/secure文件来判断
SECURE_LOG = /var/log/secure
#控制用户登陆的文件，封禁的ip
HOSTS_DENY = /etc/hosts.deny
#默认情况下，永远不会清理长期被禁止的IP，建议保持默认
PURGE_DENY =
#禁止的服务名，当然DenyHost不仅仅用于SSH服务
BLOCK_SERVICE = sshd
#允许无效用户失败的次数
DENY_THRESHOLD_INVALID = 5
#允许普通用户登陆失败的次数
DENY_THRESHOLD_VALID = 5
#允许root登陆失败的次数
DENY_THRESHOLD_ROOT = 5
#默认情况下，会调用iptables禁止IP建立连接，可以关闭该功能，centos7
#IPTABLES = /sbin/iptables
#默认情况下会发送email到root@localhost，可以关闭该功能
ADMIN_EMAIL =

修改白名单配置

# vi /etc/hosts.allow
#sshd: ALL
注释掉sshd: ALL这一行
# sed -i '/^sshd: ALL/d' /etc/hosts.allow

centos7启动脚本

cp denyhosts.service /etc/systemd/system/
systemctl daemon-reload
systemctl enable denyhosts
systemctl start denyhosts

centos6启动脚本

cp daemon-control-dist /etc/init.d/denyhosts
sed -i  's#/usr/sbin/denyhosts#/usr/bin/denyhosts.py#' /etc/init.d/denyhosts
sed -i  's#/run/denyhosts.pid#/var/run/denyhosts.pid#' /etc/init.d/denyhosts
/etc/init.d/denyhosts start
chkconfig --add denyhosts
chkconfig denyhosts on

解封IP

• 例如解封：192.168.1.160

方法一：

systemctl  stop denyhosts  ##/etc/init.d/denyhosts stop 
vi /etc/hosts.deny  ###删除/etc/hosts.deny中相关IP
cd /var/lib/denyhosts/ && find . -type f|xargs sed -i "/192.168.1.160/d"
systemctl  start denyhosts ##/etc/init.d/denyhosts start

方法二：

echo "sshd:192.168.1.160:allow" >>/etc/hosts.allow
systemctl  restart denyhosts  ##/etc/init.d/denyhosts restart