Using DenyHosts to block SSH attacks

Looking at my Linux logwatch reports every day, I keep seeing a lot of failed authentication attempts. Clearly some unfriendly people are trying to break into my machine using the accounts on it, and I can't just sit and watch. If you've run into the same thing, let's go over how to deal with it:
sshd:
   Authentication Failures:
      root (123.103.15.215): 886 Time(s)
      unknown (218.247.185.218): 224 Time(s)
      root (122.193.5.68): 388 Time(s)
      rpm (218.247.185.218): 1 Time(s)
      squid (218.247.185.218): 1 Time(s)
      sshd (218.247.185.218): 1 Time(s)
………………
   Invalid Users:
      Unknown Account: 341 Time(s)
In fact, there is a piece of software called denyhosts that solves exactly this problem.
On Debian the installation is simple:
root@netren.org apt-get install denyhosts
Reading package lists… Done
Building dependency tree
Reading state information… Done
The following NEW packages will be installed:
  denyhosts
0 upgraded, 1 newly installed, 0 to remove and 42 not upgraded.
Need to get 65.9kB of archives.
After this operation, 442kB of additional disk space will be used.
Get:1 http://ftp.debian.org lenny/main denyhosts 2.6-4 [65.9kB]
Fetched 65.9kB in 9s (7197B/s)
Selecting previously deselected package denyhosts.
(Reading database … 46319 files and directories currently installed.)
Unpacking denyhosts (from …/denyhosts_2.6-4_all.deb) …
Processing triggers for man-db …
Setting up denyhosts (2.6-4) …
Starting DenyHosts: denyhosts.
It's really clever: once installed, it sets up the configuration file automatically for your distribution and is already running. Of course, we can still tweak it to our liking.
root@netren.org :~# vim /etc/denyhosts.conf
SECURE_LOG = /var/log/auth.log
# the ssh log file; DenyHosts makes its decisions from this file
HOSTS_DENY = /etc/hosts.deny
# the file that controls access (blocked hosts are written here)
PURGE_DENY =
# how long before blocked entries are purged (empty: never purge)
BLOCK_SERVICE  = sshd
# name of the service to block
DENY_THRESHOLD_INVALID = 5
# allowed number of failures for invalid (non-existent) users
DENY_THRESHOLD_VALID = 10
# allowed number of login failures for ordinary users
DENY_THRESHOLD_ROOT = 1
# allowed number of login failures for root
DENY_THRESHOLD_RESTRICTED = 1
WORK_DIR = /var/lib/denyhosts
# working directory
SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES
HOSTNAME_LOOKUP=YES
# whether to do reverse DNS lookups
LOCK_FILE = /var/run/denyhosts.pid
# the program's PID file
ADMIN_EMAIL = root@localhost
# administrator's e-mail address; reports are sent here (change it to a mailbox you actually read)
SMTP_HOST = localhost
SMTP_PORT = 25
SMTP_FROM = DenyHosts <nobody@localhost>
SMTP_SUBJECT = DenyHosts Report
AGE_RESET_VALID=5d
AGE_RESET_ROOT=25d
AGE_RESET_RESTRICTED=25d
AGE_RESET_INVALID=10d
DAEMON_LOG = /var/log/denyhosts
DAEMON_SLEEP = 30s
DAEMON_PURGE = 1h
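To make the thresholds above concrete, here is an added example (my own illustration, not code from this post or from the DenyHosts project). It parses a handful of constructed sshd log lines, builds the same per-user/per-host failure counts that logwatch printed at the top of the post, and applies the DENY_THRESHOLD_* values from this configuration to decide which source IPs would end up in /etc/hosts.deny. The log lines, IP addresses and user names are made up; the hosts.deny line format assumes BLOCK_SERVICE = sshd as configured above.

```python
"""
Added example: a small re-implementation of the two things the post shows,
the logwatch-style summary of sshd authentication failures and the
per-source-IP threshold logic DenyHosts applies (DENY_THRESHOLD_INVALID /
_VALID / _ROOT) before writing a host to /etc/hosts.deny.
Not the DenyHosts project's code; the log lines below are constructed.
"""
import re
from collections import Counter, defaultdict

# Constructed sample of /var/log/auth.log lines (OpenSSH wording, syslog prefix).
SAMPLE_AUTH_LOG = """\
May  1 10:00:01 host sshd[1001]: Failed password for root from 192.0.2.10 port 40001 ssh2
May  1 10:00:02 host sshd[1002]: Failed password for root from 192.0.2.10 port 40002 ssh2
May  1 10:00:03 host sshd[1003]: Failed password for invalid user admin from 198.51.100.7 port 5001 ssh2
May  1 10:00:04 host sshd[1004]: Failed password for invalid user oracle from 198.51.100.7 port 5002 ssh2
May  1 10:00:05 host sshd[1005]: Failed password for invalid user test from 198.51.100.7 port 5003 ssh2
May  1 10:00:06 host sshd[1006]: Failed password for invalid user guest from 198.51.100.7 port 5004 ssh2
May  1 10:00:07 host sshd[1007]: Failed password for invalid user ftp from 198.51.100.7 port 5005 ssh2
May  1 10:00:08 host sshd[1008]: Failed password for alice from 203.0.113.5 port 6001 ssh2
May  1 10:00:09 host sshd[1009]: Accepted password for alice from 203.0.113.5 port 6002 ssh2
May  1 10:00:10 host sshd[1010]: Failed password for bob from 203.0.113.9 port 7001 ssh2
"""

# Thresholds as in the Debian /etc/denyhosts.conf shown above.
DENY_THRESHOLD_INVALID = 5   # failures for non-existent accounts
DENY_THRESHOLD_VALID = 10    # failures for existing, non-root accounts
DENY_THRESHOLD_ROOT = 1      # failures for root

# Matches OpenSSH's "Failed password" line, with or without "invalid user".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_failures(log_text):
    """Yield (user, ip, is_invalid) for every failed sshd password attempt."""
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            yield m.group("user"), m.group("ip"), m.group("invalid") is not None


def logwatch_summary(log_text):
    """Count failures per (user, ip); invalid users are folded into 'unknown',
    as in the 'Authentication Failures' section of logwatch."""
    counts = Counter()
    for user, ip, is_invalid in parse_failures(log_text):
        counts[("unknown" if is_invalid else user, ip)] += 1
    return dict(counts)


def hosts_to_deny(log_text):
    """Apply DenyHosts-style per-IP thresholds; return IPs that reach any of them."""
    per_ip = defaultdict(lambda: {"invalid": 0, "valid": 0, "root": 0})
    for user, ip, is_invalid in parse_failures(log_text):
        if is_invalid:
            per_ip[ip]["invalid"] += 1
        elif user == "root":
            per_ip[ip]["root"] += 1
        else:
            per_ip[ip]["valid"] += 1
    denied = []
    for ip, c in sorted(per_ip.items()):
        if (c["invalid"] >= DENY_THRESHOLD_INVALID
                or c["valid"] >= DENY_THRESHOLD_VALID
                or c["root"] >= DENY_THRESHOLD_ROOT):
            denied.append(ip)
    return denied


def hosts_deny_lines(log_text, service="sshd"):
    """Render the lines that would be appended to /etc/hosts.deny (BLOCK_SERVICE = sshd)."""
    return ["%s: %s" % (service, ip) for ip in hosts_to_deny(log_text)]


if __name__ == "__main__":
    for (user, ip), n in sorted(logwatch_summary(SAMPLE_AUTH_LOG).items()):
        print("   %s (%s): %d Time(s)" % (user, ip, n))
    print("\n".join(hosts_deny_lines(SAMPLE_AUTH_LOG)))
```

With these thresholds the root guesser is blocked after its first failure and the invalid-user scanner after its fifth, while the two ordinary users with a single typo each stay well under DENY_THRESHOLD_VALID. This is also why a tight DENY_THRESHOLD_ROOT is safe only if you never log in as root over ssh yourself: one slip and your own address lands in hosts.deny.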
Restart denyhosts and let it get to work.
Next, the installation procedure on Red Hat or CentOS:
First install a package so that yum can fetch packages directly from the DAG (RPMforge) repository:
wget http://ftp.belnet.be/packages/dries.ulyssis.org/redhat/el4/en/i386/RPMS.dries/rpmforge-release-0.2-2.2.el4.rf.i386.rpm
rpm -ivh rpmforge-release-0.2-2.2.el4.rf.i386.rpm
Now denyhosts can be installed directly with yum:
yum install denyhosts
Then set it up:
 cp /usr/share/doc/denyhosts-2.2/daemon-control-dist /etc/init.d/denyhosts
 cp /usr/share/doc/denyhosts-2.2/denyhosts.cfg-dist /etc/denyhosts.cfg
 vi /etc/init.d/denyhosts
 Change the value of the DENYHOSTS_CFG parameter to "/etc/denyhosts.cfg"
 Then add it to the services:
 chkconfig --add denyhosts
 chkconfig --level 2345 denyhosts on
Then edit the configuration file:
 vi /etc/denyhosts.cfg
SECURE_LOG = /var/log/secure
# the ssh log file; DenyHosts makes its decisions from this file
HOSTS_DENY = /etc/hosts.deny
# the file that controls access (blocked hosts are written here)
PURGE_DENY = 5m
# how long before blocked entries are purged
BLOCK_SERVICE  = sshd
# name of the service to block
DENY_THRESHOLD_INVALID = 1
# allowed number of failures for invalid (non-existent) users
DENY_THRESHOLD_VALID = 10
# allowed number of login failures for ordinary users
DENY_THRESHOLD_ROOT = 5
# allowed number of login failures for root
HOSTNAME_LOOKUP=NO
# whether to do reverse DNS lookups
ADMIN_EMAIL = root@netren.org
# administrator's e-mail address; reports are sent here
DAEMON_LOG = /var/log/denyhosts
# DenyHosts' own log file
Then it can be started:
service denyhosts start
Check whether /etc/hosts.deny contains any blocked IPs; if it does, it is working.
