科技行者

行者学院 转型私董会 科技行者专题报道 网红大战科技行者

知识库

知识库 安全导航

至顶网安全频道安装denyhost防止SSH和FTP被暴力破解

安装denyhost防止SSH和FTP被暴力破解

  • 扫一扫
    分享文章到微信

  • 扫一扫
    关注官方公众号
    至顶头条

  做人到低调啊,我其实很低调的嘛,不知道得罪了哪个人,我的SSH和FTP一直被人扫描,而且还是那种多线程的,导致我的SSH和FTP开启了多进程来应付它的暴力破解,无奈之下还有改了端口了.

来源:zdnet整理 2011年7月3日

关键字: 系统安全 linux安全

  • 评论
  • 分享微博
  • 分享邮件

  做人到低调啊,我其实很低调的嘛,不知道得罪了哪个人,我的SSH和FTP一直被人扫描,而且还是那种多线程的,导致我的SSH和FTP开启了多进程来应付它的暴力破解,无奈之下还有改了端口了.

  不过这是治标不治本的啦,Google一翻,终于给我找到了这个软件DenyHosts,DenyHosts是用Python语言编写的一个程序,它会分析你的日志文件,当发现重复的错误登录时就会记录IP到/etc/hosts.deny文件,然后自动屏蔽IP.功能很不错吧,下面是安装过程 (环境CentOS 5.5, DenyHosts 2.6)

  下载:

  wget http://imcat.in/down/DenyHosts-2.6.tar.gz

  安装:

  tar -zxvf DenyHosts-2.6.tar.gz

  cd DenyHosts-2.6

  python setup.py install

  修改配置文件:

  cp /usr/share/denyhosts/denyhosts.cfg-dist /usr/share/denyhosts/denyhosts.cfg

  vi /usr/share/denyhosts/denyhosts.cfg

  配置文件比较长,需要修改的,我都做了注释,自己看吧

  ############ THESE SETTINGS ARE REQUIRED ############

  ########################################################################

  #

  # SECURE_LOG: the log file that contains sshd logging info

  # if you are not sure, grep "sshd:" /var/log/*

  #

  # The file to process can be overridden with the --file command line

  # argument

  #

  # Redhat or Fedora Core:

  #日志文件,根据这个文件来判断

  SECURE_LOG = /var/log/secure

  #

  # Mandrake, FreeBSD or OpenBSD:

  #SECURE_LOG = /var/log/auth.log

  #

  # SuSE:

  #SECURE_LOG = /var/log/messages

  #

  # Mac OS X (v10.4 or greater -

  #   also refer to:   http://www.denyhosts.net/faq.html#macos

  #SECURE_LOG = /private/var/log/asl.log

  #

  # Mac OS X (v10.3 or earlier):

  #SECURE_LOG=/private/var/log/system.log

  #

  ########################################################################

  ########################################################################

  #

  # HOSTS_DENY: the file which contains restricted host access information

  #

  # Most operating systems:

  #记录屏蔽的IP文件

  HOSTS_DENY = /etc/hosts.deny

  #

  # Some BSD (FreeBSD) Unixes:

  #HOSTS_DENY = /etc/hosts.allow

  #

  # Another possibility (also see the next option):

  #HOSTS_DENY = /etc/hosts.evil

  #######################################################################

  ########################################################################

  #

  # PURGE_DENY: removed HOSTS_DENY entries that are older than this time

  #             when DenyHosts is invoked with the --purge flag

  #

  #      format is: i[dhwmy]

  #      Where 'i' is an integer (eg. 7)

  #            'm' = minutes

  #            'h' = hours

  #            'd' = days

  #            'w' = weeks

  #            'y' = years

  #

  # never purge:

  #多久清除屏蔽的IP,我设置一天

  PURGE_DENY = 1d

  #

  # purge entries older than 1 week

  #PURGE_DENY = 1w

  #

  # purge entries older than 5 days

  #PURGE_DENY = 5d

  #######################################################################

  #######################################################################

  #

  # PURGE_THRESHOLD: defines the maximum times a host will be purged.

  # Once this value has been exceeded then this host will not be purged.

  # Setting this parameter to 0 (the default) disables this feature.

  #

  # default: a denied host can be purged/re-added indefinitely

  #PURGE_THRESHOLD = 0

  #

  # a denied host will be purged at most 2 times.

  #PURGE_THRESHOLD = 2

  #

  #######################################################################

  #######################################################################

  #

  # BLOCK_SERVICE: the service name that should be blocked in HOSTS_DENY

  #

  # man 5 hosts_access for details

  #

  # eg.   sshd: 127.0.0.1  # will block sshd logins from 127.0.0.1

  #

  # To block all services for the offending host:

  #BLOCK_SERVICE = ALL

  # To block only sshd:

  #禁止的服务,我设置为全部,禁止登录SSH和/FTP

  BLOCK_SERVICE  = ALL

  # To only record the offending host and nothing else (if using

  # an auxilary file to list the hosts).  Refer to:

  # http://denyhosts.sourceforge.net/faq.html#aux

  #BLOCK_SERVICE =

  #

  #######################################################################

  #######################################################################

  #

  # DENY_THRESHOLD_INVALID: block each host after the number of failed login

  # attempts has exceeded this value.  This value applies to invalid

  # user login attempts (eg. non-existent user accounts)

  #

  #允许无效用户失败的数次

  DENY_THRESHOLD_INVALID = 1

  #

  #######################################################################

  #######################################################################

  #

  # DENY_THRESHOLD_VALID: block each host after the number of failed

  # login attempts has exceeded this value.  This value applies to valid

  # user login attempts (eg. user accounts that exist in /etc/passwd) except

  # for the "root" user

  #允许普通用户失败的次数

  DENY_THRESHOLD_VALID = 1

  #

  #######################################################################

  #######################################################################

  #

  # DENY_THRESHOLD_ROOT: block each host after the number of failed

  # login attempts has exceeded this value.  This value applies to

  # "root" user login attempts only.

  #允许root用户失败的次数

  DENY_THRESHOLD_ROOT = 3

  #

  #######################################################################

  #######################################################################

  #

  # DENY_THRESHOLD_RESTRICTED: block each host after the number of failed

  # login attempts has exceeded this value.  This value applies to

  # usernames that appear in the WORK_DIR/restricted-usernames file only.

  #

  DENY_THRESHOLD_RESTRICTED = 1

  #

  #######################################################################

  #######################################################################

  #

  # WORK_DIR: the path that DenyHosts will use for writing data to

  # (it will be created if it does not already exist).

  #

  # Note: it is recommended that you use an absolute pathname

  # for this value (eg. /home/foo/denyhosts/data)

  #

  WORK_DIR = /usr/share/denyhosts/data

  #

  #######################################################################

  #######################################################################

  #

  # SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS

  #

  # SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES|NO

  # If set to YES, if a suspicious login attempt results from an allowed-host

  # then it is considered suspicious.  If this is NO, then suspicious logins

  # from allowed-hosts will not be reported.  All suspicious logins from

  # ip addresses that are not in allowed-hosts will always be reported.

  #

  SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES

  ######################################################################

  ######################################################################

  #

  # HOSTNAME_LOOKUP

  #

  # HOSTNAME_LOOKUP=YES|NO

  # If set to YES, for each IP address that is reported by Denyhosts,

  # the corresponding hostname will be looked up and reported as well

  # (if available).

  #是否做域名反解析

  HOSTNAME_LOOKUP=NO

  #

  ######################################################################

  ######################################################################

  #

  # LOCK_FILE

  #

  # LOCK_FILE=/path/denyhosts

  # If this file exists when DenyHosts is run, then DenyHosts will exit

  # immediately.  Otherwise, this file will be created upon invocation

  # and deleted upon exit.  This ensures that only one instance is

  # running at a time.

  #

  # Redhat/Fedora:

  LOCK_FILE = /var/lock/subsys/denyhosts

  #

  # Debian

  #LOCK_FILE = /var/run/denyhosts.pid

  #

  # Misc

  #LOCK_FILE = /tmp/denyhosts.lock

  #

  ######################################################################

  ############ THESE SETTINGS ARE OPTIONAL ############

  #######################################################################

  #

  # ADMIN_EMAIL: if you would like to receive emails regarding newly

  # restricted hosts and suspicious logins, set this address to

  # match your email address.  If you do not want to receive these reports

  # leave this field blank (or run with the --noemail option)

  #

  # Multiple email addresses can be delimited by a comma, eg:

  # ADMIN_EMAIL = foo@bar.com, bar@foo.com, etc@foobar.com

  #管理员Email

  ADMIN_EMAIL =

  #

  #######################################################################

  #######################################################################

  #

  # SMTP_HOST and SMTP_PORT: if DenyHosts is configured to email

  # reports (see ADMIN_EMAIL) then these settings specify the

  # email server address (SMTP_HOST) and the server port (SMTP_PORT)

  #

  #

  SMTP_HOST = localhost

  SMTP_PORT = 25

  #

  #######################################################################

  #######################################################################

  #

  # SMTP_USERNAME and SMTP_PASSWORD: set these parameters if your

  # smtp email server requires authentication

  #

  #SMTP_USERNAME=foo

  #SMTP_PASSWORD=bar

  #

  ######################################################################

  #######################################################################

  #

  # SMTP_FROM: you can specify the "From:" address in messages sent

  # from DenyHosts when it reports thwarted abuse attempts

  #

  SMTP_FROM = DenyHosts <nobody@localhost>

  #

  #######################################################################

  #######################################################################

  #

  # SMTP_SUBJECT: you can specify the "Subject:" of messages sent

  # by DenyHosts when it reports thwarted abuse attempts

  SMTP_SUBJECT = DenyHosts Report

  #

  ######################################################################

  ######################################################################

  #

  # SMTP_DATE_FORMAT: specifies the format used for the "Date:" header

  # when sending email messages.

  #

  # for possible values for this parameter refer to: man strftime

  #

  # the default:

  #

  #SMTP_DATE_FORMAT = %a, %d %b %Y %H:%M:%S %z

  #

  ######################################################################

  ######################################################################

  #

  # SYSLOG_REPORT

  #

  # SYSLOG_REPORT=YES|NO

  # If set to yes, when denied hosts are recorded the report data

  # will be sent to syslog (syslog must be present on your system).

  # The default is: NO

  #

  #SYSLOG_REPORT=NO

  #

  #SYSLOG_REPORT=YES

  #

  ######################################################################

  ######################################################################

  #

  # ALLOWED_HOSTS_HOSTNAME_LOOKUP

  #

  # ALLOWED_HOSTS_HOSTNAME_LOOKUP=YES|NO

  # If set to YES, for each entry in the WORK_DIR/allowed-hosts file,

  # the hostname will be looked up.  If your versions of tcp_wrappers

  # and sshd sometimes log hostnames in addition to ip addresses

  # then you may wish to specify this option.

  #

  #ALLOWED_HOSTS_HOSTNAME_LOOKUP=NO

  #

  ######################################################################

  ######################################################################

  #

  # AGE_RESET_VALID: Specifies the period of time between failed login

  # attempts that, when exceeded will result in the failed count for

  # this host to be reset to 0.  This value applies to login attempts

  # to all valid users (those within /etc/passwd) with the

  # exception of root.  If not defined, this count will never

  # be reset.

  #

  # See the comments in the PURGE_DENY section (above)

  # for details on specifying this value or for complete details

  # refer to:  http://denyhosts.sourceforge.net/faq.html#timespec

  #

  AGE_RESET_VALID=5d

  #

  ######################################################################

  ######################################################################

  #

  # AGE_RESET_ROOT: Specifies the period of time between failed login

  # attempts that, when exceeded will result in the failed count for

  # this host to be reset to 0.  This value applies to all login

  # attempts to the "root" user account.  If not defined,

  # this count will never be reset.

  #

  # See the comments in the PURGE_DENY section (above)

  # for details on specifying this value or for complete details

  # refer to:  http://denyhosts.sourceforge.net/faq.html#timespec

  #

  AGE_RESET_ROOT=25d

  #

  ######################################################################

  ######################################################################

  #

  # AGE_RESET_RESTRICTED: Specifies the period of time between failed login

  # attempts that, when exceeded will result in the failed count for

  # this host to be reset to 0.  This value applies to all login

  # attempts to entries found in the WORK_DIR/restricted-usernames file.

  # If not defined, the count will never be reset.

  #

  # See the comments in the PURGE_DENY section (above)

  # for details on specifying this value or for complete details

  # refer to:  http://denyhosts.sourceforge.net/faq.html#timespec

  #

  AGE_RESET_RESTRICTED=25d

  #

  ######################################################################

  ######################################################################

  #

  # AGE_RESET_INVALID: Specifies the period of time between failed login

  # attempts that, when exceeded will result in the failed count for

  # this host to be reset to 0.  This value applies to login attempts

  # made to any invalid username (those that do not appear

  # in /etc/passwd).  If not defined, count will never be reset.

  #

  # See the comments in the PURGE_DENY section (above)

  # for details on specifying this value or for complete details

  # refer to:  http://denyhosts.sourceforge.net/faq.html#timespec

  #

  AGE_RESET_INVALID=10d

  #

  ######################################################################

  ######################################################################

  #

  # RESET_ON_SUCCESS: If this parameter is set to "yes" then the

  # failed count for the respective ip address will be reset to 0

  # if the login is successful.

  #

  # The default is RESET_ON_SUCCESS = no

  #

  #RESET_ON_SUCCESS = yes

  #

  #####################################################################

  ######################################################################

  #

  # PLUGIN_DENY: If set, this value should point to an executable

  # program that will be invoked when a host is added to the

  # HOSTS_DENY file.  This executable will be passed the host

  # that will be added as it's only argument.

  #

  #PLUGIN_DENY=/usr/bin/true

  #

  ######################################################################

  ######################################################################

  #

  # PLUGIN_PURGE: If set, this value should point to an executable

  # program that will be invoked when a host is removed from the

  # HOSTS_DENY file.  This executable will be passed the host

  # that is to be purged as it's only argument.

  #

  #PLUGIN_PURGE=/usr/bin/true

  #

  ######################################################################

  ######################################################################

  #

  # USERDEF_FAILED_ENTRY_REGEX: if set, this value should contain

  # a regular expression that can be used to identify additional

  # hackers for your particular ssh configuration.  This functionality

  # extends the built-in regular expressions that DenyHosts uses.

  # This parameter can be specified multiple times.

  # See this faq entry for more details:

  #    http://denyhosts.sf.net/faq.html#userdef_regex

  #

  #USERDEF_FAILED_ENTRY_REGEX=

  #

  #

  ######################################################################

  ######### THESE SETTINGS ARE SPECIFIC TO DAEMON MODE  ##########

  #######################################################################

  #

  # DAEMON_LOG: when DenyHosts is run in daemon mode (--daemon flag)

  # this is the logfile that DenyHosts uses to report it's status.

  # To disable logging, leave blank.  (default is: /var/log/denyhosts)

  #

  DAEMON_LOG = /var/log/denyhosts

  #

  # disable logging:

  #DAEMON_LOG =

  #

  ######################################################################

  #######################################################################

  #

  # DAEMON_LOG_TIME_FORMAT: when DenyHosts is run in daemon mode

  # (--daemon flag) this specifies the timestamp format of

  # the DAEMON_LOG messages (default is the ISO8061 format:

  # ie. 2005-07-22 10:38:01,745)

  #

  # for possible values for this parameter refer to: man strftime

  #

  # Jan 1 13:05:59

  #DAEMON_LOG_TIME_FORMAT = %b %d %H:%M:%S

  #

  # Jan 1 01:05:59

  #DAEMON_LOG_TIME_FORMAT = %b %d %I:%M:%S

  #

  ######################################################################

  #######################################################################

  #

  # DAEMON_LOG_MESSAGE_FORMAT: when DenyHosts is run in daemon mode

  # (--daemon flag) this specifies the message format of each logged

  # entry.  By default the following format is used:

  #

  # %(asctime)s - %(name)-12s: %(levelname)-8s %(message)s

  #

  # Where the "%(asctime)s" portion is expanded to the format

  # defined by DAEMON_LOG_TIME_FORMAT

  #

  # This string is passed to python's logging.Formatter contstuctor.

  # For details on the possible format types please refer to:

  # http://docs.python.org/lib/node357.html

  #

  # This is the default:

  #DAEMON_LOG_MESSAGE_FORMAT = %(asctime)s - %(name)-12s: %(levelname)-8s %(message)s

  #

  #

  ######################################################################

  #######################################################################

  #

  # DAEMON_SLEEP: when DenyHosts is run in daemon mode (--daemon flag)

  # this is the amount of time DenyHosts will sleep between polling

  # the SECURE_LOG.  See the comments in the PURGE_DENY section (above)

  # for details on specifying this value or for complete details

  # refer to:    http://denyhosts.sourceforge.net/faq.html#timespec

  #

  #

  DAEMON_SLEEP = 30s

  #

  #######################################################################

  #######################################################################

  #

  # DAEMON_PURGE: How often should DenyHosts, when run in daemon mode,

  # run the purge mechanism to expire old entries in HOSTS_DENY

  # This has no effect if PURGE_DENY is blank.

  #

  DAEMON_PURGE = 1h

  #

  #######################################################################

  #########   THESE SETTINGS ARE SPECIFIC TO     ##########

  #########       DAEMON SYNCHRONIZATION         ##########

  #######################################################################

  #

  # Synchronization mode allows the DenyHosts daemon the ability

  # to periodically send and receive denied host data such that

  # DenyHosts daemons worldwide can automatically inform one

  # another regarding banned hosts.   This mode is disabled by

  # default, you must uncomment SYNC_SERVER to enable this mode.

  #

  # for more information, please refer to:

  #        http:/denyhosts.sourceforge.net/faq.html#sync

  #

  #######################################################################

  #######################################################################

  #

  # SYNC_SERVER: The central server that communicates with DenyHost

  # daemons.  Currently, denyhosts.net is the only available server

  # however, in the future, it may be possible for organizations to

  # install their own server for internal network synchronization

  #

  # To disable synchronization (the default), do nothing.

  #

  # To enable synchronization, you must uncomment the following line:

  #SYNC_SERVER = http://xmlrpc.denyhosts.net:9911

  #

  #######################################################################

  #######################################################################

  #

  # SYNC_INTERVAL: the interval of time to perform synchronizations if

  # SYNC_SERVER has been uncommented.  The default is 1 hour.

  #

  #SYNC_INTERVAL = 1h

  #

  #######################################################################

  #######################################################################

  #

  # SYNC_UPLOAD: allow your DenyHosts daemon to transmit hosts that have

  # been denied?  This option only applies if SYNC_SERVER has

  # been uncommented.

  # The default is SYNC_UPLOAD = yes

  #

  #SYNC_UPLOAD = no

  #SYNC_UPLOAD = yes

  #

  #######################################################################

  #######################################################################

  #

  # SYNC_DOWNLOAD: allow your DenyHosts daemon to receive hosts that have

  # been denied by others?  This option only applies if SYNC_SERVER has

  # been uncommented.

  # The default is SYNC_DOWNLOAD = yes

  #

  #SYNC_DOWNLOAD = no

  #SYNC_DOWNLOAD = yes

  #

  #

  #

  #######################################################################

  #######################################################################

  #

  # SYNC_DOWNLOAD_THRESHOLD: If SYNC_DOWNLOAD is enabled this parameter

  # filters the returned hosts to those that have been blocked this many

  # times by others.  That is, if set to 1, then if a single DenyHosts

  # server has denied an ip address then you will receive the denied host.

  #

  # See also SYNC_DOWNLOAD_RESILIENCY

  #

  #SYNC_DOWNLOAD_THRESHOLD = 10

  #

  # The default is SYNC_DOWNLOAD_THRESHOLD = 3

  #

  #SYNC_DOWNLOAD_THRESHOLD = 3

  #

  #######################################################################

  #######################################################################

  #

  # SYNC_DOWNLOAD_RESILIENCY:  If SYNC_DOWNLOAD is enabled then the

  # value specified for this option limits the downloaded data

  # to this resiliency period or greater.

  #

  # Resiliency is defined as the timespan between a hackers first known

  # attack and it's most recent attack.  Example:

  #

  # If the centralized   denyhosts.net server records an attack at 2 PM

  # and then again at 5 PM, specifying a SYNC_DOWNLOAD_RESILIENCY = 4h

  # will not download this ip address.

  #

  # However, if the attacker is recorded again at 6:15 PM then the

  # ip address will be downloaded by your DenyHosts instance.

  #

  # This value is used in conjunction with the SYNC_DOWNLOAD_THRESHOLD

  # and only hosts that satisfy both values will be downloaded.

  # This value has no effect if SYNC_DOWNLOAD_THRESHOLD = 1

  #

  # The default is SYNC_DOWNLOAD_RESILIENCY = 5h (5 hours)

  #

  # Only obtain hackers that have been at it for 2 days or more:

  #SYNC_DOWNLOAD_RESILIENCY = 2d

  #

  # Only obtain hackers that have been at it for 5 hours or more:

  #SYNC_DOWNLOAD_RESILIENCY = 5h

  #

  #######################################################################

  最后就是设置启动脚本了

  cp /usr/share/denyhosts/daemon-control-dist /usr/share/denyhosts/daemon-control

  chown root /usr/share/denyhosts/daemon-control

  chmod 755 /usr/share/denyhosts/daemon-control

  ln -s /usr/share/denyhosts/daemon-control /etc/init.d/denyhosts

  chkconfig --level 345 denyhosts on

  启动denyhosts

  service denyhosts start

  这样就安装完成了,每次开机都自动启动的,自己测试下,输入几次错误的密码.然后看看cat /etc/hosts.deny 里面是否有屏蔽的IP,再然后测试下,有屏蔽IP是否还能登录SSH和FTP.我的FTP安装的是VSFTP,其他的没测试过..

    • 评论
    • 分享微博
    • 分享邮件
    邮件订阅

    如果您非常迫切的想了解IT领域最新产品与技术信息,那么订阅至顶网技术邮件将是您的最佳途径之一。

    重磅专题
    往期文章
    最新文章