至顶网›安全频道 ›安装denyhost防止SSH和FTP被暴力破解

安装denyhost防止SSH和FTP被暴力破解

扫一扫
分享文章到微信
扫一扫
关注官方公众号
至顶头条

　　做人到低调啊,我其实很低调的嘛,不知道得罪了哪个人,我的SSH和FTP一直被人扫描,而且还是那种多线程的,导致我的SSH和FTP开启了多进程来应付它的暴力破解,无奈之下还有改了端口了.

来源：zdnet整理 2011年7月3日

　　不过这是治标不治本的啦,Google一翻,终于给我找到了这个软件DenyHosts,DenyHosts是用Python语言编写的一个程序,它会分析你的日志文件,当发现重复的错误登录时就会记录IP到/etc/hosts.deny文件,然后自动屏蔽IP.功能很不错吧,下面是安装过程 (环境CentOS 5.5, DenyHosts 2.6)

　　下载:

　　wget http://imcat.in/down/DenyHosts-2.6.tar.gz

　　安装:

　　tar -zxvf DenyHosts-2.6.tar.gz

　　cd DenyHosts-2.6

　　python setup.py install

　　修改配置文件:

　　cp /usr/share/denyhosts/denyhosts.cfg-dist /usr/share/denyhosts/denyhosts.cfg

　　vi /usr/share/denyhosts/denyhosts.cfg

　　配置文件比较长,需要修改的,我都做了注释,自己看吧

　　############ THESE SETTINGS ARE REQUIRED ############

　　########################################################################

　　# SECURE_LOG: the log file that contains sshd logging info

　　# if you are not sure, grep "sshd:" /var/log/*

　　# The file to process can be overridden with the --file command line

　　# argument

　　# Redhat or Fedora Core:

　　#日志文件,根据这个文件来判断

　　SECURE_LOG = /var/log/secure

　　# Mandrake, FreeBSD or OpenBSD:

　　#SECURE_LOG = /var/log/auth.log

　　# SuSE:

　　#SECURE_LOG = /var/log/messages

　　# Mac OS X (v10.4 or greater -

　　# also refer to: http://www.denyhosts.net/faq.html#macos

　　#SECURE_LOG = /private/var/log/asl.log

　　# Mac OS X (v10.3 or earlier):

　　#SECURE_LOG=/private/var/log/system.log

　　########################################################################

　　# HOSTS_DENY: the file which contains restricted host access information

　　# Most operating systems:

　　#记录屏蔽的IP文件

　　HOSTS_DENY = /etc/hosts.deny

　　# Some BSD (FreeBSD) Unixes:

　　#HOSTS_DENY = /etc/hosts.allow

　　# Another possibility (also see the next option):

　　#HOSTS_DENY = /etc/hosts.evil

　　#######################################################################

　　########################################################################

　　# PURGE_DENY: removed HOSTS_DENY entries that are older than this time

　　# when DenyHosts is invoked with the --purge flag

　　# format is: i[dhwmy]

　　# Where 'i' is an integer (eg. 7)

　　# 'm' = minutes

　　# 'h' = hours

　　# 'd' = days

　　# 'w' = weeks

　　# 'y' = years

　　# never purge:

　　#多久清除屏蔽的IP,我设置一天

　　PURGE_DENY = 1d

　　# purge entries older than 1 week

　　#PURGE_DENY = 1w

　　# purge entries older than 5 days

　　#PURGE_DENY = 5d

　　#######################################################################

　　# PURGE_THRESHOLD: defines the maximum times a host will be purged.

　　# Once this value has been exceeded then this host will not be purged.

　　# Setting this parameter to 0 (the default) disables this feature.

　　# default: a denied host can be purged/re-added indefinitely

　　#PURGE_THRESHOLD = 0

　　# a denied host will be purged at most 2 times.

　　#PURGE_THRESHOLD = 2

　　#######################################################################

　　# BLOCK_SERVICE: the service name that should be blocked in HOSTS_DENY

　　# man 5 hosts_access for details

　　# eg. sshd: 127.0.0.1 # will block sshd logins from 127.0.0.1

　　# To block all services for the offending host:

　　#BLOCK_SERVICE = ALL

　　# To block only sshd:

　　#禁止的服务,我设置为全部,禁止登录SSH和/FTP

　　BLOCK_SERVICE = ALL

　　# To only record the offending host and nothing else (if using

　　# an auxilary file to list the hosts). Refer to:

　　# http://denyhosts.sourceforge.net/faq.html#aux

　　#BLOCK_SERVICE =

　　#######################################################################

　　# DENY_THRESHOLD_INVALID: block each host after the number of failed login

　　# attempts has exceeded this value. This value applies to invalid

　　# user login attempts (eg. non-existent user accounts)

　　#允许无效用户失败的数次

　　DENY_THRESHOLD_INVALID = 1

　　#######################################################################

　　# DENY_THRESHOLD_VALID: block each host after the number of failed

　　# login attempts has exceeded this value. This value applies to valid

　　# user login attempts (eg. user accounts that exist in /etc/passwd) except

　　# for the "root" user

　　#允许普通用户失败的次数

　　DENY_THRESHOLD_VALID = 1

　　#######################################################################

　　# DENY_THRESHOLD_ROOT: block each host after the number of failed

　　# login attempts has exceeded this value. This value applies to

　　# "root" user login attempts only.

　　#允许root用户失败的次数

　　DENY_THRESHOLD_ROOT = 3

　　#######################################################################

　　# DENY_THRESHOLD_RESTRICTED: block each host after the number of failed

　　# login attempts has exceeded this value. This value applies to

　　# usernames that appear in the WORK_DIR/restricted-usernames file only.

　　DENY_THRESHOLD_RESTRICTED = 1

　　#######################################################################

　　# WORK_DIR: the path that DenyHosts will use for writing data to

　　# (it will be created if it does not already exist).

　　# Note: it is recommended that you use an absolute pathname

　　# for this value (eg. /home/foo/denyhosts/data)

　　WORK_DIR = /usr/share/denyhosts/data

　　#######################################################################

　　# SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS

　　# SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES|NO

　　# If set to YES, if a suspicious login attempt results from an allowed-host

　　# then it is considered suspicious. If this is NO, then suspicious logins

　　# from allowed-hosts will not be reported. All suspicious logins from

　　# ip addresses that are not in allowed-hosts will always be reported.

　　SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES

　　######################################################################

　　# HOSTNAME_LOOKUP

　　# HOSTNAME_LOOKUP=YES|NO

　　# If set to YES, for each IP address that is reported by Denyhosts,

　　# the corresponding hostname will be looked up and reported as well

　　# (if available).

　　#是否做域名反解析

　　HOSTNAME_LOOKUP=NO

　　######################################################################

　　# LOCK_FILE

　　# LOCK_FILE=/path/denyhosts

　　# If this file exists when DenyHosts is run, then DenyHosts will exit

　　# immediately. Otherwise, this file will be created upon invocation

　　# and deleted upon exit. This ensures that only one instance is

　　# running at a time.

　　# Redhat/Fedora:

　　LOCK_FILE = /var/lock/subsys/denyhosts

　　# Debian

　　#LOCK_FILE = /var/run/denyhosts.pid

　　# Misc

　　#LOCK_FILE = /tmp/denyhosts.lock

　　######################################################################

　　############ THESE SETTINGS ARE OPTIONAL ############

　　#######################################################################

　　# ADMIN_EMAIL: if you would like to receive emails regarding newly

　　# restricted hosts and suspicious logins, set this address to

　　# match your email address. If you do not want to receive these reports

　　# leave this field blank (or run with the --noemail option)

　　# Multiple email addresses can be delimited by a comma, eg:

　　# ADMIN_EMAIL = foo@bar.com, bar@foo.com, etc@foobar.com

　　#管理员Email

　　ADMIN_EMAIL =

　　#######################################################################

　　# SMTP_HOST and SMTP_PORT: if DenyHosts is configured to email

　　# reports (see ADMIN_EMAIL) then these settings specify the

　　# email server address (SMTP_HOST) and the server port (SMTP_PORT)

　　SMTP_HOST = localhost

　　SMTP_PORT = 25

　　#######################################################################

　　# SMTP_USERNAME and SMTP_PASSWORD: set these parameters if your

　　# smtp email server requires authentication

　　#SMTP_USERNAME=foo

　　#SMTP_PASSWORD=bar

　　######################################################################

　　#######################################################################

　　# SMTP_FROM: you can specify the "From:" address in messages sent

　　# from DenyHosts when it reports thwarted abuse attempts

　　SMTP_FROM = DenyHosts <nobody@localhost>

　　#######################################################################

　　# SMTP_SUBJECT: you can specify the "Subject:" of messages sent

　　# by DenyHosts when it reports thwarted abuse attempts

　　SMTP_SUBJECT = DenyHosts Report

　　######################################################################

　　# SMTP_DATE_FORMAT: specifies the format used for the "Date:" header

　　# when sending email messages.

　　# for possible values for this parameter refer to: man strftime

　　# the default:

　　#SMTP_DATE_FORMAT = %a, %d %b %Y %H:%M:%S %z

　　######################################################################

　　# SYSLOG_REPORT

　　# SYSLOG_REPORT=YES|NO

　　# If set to yes, when denied hosts are recorded the report data

　　# will be sent to syslog (syslog must be present on your system).

　　# The default is: NO

　　#SYSLOG_REPORT=NO

　　#SYSLOG_REPORT=YES

　　######################################################################

　　# ALLOWED_HOSTS_HOSTNAME_LOOKUP

　　# ALLOWED_HOSTS_HOSTNAME_LOOKUP=YES|NO

　　# If set to YES, for each entry in the WORK_DIR/allowed-hosts file,

　　# the hostname will be looked up. If your versions of tcp_wrappers

　　# and sshd sometimes log hostnames in addition to ip addresses

　　# then you may wish to specify this option.

　　#ALLOWED_HOSTS_HOSTNAME_LOOKUP=NO

　　######################################################################

　　# AGE_RESET_VALID: Specifies the period of time between failed login

　　# attempts that, when exceeded will result in the failed count for

　　# this host to be reset to 0. This value applies to login attempts

　　# to all valid users (those within /etc/passwd) with the

　　# exception of root. If not defined, this count will never

　　# be reset.

　　# See the comments in the PURGE_DENY section (above)

　　# for details on specifying this value or for complete details

　　# refer to: http://denyhosts.sourceforge.net/faq.html#timespec

　　AGE_RESET_VALID=5d

　　######################################################################

　　# AGE_RESET_ROOT: Specifies the period of time between failed login

　　# attempts that, when exceeded will result in the failed count for

　　# this host to be reset to 0. This value applies to all login

　　# attempts to the "root" user account. If not defined,

　　# this count will never be reset.

　　# See the comments in the PURGE_DENY section (above)

　　# for details on specifying this value or for complete details

　　# refer to: http://denyhosts.sourceforge.net/faq.html#timespec

　　AGE_RESET_ROOT=25d

　　######################################################################

　　# AGE_RESET_RESTRICTED: Specifies the period of time between failed login

　　# attempts that, when exceeded will result in the failed count for

　　# this host to be reset to 0. This value applies to all login

　　# attempts to entries found in the WORK_DIR/restricted-usernames file.

　　# If not defined, the count will never be reset.

　　# See the comments in the PURGE_DENY section (above)

　　# for details on specifying this value or for complete details

　　# refer to: http://denyhosts.sourceforge.net/faq.html#timespec

　　AGE_RESET_RESTRICTED=25d

　　######################################################################

　　# AGE_RESET_INVALID: Specifies the period of time between failed login

　　# attempts that, when exceeded will result in the failed count for

　　# this host to be reset to 0. This value applies to login attempts

　　# made to any invalid username (those that do not appear

　　# in /etc/passwd). If not defined, count will never be reset.

　　# See the comments in the PURGE_DENY section (above)

　　# for details on specifying this value or for complete details

　　# refer to: http://denyhosts.sourceforge.net/faq.html#timespec

　　AGE_RESET_INVALID=10d

　　######################################################################

　　# RESET_ON_SUCCESS: If this parameter is set to "yes" then the

　　# failed count for the respective ip address will be reset to 0

　　# if the login is successful.

　　# The default is RESET_ON_SUCCESS = no

　　#RESET_ON_SUCCESS = yes

　　#####################################################################

　　######################################################################

　　# PLUGIN_DENY: If set, this value should point to an executable

　　# program that will be invoked when a host is added to the

　　# HOSTS_DENY file. This executable will be passed the host

　　# that will be added as it's only argument.

　　#PLUGIN_DENY=/usr/bin/true

　　######################################################################

　　# PLUGIN_PURGE: If set, this value should point to an executable

　　# program that will be invoked when a host is removed from the

　　# HOSTS_DENY file. This executable will be passed the host

　　# that is to be purged as it's only argument.

　　#PLUGIN_PURGE=/usr/bin/true

　　######################################################################

　　# USERDEF_FAILED_ENTRY_REGEX: if set, this value should contain

　　# a regular expression that can be used to identify additional

　　# hackers for your particular ssh configuration. This functionality

　　# extends the built-in regular expressions that DenyHosts uses.

　　# This parameter can be specified multiple times.

　　# See this faq entry for more details:

　　# http://denyhosts.sf.net/faq.html#userdef_regex

　　#USERDEF_FAILED_ENTRY_REGEX=

　　######################################################################

　　######### THESE SETTINGS ARE SPECIFIC TO DAEMON MODE ##########

　　#######################################################################

　　# DAEMON_LOG: when DenyHosts is run in daemon mode (--daemon flag)

　　# this is the logfile that DenyHosts uses to report it's status.

　　# To disable logging, leave blank. (default is: /var/log/denyhosts)

　　DAEMON_LOG = /var/log/denyhosts

　　# disable logging:

　　#DAEMON_LOG =

　　######################################################################

　　#######################################################################

　　# DAEMON_LOG_TIME_FORMAT: when DenyHosts is run in daemon mode

　　# (--daemon flag) this specifies the timestamp format of

　　# the DAEMON_LOG messages (default is the ISO8061 format:

　　# ie. 2005-07-22 10:38:01,745)

　　# for possible values for this parameter refer to: man strftime

　　# Jan 1 13:05:59

　　#DAEMON_LOG_TIME_FORMAT = %b %d %H:%M:%S

　　# Jan 1 01:05:59

　　#DAEMON_LOG_TIME_FORMAT = %b %d %I:%M:%S

　　######################################################################

　　#######################################################################

　　# DAEMON_LOG_MESSAGE_FORMAT: when DenyHosts is run in daemon mode

　　# (--daemon flag) this specifies the message format of each logged

　　# entry. By default the following format is used:

　　# %(asctime)s - %(name)-12s: %(levelname)-8s %(message)s

　　# Where the "%(asctime)s" portion is expanded to the format

　　# defined by DAEMON_LOG_TIME_FORMAT

　　# This string is passed to python's logging.Formatter contstuctor.

　　# For details on the possible format types please refer to:

　　# http://docs.python.org/lib/node357.html

　　# This is the default:

　　#DAEMON_LOG_MESSAGE_FORMAT = %(asctime)s - %(name)-12s: %(levelname)-8s %(message)s

　　######################################################################

　　#######################################################################

　　# DAEMON_SLEEP: when DenyHosts is run in daemon mode (--daemon flag)

　　# this is the amount of time DenyHosts will sleep between polling

　　# the SECURE_LOG. See the comments in the PURGE_DENY section (above)

　　# for details on specifying this value or for complete details

　　# refer to: http://denyhosts.sourceforge.net/faq.html#timespec

　　DAEMON_SLEEP = 30s

　　#######################################################################

　　# DAEMON_PURGE: How often should DenyHosts, when run in daemon mode,

　　# run the purge mechanism to expire old entries in HOSTS_DENY

　　# This has no effect if PURGE_DENY is blank.

　　DAEMON_PURGE = 1h

　　#######################################################################

　　######### THESE SETTINGS ARE SPECIFIC TO ##########

　　######### DAEMON SYNCHRONIZATION ##########

　　#######################################################################

　　# Synchronization mode allows the DenyHosts daemon the ability

　　# to periodically send and receive denied host data such that

　　# DenyHosts daemons worldwide can automatically inform one

　　# another regarding banned hosts. This mode is disabled by

　　# default, you must uncomment SYNC_SERVER to enable this mode.

　　# for more information, please refer to:

　　# http:/denyhosts.sourceforge.net/faq.html#sync

　　#######################################################################

　　# SYNC_SERVER: The central server that communicates with DenyHost

　　# daemons. Currently, denyhosts.net is the only available server

　　# however, in the future, it may be possible for organizations to

　　# install their own server for internal network synchronization

　　# To disable synchronization (the default), do nothing.

　　# To enable synchronization, you must uncomment the following line:

　　#SYNC_SERVER = http://xmlrpc.denyhosts.net:9911

　　#######################################################################

　　# SYNC_INTERVAL: the interval of time to perform synchronizations if

　　# SYNC_SERVER has been uncommented. The default is 1 hour.

　　#SYNC_INTERVAL = 1h

　　#######################################################################

　　# SYNC_UPLOAD: allow your DenyHosts daemon to transmit hosts that have

　　# been denied? This option only applies if SYNC_SERVER has

　　# been uncommented.

　　# The default is SYNC_UPLOAD = yes

　　#SYNC_UPLOAD = no

　　#SYNC_UPLOAD = yes

　　#######################################################################

　　# SYNC_DOWNLOAD: allow your DenyHosts daemon to receive hosts that have

　　# been denied by others? This option only applies if SYNC_SERVER has

　　# been uncommented.

　　# The default is SYNC_DOWNLOAD = yes

　　#SYNC_DOWNLOAD = no

　　#SYNC_DOWNLOAD = yes

　　#######################################################################

　　# SYNC_DOWNLOAD_THRESHOLD: If SYNC_DOWNLOAD is enabled this parameter

　　# filters the returned hosts to those that have been blocked this many

　　# times by others. That is, if set to 1, then if a single DenyHosts

　　# server has denied an ip address then you will receive the denied host.

　　# See also SYNC_DOWNLOAD_RESILIENCY

　　#SYNC_DOWNLOAD_THRESHOLD = 10

　　# The default is SYNC_DOWNLOAD_THRESHOLD = 3

　　#SYNC_DOWNLOAD_THRESHOLD = 3

　　#######################################################################

　　# SYNC_DOWNLOAD_RESILIENCY: If SYNC_DOWNLOAD is enabled then the

　　# value specified for this option limits the downloaded data

　　# to this resiliency period or greater.

　　# Resiliency is defined as the timespan between a hackers first known

　　# attack and it's most recent attack. Example:

　　# If the centralized denyhosts.net server records an attack at 2 PM

　　# and then again at 5 PM, specifying a SYNC_DOWNLOAD_RESILIENCY = 4h

　　# will not download this ip address.

　　# However, if the attacker is recorded again at 6:15 PM then the

　　# ip address will be downloaded by your DenyHosts instance.

　　# This value is used in conjunction with the SYNC_DOWNLOAD_THRESHOLD

　　# and only hosts that satisfy both values will be downloaded.

　　# This value has no effect if SYNC_DOWNLOAD_THRESHOLD = 1

　　# The default is SYNC_DOWNLOAD_RESILIENCY = 5h (5 hours)

　　# Only obtain hackers that have been at it for 2 days or more:

　　#SYNC_DOWNLOAD_RESILIENCY = 2d

　　# Only obtain hackers that have been at it for 5 hours or more:

　　#SYNC_DOWNLOAD_RESILIENCY = 5h

　　#######################################################################

　　最后就是设置启动脚本了

　　cp /usr/share/denyhosts/daemon-control-dist /usr/share/denyhosts/daemon-control

　　chown root /usr/share/denyhosts/daemon-control

　　chmod 755 /usr/share/denyhosts/daemon-control

　　ln -s /usr/share/denyhosts/daemon-control /etc/init.d/denyhosts

　　chkconfig --level 345 denyhosts on

　　启动denyhosts

　　service denyhosts start

　　这样就安装完成了,每次开机都自动启动的,自己测试下,输入几次错误的密码.然后看看cat /etc/hosts.deny 里面是否有屏蔽的IP,再然后测试下,有屏蔽IP是否还能登录SSH和FTP.我的FTP安装的是VSFTP,其他的没测试过..

VIP专区

VIP用户

普通用户

邮件订阅

如果您非常迫切的想了解IT领域最新产品与技术信息，那么订阅至顶网技术邮件将是您的最佳途径之一。

重磅专题

往期文章

安装denyhost防止SSH和FTP被暴力破解

业界热点: