CentOS 7下限制ip访问（白名单）

wget https://github.com/denyhosts/denyhosts/releases/download/v3.1/DenyHosts-3.1.2.tar.gz

vim /etc/hosts.allow

sshd:192.168.31.109:allow //只允许192.168.31.109登录

vim /etc/hosts.deny

sshd:ALL //开启白名单，只允许192.168.31.109登录

service sshd restart，重启sshd

查看本机运行的脚本

[root@cvm-3i2fmpd28a225 ~]# ps -ef|grep sh
root 1192 1114 0 Jan19 tty1 00:00:00 -bash

root 662609 1 0 21:40 ? 00:00:00 sshd: root [priv]
root 662613 662609 0 21:40 ? 00:00:01 sshd: root@pts/1
root 662614 662613 0 21:40 pts/1 00:00:00 -bash
root 694003 1 0 21:56 ? 00:00:00 /usr/sbin/sshd -D -oCiphers=aes256-gcm@openssh.com,chacha20
-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc -oMACs=hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 -oGSSAPIKexAlgorithms=gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-,gss-gex-sha1-,gss-group14-sha1- -oKexAlgorithms=curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1 -oHostKeyAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com -oPubkeyAcceptedKeyTypes=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ss-rsa,ssh-rsa-cert-v01@openssh.com -oCASignatureAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-256,rsa-sha2-512,ssh-rsaroot 694543 694003 0 23:01 ? 00:00:00 sshd: root [priv]
root 694547 694543 0 23:01 ? 00:00:00 sshd: root@pts/3
root 694548 694547 0 23:01 pts/3 00:00:00 -bash
root 694658 694003 0 23:02 ? 00:00:00 sshd: [accepted]
root 694664 694003 0 23:04 ? 00:00:00 sshd: [accepted]
root 694665 694003 0 23:04 ? 00:00:00 sshd: root [priv]
sshd 694666 694665 0 23:04 ? 00:00:00 sshd: root [net]
root 694669 694548 0 23:04 pts/3 00:00:00 grep --color=auto sh
[root@cvm-3i2fmpd28a225 ~]# kill -9 694003

[root@cvm-3i2fmpd28a225 ~]# systemctl list-unit-files | grep enabled
auditd.service enabled
autovt@.service enabled
chronyd.service enabled
cloud-config.service enabled
cloud-final.service enabled
cloud-init-local.service enabled
cloud-init.service enabled
crond.service enabled
dbus-org.freedesktop.nm-dispatcher.service enabled
dbus-org.freedesktop.timedate1.service enabled
getty@.service enabled
import-state.service enabled
irqbalance.service enabled
kdump.service enabled
loadmodules.service enabled
microcode.service enabled
NetworkManager-dispatcher.service enabled
NetworkManager-wait-online.service enabled
NetworkManager.service enabled
nfs-convert.service enabled
nis-domainname.service enabled
rc-local.service enabled
rngd.service enabled
rpcbind.service enabled
rsyslog.service enabled
selinux-autorelabel-mark.service enabled

sssd.service enabled
syslog.service enabled
sysstat.service enabled
timedatex.service enabled
tuned.service enabled
rpcbind.socket enabled
sssd-kcm.socket enabled
cloud-init.target enabled-runtime
nfs-client.target enabled
remote-fs.target enabled
dnf-makecache.timer enabled
sysstat-collect.timer enabled
sysstat-summary.timer enabled
unbound-anchor.timer enable

安装DenyHosts

http://denyhosts.sourceforge.net/

https://github.com/denyhosts/denyhosts/tags

What is DenyHosts?
 
DenyHosts is a Python script that analyzes the sshd server log messages to determine what hosts are attempting to hack into your system. It also determines what user accounts are being targeted. It keeps track of the frequency of attempts from each host.
Additionally, upon discovering a repeated attack host, the /etc/hosts.deny file is updated to prevent future break-in attempts from that host.
 
An email report can be sent to a system admin.

requirements.txt

ipaddr >= 2.1 ; python_version < '3.0'
mock ; python_version < '3.3'
requests
configparser

python 版本小于3.0

[root@cvm-3i2fmpd28a225 denyhosts-3.1]# python setup.py install 
running install
running build
running build_py
creating build
creating build/lib
creating build/lib/DenyHosts
copying DenyHosts/__init__.py -> build/lib/DenyHosts
copying DenyHosts/allowedhosts.py -> build/lib/DenyHosts
copying DenyHosts/constants.py -> build/lib/DenyHosts
copying DenyHosts/counter.py -> build/lib/DenyHosts
copying DenyHosts/daemon.py -> build/lib/DenyHosts
copying DenyHosts/deny_hosts.py -> build/lib/DenyHosts
copying DenyHosts/denyfileutil.py -> build/lib/DenyHosts
copying DenyHosts/filetracker.py -> build/lib/DenyHosts
copying DenyHosts/lockfile.py -> build/lib/DenyHosts
copying DenyHosts/loginattempt.py -> build/lib/DenyHosts
copying DenyHosts/plugin.py -> build/lib/DenyHosts
copying DenyHosts/prefs.py -> build/lib/DenyHosts
copying DenyHosts/purgecounter.py -> build/lib/DenyHosts
copying DenyHosts/python_version.py -> build/lib/DenyHosts
copying DenyHosts/regex.py -> build/lib/DenyHosts
copying DenyHosts/report.py -> build/lib/DenyHosts
copying DenyHosts/restricted.py -> build/lib/DenyHosts
copying DenyHosts/sync.py -> build/lib/DenyHosts
copying DenyHosts/util.py -> build/lib/DenyHosts
copying DenyHosts/version.py -> build/lib/DenyHosts
running build_scripts
creating build/scripts-2.7
copying and adjusting denyhosts.py -> build/scripts-2.7
copying and adjusting daemon-control-dist -> build/scripts-2.7
changing mode of build/scripts-2.7/denyhosts.py from 644 to 755
changing mode of build/scripts-2.7/daemon-control-dist from 644 to 755
running install_lib
creating /root/.pyenv/versions/2.7.18/lib/python2.7/site-packages/DenyHosts
copying build/lib/DenyHosts/__init__.py -> /root/.pyenv/versions/2.7.18/lib/python2.7/site-packages/DenyHosts
copying build/lib/DenyHosts/allowedhosts.py -> /root/.pyenv/versions/2.7.18/lib/python2.7/site-packages/DenyHos
tscopying build/lib/DenyHosts/constants.py -> /root/.pyenv/versions/2.7.18/lib/python2.7/site-packages/DenyHosts
copying build/lib/DenyHosts/counter.py -> /root/.pyenv/versions/2.7.18/lib/python2.7/site-packages/DenyHosts
copying build/lib/DenyHosts/daemon.py -> /root/.pyenv/versions/2.7.18/lib/python2.7/site-packages/DenyHosts
copying build/lib/DenyHosts/deny_hosts.py -> /root/.pyenv/versions/2.7.18/lib/python2.7/site-packages/DenyHosts
copying build/lib/DenyHosts/denyfileutil.py -> /root/.pyenv/versions/2.7.18/lib/python2.7/site-packages/DenyHos
tscopying build/lib/DenyHosts/filetracker.py -> /root/.pyenv/versions/2.7.18/lib/python2.7/site-packages/DenyHost
scopying build/lib/DenyHosts/lockfile.py -> /root/.pyenv/versions/2.7.18/lib/python2.7/site-packages/DenyHosts
copying build/lib/DenyHosts/loginattempt.py -> /root/.pyenv/versions/2.7.18/lib/python2.7/site-packages/DenyHos
tscopying build/lib/DenyHosts/plugin.py -> /root/.pyenv/versions/2.7.18/lib/python2.7/site-packages/DenyHosts
copying build/lib/DenyHosts/prefs.py -> /root/.pyenv/versions/2.7.18/lib/python2.7/site-packages/DenyHosts
copying build/lib/DenyHosts/purgecounter.py -> /root/.pyenv/versions/2.7.18/lib/python2.7/site-packages/DenyHos
tscopying build/lib/DenyHosts/python_version.py -> /root/.pyenv/versions/2.7.18/lib/python2.7/site-packages/DenyH
ostscopying build/lib/DenyHosts/regex.py -> /root/.pyenv/versions/2.7.18/lib/python2.7/site-packages/DenyHosts
copying build/lib/DenyHosts/report.py -> /root/.pyenv/versions/2.7.18/lib/python2.7/site-packages/DenyHosts
copying build/lib/DenyHosts/restricted.py -> /root/.pyenv/versions/2.7.18/lib/python2.7/site-packages/DenyHosts
copying build/lib/DenyHosts/sync.py -> /root/.pyenv/versions/2.7.18/lib/python2.7/site-packages/DenyHosts
copying build/lib/DenyHosts/util.py -> /root/.pyenv/versions/2.7.18/lib/python2.7/site-packages/DenyHosts
copying build/lib/DenyHosts/version.py -> /root/.pyenv/versions/2.7.18/lib/python2.7/site-packages/DenyHosts
byte-compiling /root/.pyenv/versions/2.7.18/lib/python2.7/site-packages/DenyHosts/__init__.py to __init__.pyc
byte-compiling /root/.pyenv/versions/2.7.18/lib/python2.7/site-packages/DenyHosts/allowedhosts.py to allowedhos
ts.pycbyte-compiling /root/.pyenv/versions/2.7.18/lib/python2.7/site-packages/DenyHosts/constants.py to constants.pyc
byte-compiling /root/.pyenv/versions/2.7.18/lib/python2.7/site-packages/DenyHosts/counter.py to counter.pyc
byte-compiling /root/.pyenv/versions/2.7.18/lib/python2.7/site-packages/DenyHosts/daemon.py to daemon.pyc
byte-compiling /root/.pyenv/versions/2.7.18/lib/python2.7/site-packages/DenyHosts/deny_hosts.py to deny_hosts.p
ycbyte-compiling /root/.pyenv/versions/2.7.18/lib/python2.7/site-packages/DenyHosts/denyfileutil.py to denyfileut
il.pycbyte-compiling /root/.pyenv/versions/2.7.18/lib/python2.7/site-packages/DenyHosts/filetracker.py to filetracker
.pycbyte-compiling /root/.pyenv/versions/2.7.18/lib/python2.7/site-packages/DenyHosts/lockfile.py to lockfile.pyc
byte-compiling /root/.pyenv/versions/2.7.18/lib/python2.7/site-packages/DenyHosts/loginattempt.py to loginattem
pt.pycbyte-compiling /root/.pyenv/versions/2.7.18/lib/python2.7/site-packages/DenyHosts/plugin.py to plugin.pyc
byte-compiling /root/.pyenv/versions/2.7.18/lib/python2.7/site-packages/DenyHosts/prefs.py to prefs.pyc
byte-compiling /root/.pyenv/versions/2.7.18/lib/python2.7/site-packages/DenyHosts/purgecounter.py to purgecount
er.pycbyte-compiling /root/.pyenv/versions/2.7.18/lib/python2.7/site-packages/DenyHosts/python_version.py to python_v
ersion.pycbyte-compiling /root/.pyenv/versions/2.7.18/lib/python2.7/site-packages/DenyHosts/regex.py to regex.pyc
byte-compiling /root/.pyenv/versions/2.7.18/lib/python2.7/site-packages/DenyHosts/report.py to report.pyc
byte-compiling /root/.pyenv/versions/2.7.18/lib/python2.7/site-packages/DenyHosts/restricted.py to restricted.p
ycbyte-compiling /root/.pyenv/versions/2.7.18/lib/python2.7/site-packages/DenyHosts/sync.py to sync.pyc
byte-compiling /root/.pyenv/versions/2.7.18/lib/python2.7/site-packages/DenyHosts/util.py to util.pyc
byte-compiling /root/.pyenv/versions/2.7.18/lib/python2.7/site-packages/DenyHosts/version.py to version.pyc
running install_scripts
copying build/scripts-2.7/denyhosts.py -> /root/.pyenv/versions/2.7.18/bin
copying build/scripts-2.7/daemon-control-dist -> /root/.pyenv/versions/2.7.18/bin
changing mode of /root/.pyenv/versions/2.7.18/bin/denyhosts.py to 755
changing mode of /root/.pyenv/versions/2.7.18/bin/daemon-control-dist to 755
running install_data
copying denyhosts.conf -> /etc
copying denyhosts.8 -> /usr/share/man/man8
running install_egg_info
Writing /root/.pyenv/versions/2.7.18/lib/python2.7/site-packages/DenyHosts-3.0-py2.7.egg-info

[root@cvm-3i2fmpd28a225 denyhosts-3.1]# ls /etc/de
default/        denyhosts.conf  depmod.d/       
[root@cvm-3i2fmpd28a225 denyhosts-3.1]# ls /etc/denyhosts.conf 
/etc/denyhosts.conf
[root@cvm-3i2fmpd28a225 denyhosts-3.1]# ls
build                DenyHosts       denyhosts.py       Makefile     plugins           scripts   TODO
CHANGELOG.txt        denyhosts.8     denyhosts.service  MANIFEST.in  README.md         setup.py
daemon-control-dist  denyhosts.conf  LICENSE.txt        PKG-INFO     requirements.txt  tests
[root@cvm-3i2fmpd28a225 denyhosts-3.1]# cp daemon-control-dist daemon-control
[root@cvm-3i2fmpd28a225 denyhosts-3.1]# vim daemon-control
[root@cvm-3i2fmpd28a225 denyhosts-3.1]# chmod 700 daemon-control
[root@cvm-3i2fmpd28a225 denyhosts-3.1]# ./daemon-control start 
starting DenyHosts:    /usr/bin/env python /usr/sbin/denyhosts --daemon --config=/etc/denyhosts.conf
python: can't open file '/usr/sbin/denyhosts': [Errno 2] No such file or directory
[root@cvm-3i2fmpd28a225 denyhosts-3.1]# ls -l /usr/sbin/denyhosts
ls: cannot access '/usr/sbin/denyhosts': No such file or directory
[root@cvm-3i2fmpd28a225 denyhosts-3.1]# cp denyhosts.py  /usr/sbin/denyhosts
[root@cvm-3i2fmpd28a225 denyhosts-3.1]# ./daemon-control start 
starting DenyHosts:    /usr/bin/env python /usr/sbin/denyhosts --daemon --config=/etc/denyhosts.conf
Can't read: /var/log/auth.log
[Errno 2] No such file or directory: '/var/log/auth.log'
Error deleting DenyHosts lock file: /var/run/denyhosts.pid
[Errno 2] No such file or directory: '/var/run/denyhosts.pid'
[root@cvm-3i2fmpd28a225 denyhosts-3.1]# touch var/log/auth.log
touch: cannot touch 'var/log/auth.log': No such file or directory
[root@cvm-3i2fmpd28a225 denyhosts-3.1]# touch /var/log/auth.log
[root@cvm-3i2fmpd28a225 denyhosts-3.1]# touch /var/run/denyhosts.pid
[root@cvm-3i2fmpd28a225 denyhosts-3.1]# ./daemon-control start 
starting DenyHosts:    /usr/bin/env python /usr/sbin/denyhosts --daemon --config=/etc/denyhosts.conf
DenyHosts could not obtain lock (pid: )
[Errno 17] File exists: '/var/run/denyhosts.pid'
[root@cvm-3i2fmpd28a225 denyhosts-3.1]# ps -ef|grep den
root      453223       1  0 Feb18 ?        00:18:08 /usr/local/nexus/nexus-2.11.2-03/bin/jsw/linux-x86-64/wrapp
er /usr/local/nexus/nexus-2.11.2-03/bin/jsw/conf/wrapper.conf wrapper.syslog.ident=nexus wrapper.pidfile=/usr/local/nexus/nexus-2.11.2-03/bin/jsw/linux-x86-64/nexus.pid wrapper.daemonize=TRUE wrapper.lockfile=/var/lock/subsys/nexusroot      734738  702555  0 00:44 pts/1    00:00:00 grep --color=auto den
[root@cvm-3i2fmpd28a225 denyhosts-3.1]# ps -ef|grep denyhosts
root      734740  702555  0 00:45 pts/1    00:00:00 grep --color=auto denyhosts
[root@cvm-3i2fmpd28a225 denyhosts-3.1]# rm -rf /var/run/denyhosts.pid
[root@cvm-3i2fmpd28a225 denyhosts-3.1]# ./daemon-control start 
starting DenyHosts:    /usr/bin/env python /usr/sbin/denyhosts --daemon --config=/etc/denyhosts.conf
[root@cvm-3i2fmpd28a225 denyhosts-3.1]# ps -ef|grep deny
root      734779       1  0 00:45 ?        00:00:00 python /usr/sbin/denyhosts --daemon --config=/etc/denyhosts
.confroot      734784  702555  0 00:45 pts/1    00:00:00 grep --color=auto deny

主要配置文件：

daemon-control

DENYHOSTS_BIN   = "/usr/sbin/denyhosts"
DENYHOSTS_LOCK  = "/run/denyhosts.pid"
DENYHOSTS_CFG   = "/etc/denyhosts.conf"
 
PYTHON_BIN      = "/usr/bin/env python"

sed -i 's#^SECURE_LOG.*#SECURE_LOG = /var/log/secure#' /etc/denyhosts.conf
sed -i 's#^HOSTS_DENY.*#HOSTS_DENY = /etc/hosts.deny#' /etc/denyhosts.conf
sed -i 's#^DENY_THRESHOLD_VALID.*#DENY_THRESHOLD_VALID = 5#' /etc/denyhosts.conf
sed -i 's#^DENY_THRESHOLD_ROOT.*#DENY_THRESHOLD_ROOT = 5#' /etc/denyhosts.conf
sed -i 's$IPTABLES = /sbin/iptables$#IPTABLES = /sbin/iptables$' /etc/denyhosts.conf
sed -i 's$^ADMIN_EMAIL.*$ADMIN_EMAIL = $' /etc/denyhosts.conf

cat >/etc/denyhosts.conf<<EOF
SECURE_LOG = /var/log/secure
HOSTS_DENY = /etc/hosts.deny
PURGE_DENY = 
BLOCK_SERVICE  = sshd
DENY_THRESHOLD_INVALID = 5
DENY_THRESHOLD_VALID = 5
DENY_THRESHOLD_ROOT = 5
DENY_THRESHOLD_RESTRICTED = 1
WORK_DIR = /var/lib/denyhosts
ETC_DIR = /etc
SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES
HOSTNAME_LOOKUP=NO
LOCK_FILE = /var/run/denyhosts.pid
ADMIN_EMAIL = 
SMTP_HOST = localhost
SMTP_PORT = 25
SMTP_FROM = DenyHosts <nobody@localhost>
SMTP_SUBJECT = DenyHosts Report
ALLOWED_HOSTS_HOSTNAME_LOOKUP=NO
AGE_RESET_VALID=5d
AGE_RESET_ROOT=25d
AGE_RESET_RESTRICTED=25d
AGE_RESET_INVALID=10d
DAEMON_LOG = /var/log/denyhosts
DAEMON_SLEEP = 30s
DAEMON_PURGE = 1h
SYNC_UPLOAD = no
SYNC_DOWNLOAD = no
EOF

#ssh 日志文件 #redhat系列根据/var/log/secure文件来判断
SECURE_LOG = /var/log/secure
#控制用户登陆的文件，封禁的ip
HOSTS_DENY = /etc/hosts.deny
#默认情况下，永远不会清理长期被禁止的IP，建议保持默认
PURGE_DENY =
#禁止的服务名，当然DenyHost不仅仅用于SSH服务
BLOCK_SERVICE = sshd
#允许无效用户失败的次数
DENY_THRESHOLD_INVALID = 5
#允许普通用户登陆失败的次数
DENY_THRESHOLD_VALID = 5
#允许root登陆失败的次数
DENY_THRESHOLD_ROOT = 5
#默认情况下，会调用iptables禁止IP建立连接，可以关闭该功能，centos7
#IPTABLES = /sbin/iptables
#默认情况下会发送email到root@localhost，可以关闭该功能
ADMIN_EMAIL =

cp daemon-control-dist /etc/init.d/denyhosts
sed -i  's#/usr/sbin/denyhosts#/usr/bin/denyhosts.py#' /etc/init.d/denyhosts
sed -i  's#/run/denyhosts.pid#/var/run/denyhosts.pid#' /etc/init.d/denyhosts
/etc/init.d/denyhosts start
chkconfig --add denyhosts
chkconfig denyhosts on

systemctl  stop denyhosts  ##/etc/init.d/denyhosts stop 
vi /etc/hosts.deny  ###删除/etc/hosts.deny中相关IP
cd /var/lib/denyhosts/ && find . -type f|xargs sed -i "/192.168.1.160/d"
systemctl  start denyhosts ##/etc/init.d/denyhosts start
 
 
echo "sshd:192.168.1.160:allow" >>/etc/hosts.allow
systemctl  restart denyhosts  ##/etc/init.d/denyhosts restart

http://mirror.neu.edu.cn/fedora-epel/7/x86_64/d/denyhosts-2.9-4.el7.noarch.rpm

wget http://mirror.neu.edu.cn/fedora-epel/7/x86_64/d/denyhosts-2.9-4.el7.noarch.rpm
rpm -ivh denyhosts-2.9-4.el7.noarch.rpm

vim /etc/denyhosts.conf 

grep -v "^#" /etc/denyhosts.conf | grep -v "^$"
具体配置文件的解释如下
       ############ THESE SETTINGS ARE REQUIRED ############
SECURE_LOG = /var/log/secure #ssh 日志文件，它是根据这个文件来判断的。
HOSTS_DENY = /etc/hosts.deny #控制用户登陆的文件
PURGE_DENY = 4w  #过多久后清除已经禁止的IP,其中w代表周，d代表天，h代表小时，s代表秒，m代表分钟
BLOCK_SERVICE  = sshd #denyhosts所要阻止的服务名称
DENY_THRESHOLD_INVALID = 5 #允许无效用户登录失败的次数
DENY_THRESHOLD_VALID = 10 #允许普通用户登录失败的次数
DENY_THRESHOLD_ROOT = 1 #允许ROOT用户登录失败的次数
DENY_THRESHOLD_RESTRICTED = 1 #在失败次数后阻止每个主机登录尝试次数已超过此值。该值适用于只出现在 WORK_DIR/restricted-usernames 文件中的用户名。
WORK_DIR = /var/lib/denyhosts #denyhosts工作数据目录，将deny的host或ip记录到WORK_DIR中 
ETC_DIR = /etc
SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES
HOSTNAME_LOOKUP=NO #是否做域名反解 
LOCK_FILE = /var/lock/subsys/denyhosts #将DenyHost启动的pid记录到LOCK_FILE中，已确保服务正确启动，防止同时启动多个服务
       ############ THESE SETTINGS ARE OPTIONAL ############
ADMIN_EMAIL = root@localhost #设置管理员邮件地址  
SMTP_HOST = localhost 
SMTP_PORT = 25
SMTP_FROM = DenyHosts <nobody@localhost>
SMTP_SUBJECT = DenyHosts Report from $[HOSTNAME]
ALLOWED_HOSTS_HOSTNAME_LOOKUP=NO
AGE_RESET_VALID=5d #有效用户登录失败计数归零的时间
AGE_RESET_ROOT=25d #ROOT用户登录失败计数归零的时间
AGE_RESET_RESTRICTED=25d #用户的失败登录计数重置为0的时间
AGE_RESET_INVALID=10d #无效用户登录失败计数归零的时间
   ######### THESE SETTINGS ARE SPECIFIC TO DAEMON MODE  ##########
DAEMON_LOG = /var/log/denyhosts #denyhost服务日志文件
 
DAEMON_SLEEP = 30s
DAEMON_PURGE = 1h #该项与PURGE_DENY 设置成一样，也是清除hosts.deniedssh 用户的时间
   #########   THESE SETTINGS ARE SPECIFIC TO     ##########
   #########       DAEMON SYNCHRONIZATION         ##########
SYNC_UPLOAD = no
SYNC_DOWNLOAD = no

[root@centos opt]# grep -v ^# /etc/denyhosts.conf | grep -v  ^$
       ############ THESE SETTINGS ARE REQUIRED ############
SECURE_LOG = /var/log/secure
HOSTS_DENY = /etc/hosts.deny
PURGE_DENY = 5m
BLOCK_SERVICE  = sshd
DENY_THRESHOLD_INVALID = 8
DENY_THRESHOLD_VALID = 8
DENY_THRESHOLD_ROOT = 8
DENY_THRESHOLD_RESTRICTED = 8
WORK_DIR = /var/lib/denyhosts
ETC_DIR = /etc
SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES
HOSTNAME_LOOKUP=NO
LOCK_FILE = /var/lock/subsys/denyhosts
       ############ THESE SETTINGS ARE OPTIONAL ############
ADMIN_EMAIL = root@localhost
SMTP_HOST = localhost
SMTP_PORT = 25
SMTP_FROM = DenyHosts <nobody@localhost>
SMTP_SUBJECT = DenyHosts Report from $[HOSTNAME]
ALLOWED_HOSTS_HOSTNAME_LOOKUP=NO
AGE_RESET_VALID=3m
AGE_RESET_ROOT=3m
AGE_RESET_RESTRICTED=3m
AGE_RESET_INVALID=3m
   ######### THESE SETTINGS ARE SPECIFIC TO DAEMON MODE  ##########
DAEMON_LOG = /var/log/denyhosts
 
DAEMON_SLEEP =30s
DAEMON_PURGE = 5m
   #########   THESE SETTINGS ARE SPECIFIC TO     ##########
   #########       DAEMON SYNCHRONIZATION         ##########
SYNC_UPLOAD = no
SYNC_DOWNLOAD = no

systemctl enable denyhosts
systemctl start denyhosts

tail -f /var/log/denyhosts