DenyHosts 黑白名单防 SSH 暴力破解
DenyHosts 黑白名单防 SSH 暴力破解
DenyHosts 是用 Python 编写的一个程序,它会分析 sshd 的日志文件(/var/log/secure),当发现来自同一来源的重复登录失败时,就把该 IP 写入 /etc/hosts.deny,从而实现自动屏蔽 IP。注意两点:(1) 这一机制依赖 tcp_wrappers(libwrap):只有 sshd 链接了 libwrap(或经由支持 tcp_wrappers 的 xinetd 启动)时,/etc/hosts.deny 才会生效,部署前可用 `ldd "$(command -v sshd)" | grep libwrap` 确认,否则写入 hosts.deny 不会阻断任何连接;(2) tcp_wrappers 先匹配 /etc/hosts.allow,命中即放行、不再查看 hosts.deny,所以 hosts.allow 里不能出现"放行所有来源"的规则(见下文黑白名单一节)。
官网下载DenyHosts
DenyHosts官网:http://denyhosts.sourceforge.net/
https://github.com/denyhosts/denyhosts
https://nchc.dl.sourceforge.net/project/denyhosts/denyhosts/2.10/denyhosts-2.10.zip
安装部署
yum安装
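# Install DenyHosts from EPEL on a RHEL/CentOS 7-style host.
# EPEL must be enabled in its own transaction: "yum install epel-release denyhosts" in one
# command fails because the denyhosts package is not visible until the EPEL repo file has
# been installed. (The original also misspelled the repo package as "repe-release".)
yum install -y epel-release
yum install -y denyhosts

# Enable at boot and start immediately; a separate "systemctl enable denyhosts.service"
# afterwards is redundant.
systemctl enable --now denyhosts.service

# Inspect the packaged unit. Expected content:
cat /usr/lib/systemd/system/denyhosts.service
#   [Unit]
#   Description=SSH log watcher
#   Before=sshd.service        # ordered before sshd, presumably so the deny list is
#                              # already being maintained when sshd accepts connections
#   [Service]
#   Type=forking
#   ExecStartPre=/bin/rm -f /var/run/denyhosts.pid   # clear a stale pid file from an unclean stop
#   ExecStart=/usr/bin/denyhosts.py --daemon --config=/etc/denyhosts.conf
#   PIDFile=/var/run/denyhosts.pid
#   [Install]
#   WantedBy=multi-user.target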
相关配置文件
$ rpm -ql denyhosts
## 计划任务、日志轮转(logrotate)以及 chkconfig / service 启动相关文件
/etc/cron.d/denyhosts
/etc/denyhosts.conf
/etc/logrotate.d/denyhosts
/etc/rc.d/init.d/denyhosts
/etc/sysconfig/denyhosts
/usr/bin/denyhosts-control
/usr/bin/denyhosts.py
## 工作目录(对应配置中的 WORK_DIR):存放 denyhosts 拒绝 / 允许的主机记录。其中 allowed-hosts 是白名单文件,
## 写入其中的 IP 不会被 denyhosts 封禁(管理来源应先加入这里);hosts* 为各类被拒绝主机的记录,offset 推测为日志读取位置。
/var/lib/denyhosts
/var/lib/denyhosts/allowed-hosts
/var/lib/denyhosts/allowed-warned-hosts
/var/lib/denyhosts/hosts
/var/lib/denyhosts/hosts-restricted
/var/lib/denyhosts/hosts-root
/var/lib/denyhosts/hosts-valid
/var/lib/denyhosts/offset
/var/lib/denyhosts/suspicious-logins
/var/lib/denyhosts/sync-hosts
/var/lib/denyhosts/users-hosts
/var/lib/denyhosts/users-invalid
/var/lib/denyhosts/users-valid
/var/log/denyhosts
denyhosts配置说明
############ THESE SETTINGS ARE REQUIRED ############
# Log file DenyHosts parses for sshd authentication failures
SECURE_LOG = /var/log/secure
# File the blocked addresses are written to (the tcp_wrappers deny list)
HOSTS_DENY = /etc/hosts.deny
# How long an entry stays in HOSTS_DENY before it is purged.
# Suffixes: w = weeks, d = days, h = hours, m = minutes, s = seconds
PURGE_DENY = 4w
# Service name DenyHosts writes into HOSTS_DENY (the tcp_wrappers daemon name)
BLOCK_SERVICE = sshd
# Failed logins allowed for user names that do not exist before the source is blocked
DENY_THRESHOLD_INVALID = 3
# Failed logins allowed for existing non-root users
DENY_THRESHOLD_VALID = 10
# Failed logins allowed for root
DENY_THRESHOLD_ROOT = 6
# Failed logins allowed for "restricted" user names (see AGE_RESET_RESTRICTED below).
# The original comment on this line described WORK_DIR by mistake.
DENY_THRESHOLD_RESTRICTED = 1
# Working directory holding the allowed/denied host records and the log offset.
# Put your own admin addresses in WORK_DIR/allowed-hosts so they can never be blocked.
WORK_DIR = /var/lib/denyhosts
# Report logins from hosts in the allowed-hosts list as suspicious
SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES
# Reverse-resolve attacker addresses to host names (one DNS lookup per source;
# NOTE(review): adds latency on busy hosts — consider NO)
HOSTNAME_LOOKUP=YES
# Lock file recording the daemon pid; used to confirm a clean start and to
# prevent a second instance from running at the same time
LOCK_FILE = /var/lock/subsys/denyhosts
############ THESE SETTINGS ARE OPTIONAL ############
# Administrator address that receives the reports
ADMIN_EMAIL = root
SMTP_HOST = localhost
SMTP_PORT = 25
SMTP_FROM = DenyHosts <nobody@localhost>
SMTP_SUBJECT = DenyHosts Report from $[HOSTNAME]
# Time after which the failure counter of a valid user is reset to 0
AGE_RESET_VALID=5d
# Time after which the failure counter for root is reset to 0
AGE_RESET_ROOT=25d
# Time after which the failure counter for restricted user names is reset to 0
# (list in /usr/share/denyhosts/restricted-usernames)
AGE_RESET_RESTRICTED=25d
# Time after which the failure counter of an invalid user is reset to 0
AGE_RESET_INVALID=10d
######### THESE SETTINGS ARE SPECIFIC TO DAEMON MODE ##########
# DenyHosts' own log file
DAEMON_LOG = /var/log/denyhosts
# Interval between two passes over SECURE_LOG
DAEMON_SLEEP = 30s
# Purge interval in daemon mode; keep it equal to PURGE_DENY
DAEMON_PURGE = 4w
黑白名单
]# cat /etc/hosts.allow
#
# hosts.allow   This file contains access rules which are used to
#               allow or deny connections to network services that
#               either use the tcp_wrappers library or that have been
#               started through a tcp_wrappers-enabled xinetd.
#
#               See 'man 5 hosts_options' and 'man 5 hosts_access'
#               for information on rule syntax.
#               See 'man tcpd' for information on tcp_wrappers
#
sshd:*.*.*.*   # 警告:此行放行所有 IPv4 来源。tcp_wrappers 先匹配 hosts.allow,命中即直接放行,
               # 不再查看 hosts.deny,因此这一行会让 DenyHosts 写入 /etc/hosts.deny 的封禁全部失效。
               # 应删除此行(未被任何规则匹配的连接默认就是放行的),hosts.allow 只用于放行可信的管理来源,
               # 例如 `sshd: 10.0.0.0/255.0.0.0`;也可把可信 IP 写入 WORK_DIR/allowed-hosts,让 DenyHosts 不封禁它们。

]# head -18 /etc/hosts.deny
#
# hosts.deny    This file contains access rules which are used to
#               deny connections to network services that either use
#               the tcp_wrappers library or that have been
#               started through a tcp_wrappers-enabled xinetd.
#
#               The rules in this file can also be set up in
#               /etc/hosts.allow with a 'deny' option instead.
#
#               See 'man 5 hosts_options' and 'man 5 hosts_access'
#               for information on rule syntax.
#               See 'man tcpd' for information on tcp_wrappers
#
# 以下为 DenyHosts 自动追加的封禁记录(带时间戳的注释行 + 一条 sshd: IP 规则):
# DenyHosts: Fri Jan  6 14:59:19 2023 | sshd: 200.148.153.172
sshd: 200.148.153.172
# DenyHosts: Fri Jan  6 14:59:19 2023 | sshd: 159.223.229.158
sshd: 159.223.229.158
# DenyHosts: Fri Jan  6 14:59:19 2023 | sshd: 41.79.235.36
编译安装
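# Build DenyHosts 2.6 from a source tarball (setup.py install).
# NOTE(review): the archive is fetched over plain HTTP from a third-party site and then
# installed as root, and 2.6 is older than the 2.10 release linked at the top of the page.
# Prefer the upstream archive; in any case export DENYHOSTS_SHA256 with the digest you
# obtained from upstream — the steps below refuse to unpack an archive that does not match.
# Every step is fatal on failure so a failed download is not followed by a stale install.
set -euo pipefail
: "${DENYHOSTS_SHA256:?set DENYHOSTS_SHA256 to the expected sha256 of DenyHosts-2.6.tar.gz}"

wget http://imcat.in/down/DenyHosts-2.6.tar.gz
du -sh DenyHosts-2.6.tar.gz
# Integrity gate: compare the downloaded file against the operator-supplied digest.
printf '%s  DenyHosts-2.6.tar.gz\n' "$DENYHOSTS_SHA256" | sha256sum -c -

tar xvf DenyHosts-2.6.tar.gz -C /usr/local/
cd /usr/local/DenyHosts-2.6/
python setup.py install

# Start from the shipped template; the daemon reads denyhosts.cfg, not the -dist file.
cp /usr/share/denyhosts/denyhosts.cfg-dist /usr/share/denyhosts/denyhosts.cfg

# Show the effective (non-comment, non-blank) settings. With the template the output is:
grep -E -v '^#|^$' /usr/share/denyhosts/denyhosts.cfg
#   ############ THESE SETTINGS ARE REQUIRED ############
#   SECURE_LOG = /var/log/secure
#   HOSTS_DENY = /etc/hosts.deny
#   PURGE_DENY = 1h
#   BLOCK_SERVICE = sshd
#   DENY_THRESHOLD_INVALID = 5
#   DENY_THRESHOLD_VALID = 10
#   DENY_THRESHOLD_ROOT = 1          # a single failed root login blocks the source for PURGE_DENY;
#                                    # whitelist your admin addresses in WORK_DIR/allowed-hosts first
#   DENY_THRESHOLD_RESTRICTED = 1
#   WORK_DIR = /usr/share/denyhosts/data
#   SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES
#   HOSTNAME_LOOKUP=YES
#   LOCK_FILE = /var/lock/subsys/denyhosts
#   ############ THESE SETTINGS ARE OPTIONAL ############
#   ADMIN_EMAIL =                    # empty: no report mail is sent
#   SMTP_HOST = localhost
#   SMTP_PORT = 25
#   SMTP_FROM = DenyHosts <nobody@localhost>
#   SMTP_SUBJECT = DenyHosts Report
#   AGE_RESET_VALID=5d
#   AGE_RESET_ROOT=25d
#   AGE_RESET_RESTRICTED=25d
#   AGE_RESET_INVALID=10d
#   ######### THESE SETTINGS ARE SPECIFIC TO DAEMON MODE ##########
#   DAEMON_LOG = /var/log/denyhosts
#   DAEMON_SLEEP = 30s
#   DAEMON_PURGE = 1h
#   ######### THESE SETTINGS ARE SPECIFIC TO ##########
#   ######### DAEMON SYNCHRONIZATION ##########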
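# Install the SysV control script shipped in the source tree and register the service.
cp /usr/share/denyhosts/daemon-control-dist /usr/share/denyhosts/daemon-control
# Root-owned and not writable by group/other (754): this script is executed as root at boot.
chown root /usr/share/denyhosts/daemon-control
chmod 754 /usr/share/denyhosts/daemon-control
# -f: re-running these steps must not fail on an already existing link.
ln -sf /usr/share/denyhosts/daemon-control /etc/init.d/denyhosts
# Start at boot in runlevels 3, 4 and 5.
chkconfig --level 345 denyhosts on
/sbin/service denyhosts start
/sbin/service denyhosts status
# Day-to-day control. Do not run "stop" as part of the install (the original sequence did
# restart → stop → status, which leaves the watcher down until the next boot):
#   /sbin/service denyhosts restart
#   /sbin/service denyhosts stop
#   /sbin/service denyhosts status
# Alternative to chkconfig: add the line below to /etc/rc.local. Use ONE of the two methods;
# with both, the daemon is started twice at boot (the second start presumably refused via LOCK_FILE).
#   /usr/share/denyhosts/daemon-control start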
denyhosts配置说明
############ THESE SETTINGS ARE REQUIRED ############
# Duration format is: i[dhwmy]
#   where i is an integer (eg. 7) and the suffix is
#   m = minutes, h = hours, d = days, w = weeks, y = years
# How long a blocked address stays in HOSTS_DENY before it is purged
PURGE_DENY = 50m
# File the blocked addresses are written to
HOSTS_DENY = /etc/hosts.deny
# Service name written into HOSTS_DENY
BLOCK_SERVICE = sshd
# Maximum number of times an address may be purged (unblocked): once an address has been
# blocked and purged this many times it is blocked permanently. Left empty here
# (presumably disabled — confirm against the comments in denyhosts.cfg-dist).
PURGE_THRESHOLD =
# Failed logins allowed for user names that do not exist
DENY_THRESHOLD_INVALID = 1
# Failed logins allowed for existing non-root users
DENY_THRESHOLD_VALID = 10
# Failed logins allowed for root
DENY_THRESHOLD_ROOT = 5
# Working directory for the denied/allowed host records.
# NOTE(review): the install steps elsewhere on this page use /usr/share/denyhosts/data;
# keep this consistent with where setup.py actually placed the data directory.
WORK_DIR = /usr/local/share/denyhosts/data
# Failed logins allowed for "restricted" user names
# (the original comment on this line described WORK_DIR by mistake)
DENY_THRESHOLD_RESTRICTED = 1
# Lock file recording the daemon pid; confirms a clean start and prevents a second instance
LOCK_FILE = /var/lock/subsys/denyhosts
# Reverse-resolve attacker addresses to host names (NO avoids one DNS lookup per source)
HOSTNAME_LOOKUP=NO
# Administrator mail address for reports; empty means no mail is sent
ADMIN_EMAIL =
# DenyHosts' own log file
DAEMON_LOG = /var/log/denyhosts
示例配置
# egrep -v '^#|^$' /usr/share/denyhosts/denyhosts.cfg
# Effective settings of the example configuration (comments and blank lines stripped).
############ THESE SETTINGS ARE REQUIRED ############
SECURE_LOG = /var/log/secure
HOSTS_DENY = /etc/hosts.deny
# Blocked addresses are purged after four weeks
PURGE_DENY = 4w
BLOCK_SERVICE = sshd
DENY_THRESHOLD_INVALID = 5
DENY_THRESHOLD_VALID = 10
# A single failed root login blocks the source for PURGE_DENY (four weeks);
# put your own admin addresses in WORK_DIR/allowed-hosts before enabling this
DENY_THRESHOLD_ROOT = 1
DENY_THRESHOLD_RESTRICTED = 1
WORK_DIR = /usr/share/denyhosts/data
SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES
# One reverse DNS lookup per blocked source; consider NO on busy hosts
HOSTNAME_LOOKUP=YES
LOCK_FILE = /var/lock/subsys/denyhosts
############ THESE SETTINGS ARE OPTIONAL ############
# Empty ADMIN_EMAIL: no report mail is sent, the SMTP_* values below are unused
ADMIN_EMAIL =
SMTP_HOST = localhost
SMTP_PORT = 25
SMTP_FROM = DenyHosts <nobody@localhost>
SMTP_SUBJECT = DenyHosts Report
AGE_RESET_VALID=5d
AGE_RESET_ROOT=25d
AGE_RESET_RESTRICTED=25d
AGE_RESET_INVALID=10d
######### THESE SETTINGS ARE SPECIFIC TO DAEMON MODE ##########
DAEMON_LOG = /var/log/denyhosts
DAEMON_SLEEP = 30s
# Keep equal to PURGE_DENY
DAEMON_PURGE = 4w
######### THESE SETTINGS ARE SPECIFIC TO ##########
######### DAEMON SYNCHRONIZATION ##########
一键安装脚本
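#!/bin/bash
#****************************************************************************************
# One-shot DenyHosts 2.6 installer for RHEL/CentOS hosts with SysV init.
# Author: wei
#
# Usage:  DENYHOSTS_SHA256=<expected sha256> bash install_denyhosts.sh
#
# The tarball is downloaded from a third-party object-storage bucket and installed as
# root, so the script refuses to unpack it unless its SHA-256 matches the digest the
# operator supplies (take it from the upstream release). Every step is fatal on failure:
# a silently failed wget or setup.py must not end with "安装成功!".
#****************************************************************************************
set -euo pipefail

. /etc/rc.d/init.d/functions

readonly TARBALL=DenyHosts-2.6.tar.gz
readonly TARBALL_URL=https://static-resource-1302962335.cos.ap-shanghai.myqcloud.com/DenyHosts-2.6.tar.gz
readonly SRC_DIR=/usr/local/DenyHosts-2.6
readonly SHARE_DIR=/usr/share/denyhosts

#######################################
# Download the source tarball if it is not already present and verify its digest.
# Globals:   TARBALL, TARBALL_URL, DENYHOSTS_SHA256 (read)
# Returns:   exits the script if the download fails or the digest does not match
#######################################
fetch_source() {
  : "${DENYHOSTS_SHA256:?set DENYHOSTS_SHA256 to the expected sha256 of $TARBALL}"
  [[ -f "$TARBALL" ]] || wget -O "$TARBALL" -- "$TARBALL_URL"
  # Refuse to unpack an archive that does not match the expected digest.
  printf '%s  %s\n' "$DENYHOSTS_SHA256" "$TARBALL" | sha256sum -c -
}

#######################################
# Unpack and install DenyHosts via setup.py, then install the SysV control script.
# Globals:   TARBALL, SRC_DIR, SHARE_DIR (read)
#######################################
install_files() {
  tar xf "$TARBALL" -C /usr/local/
  rm -f -- "$TARBALL"
  # Subshell so the caller's working directory is left untouched.
  (cd "$SRC_DIR" && python setup.py install)
  cp "$SHARE_DIR/daemon-control-dist" "$SHARE_DIR/daemon-control"
  # Root-owned and not writable by group/other: it runs as root at boot.
  chown root "$SHARE_DIR/daemon-control"
  chmod 754 "$SHARE_DIR/daemon-control"
  # -f so re-running the installer does not die on an existing link.
  ln -sf "$SHARE_DIR/daemon-control" /etc/init.d/denyhosts
}

#######################################
# Write the DenyHosts configuration.
# Globals:   SHARE_DIR (read)
# The quoted heredoc delimiter keeps the content literal (no shell expansion).
#######################################
write_config() {
  cat > "$SHARE_DIR/denyhosts.cfg" <<'EOF'
############ THESE SETTINGS ARE REQUIRED ############
SECURE_LOG = /var/log/secure
HOSTS_DENY = /etc/hosts.deny
PURGE_DENY = 4w
BLOCK_SERVICE = sshd
DENY_THRESHOLD_INVALID = 5
DENY_THRESHOLD_VALID = 10
DENY_THRESHOLD_ROOT = 1
DENY_THRESHOLD_RESTRICTED = 1
WORK_DIR = /usr/share/denyhosts/data
SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES
HOSTNAME_LOOKUP=YES
LOCK_FILE = /var/lock/subsys/denyhosts
############ THESE SETTINGS ARE OPTIONAL ############
ADMIN_EMAIL =
SMTP_HOST = localhost
SMTP_PORT = 25
SMTP_FROM = DenyHosts <nobody@localhost>
SMTP_SUBJECT = DenyHosts Report
AGE_RESET_VALID=5d
AGE_RESET_ROOT=25d
AGE_RESET_RESTRICTED=25d
AGE_RESET_INVALID=10d
######### THESE SETTINGS ARE SPECIFIC TO DAEMON MODE ##########
DAEMON_LOG = /var/log/denyhosts
DAEMON_SLEEP = 30s
DAEMON_PURGE = 4w
######### THESE SETTINGS ARE SPECIFIC TO ##########
######### DAEMON SYNCHRONIZATION ##########
EOF
}

#######################################
# Register the service for boot, start it and report the outcome.
# Returns:   non-zero (script exits) when the service is not running afterwards
#######################################
enable_service() {
  chkconfig --level 345 denyhosts on
  /sbin/service denyhosts restart
  # Explicit if/else: "status && ok || fail" would also run the failure branch if
  # the success action itself returned non-zero.
  if /sbin/service denyhosts status; then
    action "安装成功!"
  else
    action "安装失败!" false
  fi
}

#######################################
# Entry point; keeps the original function name so existing callers still work.
#######################################
install_package() {
  fetch_source
  install_files
  write_config
  enable_service
}

install_package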