DenyHosts installation and configuration explained
DenyHosts is a script written in Python that uses very few resources. It is commonly used to restrict SSH logins and stop SSH brute-force attempts: it monitors the system log and hands IPs that exceed the failure threshold to TCP Wrappers so they are denied login. Beyond basic IP blocking it also offers email notification, plugins and synchronization.
DenyHosts mainly works through tcp_wrappers, adding the IPs to be blocked to /etc/hosts.deny; it can also add iptables rules to block access from those IPs.
Note:
DenyHosts depends on tcp_wrappers, and the default sshd shipped with CentOS 8 (and some CentOS 7 systems with newer kernels) has had tcp_wrappers support removed. The result is that after DenyHosts adds a blocked IP to /etc/hosts.deny, that IP can still connect. Using DenyHosts on CentOS 8 and later is not really recommended.
To check whether the sshd on your server supports tcp_wrappers, see "Appendix 1: DenyHosts' dependency on tcp_wrappers".
With Python 2 you can use denyhosts-2 or denyhosts-3. With Python 3 you must use denyhosts-3, which added Python 3 support.
Official site:
Official site (old): http://www.denyhosts.net/
Official site (new): http://denyhosts.sourceforge.net/
Official downloads: https://sourceforge.net/projects/denyhosts/files/
Installation:
# cd /data/software
# wget https://versaweb.dl.sourceforge.net/project/denyhosts/denyhosts/3.0/denyhosts-3.0.tar.gz
# tar zxvf denyhosts-3.0.tar.gz
# cd denyhosts-3.0
# python setup.py install ## or python3 setup.py install
Configuration:
1. Edit the DenyHosts configuration to the following
# vim /etc/denyhosts.conf
# Redhat or Fedora Core:
SECURE_LOG = /var/log/secure
# Debian and Ubuntu
#SECURE_LOG = /var/log/auth.log
DENY_THRESHOLD_INVALID = 5
DENY_THRESHOLD_VALID = 20
DENY_THRESHOLD_ROOT = 10
DENY_THRESHOLD_RESTRICTED = 5
#IPTABLES = /sbin/iptables
#ADMIN_EMAIL = root@localhost
2. Configuration file explained
# ssh log file; on Red Hat family systems /var/log/secure is used
SECURE_LOG = /var/log/secure
# file that controls login access; blocked IPs are written here
HOSTS_DENY = /etc/hosts.deny
# by default, IPs that have been blocked for a long time are never purged; keeping the default is recommended
PURGE_DENY =
# the service to block; DenyHosts is not limited to the SSH service
BLOCK_SERVICE = sshd
# number of failed attempts allowed for invalid (non-existent) users
DENY_THRESHOLD_INVALID = 5
# number of failed attempts allowed for normal (existing) users
DENY_THRESHOLD_VALID = 20
# number of failed attempts allowed for root
DENY_THRESHOLD_ROOT = 10
# by default iptables is called to block the IP from connecting. iptables is disabled here for two reasons: first, a cloud security group is in use, so this feature is turned off; second, DenyHosts blocks the attacking IP entirely rather than restricting ip:port, which is far too broad. See "Appendix 3: DenyHosts blocks by IP".
#IPTABLES = /sbin/iptables
# by default email is sent to root@localhost; this feature can be turned off
#ADMIN_EMAIL =
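To make the threshold logic concrete, here is an added example (not DenyHosts' own code) that models how failed sshd logins in /var/log/secure are tallied per IP against DENY_THRESHOLD_INVALID, DENY_THRESHOLD_VALID and DENY_THRESHOLD_ROOT from the configuration above, and which hosts.deny entries result. The log lines are constructed, and the regex and counting are a simplification of DenyHosts' real parser.

```python
import re
from collections import defaultdict

# Thresholds from the /etc/denyhosts.conf shown above, keyed by failure category.
THRESHOLDS = {"invalid": 5,   # DENY_THRESHOLD_INVALID: non-existent user names
              "valid": 20,    # DENY_THRESHOLD_VALID: existing non-root users
              "root": 10}     # DENY_THRESHOLD_ROOT
BLOCK_SERVICE = "sshd"        # BLOCK_SERVICE: service name written to hosts.deny

# Matches the "Failed password" lines sshd writes to /var/log/secure.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+")

def classify(line):
    """Return (category, ip) for a failed-login line, else None."""
    m = FAILED_RE.search(line)
    if not m:
        return None
    if m.group("invalid"):
        return "invalid", m.group("ip")
    if m.group("user") == "root":
        return "root", m.group("ip")
    return "valid", m.group("ip")

def count_failures(lines):
    """Simplified tally of failures per (ip, category)."""
    counts = defaultdict(int)
    for line in lines:
        hit = classify(line)
        if hit:
            category, ip = hit
            counts[(ip, category)] += 1
    return counts

def hosts_deny_entries(lines):
    """Lines DenyHosts would append to /etc/hosts.deny for these log lines."""
    banned = {ip for (ip, cat), n in count_failures(lines).items()
              if n >= THRESHOLDS[cat]}
    return ["%s: %s" % (BLOCK_SERVICE, ip) for ip in sorted(banned)]

# Constructed sample log lines (documentation IP ranges, not a real host).
SAMPLE_LOG = (
    ["Dec  5 10:00:%02d host sshd[1000]: Failed password for invalid user admin "
     "from 203.0.113.5 port 4000 ssh2" % i for i in range(5)]
    + ["Dec  5 10:01:%02d host sshd[1001]: Failed password for root "
       "from 198.51.100.7 port 4100 ssh2" % i for i in range(9)]
    + ["Dec  5 10:02:00 host sshd[1002]: Failed password for alice "
       "from 192.0.2.9 port 4200 ssh2"])
```

With the sample, only 203.0.113.5 reaches its threshold (5 invalid-user failures); the 9 root failures from 198.51.100.7 stay one short of DENY_THRESHOLD_ROOT.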
Start on boot
CentOS 7 startup script
# cp /data/software/denyhosts-3.0/denyhosts.service /etc/systemd/system/
Check that the path to denyhosts.py is its actual location; if unsure, locate it with find / -name denyhosts.py. Normally no change is needed.
# vim /etc/systemd/system/denyhosts.service
[Unit]
Description=SSH log watcher
Before=sshd.service
[Service]
Type=forking
ExecStartPre=/bin/rm -f /var/run/denyhosts.pid
ExecStart=/usr/bin/denyhosts.py --daemon --config=/etc/denyhosts.conf
PIDFile=/var/run/denyhosts.pid
[Install]
WantedBy=multi-user.target
Enable at boot and start DenyHosts
Reload the boot configuration
# systemctl daemon-reload
Enable at boot
# systemctl enable denyhosts.service
Start DenyHosts
# systemctl start denyhosts.service
CentOS 6 startup script (untested)
# cp daemon-control-dist /etc/init.d/denyhosts
# sed -i 's#/usr/sbin/denyhosts#/usr/bin/denyhosts.py#' /etc/init.d/denyhosts
# sed -i 's#/run/denyhosts.pid#/var/run/denyhosts.pid#' /etc/init.d/denyhosts
# /etc/init.d/denyhosts start
# chkconfig --add denyhosts
# chkconfig denyhosts on
Testing IP blocking:
View /etc/hosts.deny; at this point hosts.deny is empty
# cat /etc/hosts.deny
#
# hosts.deny This file contains access rules which are used to
# deny connections to network services that either use
# the tcp_wrappers library or that have been
# started through a tcp_wrappers-enabled xinetd.
#
# The rules in this file can also be set up in
# /etc/hosts.allow with a 'deny' option instead.
#
# See 'man 5 hosts_options' and 'man 5 hosts_access'
# for information on rule syntax.
# See 'man tcpd' for information on tcp_wrappers
#
Try logging in several times, deliberately entering the wrong password.
At the end you can see ssh: connect to host 127.0.0.1 port 22: Connection timed out. The server has blocked logins from 127.0.0.1.
[root@66office ~]# ssh root@127.0.0.1
root@127.0.0.1's password:
Permission denied, please try again.
root@127.0.0.1's password:
Permission denied, please try again.
root@127.0.0.1's password:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
....
[root@66office ~]# ssh root@127.0.0.1
root@127.0.0.1's password:
Permission denied, please try again.
root@127.0.0.1's password:
Permission denied, please try again.
root@127.0.0.1's password:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
[root@66office ~]# ssh root@127.0.0.1
ssh: connect to host 127.0.0.1 port 22: Connection timed out
View /etc/hosts.deny again; 127.0.0.1 has now been added and is denied login
# cat /etc/hosts.deny
#
# hosts.deny This file contains access rules which are used to
# deny connections to network services that either use
# the tcp_wrappers library or that have been
# started through a tcp_wrappers-enabled xinetd.
#
# The rules in this file can also be set up in
# /etc/hosts.allow with a 'deny' option instead.
#
# See 'man 5 hosts_options' and 'man 5 hosts_access'
# for information on rule syntax.
# See 'man tcpd' for information on tcp_wrappers
#
sshd: 127.0.0.1
Unblocking an IP
Remove the IP to unblock from /etc/hosts.deny
# vi /etc/hosts.deny
Remove the DROP rules for that IP from iptables, if iptables is configured in /etc/denyhosts.conf. Here I have it turned off, so there is nothing to remove.
Remove the IP from DenyHosts' own records. Normally, removing the IP from /etc/hosts.deny and from iptables is enough to restore access. The reason to also remove it from DenyHosts' records is that otherwise one or two more failed attempts will get the IP banned again: DenyHosts still holds that IP's failure history, so a couple more attempts push it over the configured threshold again.
# cd /var/lib/denyhosts/ && find . -type f|xargs sed -i "/127.0.0.1/d"
Restart DenyHosts
# systemctl restart denyhosts ## or /etc/init.d/denyhosts restart
Appendix:
Appendix 1: DenyHosts' dependency on tcp_wrappers
http://denyhosts.sourceforge.net/ssh_config.html
The core of TCP Wrappers is the libwrap library; you can check whether the system supports it with the command below.
If you see output like the following, sshd was built with TCP Wrappers support. If nothing is printed, it was not; in that case you would need to remove the current ssh, download an older ssh release, and compile it by hand with TCP Wrappers enabled.
# ldd /usr/sbin/sshd | grep libwrap
libwrap.so.0 => /lib64/libwrap.so.0 (0x00007fc6590f1000)
https://fedoraproject.org/wiki/Changes/Deprecate_TCP_wrappers
Appendix 3: DenyHosts blocks by IP
You can see the rule DROP all -- 127.0.0.1 0.0.0.0/0: DenyHosts blocks by IP, which is too broad a scope.
# iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP all -- 127.0.0.1 0.0.0.0/0
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:67
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:67
————————————————
Statement: this article is original work by 66办公「66office.com」; reposting is welcome, please keep the link.