DenyHosts的安装与配置Centos7/6
2021/4/27 7:25:07
本文主要是介绍DenyHosts的安装与配置Centos7/6,对大家解决编程问题具有一定的参考价值,需要的程序猿们随着小编来一起学习吧!
DenyHosts的安装与配置
- 使用DenyHosts避免密码暴力破解SSH
DenyHosts是一个python写的脚本,占用资源特别小,常用来限制SSH登陆,通过监控系统日志,将超过错误次数的IP放入TCP Wrappers中禁止登陆。UNIX Review杂志评选的2005年8月的月度工具。除了基础的屏蔽IP功能,还有邮件通知,插件,同步等功能。
安装
wget https://github.com/denyhosts/denyhosts/archive/v2.10.tar.gz tar xf v2.10.tar.gz cd denyhosts-2.10 python setup.py install
或者直接点击下载:denyhosts-2.10.tar.gz
下载完重命名为denyhosts-2.10.tar.gz
配置
##线上直接配置替换 sed -i 's#^SECURE_LOG.*#SECURE_LOG = /var/log/secure#' /etc/denyhosts.conf sed -i 's#^HOSTS_DENY.*#HOSTS_DENY = /etc/hosts.deny#' /etc/denyhosts.conf sed -i 's#^DENY_THRESHOLD_VALID.*#DENY_THRESHOLD_VALID = 5#' /etc/denyhosts.conf sed -i 's#^DENY_THRESHOLD_ROOT.*#DENY_THRESHOLD_ROOT = 5#' /etc/denyhosts.conf sed -i 's$IPTABLES = /sbin/iptables$#IPTABLES = /sbin/iptables$' /etc/denyhosts.conf sed -i 's$^ADMIN_EMAIL.*$ADMIN_EMAIL = $' /etc/denyhosts.conf
##完整的配置文件 cat > /etc/denyhosts.conf <<EOF SECURE_LOG = /var/log/secure HOSTS_DENY = /etc/hosts.deny PURGE_DENY = BLOCK_SERVICE = sshd DENY_THRESHOLD_INVALID = 5 DENY_THRESHOLD_VALID = 5 DENY_THRESHOLD_ROOT = 5 DENY_THRESHOLD_RESTRICTED = 1 WORK_DIR = /var/lib/denyhosts ETC_DIR = /etc SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES HOSTNAME_LOOKUP=NO LOCK_FILE = /var/run/denyhosts.pid ADMIN_EMAIL = SMTP_HOST = localhost SMTP_PORT = 25 SMTP_FROM = DenyHosts <nobody@localhost> SMTP_SUBJECT = DenyHosts Report ALLOWED_HOSTS_HOSTNAME_LOOKUP=NO AGE_RESET_VALID=5d AGE_RESET_ROOT=25d AGE_RESET_RESTRICTED=25d AGE_RESET_INVALID=10d DAEMON_LOG = /var/log/denyhosts DAEMON_SLEEP = 30s DAEMON_PURGE = 1h SYNC_UPLOAD = no SYNC_DOWNLOAD = no EOF
- 配置文件重要解析
#ssh 日志文件 #redhat系列根据/var/log/secure文件来判断 SECURE_LOG = /var/log/secure #控制用户登陆的文件,封禁的ip HOSTS_DENY = /etc/hosts.deny #默认情况下,永远不会清理长期被禁止的IP,建议保持默认 PURGE_DENY = #禁止的服务名,当然DenyHost不仅仅用于SSH服务 BLOCK_SERVICE = sshd #允许无效用户失败的次数 DENY_THRESHOLD_INVALID = 5 #允许普通用户登陆失败的次数 DENY_THRESHOLD_VALID = 5 #允许root登陆失败的次数 DENY_THRESHOLD_ROOT = 5 #默认情况下,会调用iptables禁止IP建立连接,可以关闭该功能,centos7 #IPTABLES = /sbin/iptables #默认情况下会发送email到root@localhost,可以关闭该功能 ADMIN_EMAIL =
修改白名单配置
# vi /etc/hosts.allow #sshd: ALL 注释掉sshd: ALL这一行 # sed -i '/^sshd: ALL/d' /etc/hosts.allow
centos7启动脚本
cp denyhosts.service /etc/systemd/system/ systemctl daemon-reload systemctl enable denyhosts systemctl start denyhosts
centos6启动脚本
cp daemon-control-dist /etc/init.d/denyhosts sed -i 's#/usr/sbin/denyhosts#/usr/bin/denyhosts.py#' /etc/init.d/denyhosts sed -i 's#/run/denyhosts.pid#/var/run/denyhosts.pid#' /etc/init.d/denyhosts /etc/init.d/denyhosts start chkconfig --add denyhosts chkconfig denyhosts on
解封IP
- 例如解封:192.168.1.160
方法一:
systemctl stop denyhosts ##/etc/init.d/denyhosts stop vi /etc/hosts.deny ###删除/etc/hosts.deny中相关IP cd /var/lib/denyhosts/ && find . -type f|xargs sed -i "/192.168.1.160/d" systemctl start denyhosts ##/etc/init.d/denyhosts start
方法二:
echo "sshd:192.168.1.160:allow" >>/etc/hosts.allow systemctl restart denyhosts ##/etc/init.d/denyhosts restart
这篇关于DenyHosts的安装与配置Centos7/6的文章就介绍到这儿,希望我们推荐的文章对大家有所帮助,也希望大家多多支持为之网!
- 2024-05-29Elasticsearch慢查询日志配置
- 2024-05-29揭秘华为如此多成功项目的产品关键——Charter模板
- 2024-05-29海外IDC业务拓展的7大挑战
- 2024-05-29InLine Chat功能优化对标Github Copilot,CodeGeeX带来更高效、更直观的编程体验!
- 2024-05-29CodeGeeX 智能编程助手 6 项功能升级,在Visual Studio插件市场霸榜2周!
- 2024-05-29AutoMQ 生态集成 Apache Doris
- 2024-05-292024年IDC行业的深度挖掘:机遇、挑战与未来展望
- 2024-05-29五款扩展组件齐发 —— Volcano、Keda、Crane-scheduler 等,邀你体验
- 2024-05-29AutoMQ 对象存储数据高效组织的秘密: Compaction
- 2024-05-29活动预告|来 GIAC 大会听大数据降本利器:AutoMQ 基于云原生重新设计的 Kafka
