CentOS5 安裝 DenyHosts 阻絕 ssh 暴力破解

DenyHosts 是透過登入失敗紀錄的來源 ip 來判別是否自動將此 ip 列入黑名單的工具.

安裝方式

先安裝好 rpmforge
透過 yum install 安裝 DenyHosts
```
yum install denyhosts
```

設定方式

vi /etc/denyhosts/denyhosts.cfg

:
# Redhat or Fedora Core:
SECURE_LOG = /var/log/secure
:
# Most operating systems:
HOSTS_DENY = /etc/hosts.deny
:
# never purge:
PURGE_DENY =
:
# To block only sshd:
BLOCK_SERVICE  = sshd
:
DENY_THRESHOLD_INVALID = 5
:
DENY_THRESHOLD_VALID = 10
:
DENY_THRESHOLD_ROOT = 1
:
DENY_THRESHOLD_RESTRICTED = 1
:
WORK_DIR = /usr/share/denyhosts/data
:
SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES
:
# Redhat/Fedora:
LOCK_FILE = /var/lock/subsys/denyhosts
:
#
# OPTIONAL Setting...
#
ADMIN_EMAIL = [email protected]
SMTP_HOST = localhost
SMTP_PORT = 25
#SMTP_USERNAME=foo
#SMTP_PASSWORD=bar
SMTP_FROM = DenyHosts <nobody@localhost>
SMTP_SUBJECT = DenyHosts Report
#SMTP_DATE_FORMAT = %a, %d %b %Y %H:%M:%S %z
:
SYSLOG_REPORT=YES
#ALLOWED_HOSTS_HOSTNAME_LOOKUP=NO
AGE_RESET_VALID=5d
AGE_RESET_ROOT=25d
AGE_RESET_RESTRICTED=25d
AGE_RESET_INVALID=10d
#RESET_ON_SUCCESS = yes
:
#
DAEMON_LOG = /var/log/denyhosts
#DAEMON_LOG_TIME_FORMAT = %b %d %H:%M:%S
#DAEMON_LOG_MESSAGE_FORMAT = %(asctime)s - %(name)-12s: %(levelname)-8s %(message)s
DAEMON_SLEEP = 30s
DAEMON_PURGE = 1h
:

啟動服務

啟動服務
```
service denyhosts start
```

檢查運作紀錄

tail -f /var/log/denyhosts

[root@xen-server ~]# tail -f /var/log/denyhosts
2012-09-18 15:35:31,685 - denyhosts   : INFO     Processing log file (/var/log/secure) from offset (0)
2012-09-18 15:35:32,042 - denyhosts   : INFO     new denied hosts: ['122.141.234.42', '49.238.238.37']
2012-09-18 15:35:32,146 - denyhosts   : INFO     launching DenyHosts daemon (version 2.6)...
2012-09-18 15:35:32,151 - denyhosts   : INFO     DenyHosts daemon is now running, pid: 17906
2012-09-18 15:35:32,152 - denyhosts   : INFO     send daemon process a TERM signal to terminate cleanly
2012-09-18 15:35:32,152 - denyhosts   : INFO       eg.  kill -TERM 17906
2012-09-18 15:35:32,209 - denyhosts   : INFO     monitoring log: /var/log/secure
2012-09-18 15:35:32,209 - denyhosts   : INFO     sync_time: 3600
2012-09-18 15:35:32,209 - denyhosts   : INFO     purging of /etc/hosts.deny is disabled
2012-09-18 15:35:32,210 - denyhosts   : INFO     denyhosts synchronization disabled

設定白名單

當出現不小心打錯密碼被列入黑名單後, 雖然手動去 /etc/hosts.deny 移除, 但不久又被 denyhosts 自動加回時, 需要處理的程序. Exp. 192.168.0.252 被列入黑名單..

vi /etc/hosts.allow

:
sshd:   192.168.0.252

這樣 192.168.0.252 雖然出現在 /etc/hosts.deny 但仍然可以透過 ssh 連入

參考網址

ssh, 安裝, 資安