DenyHosts介绍
当你的linux服务器暴露在外网当中时,服务器就极有可能会遭到互联网上的扫描软件进行扫描,然后试图连接ssh端口进行暴力破解(穷举扫描)。如果遇到这个问题,一款非常有用的工具DenyHosts可以阻止试图猜测SSH登录口令。DenyHosts是用Python写的一个程序,它会分析SSHD的日志文件(Redhat为/var/log/secure等),当发现同一IP在进行多次SSH密码尝试时就会记录IP到/etc/hosts.deny文件,从而达到自动屏蔽该IP的目的。
DenyHost的官方网址为http://denyhosts.sourceforge.net/ 官方的介绍如下:
What is DenyHosts?
DenyHosts is a Python script that analyzes the sshd server log messages to determine what hosts are attempting to hack into your system. It also determines what user accounts are being targeted. It keeps track of the frequency of attempts from each host.
Additionally, upon discovering a repeated attack host, the /etc/hosts.deny file is updated to prevent future break-in attempts from that host.
An email report can be sent to a system admin.
DenyHosts安装
1:下载DenyHosts安装包。
[root@mylnx04 ~]# wget http://imcat.in/down/DenyHosts-2.6.tar.gz
2:解压DenyHosts安装包
[root@mylnx04 ~]# tar -zxvf DenyHosts-2.6.tar.gz
3:开始DenyHosts的安装
安装DenyHosts前必须安装Python,当然现在绝大部分Linux主机应该都默认安装了Python。
[root@mylnx04 ~]# cd DenyHosts-2.6/
[root@mylnx04 DenyHosts-2.6]# python setup.py install
DenyHosts配置
1:复制配置文件denyhosts.cfg
[root@mylnx04 DenyHosts-2.6]# cp /usr/share/denyhosts/denyhosts.cfg-dist /usr/share/denyhosts/denyhosts.cfg
2:设置/usr/share/denyhosts/denyhosts.cfg相关参数.下面对主要的参数做一些介绍。
SECURE_LOG
sshd日志文件,如下所示,配置文件里面都有详细介绍。根本不用做详细介绍。
如果是Redhat/Fedora Core系统,记录sshd日志信息的是/var/log/secure日志文件。
如果是Mandrake, FreeBSD, OpenBSD系统,记录sshd 日志信息的是/var/log/auth.log日志文件
如果是SuSE系统,记录sshd日志信息的是/var/log/messages日志文件
.........................................
HOSTS_DENY = /etc/hosts.deny
控制用户登陆的文件(记录屏蔽的IP文件)。大部分操作系统为/etc/hosts.deny BSD Unix为/etc/hosts.allow
PURGE_DENY
多久清除屏蔽的IP的记录。
########################################################################
#
# PURGE_DENY: removed HOSTS_DENY entries that are older than this time
# when DenyHosts is invoked with the --purge flag
#
# format is: i[dhwmy]
# Where 'i' is an integer (eg. 7)
# 'm' = minutes #分钟
# 'h' = hours #小时
# 'd' = days #天
# 'w' = weeks #周
# 'y' = years #年
#
# never purge:
PURGE_DENY = #表示所有条目永远不删除(这里才是实际的设置)
#
# purge entries older than 1 week
#PURGE_DENY = 1w #表示删除记录超过一周的条目
#
# purge entries older than 5 days
#PURGE_DENY = 5d #表示删除记录超过5天的条目
#######################################################################
PURGE_THRESHOLD
定义某个host最多被清除几次。 超过PURGE_THRESHOLD值就不会被清理了。
#######################################################################
#
# PURGE_THRESHOLD: defines the maximum times a host will be purged.
# Once this value has been exceeded then this host will not be purged.
# Setting this parameter to 0 (the default) disables this feature.
#
# default: a denied host can be purged/re-added indefinitely
#PURGE_THRESHOLD = 0
#
# a denied host will be purged at most 2 times.
#PURGE_THRESHOLD = 2
#
#######################################################################
BLOCK_SERVICE 表示阻止的服务名。
默认为sshd,也可以设置FTP、SMPT等。
#######################################################################
#
# BLOCK_SERVICE: the service name that should be blocked in HOSTS_DENY
#
# man 5 hosts_access for details
#
# eg. sshd: 127.0.0.1 # will block sshd logins from 127.0.0.1
#
# To block all services for the offending host:
#BLOCK_SERVICE = ALL
# To block only sshd:
BLOCK_SERVICE = sshd #禁止的服务名,当然DenyHost不仅仅用于SSH服务,还可用于SMTP等等。
# To only record the offending host and nothing else (if using
# an auxilary file to list the hosts). Refer to:
# http://denyhosts.sourceforge.net/faq.html#aux
#BLOCK_SERVICE =
#
#######################################################################
DENY_THRESHOLD_INVALID
允许无效用户登录失败的次数
#######################################################################
#
# DENY_THRESHOLD_INVALID: block each host after the number of failed login
# attempts has exceeded this value. This value applies to invalid
# user login attempts (eg. non-existent user accounts)
#
DENY_THRESHOLD_INVALID = 1 #允许无效用户登录失败的次数
#
#######################################################################
DENY_THRESHOLD_VALID
允许有效(普通用户)用户登陆失败的次数
#######################################################################
#
# DENY_THRESHOLD_VALID: block each host after the number of failed
# login attempts has exceeded this value. This value applies to valid
# user login attempts (eg. user accounts that exist in /etc/passwd) except
# for the "root" user
#
DENY_THRESHOLD_VALID = 5 #允许普通用户登陆失败的次数
#
#######################################################################
DENY_THRESHOLD_ROOT
允许root登录失败的次数。
#######################################################################
#
# DENY_THRESHOLD_ROOT: block each host after the number of failed
# login attempts has exceeded this value. This value applies to
# "root" user login attempts only.
#
DENY_THRESHOLD_ROOT = 1 #允许root登陆失败的次数
#
#######################################################################
DENY_THRESHOLD_RESTRICTED 设定DenyHost 写入到该资料夹
#######################################################################
#
# DENY_THRESHOLD_RESTRICTED: block each host after the number of failed
# login attempts has exceeded this value. This value applies to
# usernames that appear in the WORK_DIR/restricted-usernames file only.
#
DENY_THRESHOLD_RESTRICTED = 1
#
#######################################################################
WORK_DIR
#######################################################################
#
# WORK_DIR: the path that DenyHosts will use for writing data to
# (it will be created if it does not already exist).
#
# Note: it is recommended that you use an absolute pathname
# for this value (eg. /home/foo/denyhosts/data)
#
WORK_DIR = /usr/share/denyhosts/data
#
#######################################################################
#######################################################################
#
# SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS
#
# SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES|NO
# If set to YES, if a suspicious login attempt results from an allowed-host
# then it is considered suspicious. If this is NO, then suspicious logins
# from allowed-hosts will not be reported. All suspicious logins from
# ip addresses that are not in allowed-hosts will always be reported.
#
SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES
######################################################################
######################################################################
#
# HOSTNAME_LOOKUP
#
# HOSTNAME_LOOKUP=YES|NO
# If set to YES, for each IP address that is reported by Denyhosts,
# the corresponding hostname will be looked up and reported as well
# (if available).
#
HOSTNAME_LOOKUP=YES
#
######################################################################
DAEMON_PURGE
表示DenyHosts在守护进程模式下运行的频率,运行清除机制清除HOSTS_DENY中的过期的记录
如果PURGE_DENY为空,这没有任何效果。
#######################################################################
#
# DAEMON_PURGE: How often should DenyHosts, when run in daemon mode,
# run the purge mechanism to expire old entries in HOSTS_DENY
# This has no effect if PURGE_DENY is blank.
#
DAEMON_PURGE = 1h
#
#######################################################################
#######################################################################
#
# ADMIN_EMAIL: if you would like to receive emails regarding newly
# restricted hosts and suspicious logins, set this address to
# match your email address. If you do not want to receive these reports
# leave this field blank (or run with the --noemail option)
#
# Multiple email addresses can be delimited by a comma, eg:
# ADMIN_EMAIL = foo@bar.com, bar@foo.com, etc@foobar.com
#
ADMIN_EMAIL =konglb@xxxx.com
#
#######################################################################
#######################################################################
#
# SMTP_HOST and SMTP_PORT: if DenyHosts is configured to email
# reports (see ADMIN_EMAIL) then these settings specify the
# email server address (SMTP_HOST) and the server port (SMTP_PORT)
#
#
SMTP_HOST = xxx.xxx.xxx.xxx
SMTP_PORT = 25
#
#######################################################################
#######################################################################
#
# SMTP_USERNAME and SMTP_PASSWORD: set these parameters if your
# smtp email server requires authentication
#
#SMTP_USERNAME=foo
#SMTP_PASSWORD=bar
#
######################################################################
#######################################################################
#
# SMTP_FROM: you can specify the "From:" address in messages sent
# from DenyHosts when it reports thwarted abuse attempts
#
SMTP_FROM = xxxx<xxxx@xxxxx.com>
#
#######################################################################
#######################################################################
#
# SMTP_SUBJECT: you can specify the "Subject:" of messages sent
# by DenyHosts when it reports thwarted abuse attempts
SMTP_SUBJECT = DenyHosts Report
#
######################################################################
######################################################################
#
# SMTP_DATE_FORMAT: specifies the format used for the "Date:" header
# when sending email messages.
#
# for possible values for this parameter refer to: man strftime
#
# the default:
#
#SMTP_DATE_FORMAT = %a, %d %b %Y %H:%M:%S %z
#
######################################################################
######################################################################
#
# SYSLOG_REPORT
#
# SYSLOG_REPORT=YES|NO
# If set to yes, when denied hosts are recorded the report data
# will be sent to syslog (syslog must be present on your system).
# The default is: NO
#
#SYSLOG_REPORT=NO
#
#SYSLOG_REPORT=YES
#
######################################################################
3: 从模板copydaemon-control并授予相关权限,然后设置Denyhosts开机自启动
[root@mylnx04 ~]# cp /usr/share/denyhosts/daemon-control-dist /usr/share/denyhosts/daemon-control
[root@mylnx04 ~]# chown root /usr/share/denyhosts/daemon-control
[root@mylnx04 ~]# chmod 755 /usr/share/denyhosts/daemon-control
[root@mylnx04 ~]# ln -s /usr/share/denyhosts/daemon-control /etc/init.d/denyhosts
[root@mylnx04 ~]# chkconfig --level 345 denyhosts on
4:启动或重启DenyHosts服务
#/sbin/service denyhosts restart
或
#service denyhosts restart
[root@mylnx04 ~]# service denyhosts start
starting DenyHosts: /usr/bin/env python /usr/bin/denyhosts.py --daemon --config=/usr/share/denyhosts/denyhosts.cfg
如果事态紧急,启动服务前建议执行命令:echo "" > /var/log/secure && service rsyslog restart 清空以前的日志并重启一下rsyslog 。否则,如果日志里面有大量记录的话,你要等非常久才能启动服务。
5:检查DenyHosts是否启动
[root@mylnx04 ~]# ps -ef | grep deny
下面是我遇到一台被人SSH扫描的主机,/etc/hosts.deny文件里面记录的信息。
DenyHosts测试
测试中也遇到一些小问题:
1: 设置PURGE_DENY = 5m,但是5分钟后,/etc/hosts.deny中的ip记录并没有被清除。其实这个也受参数DAEMON_PURGE影响。因为DAEMON_PURGE默认为1h,而DenyHosts在daemon mode的时候,解禁IP的时间以DAEMON_PURGE为准,默认是1小时。所以你最好将PURGE_DENY和DAEMON_PURGE设置成一致,另外你测试的值可能受DAEMON_SLEEP的影响,有所偏差。当然默认情况下DAEMON_SLEEP的值是很小的。
测试总结归纳
在实际环境中测试、验证了一下DenyHost。确实非常有效,但是使用DenyHost防止主机sshd被人爆破也是一个非常被动的方法,其实有更好的方法解决问题。例如配置堡垒机跳板机,只允许从堡垒机 跳板机通过ssh访问服务器。
参考资料:
