denyhosts是python语言程序,借用tcp_wrapper程序来进行主机防护,它会自动把登陆失败次数超出限制的主机ip加入到/etc/hosts.deny 借此来屏蔽该主机。
程序官网地址:http://denyhosts.sourceforge.net/
1、安装
tar -zxvf DenyHosts-2.6.tar.gz
cd DenyHosts-2.6
python2.7 setup.py install
默认是安装到/usr/share/denyhosts目录
2、配置
cd /usr/share/denyhosts/
cp denyhosts.cfg-dist denyhosts.cfg
vi denyhosts.cfg
配置文件相关参数
############ THESE SETTINGS ARE REQUIRED ############
SECURE_LOG = /var/log/secure
HOSTS_DENY = /etc/hosts.deny
PURGE_DENY = 1w #过多久后清除已经禁止的,其中w代表周,d代表天,h代表小时,s代表秒,m代表分钟
BLOCK_SERVICE = sshd
DENY_THRESHOLD_INVALID = 3 #允许无效用户失败的次数
DENY_THRESHOLD_VALID = 5 #允许普通用户登陆失败的次数
DENY_THRESHOLD_ROOT = 5 #允许root登陆失败的次数
DENY_THRESHOLD_RESTRICTED = 1
WORK_DIR = /usr/share/denyhosts/data
SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES
HOSTNAME_LOOKUP=YES
LOCK_FILE = /var/lock/subsys/denyhosts
############ THESE SETTINGS ARE OPTIONAL ############
ADMIN_EMAIL = denyhosts@163.com #若有ip被禁用发邮件通知
SMTP_HOST = localhost
SMTP_PORT = 25
SMTP_FROM = DenyHosts <192.168.0.1@localhost>
SMTP_SUBJECT = DenyHosts Report
AGE_RESET_VALID=1d #有效用户登录失败计数归零的时间
AGE_RESET_ROOT=1d #root用户登录失败计数归零的时间
AGE_RESET_RESTRICTED=1d
AGE_RESET_INVALID=10d #无效用户登录失败计数归零的时间
######### THESE SETTINGS ARE SPECIFIC TO DAEMON MODE ##########
DAEMON_LOG = /var/log/denyhosts
DAEMON_SLEEP = 30s
DAEMON_PURGE = 1h
3、设置启动脚本
cp daemon-control-dist daemon-control
cp daemon-control-dist /etc/init.d/denyhost
chmod 700 /etc/init.d/denyhost
chkconfig --add denyhosts
chkconfig denyhosts on
启动服务
/etc/init.d/denyhost start
denyhos使用
如果不想让主机拒绝某一个ip,做法如下:
vi /etc/hosts.allow
sshd: 192.168.0.1 #允许192.168.0.1访问该主机的ssh服务
如果想拒绝某一个ip同样使用vi /etc/hosts.deny添加就Ok
遇到的错误
1、#service denyhost startstarting DenyHosts: /usr/bin/env python /usr/bin/denyhosts.py --daemon --config=/usr/share/denyhosts/denyhosts.cfg
python: can't open file '/usr/bin/denyhosts.py': [Errno 2] No such file or directory
这个错误很明显是找不到'/usr/bin/denyhosts.py' 文件,使用which 找出文件的真实路径,然后打开启动脚本把默认的路径替换掉即可。
vim /etc/init.d/denyhost
DENYHOSTS_BIN = "/usr/local/python27/bin/denyhosts.py"
DENYHOSTS_LOCK = "/var/lock/subsys/denyhosts"
DENYHOSTS_CFG = "/usr/share/denyhosts/denyhosts.cfg"
2、/etc/init.d/denyhost start
starting DenyHosts: /usr/bin/env python /usr/local/python27/bin/denyhosts.py --daemon --config=/usr/share/denyhosts/denyhosts.cfg
Traceback (most recent call last):
File "/usr/local/python27/bin/denyhosts.py", line 5, in ?
import DenyHosts.python_version
ImportError: No module named DenyHosts.python_version
错误显示是找不到DenyHost的模块,载入失败。 这是由于系统上有两个python版本引起的,此系统上默认rpm包安装有python2.6 还有后面手动编译的python2.7,我们上面是手动使用python2.7安装Denyhost,所以该模块也安装在了python2.7下,然而系统默认使用的是python2.6。 解决的办法就是:编辑启动脚本,修改解释器路径为python2.7即可。
下面用红色标出已修改的行
#!/usr/local/python27/bin/python2.7
###############################################
#### Edit these to suit your configuration ####
###############################################
DENYHOSTS_BIN = "/usr/local/python27/bin/denyhosts.py"
DENYHOSTS_LOCK = "/var/lock/subsys/denyhosts"
DENYHOSTS_CFG = "/usr/share/denyhosts/denyhosts.cfg"
PYTHON_BIN = "/usr/local/python27/bin/python2.7"
本文转自qw87112 51CTO博客,原文链接:http://blog.51cto.com/tchuairen/1709071
