denyhosts是python語言程序,借用tcp_wrapper程序來進行主機防護,它會自動把登陸失敗次數超出限制的主機ip加入到/etc/hosts.deny 藉此來屏蔽該主機。
程序官網地址:http://denyhosts.sourceforge.net/
1、安裝
tar -zxvf DenyHosts-2.6.tar.gz
cd DenyHosts-2.6
python2.7 setup.py install
默認是安裝到/usr/share/denyhosts目錄
2、配置
cd /usr/share/denyhosts/
cp denyhosts.cfg-dist denyhosts.cfg
vi denyhosts.cfg
配置文件相關參數
############ THESE SETTINGS ARE REQUIRED ############
SECURE_LOG = /var/log/secure
HOSTS_DENY = /etc/hosts.deny
PURGE_DENY = 1w #過多久後清除已經禁止的,其中w代表周,d代表天,h代表小時,s代表秒,m代表分鐘
BLOCK_SERVICE = sshd
DENY_THRESHOLD_INVALID = 3 #允許無效用戶失敗的次數
DENY_THRESHOLD_VALID = 5 #允許普通用戶登陸失敗的次數
DENY_THRESHOLD_ROOT = 5 #允許root登陸失敗的次數
DENY_THRESHOLD_RESTRICTED = 1
WORK_DIR = /usr/share/denyhosts/data
SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES
HOSTNAME_LOOKUP=YES
LOCK_FILE = /var/lock/subsys/denyhosts
############ THESE SETTINGS ARE OPTIONAL ############
ADMIN_EMAIL = [email protected] #若有ip被禁用發郵件通知
SMTP_HOST = localhost
SMTP_PORT = 25
SMTP_FROM = DenyHosts <192.168.0.1@localhost>
SMTP_SUBJECT = DenyHosts Report
AGE_RESET_VALID=1d #有效用戶登錄失敗計數歸零的時間
AGE_RESET_ROOT=1d #root用戶登錄失敗計數歸零的時間
AGE_RESET_RESTRICTED=1d
AGE_RESET_INVALID=10d #無效用戶登錄失敗計數歸零的時間
######### THESE SETTINGS ARE SPECIFIC TO DAEMON MODE ##########
DAEMON_LOG = /var/log/denyhosts
DAEMON_SLEEP = 30s
DAEMON_PURGE = 1h
3、設置啓動腳本
cp daemon-control-dist daemon-control
cp daemon-control-dist /etc/init.d/denyhost
chmod 700 /etc/init.d/denyhost
chkconfig --add denyhosts
chkconfig denyhosts on
啓動服務
/etc/init.d/denyhost start
denyhos使用
如果不想讓主機拒絕某一個ip,做法如下:
vi /etc/hosts.allow
sshd: 192.168.0.1 #允許192.168.0.1訪問該主機的ssh服務
如果想拒絕某一個ip同樣使用vi /etc/hosts.deny添加就Ok
遇到的錯誤
1、#service denyhost startstarting DenyHosts: /usr/bin/env python /usr/bin/denyhosts.py --daemon --config=/usr/share/denyhosts/denyhosts.cfg
python: can't open file '/usr/bin/denyhosts.py': [Errno 2] No such file or directory
這個錯誤很明顯是找不到'/usr/bin/denyhosts.py' 文件,使用which 找出文件的真實路徑,然後打開啓動腳本把默認的路徑替換掉即可。
vim /etc/init.d/denyhost
DENYHOSTS_BIN = "/usr/local/python27/bin/denyhosts.py"
DENYHOSTS_LOCK = "/var/lock/subsys/denyhosts"
DENYHOSTS_CFG = "/usr/share/denyhosts/denyhosts.cfg"
2、/etc/init.d/denyhost start
starting DenyHosts: /usr/bin/env python /usr/local/python27/bin/denyhosts.py --daemon --config=/usr/share/denyhosts/denyhosts.cfg
Traceback (most recent call last):
File "/usr/local/python27/bin/denyhosts.py", line 5, in ?
import DenyHosts.python_version
ImportError: No module named DenyHosts.python_version
錯誤顯示是找不到DenyHost的模塊,載入失敗。 這是由於系統上有兩個python版本引起的,此係統上默認rpm包安裝有python2.6 還有後面手動編譯的python2.7,我們上面是手動使用python2.7安裝Denyhost,所以該模塊也安裝在了python2.7下,然而系統默認使用的是python2.6。 解決的辦法就是:編輯啓動腳本,修改解釋器路徑爲python2.7即可。
下面用紅色標出已修改的行
#!/usr/local/python27/bin/python2.7
###############################################
#### Edit these to suit your configuration ####
###############################################
DENYHOSTS_BIN = "/usr/local/python27/bin/denyhosts.py"
DENYHOSTS_LOCK = "/var/lock/subsys/denyhosts"
DENYHOSTS_CFG = "/usr/share/denyhosts/denyhosts.cfg"
PYTHON_BIN = "/usr/local/python27/bin/python2.7"