Adding DenyHosts on a Linux VPS to stop SSH password brute-forcing (CentOS)

My server keeps getting people trying to log in over SSH. Emails arrive every day, and the IP addresses follow no pattern. Blocking them directly with iptables is inconvenient too; someone on hostloc said this tool is pretty good, so I looked up the relevant documentation and set it up on my own server!

The official DenyHosts website is: http://denyhosts.sourceforge.net

1. First check that the installed sshd supports tcp_wrappers (CentOS 5 builds do by default). DenyHosts works purely by appending entries to /etc/hosts.deny, so sshd must be linked against libwrap for those entries to have any effect; if the ldd output shows no libwrap line, nothing written to hosts.deny will affect sshd (upstream OpenSSH removed libwrap support in 6.7, so verify this on newer systems before going further). Then check the Python version, since DenyHosts is a Python program:

# ldd /usr/sbin/sshd | grep libwrap
[root@localhost 03]# python -V
Python 2.4.3 (CentOS 5.5 ships 2.4.3 by default)

2. Install DenyHosts

# cd /usr/local/src
# wget http://jaist.dl.sourceforge.net/sourceforge/denyhosts/DenyHosts-2.6.tar.gz
# tar zxf DenyHosts-2.6.tar.gz
# cd DenyHosts-2.6
# python setup.py install

Once the series of files has finished being written:

[root@fyhqy ~]# cd /usr/share/denyhosts/       // enter the denyhosts directory
[root@fyhqy denyhosts]# cp denyhosts.cfg-dist denyhosts.cfg   // make a copy of the config template as denyhosts.cfg
[root@fyhqy denyhosts]# vi denyhosts.cfg   // edit the main DenyHosts configuration file

The main DenyHosts configuration file

Only the main options below need to be set; the rest can be left at their defaults. One caveat before starting the daemon: with DENY_THRESHOLD_ROOT = 1 a single mistyped root password blocks the address it came from, so list your own address in WORK_DIR/allowed-hosts (one per line) first, because DenyHosts never blocks addresses in that file.

SECURE_LOG = /var/log/secure      // sshd log file that DenyHosts reads
HOSTS_DENY = /etc/hosts.deny      // file the blocked IPs are written to (read by tcp_wrappers)
PURGE_DENY = 30m                  // age after which a blocked IP is removed from hosts.deny (30 minutes here; leave empty to never purge)
BLOCK_SERVICE = sshd              // service name written into hosts.deny, i.e. "sshd: <ip>"
DENY_THRESHOLD_INVALID = 5        // failed logins allowed for invalid users (not listed in /etc/passwd)
DENY_THRESHOLD_VALID = 10         // failed logins allowed for existing non-root users
DENY_THRESHOLD_ROOT = 1           // failed logins allowed for root
DENY_THRESHOLD_RESTRICTED = 1     // failed logins allowed for usernames listed in WORK_DIR/restricted-usernames
WORK_DIR = /usr/share/denyhosts/data     // where DenyHosts keeps its state (denied hosts, counters, allowed-hosts list)
HOSTNAME_LOOKUP=no                // whether to reverse-resolve IPs to hostnames
LOCK_FILE = /var/lock/subsys/denyhosts   // pid of the running DenyHosts, so a second instance is not started alongside it
ADMIN_EMAIL = admin@fyhqy.com     // administrator address for reports
SMTP_HOST = localhost
SMTP_PORT = 25
SMTP_FROM = DenyHosts
SMTP_SUBJECT = DenyHosts Report
AGE_RESET_VALID=5d                // failure counters reset after this long without a new failure, per category
AGE_RESET_ROOT=25d
AGE_RESET_RESTRICTED=25d
AGE_RESET_INVALID=10d
DAEMON_LOG = /var/log/denyhosts   // DenyHosts' own log file
DAEMON_SLEEP = 30s                // how often the daemon re-reads SECURE_LOG
DAEMON_PURGE = 1h                 // how often the daemon looks for hosts.deny entries older than PURGE_DENY and removes them; with PURGE_DENY = 30m and DAEMON_PURGE = 1h a block actually lasts somewhere between 30 and 90 minutes
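To make the thresholds and purge timings above concrete, here is an added example in Python (not DenyHosts' own code) that applies the same rules to a few constructed /var/log/secure lines: it counts failed passwords per source address in the three categories (invalid user, existing user, root), reports an address as soon as it reaches its DENY_THRESHOLD_*, produces the two-line comment/rule form DenyHosts appends to /etc/hosts.deny (a timestamp comment plus the `sshd: <ip>` rule that tcp_wrappers reads), and purges entries older than PURGE_DENY the way each DAEMON_PURGE pass does. The hostname, pids and addresses in the sample lines are made up; the AGE_RESET and restricted-usernames rules are left out.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Values copied from the denyhosts.cfg above.
DENY_THRESHOLD_INVALID = 5      # user not in /etc/passwd
DENY_THRESHOLD_VALID = 10       # existing non-root user
DENY_THRESHOLD_ROOT = 1         # root
BLOCK_SERVICE = "sshd"
PURGE_DENY = timedelta(minutes=30)
THRESHOLDS = {"invalid": DENY_THRESHOLD_INVALID,
              "valid": DENY_THRESHOLD_VALID,
              "root": DENY_THRESHOLD_ROOT}

# Standard OpenSSH wording in /var/log/secure. "invalid user" is present only
# when the account does not exist, which is how the category is decided.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)")

# Constructed sample log (hostname, pids and addresses are made up).
SAMPLE_SECURE_LOG = [
    # five failures for a non-existent account from one address
    f"Mar 10 08:00:0{i} vps sshd[10{i}]: Failed password for invalid user "
    f"oracle from 203.0.113.7 port 4{i}000 ssh2" for i in range(5)
] + [
    # one typo by a real non-root user: well under DENY_THRESHOLD_VALID
    "Mar 10 08:01:00 vps sshd[200]: Failed password for admin from 198.51.100.2 port 51000 ssh2",
    # one root failure: already at DENY_THRESHOLD_ROOT
    "Mar 10 08:02:00 vps sshd[201]: Failed password for root from 192.0.2.9 port 52000 ssh2",
    # successful logins never count
    "Mar 10 08:03:00 vps sshd[202]: Accepted publickey for admin from 198.51.100.2 port 53000 ssh2",
]

def _category(user, invalid):
    if invalid:
        return "invalid"
    return "root" if user == "root" else "valid"

def scan_secure_log(lines):
    """Count failures per (address, category); return addresses in the order
    they first reach their threshold, i.e. when DenyHosts would block them."""
    counts = defaultdict(int)
    denied = []
    for line in lines:
        m = FAILED_RE.search(line)
        if not m:
            continue
        key = (m.group("ip"), _category(m.group("user"), m.group("invalid")))
        counts[key] += 1
        if counts[key] >= THRESHOLDS[key[1]] and key[0] not in denied:
            denied.append(key[0])
    return denied

STAMP_FMT = "%a %b %d %H:%M:%S %Y"

def hosts_deny_entry(ip, when):
    """The two lines per block: a timestamp comment (used for purging), then the rule."""
    return [f"# DenyHosts: {when.strftime(STAMP_FMT)} | {BLOCK_SERVICE}: {ip}",
            f"{BLOCK_SERVICE}: {ip}"]

def purge(hosts_deny, now):
    """Drop each comment/rule pair older than PURGE_DENY (what a DAEMON_PURGE pass
    does). Lines not written by DenyHosts, e.g. hand-written rules, are kept."""
    kept, i = [], 0
    while i < len(hosts_deny):
        line = hosts_deny[i]
        if line.startswith("# DenyHosts: "):
            stamp = datetime.strptime(line[len("# DenyHosts: "):].split(" | ")[0], STAMP_FMT)
            if now - stamp <= PURGE_DENY:
                kept.extend(hosts_deny[i:i + 2])
            i += 2
        else:
            kept.append(line)
            i += 1
    return kept

def blocked_ips(hosts_deny):
    """Addresses currently blocked for BLOCK_SERVICE in a hosts.deny listing."""
    prefix = f"{BLOCK_SERVICE}: "
    return [l[len(prefix):] for l in hosts_deny if l.startswith(prefix)]

def demo():
    """Returns (addresses denied by the scan, addresses still denied 43 minutes later)."""
    denied = scan_secure_log(SAMPLE_SECURE_LOG)
    first_block = datetime(2011, 3, 10, 8, 2, 0)
    hosts_deny = ["ALL: 192.0.2.100"]          # a hand-written rule that must survive the purge
    for n, ip in enumerate(denied):            # blocks 20 minutes apart
        hosts_deny += hosts_deny_entry(ip, first_block + timedelta(minutes=20 * n))
    later = first_block + timedelta(minutes=43)   # first entry is 43 min old, second 23 min
    return denied, blocked_ips(purge(hosts_deny, later))

if __name__ == "__main__":
    print("blocked by scan / still blocked after purge:", demo())
```

Running the file shows that the single root failure from 192.0.2.9 is enough to block it under DENY_THRESHOLD_ROOT = 1, while the one failure for `admin` is nowhere near DENY_THRESHOLD_VALID, and that an entry older than PURGE_DENY disappears at the next purge pass while hand-written rules in the same file are left alone.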

DenyHosts init script configuration

[root@fyhqy denyhosts]# cp daemon-control-dist daemon-control   // copy the init script template
[root@fyhqy denyhosts]# chown root daemon-control   // make the init script owned by root
[root@fyhqy denyhosts]# chmod 700 daemon-control   // mode 700: only root can read, write or execute it

Show the DenyHosts startup options

[root@fyhqy denyhosts]# ./daemon-control

You will then see the following parameters are available:

Usage: ./daemon-control {start [args...] | stop | restart [args...] | status | debug | condrestart [args...] }

For a list of valid 'args' refer to:
$ denyhosts.py --help

[root@fyhqy denyhosts]# ./daemon-control start  // start DenyHosts
 starting DenyHosts:    /usr/bin/env python /usr/bin/denyhosts.py --daemon --config=/usr/share/denyhosts/denyhosts.cfg  // the command line it was started with

Starting DenyHosts at boot

With chkconfig:

[root@fyhqy denyhosts]# ln -s /usr/share/denyhosts/daemon-control /etc/init.d/denyhosts   // create the symlink
[root@fyhqy denyhosts]# chkconfig --add denyhosts      // register the denyhosts service
[root@fyhqy denyhosts]# chkconfig  denyhosts on        // enable denyhosts at boot
[root@fyhqy denyhosts]# chkconfig --list denyhosts
denyhosts       0:off   1:off   2:on    3:on    4:on    5:on    6:off

Or add it to /etc/rc.local instead:

[root@fyhqy denyhosts]# vi /etc/rc.local

and append the start command as a line at the end:

/usr/share/denyhosts/daemon-control start

which is the same as running:

echo "/usr/share/denyhosts/daemon-control start" >> /etc/rc.local


7 comments
  1. d3 gold

    I've learned a few excellent things here. Certainly worth bookmarking for revisiting. I'm surprised how much effort you put into making this type of excellent informative site.

  2. buy wow gold

    I intended to send you a tiny remark in order to give thanks once again regarding the spectacular principles you've shared above. It is certainly surprisingly generous of you to grant openly precisely what a lot of people could have sold as an e-book to get some money for their own end, most notably given that you could have done it if you desired. These ideas in addition worked to provide an easy way to understand that the rest have similar dreams just as mine to understand more and more when it comes to this matter. I believe there are many more pleasant moments ahead for people who scan through your site.

  3. 广州摄影工作室

    This is well done!

  4. 拉菲红酒

    Basically I can't understand it.

  5. 象牙塔

    Not bad, bookmarked~

    1. 枫叶红秋雨

      @象牙塔 Haha! Your site is pretty good too!

  6. 九道食品

    I'll study this carefully; it's really useful.