DenyHosts is a Python program that uses tcp_wrappers for host-level protection: it automatically adds the IP of any host whose failed-login count exceeds the configured limit to /etc/hosts.deny, and that host is refused from then on. Because the block lives in hosts.deny, it only takes effect for services that consult tcp_wrappers; sshd has to be linked against libwrap for this to work (OpenSSH removed tcp_wrappers support in 6.7, so a newer sshd ignores hosts.deny unless the distribution patched it back in).
Project home page: http://denyhosts.sourceforge.net/
1. Installation
tar -zxvf DenyHosts-2.6.tar.gz
cd DenyHosts-2.6
python2.7 setup.py install
The configuration templates and the data directory are installed to /usr/share/denyhosts by default. The DenyHosts module itself goes into the site-packages of whichever interpreter ran setup.py, and denyhosts.py into that interpreter's bin directory, so note which interpreter you used: the startup script has to point at it later.
2. Configuration
cd /usr/share/denyhosts/
cp denyhosts.cfg-dist denyhosts.cfg
vi denyhosts.cfg
The relevant parameters:
############ THESE SETTINGS ARE REQUIRED ############
SECURE_LOG = /var/log/secure #sshd log to watch; on Debian/Ubuntu this is /var/log/auth.log
HOSTS_DENY = /etc/hosts.deny #file DenyHosts appends blocked hosts to
PURGE_DENY = 1w #remove blocked entries after this long; w = weeks, d = days, h = hours, m = minutes, s = seconds
BLOCK_SERVICE = sshd #service name written in front of each blocked IP in hosts.deny (ALL would block every wrapped service)
DENY_THRESHOLD_INVALID = 3 #failed attempts allowed from one host for user names that do not exist
DENY_THRESHOLD_VALID = 5 #failed attempts allowed for existing non-root users
DENY_THRESHOLD_ROOT = 5 #failed attempts allowed for root
DENY_THRESHOLD_RESTRICTED = 1 #failed attempts allowed for user names listed in WORK_DIR/restricted-usernames
WORK_DIR = /usr/share/denyhosts/data #state files; an allowed-hosts file in this directory whitelists addresses DenyHosts must never block
SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES #still report failed logins that come from whitelisted hosts
HOSTNAME_LOOKUP=YES #reverse-resolve IPs in reports; one DNS lookup per entry, set NO on a busy host
LOCK_FILE = /var/lock/subsys/denyhosts
############ THESE SETTINGS ARE OPTIONAL ############
ADMIN_EMAIL = denyhosts@163.com #address notified when an IP is blocked; leave empty to disable mail
SMTP_HOST = localhost
SMTP_PORT = 25
SMTP_FROM = DenyHosts <192.168.0.1@localhost> #sender address shown on the notification mail (the dist default is nobody@localhost)
SMTP_SUBJECT = DenyHosts Report
AGE_RESET_VALID=1d #time after which a valid user's failure count is reset to zero
AGE_RESET_ROOT=1d #time after which root's failure count is reset to zero
AGE_RESET_RESTRICTED=1d #same for restricted user names
AGE_RESET_INVALID=10d #time after which an invalid user name's failure count is reset to zero
######### THESE SETTINGS ARE SPECIFIC TO DAEMON MODE ##########
DAEMON_LOG = /var/log/denyhosts #log written by the daemon itself
DAEMON_SLEEP = 30s #how often the daemon re-reads SECURE_LOG
DAEMON_PURGE = 1h #how often it looks for hosts.deny entries older than PURGE_DENY
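To make the three DENY_THRESHOLD_* values concrete, here is an added Python example (not DenyHosts' own code) that applies them to a few constructed /var/log/secure lines and shows which addresses would be appended to hosts.deny. It only recognises "Failed password" lines, treats reaching the threshold as the trigger, and ignores the AGE_RESET_* windows; real DenyHosts matches several more sshd message variants. The log lines, addresses and the allowed-hosts list are all made up for the example.

```python
# Added example, not DenyHosts' own code: apply the DENY_THRESHOLD_* values
# from denyhosts.cfg to constructed /var/log/secure lines and show which
# addresses would end up in /etc/hosts.deny.  Real DenyHosts recognises more
# sshd message variants and also applies the AGE_RESET_* windows; this only
# counts "Failed password" lines.
import re
from collections import Counter

# Values copied from the configuration above.
BLOCK_SERVICE = "sshd"
THRESHOLDS = {
    "invalid": 3,   # DENY_THRESHOLD_INVALID: user name does not exist
    "valid": 5,     # DENY_THRESHOLD_VALID:   existing non-root user
    "root": 5,      # DENY_THRESHOLD_ROOT:    root
}

INVALID_RE = re.compile(r"Failed password for invalid user (\S+) from (\S+)")
VALID_RE = re.compile(r"Failed password for (?!invalid user )(\S+) from (\S+)")


def classify(line):
    """Return (category, user, ip) for a failed-login line, or None."""
    m = INVALID_RE.search(line)
    if m:
        return "invalid", m.group(1), m.group(2)
    m = VALID_RE.search(line)
    if m:
        user, ip = m.groups()
        return ("root" if user == "root" else "valid"), user, ip
    return None


def hosts_to_deny(lines, allowed_hosts=()):
    """Count failures per (ip, category) and return the sorted list of IPs
    that reached a threshold, skipping anything in WORK_DIR/allowed-hosts."""
    counts = Counter()
    for line in lines:
        hit = classify(line)
        if hit is not None:
            category, _user, ip = hit
            counts[(ip, category)] += 1
    denied = {ip for (ip, category), n in counts.items()
              if n >= THRESHOLDS[category] and ip not in allowed_hosts}
    return sorted(denied)


def hosts_deny_entries(ips):
    """Lines in the form DenyHosts appends to HOSTS_DENY."""
    return ["%s: %s" % (BLOCK_SERVICE, ip) for ip in ips]


# Constructed sample log (not real traffic).  203.0.113.5 fails three times
# against non-existent users, 198.51.100.7 fails four times as root (below
# DENY_THRESHOLD_ROOT) and once as bob, and 192.168.0.1 is the admin
# workstation that is listed in allowed-hosts.
SAMPLE_SECURE_LOG = [
    "Jan 10 10:00:01 host sshd[1001]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2",
    "Jan 10 10:00:02 host sshd[1002]: Failed password for invalid user oracle from 203.0.113.5 port 40002 ssh2",
    "Jan 10 10:00:03 host sshd[1003]: Failed password for invalid user test from 203.0.113.5 port 40003 ssh2",
    "Jan 10 10:01:00 host sshd[1010]: Failed password for root from 198.51.100.7 port 50001 ssh2",
    "Jan 10 10:01:01 host sshd[1011]: Failed password for root from 198.51.100.7 port 50002 ssh2",
    "Jan 10 10:01:02 host sshd[1012]: Failed password for root from 198.51.100.7 port 50003 ssh2",
    "Jan 10 10:01:03 host sshd[1013]: Failed password for root from 198.51.100.7 port 50004 ssh2",
    "Jan 10 10:01:04 host sshd[1014]: Failed password for bob from 198.51.100.7 port 50005 ssh2",
    "Jan 10 10:02:00 host sshd[1020]: Failed password for invalid user admin from 192.168.0.1 port 60001 ssh2",
    "Jan 10 10:02:01 host sshd[1021]: Failed password for invalid user admin from 192.168.0.1 port 60002 ssh2",
    "Jan 10 10:02:02 host sshd[1022]: Failed password for invalid user admin from 192.168.0.1 port 60003 ssh2",
    "Jan 10 10:02:03 host sshd[1023]: Accepted publickey for bob from 198.51.100.7 port 50006 ssh2",
]
ALLOWED_HOSTS = {"192.168.0.1"}

if __name__ == "__main__":
    for entry in hosts_deny_entries(hosts_to_deny(SAMPLE_SECURE_LOG, ALLOWED_HOSTS)):
        print(entry)
```

Note that the invalid-user count is per source host, not per user name, which is why three different non-existent names from 203.0.113.5 add up to a block while four root failures from 198.51.100.7 stay one short of DENY_THRESHOLD_ROOT.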
3. Set up the startup script
cp daemon-control-dist daemon-control
cp daemon-control-dist /etc/init.d/denyhosts
chmod 700 /etc/init.d/denyhosts
chkconfig --add denyhosts
chkconfig denyhosts on
Use one name everywhere: the file under /etc/init.d, the name passed to chkconfig (chkconfig --add fails if no script of that name exists there) and the lock file name in DENYHOSTS_LOCK (/var/lock/subsys/denyhosts), which the rc scripts use to decide whether to stop the daemon at shutdown.
Start the service:
/etc/init.d/denyhosts start
Using DenyHosts
To make sure a particular IP is never refused by this host:
vi /etc/hosts.allow
sshd: 192.168.0.1 #allow 192.168.0.1 to reach this host's ssh service
tcp_wrappers consults /etc/hosts.allow before /etc/hosts.deny, so an entry here wins even after DenyHosts has written the same address to hosts.deny. To also stop DenyHosts from ever adding the address (and mailing about it), list it in /usr/share/denyhosts/data/allowed-hosts, one address per line, and restart the daemon so the file is re-read. Do this for the addresses you administer from before switching DenyHosts on; otherwise a few typos in your own password are enough to lock you out.
To refuse an IP yourself, add the same kind of line with vi /etc/hosts.deny.
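The precedence between the two files is easy to get wrong, so here is an added Python emulation of the decision libwrap makes for a connection (example code, not part of DenyHosts or tcp_wrappers). It handles daemon lists, ALL, exact addresses, net/mask patterns and trailing-dot prefixes; EXCEPT clauses, host names and the optional third field are left out. The two file contents are constructed for the example, including the "# DenyHosts: ..." marker lines DenyHosts writes before each entry.

```python
# Added example, not part of DenyHosts or tcp_wrappers: a small emulation of
# the access decision libwrap makes, enough to show that a hosts.allow entry
# beats a DenyHosts entry in hosts.deny.  Handles daemon lists, ALL, exact
# addresses, "net/mask" and trailing-dot prefixes; EXCEPT clauses, host
# names and option fields are not implemented.
import ipaddress
import re


def parse_access_file(text):
    """Parse hosts.allow/hosts.deny text into (daemon_list, client_list) rules.
    Comment lines, such as the '# DenyHosts: ...' markers, are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, _sep, clients = line.partition(":")
        rules.append((re.split(r"[\s,]+", daemons.strip()),
                      re.split(r"[\s,]+", clients.strip())))
    return rules


def client_matches(pattern, ip):
    """Match one client pattern against a dotted-quad client address."""
    if pattern == "ALL":
        return True
    if "/" in pattern:                      # 192.168.0.0/255.255.255.0
        net, mask = pattern.split("/", 1)
        return ipaddress.ip_address(ip) in ipaddress.ip_network(
            "%s/%s" % (net, mask), strict=False)
    if pattern.endswith("."):               # 192.168.0.
        return ip.startswith(pattern)
    return ip == pattern


def rules_match(rules, daemon, ip):
    """True if any rule names this daemon (or ALL) and matches the client."""
    return any(
        any(d in ("ALL", daemon) for d in daemons)
        and any(client_matches(c, ip) for c in clients)
        for daemons, clients in rules)


def access_decision(hosts_allow, hosts_deny, daemon, ip):
    """'allow' or 'deny' in tcp_wrappers order: hosts.allow is consulted first
    and a match grants access; then hosts.deny; no match anywhere means allow."""
    if rules_match(parse_access_file(hosts_allow), daemon, ip):
        return "allow"
    if rules_match(parse_access_file(hosts_deny), daemon, ip):
        return "deny"
    return "allow"


# Constructed files: the admin address is whitelisted in hosts.allow even
# though DenyHosts has already written it to hosts.deny.
HOSTS_ALLOW = "sshd: 192.168.0.1\n"
HOSTS_DENY = (
    "# DenyHosts: Tue Jan 10 10:05:00 2012 | sshd: 203.0.113.5\n"
    "sshd: 203.0.113.5\n"
    "# DenyHosts: Tue Jan 10 10:05:00 2012 | sshd: 192.168.0.1\n"
    "sshd: 192.168.0.1\n"
)

if __name__ == "__main__":
    for ip in ("192.168.0.1", "203.0.113.5", "198.51.100.7"):
        print(ip, access_decision(HOSTS_ALLOW, HOSTS_DENY, "sshd", ip))
```

Two consequences worth keeping in mind: a "sshd:" entry in hosts.deny does nothing for other wrapped daemons, and a catch-all "ALL: ALL" in hosts.deny turns the files into a whitelist where only what hosts.allow names gets in.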
Errors encountered
1. # service denyhosts start
starting DenyHosts: /usr/bin/env python /usr/bin/denyhosts.py --daemon --config=/usr/share/denyhosts/denyhosts.cfg
python: can't open file '/usr/bin/denyhosts.py': [Errno 2] No such file or directory
The message is clear: '/usr/bin/denyhosts.py' does not exist. setup.py put denyhosts.py into the bin directory of the interpreter that ran it; locate it with which (or look under that interpreter's bin directory), then open the startup script and replace the default path.
vim /etc/init.d/denyhosts
DENYHOSTS_BIN = "/usr/local/python27/bin/denyhosts.py"
DENYHOSTS_LOCK = "/var/lock/subsys/denyhosts"
DENYHOSTS_CFG = "/usr/share/denyhosts/denyhosts.cfg"
2. /etc/init.d/denyhosts start
starting DenyHosts: /usr/bin/env python /usr/local/python27/bin/denyhosts.py --daemon --config=/usr/share/denyhosts/denyhosts.cfg
Traceback (most recent call last):
File "/usr/local/python27/bin/denyhosts.py", line 5, in ?
import DenyHosts.python_version
ImportError: No module named DenyHosts.python_version
The DenyHosts module cannot be found. The cause is two Python installations on the system: the rpm-installed python2.6 that /usr/bin/env python resolves to, and the hand-built python2.7 under /usr/local/python27. DenyHosts was installed with python2.7, so its module lives in python2.7's site-packages, while the startup script still runs denyhosts.py with the default python2.6. The fix is to edit the startup script so that both its own interpreter line and PYTHON_BIN point at python2.7.
The changed lines are the interpreter line at the top and the DENYHOSTS_BIN and PYTHON_BIN paths:
#!/usr/local/python27/bin/python2.7
###############################################
#### Edit these to suit your configuration ####
###############################################
DENYHOSTS_BIN = "/usr/local/python27/bin/denyhosts.py"
DENYHOSTS_LOCK = "/var/lock/subsys/denyhosts"
DENYHOSTS_CFG = "/usr/share/denyhosts/denyhosts.cfg"
PYTHON_BIN = "/usr/local/python27/bin/python2.7"
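Both failures above come from paths in the startup script that do not match the machine, and both only show up at the first start. The following added Python preflight (example code, not part of DenyHosts) reads the quoted path assignments out of daemon-control and checks each one, including whether the interpreter PYTHON_BIN names can import DenyHosts.python_version, the import on line 5 of denyhosts.py that produced the traceback. The sample script text is a constructed copy of the edited section; the function names and the `module` parameter are this example's own.

```python
# Added example, not part of DenyHosts: read the path variables out of the
# init script and check each one before running `service denyhosts start`,
# so that the two failures above (missing denyhosts.py, wrong interpreter)
# are reported up front instead of as a traceback.
import os
import re
import shutil
import subprocess

ASSIGN_RE = re.compile(
    r'^(DENYHOSTS_BIN|DENYHOSTS_CFG|DENYHOSTS_LOCK|PYTHON_BIN)\s*=\s*"([^"]*)"',
    re.MULTILINE)


def parse_daemon_control(text):
    """Return the quoted NAME = "value" assignments found in daemon-control."""
    return dict(ASSIGN_RE.findall(text))


def preflight(settings, module="DenyHosts.python_version"):
    """Return a list of problems; an empty list means the script would start.
    `module` is the first import denyhosts.py performs (see the traceback)."""
    problems = []
    for key in ("DENYHOSTS_BIN", "DENYHOSTS_CFG"):
        path = settings.get(key, "")
        if not os.path.isfile(path):
            problems.append("%s: %r is not a file" % (key, path))
    # PYTHON_BIN may be a bare interpreter path or "/usr/bin/env python",
    # the dist default; shutil.which resolves either first word.
    command = settings.get("PYTHON_BIN", "").split()
    if not command or shutil.which(command[0]) is None:
        problems.append("PYTHON_BIN: %r not found" % settings.get("PYTHON_BIN", ""))
        return problems
    # Run the same import denyhosts.py does, with the interpreter the init
    # script will actually use; a second Python install is what broke it above.
    proc = subprocess.run(command + ["-c", "import " + module],
                          capture_output=True, text=True)
    if proc.returncode != 0:
        last = (proc.stderr.strip().splitlines() or ["(no output)"])[-1]
        problems.append("PYTHON_BIN %s cannot import %s: %s"
                        % (" ".join(command), module, last))
    return problems


# Constructed copy of the edited section of /etc/init.d/denyhosts.
SAMPLE_DAEMON_CONTROL = '''#!/usr/local/python27/bin/python2.7
DENYHOSTS_BIN = "/usr/local/python27/bin/denyhosts.py"
DENYHOSTS_LOCK = "/var/lock/subsys/denyhosts"
DENYHOSTS_CFG = "/usr/share/denyhosts/denyhosts.cfg"
PYTHON_BIN = "/usr/local/python27/bin/python2.7"
'''

if __name__ == "__main__":
    for problem in preflight(parse_daemon_control(SAMPLE_DAEMON_CONTROL)) or ["ok"]:
        print(problem)
```

Run it on the real file with `preflight(parse_daemon_control(open("/etc/init.d/denyhosts").read()))`; an empty list means the three paths exist and the interpreter named in PYTHON_BIN is the one DenyHosts was installed into.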