1. DenyHosts介紹
DenyHosts是用Python語言寫的一個程序,它會分析sshd的日誌文件(/var/log/secure),當發現重復的攻擊時就會把IP記錄到/etc/hosts.deny文件,從而達到自動屏蔽IP的功能。
DenyHosts官方網站爲:http://denyhosts.sourceforge.net
2. 安裝DenyHosts
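# Download the DenyHosts 2.6 source tarball, verify it, unpack it and install.
# The steps are chained with && so that a failed download or a digest
# mismatch stops the sequence before anything is unpacked or run as root.
# NOTE(review): 2.6 is an old upstream release; check whether your
# distribution ships a maintained package before installing from source.

# Placeholder, not a real digest: replace it with the archive's SHA-256
# obtained from a source you trust, otherwise the check below fails.
expected_sha256="REPLACE_WITH_TRUSTED_SHA256"

# The URL now carries an explicit https:// scheme (without one, wget falls
# back to plain http), and -O pins the local file name across redirects.
wget -O DenyHosts-2.6.tar.gz \
    "https://downloads.sourceforge.net/project/denyhosts/denyhosts/2.6/DenyHosts-2.6.tar.gz" \
  && printf '%s  %s\n' "$expected_sha256" "DenyHosts-2.6.tar.gz" | sha256sum -c - \
  && tar -xzf DenyHosts-2.6.tar.gz \
  && cd DenyHosts-2.6 \
  && python setup.py install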
DenyHosts默認安裝到/usr/share/denyhosts目錄
3. 配置
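# Create the working configuration from the shipped template and open it
# for editing. Chained with && so the copy never runs in the wrong directory
# if the cd fails (for example when the install step did not complete).
cd /usr/share/denyhosts/ \
  && cp denyhosts.cfg-dist denyhosts.cfg \
  && vim denyhosts.cfg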
修改如下:
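# DenyHosts settings changed from the shipped template (denyhosts.cfg).
# Comments are kept on their own lines: text after a value on the same line
# may be read as part of the value (NOTE(review): confirm against the parser
# of your DenyHosts version).

# How long an address stays blocked before it is purged from HOSTS_DENY.
# With 1h an attacker can resume after an hour; lengthen it if that is too short.
PURGE_DENY = 1h

# File that blocked addresses are written to.
# NOTE(review): this only blocks logins if the running sshd honours
# tcp_wrappers (/etc/hosts.deny); verify that on your system.
HOSTS_DENY = /etc/hosts.deny

# Service name written in front of each blocked address.
BLOCK_SERVICE = sshd

# Failed logins tolerated for user names that do not exist on the system.
# With 1, a single mistyped user name blocks the source address, so keep
# trusted management addresses in /etc/hosts.allow to avoid locking yourself out.
DENY_THRESHOLD_INVALID = 1

# Failed logins tolerated for existing (non-root) users.
DENY_THRESHOLD_VALID = 10

# Failed logins tolerated for root.
DENY_THRESHOLD_ROOT = 5

# Directory where DenyHosts keeps its record of denied hosts/addresses.
WORK_DIR = /usr/share/denyhosts/data

# Failed logins tolerated for restricted user names.
# The original note here repeated the WORK_DIR description; presumably this
# applies to names listed in a restricted-usernames file under WORK_DIR (confirm).
DENY_THRESHOLD_RESTRICTED = 1

# The PID of the running DenyHosts daemon is recorded here, so the service
# starts correctly and several instances are not started at the same time.
LOCK_FILE = /var/lock/subsys/denyhosts

# Whether to do reverse DNS lookups on offending addresses.
HOSTNAME_LOOKUP=NO

# Administrator mail address for reports; left empty here, so presumably
# no mail notification is sent when a host is blocked.
ADMIN_EMAIL =

# DenyHosts' own log file.
DAEMON_LOG = /var/log/denyhosts

# Set to the same value as PURGE_DENY; per the original note this is also
# the time after which blocked hosts are cleared.
DAEMON_PURGE = 1h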
4. 設置啓動腳本
使DenyHosts每次重啓後自動啓動:
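# Install the init script and enable DenyHosts at boot (SysV init / chkconfig).
# The cd makes this step independent of the shell's current directory, and the
# && chain stops at the first failure instead of registering a broken service.
# daemon-control is executed as root at boot, so it is made root-owned and
# inaccessible to other users before it is linked into /etc/init.d.
cd /usr/share/denyhosts/ \
  && cp daemon-control-dist daemon-control \
  && chown root daemon-control \
  && chmod 700 daemon-control \
  && ln -s /usr/share/denyhosts/daemon-control /etc/init.d/denyhosts \
  && chkconfig --add denyhosts \
  && chkconfig denyhosts on \
  && service denyhosts start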
5.查看屏蔽IP日誌
[root@localhost ~]# cat /etc/hosts.deny
#
# hosts.deny This file contains access rules which are used to
# deny connections to network services that either use
# the tcp_wrappers library or that have been
# started through a tcp_wrappers-enabled xinetd.
#
# The rules in this file can also be set up in
# /etc/hosts.allow with a 'deny' option instead.
#
# See 'man 5 hosts_options' and 'man 5 hosts_access'
# for information on rule syntax.
# See 'man tcpd' for information on tcp_wrappers
#
# DenyHosts: Mon Mar 7 16:04:00 2016 | sshd: 123.30.135.177
sshd: 123.30.135.177
# DenyHosts: Mon Mar 7 16:25:31 2016 | sshd: 125.88.177.95
sshd: 125.88.177.95