Introduction to DenyHosts
When a Linux server is exposed to the Internet it will very likely be found by scanners and then subjected to SSH brute-force (password-guessing) attempts. DenyHosts is a useful tool against this. It is a Python program that parses the sshd log (/var/log/secure on Red Hat, for example); when it sees repeated SSH password failures from the same IP it writes that IP to /etc/hosts.deny, so the address is blocked automatically.
The official DenyHosts site is http://denyhosts.sourceforge.net/ and its own description reads:
What is DenyHosts?
DenyHosts is a Python script that analyzes the sshd server log messages to determine what hosts are attempting to hack into your system. It also determines what user accounts are being targeted. It keeps track of the frequency of attempts from each host.
Additionally, upon discovering a repeated attack host, the /etc/hosts.deny file is updated to prevent future break-in attempts from that host.
An email report can be sent to a system admin.
Installing DenyHosts
1: Download the DenyHosts package. Note that imcat.in is a third-party mirror, not the project site; compare the archive you fetch against the release published on http://denyhosts.sourceforge.net/ before installing it.
[root@mylnx04 ~]# wget http://imcat.in/down/DenyHosts-2.6.tar.gz
2: Unpack the package.
[root@mylnx04 ~]# tar -zxvf DenyHosts-2.6.tar.gz
3: Install DenyHosts.
Python must be installed first; almost every Linux host ships it by default. DenyHosts 2.6 is Python 2 code, so run setup.py with a Python 2 interpreter.
[root@mylnx04 ~]# cd DenyHosts-2.6/
[root@mylnx04 DenyHosts-2.6]# python setup.py install
Configuring DenyHosts
1: Copy the configuration template to denyhosts.cfg.
[root@mylnx04 DenyHosts-2.6]# cp /usr/share/denyhosts/denyhosts.cfg-dist /usr/share/denyhosts/denyhosts.cfg
2: Set the parameters in /usr/share/denyhosts/denyhosts.cfg. The main ones are described below; the file itself documents every setting in detail.
SECURE_LOG
The sshd log file to parse. Which file that is depends on the distribution:
On Red Hat / Fedora Core, sshd logs to /var/log/secure.
On Mandrake, FreeBSD and OpenBSD, sshd logs to /var/log/auth.log.
On SuSE, sshd logs to /var/log/messages.
...
HOSTS_DENY = /etc/hosts.deny
The tcp_wrappers access-control file where blocked IPs are recorded. Most systems use /etc/hosts.deny; BSD Unix uses /etc/hosts.allow. Blocking through this file only works if sshd honours tcp_wrappers, i.e. an OpenSSH linked against libwrap (upstream OpenSSH dropped that support in 6.7); check with ldd /usr/sbin/sshd | grep libwrap before relying on DenyHosts. Also add the addresses you administer from to WORK_DIR/allowed-hosts before starting the daemon, otherwise a mistyped password from your own workstation can lock you out, given the low thresholds set below.
PURGE_DENY
How long a blocked IP stays in HOSTS_DENY before it is purged.
########################################################################
#
# PURGE_DENY: removed HOSTS_DENY entries that are older than this time
# when DenyHosts is invoked with the --purge flag
#
# format is: i[dhwmy]
# Where 'i' is an integer (eg. 7)
# 'm' = minutes
# 'h' = hours
# 'd' = days
# 'w' = weeks
# 'y' = years
#
# never purge:
PURGE_DENY = # left blank: entries are never removed (this is the active setting)
#
# purge entries older than 1 week
#PURGE_DENY = 1w # would remove entries older than one week
#
# purge entries older than 5 days
#PURGE_DENY = 5d # would remove entries older than five days
#######################################################################
PURGE_THRESHOLD
The maximum number of times a host may be purged (and re-added). Once a host has been purged that many times it is no longer purged, i.e. it stays denied; 0 (the default) disables this.
#######################################################################
#
# PURGE_THRESHOLD: defines the maximum times a host will be purged.
# Once this value has been exceeded then this host will not be purged.
# Setting this parameter to 0 (the default) disables this feature.
#
# default: a denied host can be purged/re-added indefinitely
#PURGE_THRESHOLD = 0
#
# a denied host will be purged at most 2 times.
#PURGE_THRESHOLD = 2
#
#######################################################################
BLOCK_SERVICE: the service name to block in HOSTS_DENY.
The default is sshd; it can also be set to ALL or to another tcp_wrappers service name.
#######################################################################
#
# BLOCK_SERVICE: the service name that should be blocked in HOSTS_DENY
#
# man 5 hosts_access for details
#
# eg. sshd: 127.0.0.1 # will block sshd logins from 127.0.0.1
#
# To block all services for the offending host:
#BLOCK_SERVICE = ALL
# To block only sshd:
BLOCK_SERVICE = sshd # service to deny. This only chooses what is written to hosts.deny; DenyHosts still reads only sshd logs, so ALL denies every tcp_wrappers-controlled service (SMTP, FTP, ...) to an offending host rather than detecting attacks on those services.
# To only record the offending host and nothing else (if using
# an auxilary file to list the hosts). Refer to:
# http://denyhosts.sourceforge.net/faq.html#aux
#BLOCK_SERVICE =
#
#######################################################################
DENY_THRESHOLD_INVALID
The number of failed logins tolerated for invalid (non-existent) users.
#######################################################################
#
# DENY_THRESHOLD_INVALID: block each host after the number of failed login
# attempts has exceeded this value. This value applies to invalid
# user login attempts (eg. non-existent user accounts)
#
DENY_THRESHOLD_INVALID = 1 # failed logins tolerated for invalid users
#
#######################################################################
DENY_THRESHOLD_VALID
The number of failed logins tolerated for valid (ordinary, non-root) users.
#######################################################################
#
# DENY_THRESHOLD_VALID: block each host after the number of failed
# login attempts has exceeded this value. This value applies to valid
# user login attempts (eg. user accounts that exist in /etc/passwd) except
# for the "root" user
#
DENY_THRESHOLD_VALID = 5 # failed logins tolerated for ordinary users
#
#######################################################################
DENY_THRESHOLD_ROOT
The number of failed logins tolerated for root.
#######################################################################
#
# DENY_THRESHOLD_ROOT: block each host after the number of failed
# login attempts has exceeded this value. This value applies to
# "root" user login attempts only.
#
DENY_THRESHOLD_ROOT = 1 # failed logins tolerated for root
#
#######################################################################
DENY_THRESHOLD_RESTRICTED: the number of failed logins tolerated for usernames listed in the WORK_DIR/restricted-usernames file (for example service accounts that should never log in over SSH).
#######################################################################
#
# DENY_THRESHOLD_RESTRICTED: block each host after the number of failed
# login attempts has exceeded this value. This value applies to
# usernames that appear in the WORK_DIR/restricted-usernames file only.
#
DENY_THRESHOLD_RESTRICTED = 1
#
#######################################################################
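As an added example (not DenyHosts' own code), the following Python models the detection logic that the introduction and the four DENY_THRESHOLD_* parameters describe: parse sshd "Failed password" lines, count failures per source host in each class, deny a host once a count exceeds that class's threshold, and honour a WORK_DIR/allowed-hosts style whitelist. The log lines are constructed in Red Hat /var/log/secure form; the class ordering (invalid user, then root, then restricted-usernames, then other valid accounts) and the strict "exceeded" comparison follow the wording of the config file and are assumptions about DenyHosts' exact behaviour.

```python
"""Count failed sshd logins per source host and decide which hosts to deny.

Added example modelling the DENY_THRESHOLD_* semantics documented in
denyhosts.cfg ("block after the number of failed attempts has exceeded
this value"). Not DenyHosts' own code.
"""
import re
from collections import defaultdict

# Constructed sample of /var/log/secure (Red Hat syslog format).
SAMPLE_SECURE_LOG = """\
Mar  3 10:01:02 mylnx04 sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 4242 ssh2
Mar  3 10:01:05 mylnx04 sshd[1235]: Failed password for invalid user test from 203.0.113.5 port 4243 ssh2
Mar  3 10:01:09 mylnx04 sshd[1236]: Failed password for root from 198.51.100.7 port 5555 ssh2
Mar  3 10:01:12 mylnx04 sshd[1237]: Failed password for root from 198.51.100.7 port 5556 ssh2
Mar  3 10:01:20 mylnx04 sshd[1238]: Failed password for alice from 192.0.2.9 port 6000 ssh2
Mar  3 10:01:25 mylnx04 sshd[1239]: Accepted password for alice from 192.0.2.9 port 6001 ssh2
Mar  3 10:01:30 mylnx04 sshd[1240]: Failed password for oracle from 192.0.2.10 port 6100 ssh2
Mar  3 10:01:31 mylnx04 sshd[1241]: Failed password for oracle from 192.0.2.10 port 6101 ssh2
Mar  3 10:01:40 mylnx04 sshd[1242]: Failed password for bob from 10.0.0.5 port 7000 ssh2
"""

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<host>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Thresholds mirror the values used in the article's denyhosts.cfg.
THRESHOLDS = {"invalid": 1, "valid": 5, "root": 1, "restricted": 1}


def classify(user, invalid, restricted_users):
    """Map one failed attempt to the threshold class it counts against.
    Assumed ordering: 'invalid user' lines first, then root, then names in
    WORK_DIR/restricted-usernames, then any other existing account."""
    if invalid:
        return "invalid"
    if user == "root":
        return "root"
    if user in restricted_users:
        return "restricted"
    return "valid"


def count_failures(log_text, restricted_users=frozenset()):
    """Return {(host, class): number_of_failed_attempts} from sshd log text."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        cls = classify(m.group("user"), bool(m.group("invalid")), restricted_users)
        counts[(m.group("host"), cls)] += 1
    return dict(counts)


def hosts_to_deny(counts, thresholds=THRESHOLDS, allowed_hosts=frozenset()):
    """Hosts whose failures in any class exceed that class's threshold.
    allowed_hosts models WORK_DIR/allowed-hosts: those are never denied."""
    deny = set()
    for (host, cls), n in counts.items():
        if host in allowed_hosts:
            continue
        if n > thresholds[cls]:
            deny.add(host)
    return sorted(deny)


def hosts_deny_lines(hosts, block_service="sshd"):
    """Render entries in the hosts_access(5) form written to HOSTS_DENY."""
    return ["%s: %s" % (block_service, h) for h in hosts]


if __name__ == "__main__":
    c = count_failures(SAMPLE_SECURE_LOG, restricted_users={"oracle"})
    for line in hosts_deny_lines(hosts_to_deny(c)):
        print(line)
```

With the article's thresholds the sample denies 203.0.113.5 (two invalid-user failures), 198.51.100.7 (two root failures) and 192.0.2.10 (two failures against the restricted name oracle), but not 192.0.2.9, whose single failure for alice is well under DENY_THRESHOLD_VALID = 5. Two mistyped root passwords from your own workstation would be denied just the same, which is why the allowed-hosts whitelist belongs in WORK_DIR before the daemon is started.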
WORK_DIR
The directory DenyHosts writes its state to; it also holds the allowed-hosts and restricted-usernames files.
#######################################################################
#
# WORK_DIR: the path that DenyHosts will use for writing data to
# (it will be created if it does not already exist).
#
# Note: it is recommended that you use an absolute pathname
# for this value (eg. /home/foo/denyhosts/data)
#
WORK_DIR = /usr/share/denyhosts/data
#
#######################################################################
#######################################################################
#
# SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS
#
# SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES|NO
# If set to YES, if a suspicious login attempt results from an allowed-host
# then it is considered suspicious. If this is NO, then suspicious logins
# from allowed-hosts will not be reported. All suspicious logins from
# ip addresses that are not in allowed-hosts will always be reported.
#
SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES
######################################################################
######################################################################
#
# HOSTNAME_LOOKUP
#
# HOSTNAME_LOOKUP=YES|NO
# If set to YES, for each IP address that is reported by Denyhosts,
# the corresponding hostname will be looked up and reported as well
# (if available).
#
HOSTNAME_LOOKUP=YES
#
######################################################################
DAEMON_PURGE
How often DenyHosts, when running in daemon mode, runs the purge pass that expires old entries from HOSTS_DENY.
It has no effect if PURGE_DENY is blank.
#######################################################################
#
# DAEMON_PURGE: How often should DenyHosts, when run in daemon mode,
# run the purge mechanism to expire old entries in HOSTS_DENY
# This has no effect if PURGE_DENY is blank.
#
DAEMON_PURGE = 1h
#
#######################################################################
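The purge side of PURGE_DENY, PURGE_THRESHOLD and DAEMON_PURGE, as an added Python example rather than DenyHosts' own code: it parses the i[mhdwy] time format, expires stamped entries older than PURGE_DENY while leaving hand-written entries alone, applies PURGE_THRESHOLD, and computes how long an entry can actually survive in daemon mode. It assumes DenyHosts marks the entries it adds with a "# DenyHosts: <asctime> | <entry>" record (an assumption about the file format), and uses a constructed hosts.deny and a fixed clock.

```python
"""Expire HOSTS_DENY entries the way PURGE_DENY, PURGE_THRESHOLD and
DAEMON_PURGE describe. Added example, not DenyHosts' own code."""
import re
from datetime import datetime

# i[mhdwy] units from the PURGE_DENY comment in denyhosts.cfg.
UNITS = {"m": 60, "h": 3600, "d": 86400, "w": 7 * 86400, "y": 365 * 86400}


def parse_purge_spec(spec):
    """'5m' -> 300, '1w' -> 604800; blank means never purge -> None."""
    if spec is None or not spec.strip():
        return None
    m = re.fullmatch(r"\s*(\d+)\s*([mhdwy])\s*", spec)
    if not m:
        raise ValueError("bad time spec: %r" % spec)
    return int(m.group(1)) * UNITS[m.group(2)]


# Assumed record form for entries DenyHosts itself added (assumption):
#   # DenyHosts: Sat Mar 10 10:00:00 2012 | sshd: 198.51.100.7
STAMP_RE = re.compile(r"^# DenyHosts: (?P<when>.+?) \| (?P<entry>\S+:\s*\S+)$")
STAMP_FMT = "%a %b %d %H:%M:%S %Y"  # time.asctime() layout

# Constructed hosts.deny: a hand-written entry, an old and a recent stamped one.
SAMPLE_HOSTS_DENY = [
    "sshd: 203.0.113.5",
    "# DenyHosts: Sat Mar 10 10:00:00 2012 | sshd: 198.51.100.7",
    "# DenyHosts: Sat Mar 10 12:30:00 2012 | sshd: 192.0.2.9",
]
NOW = datetime(2012, 3, 10, 13, 0, 0)  # fixed clock for the sample


def purge_hosts_deny(lines, purge_seconds, now, purge_counts=None, purge_threshold=0):
    """Return (kept_lines, purged_hosts).

    Entries without a DenyHosts stamp are never touched. purge_counts maps
    host -> times already purged (state DenyHosts keeps in WORK_DIR); with
    purge_threshold > 0 a host purged that many times stays denied for good.
    """
    if purge_seconds is None:  # PURGE_DENY blank: never purge
        return list(lines), []
    if purge_counts is None:
        purge_counts = {}
    kept, purged = [], []
    for line in lines:
        m = STAMP_RE.match(line)
        if not m:
            kept.append(line)
            continue
        stamped = datetime.strptime(m.group("when"), STAMP_FMT)
        host = m.group("entry").split(":", 1)[1].strip()
        expired = (now - stamped).total_seconds() > purge_seconds
        exhausted = purge_threshold > 0 and purge_counts.get(host, 0) >= purge_threshold
        if expired and not exhausted:
            purged.append(host)
            purge_counts[host] = purge_counts.get(host, 0) + 1
        else:
            kept.append(line)
    return kept, purged


def worst_case_unblock_seconds(purge_deny, daemon_purge):
    """In daemon mode the purge pass only runs every DAEMON_PURGE, so an
    entry can outlive PURGE_DENY by up to that much (plus DAEMON_SLEEP)."""
    return parse_purge_spec(purge_deny) + parse_purge_spec(daemon_purge)


if __name__ == "__main__":
    kept, purged = purge_hosts_deny(SAMPLE_HOSTS_DENY, parse_purge_spec("1h"), NOW)
    print("purged:", purged)
    print("\n".join(kept))
    print("worst case with PURGE_DENY=5m, DAEMON_PURGE=1h:",
          worst_case_unblock_seconds("5m", "1h"), "seconds")
```

With PURGE_DENY = 1h only the three-hour-old entry for 198.51.100.7 goes; with PURGE_DENY = 5m the thirty-minute-old 192.0.2.9 goes too, but the hand-written sshd: 203.0.113.5 stays in every case. worst_case_unblock_seconds("5m", "1h") returns 3900: with the default DAEMON_PURGE of 1h an entry meant to expire after five minutes can remain for up to sixty-five, which is the behaviour observed in the tests further down.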
#######################################################################
#
# ADMIN_EMAIL: if you would like to receive emails regarding newly
# restricted hosts and suspicious logins, set this address to
# match your email address. If you do not want to receive these reports
# leave this field blank (or run with the --noemail option)
#
# Multiple email addresses can be delimited by a comma, eg:
# ADMIN_EMAIL = foo@bar.com, bar@foo.com, etc@foobar.com
#
ADMIN_EMAIL =konglb@xxxx.com
#
#######################################################################
#######################################################################
#
# SMTP_HOST and SMTP_PORT: if DenyHosts is configured to email
# reports (see ADMIN_EMAIL) then these settings specify the
# email server address (SMTP_HOST) and the server port (SMTP_PORT)
#
#
SMTP_HOST = xxx.xxx.xxx.xxx
SMTP_PORT = 25
#
#######################################################################
#######################################################################
#
# SMTP_USERNAME and SMTP_PASSWORD: set these parameters if your
# smtp email server requires authentication
#
#SMTP_USERNAME=foo
#SMTP_PASSWORD=bar
#
######################################################################
#######################################################################
#
# SMTP_FROM: you can specify the "From:" address in messages sent
# from DenyHosts when it reports thwarted abuse attempts
#
SMTP_FROM = xxxx<xxxx@xxxxx.com>
#
#######################################################################
#######################################################################
#
# SMTP_SUBJECT: you can specify the "Subject:" of messages sent
# by DenyHosts when it reports thwarted abuse attempts
SMTP_SUBJECT = DenyHosts Report
#
######################################################################
######################################################################
#
# SMTP_DATE_FORMAT: specifies the format used for the "Date:" header
# when sending email messages.
#
# for possible values for this parameter refer to: man strftime
#
# the default:
#
#SMTP_DATE_FORMAT = %a, %d %b %Y %H:%M:%S %z
#
######################################################################
######################################################################
#
# SYSLOG_REPORT
#
# SYSLOG_REPORT=YES|NO
# If set to yes, when denied hosts are recorded the report data
# will be sent to syslog (syslog must be present on your system).
# The default is: NO
#
#SYSLOG_REPORT=NO
#
#SYSLOG_REPORT=YES
#
######################################################################
3: Copy daemon-control from its template, set its ownership and permissions, and enable DenyHosts at boot.
[root@mylnx04 ~]# cp /usr/share/denyhosts/daemon-control-dist /usr/share/denyhosts/daemon-control
[root@mylnx04 ~]# chown root /usr/share/denyhosts/daemon-control
[root@mylnx04 ~]# chmod 755 /usr/share/denyhosts/daemon-control
[root@mylnx04 ~]# ln -s /usr/share/denyhosts/daemon-control /etc/init.d/denyhosts
[root@mylnx04 ~]# chkconfig --level 345 denyhosts on
4: Start or restart the DenyHosts service
#/sbin/service denyhosts restart
or
#service denyhosts restart
[root@mylnx04 ~]# service denyhosts start
starting DenyHosts: /usr/bin/env python /usr/bin/denyhosts.py --daemon --config=/usr/share/denyhosts/denyhosts.cfg
If the log already holds a large number of entries, the first start takes a long time because DenyHosts reads the whole file. In an emergency you can truncate it and restart rsyslog first with: echo "" > /var/log/secure && service rsyslog restart. Be aware that this throws away the record of the attack, so copy the file somewhere first if you may need it for incident analysis.
5: Check that DenyHosts is running
[root@mylnx04 ~]# ps -ef | grep deny
Below is what /etc/hosts.deny recorded on a host I saw being SSH-scanned.
Testing DenyHosts
I also ran into a few small problems during testing:
1: I set PURGE_DENY = 5m, but after 5 minutes the IP entries in /etc/hosts.deny had not been removed. This is also governed by DAEMON_PURGE: it defaults to 1h, and in daemon mode the time at which an IP is unblocked follows DAEMON_PURGE, so by default that is one hour. It is best to set PURGE_DENY and DAEMON_PURGE to the same value; the times you measure may also be skewed a little by DAEMON_SLEEP, although its default is small.
Summary of the tests
I tested and verified DenyHosts in a real environment. It is effective, but using DenyHosts to keep sshd from being brute-forced is a rather passive approach; there are better solutions, such as setting up a bastion (jump) host and allowing SSH access to the servers only from it.