DenyHosts installation and configuration: defending against brute-force attacks

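DenyHosts is a program written in Python that uses tcp_wrapper for host defence. It automatically adds the IP of any host whose failed login count exceeds the limit to /etc/hosts.deny, which blocks that host.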


Official site of the program: http://denyhosts.sourceforge.net/


1. Installation

tar -zxvf DenyHosts-2.6.tar.gz

cd DenyHosts-2.6

python2.7 setup.py install

By default it is installed to the /usr/share/denyhosts directory.


2. Configuration

cd /usr/share/denyhosts/
cp denyhosts.cfg-dist denyhosts.cfg
vi denyhosts.cfg


Relevant parameters in the configuration file

 ############ THESE SETTINGS ARE REQUIRED ############

SECURE_LOG = /var/log/secure

HOSTS_DENY = /etc/hosts.deny

# How long until denied entries are purged; w = weeks, d = days, h = hours, s = seconds, m = minutes
PURGE_DENY = 1w

BLOCK_SERVICE  = sshd

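# Number of failed logins allowed for invalid users
DENY_THRESHOLD_INVALID = 3

# Number of failed logins allowed for normal users
DENY_THRESHOLD_VALID = 5

# Number of failed logins allowed for root
DENY_THRESHOLD_ROOT = 5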

DENY_THRESHOLD_RESTRICTED = 1

WORK_DIR = /usr/share/denyhosts/data

SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES

HOSTNAME_LOOKUP=YES

LOCK_FILE = /var/lock/subsys/denyhosts

 ############ THESE SETTINGS ARE OPTIONAL ############

# Send an e-mail notification when an IP is blocked
ADMIN_EMAIL = denyhosts@163.com

SMTP_HOST = localhost

SMTP_PORT = 25

SMTP_FROM = DenyHosts <192.168.0.1@localhost>

SMTP_SUBJECT = DenyHosts Report

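# Time after which the failed-login count for valid users resets to zero
AGE_RESET_VALID=1d

# Time after which the failed-login count for root resets to zero
AGE_RESET_ROOT=1d

AGE_RESET_RESTRICTED=1d

# Time after which the failed-login count for invalid users resets to zero
AGE_RESET_INVALID=10d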

######### THESE SETTINGS ARE SPECIFIC TO DAEMON MODE  ##########

DAEMON_LOG = /var/log/denyhosts

DAEMON_SLEEP = 30s

DAEMON_PURGE = 1h
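
How the three DENY_THRESHOLD_* values above act on /var/log/secure, as an added example that is not DenyHosts' own code. It is a simplified model: it only reads "Failed password" lines, keeps one counter per address and category, and assumes a host is denied once a counter is strictly greater than its threshold.

```python
import re
from collections import defaultdict

# Thresholds copied from the denyhosts.cfg values shown above.
THRESHOLDS = {"INVALID": 3, "VALID": 5, "ROOT": 5}

# Usual OpenSSH failure line as written to /var/log/secure.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def classify(match):
    """Map one failed login to the threshold category it counts against."""
    if match.group("invalid"):
        return "INVALID"
    return "ROOT" if match.group("user") == "root" else "VALID"


def hosts_to_deny(lines, thresholds=THRESHOLDS):
    """Return sorted IPs whose failures in any one category exceed its threshold."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = FAILED.search(line)
        if m:
            counts[m.group("ip")][classify(m)] += 1
    # Assumption: "exceeds" means strictly greater than the configured value.
    return sorted(
        ip for ip, per_cat in counts.items()
        if any(n > thresholds[cat] for cat, n in per_cat.items())
    )


def fake_lines(ip, user, n, invalid=False):
    """Build n constructed log lines for one source address."""
    who = ("invalid user " if invalid else "") + user
    return ["Mar  3 10:15:%02d web1 sshd[2211]: Failed password for %s from %s "
            "port 40022 ssh2" % (i, who, ip) for i in range(n)]


# Constructed sample input (documentation address ranges), not real log data.
SAMPLE_LOG = (
    fake_lines("203.0.113.10", "admin", 4, invalid=True)   # 4 > 3: denied
    + fake_lines("198.51.100.20", "alice", 5)              # 5 == 5: not yet
    + fake_lines("192.0.2.30", "root", 6)                  # 6 > 5: denied
    + fake_lines("198.51.100.40", "oracle", 3, invalid=True)
    + fake_lines("198.51.100.40", "alice", 4)              # neither category exceeded
)

if __name__ == "__main__":
    for ip in hosts_to_deny(SAMPLE_LOG):
        print("sshd: " + ip)   # the form of entry written to /etc/hosts.deny
```
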

3. Set up the startup script

cp daemon-control-dist daemon-control

cp daemon-control-dist /etc/init.d/denyhost

chmod 700 /etc/init.d/denyhost

chkconfig --add denyhost

chkconfig denyhost on

Start the service

/etc/init.d/denyhost start

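Using DenyHosts

If you do not want the host to reject a particular IP, do the following:

vi /etc/hosts.allow

# Allow 192.168.0.1 to access this host's ssh service
sshd: 192.168.0.1

To reject a particular IP, likewise edit /etc/hosts.deny with vi and add it there.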


Errors encountered

1. # service denyhost start

starting DenyHosts:   /usr/bin/env python /usr/bin/denyhosts.py --daemon --config=/usr/share/denyhosts/denyhosts.cfg

python: can't open file '/usr/bin/denyhosts.py': [Errno 2] No such file or directory


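This error clearly means the file '/usr/bin/denyhosts.py' cannot be found. Use which to find the file's real path, then open the startup script and replace the default path with it.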

vim /etc/init.d/denyhost

DENYHOSTS_BIN   = "/usr/local/python27/bin/denyhosts.py"

DENYHOSTS_LOCK  = "/var/lock/subsys/denyhosts"

DENYHOSTS_CFG   = "/usr/share/denyhosts/denyhosts.cfg"


2. /etc/init.d/denyhost start

starting DenyHosts:    /usr/bin/env python /usr/local/python27/bin/denyhosts.py --daemon --config=/usr/share/denyhosts/denyhosts.cfg

Traceback (most recent call last):

  File "/usr/local/python27/bin/denyhosts.py", line 5, in ?

    import DenyHosts.python_version

ImportError: No module named DenyHosts.python_version


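The error shows that the DenyHosts module cannot be found, so the import fails. This is caused by two Python versions on the system: this system has python2.6 installed by default from the rpm package, plus a python2.7 compiled by hand later. We installed DenyHosts above with python2.7, so the module was installed under python2.7, but the system uses python2.6 by default. The fix is to edit the startup script and change the interpreter path to python2.7.

The modified lines are marked in red below.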

#!/usr/local/python27/bin/python2.7

###############################################

#### Edit these to suit your configuration ####

###############################################


DENYHOSTS_BIN   = "/usr/local/python27/bin/denyhosts.py"

DENYHOSTS_LOCK  = "/var/lock/subsys/denyhosts"

DENYHOSTS_CFG   = "/usr/share/denyhosts/denyhosts.cfg"


PYTHON_BIN      = "/usr/local/python27/bin/python2.7"
