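DenyHosts is a script written in Python, commonly used to restrict SSH logins. It monitors the system logs and adds any IP that exceeds the failed-login threshold to TCP Wrappers, which then denies it access. It was named UNIX Review magazine's Tool of the Month for August 2005. Beyond basic IP blocking, it also offers email notification, plugins, synchronization and other features.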
Official site:
GitHub code:

tar xf DenyHosts-2.6.tar.gz
cd DenyHosts-2.6
python setup.py install
cd /usr/share/denyhosts/
cp denyhosts.cfg-dist denyhosts.cfg
cp daemon-control-dist daemon-control
chown root daemon-control
chmod 700 daemon-control
ln -sv /usr/share/denyhosts/daemon-control /etc/init.d/denyhosts
/etc/init.d/denyhosts start
chkconfig denyhosts on
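
# Failed-login thresholds: invalid users, valid (normal) users, root, restricted users
DENY_THRESHOLD_INVALID = 5
DENY_THRESHOLD_VALID = 10
DENY_THRESHOLD_ROOT = 1
DENY_THRESHOLD_RESTRICTED = 1
# Failed-login counter reset times: valid users, root, restricted users, invalid users
AGE_RESET_VALID=5d
AGE_RESET_ROOT=25d
AGE_RESET_RESTRICTED=25d
AGE_RESET_INVALID=10d
# Interval for purging blocked IPs: cron mode (requires --purge), daemon mode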

1. Stop DenyHosts
2. Remove the IP address from /etc/hosts.deny
3. Edit WORK_DIR/hosts and remove the lines containing the IP address. Save the file.
4. Edit WORK_DIR/hosts-restricted and remove the lines containing the IP address. Save the file.
5. Edit WORK_DIR/hosts-root and remove the lines containing the IP address. Save the file.
6. Edit WORK_DIR/hosts-valid and remove the lines containing the IP address. Save the file.
7. Edit WORK_DIR/user-hosts and remove the lines containing the IP address. Save the file.
8. (optional) Consider adding the IP address to WORK_DIR/allowed-hosts
9. Start DenyHosts

Create a file named allowed-hosts in the WORK_DIR. Simply add an IP address, one per line.
Domain names and glob wildcards are supported.
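
The file-editing steps of the removal procedure above can be scripted; this is an added example, not part of the original post or of DenyHosts. It matches the address on boundaries, so removing 10.0.0.1 leaves 10.0.0.11 and 110.0.0.1 blocked. The helper names `unblock_ip` and `make_sample`, the sample addresses and the `IP:count:date` line layout in the sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not DenyHosts code): remove one IP from hosts.deny and the
# WORK_DIR files named in the steps above. Sample data below is constructed.

# unblock_ip IP WORK_DIR HOSTS_DENY
# Deletes every line that mentions IP from hosts.deny and the WORK_DIR files.
unblock_ip() {
    ip=$1 work_dir=$2 hosts_deny=$3
    # Escape the dots, then require that the address is not embedded in a
    # longer one, so 10.0.0.1 does not also delete 10.0.0.11 or 110.0.0.1.
    esc=$(printf '%s' "$ip" | sed 's/\./\\./g')
    re="(^|[^0-9.])${esc}([^0-9.]|\$)"
    for f in "$hosts_deny" "$work_dir/hosts" "$work_dir/hosts-restricted" \
             "$work_dir/hosts-root" "$work_dir/hosts-valid" \
             "$work_dir/user-hosts"; do
        [ -f "$f" ] || continue
        tmp=$(mktemp) || return 1
        # grep exits 1 when no line is left to print; only >1 is an error.
        grep -Ev "$re" "$f" > "$tmp" || [ $? -eq 1 ] || { rm -f "$tmp"; return 1; }
        cat "$tmp" > "$f"      # overwrite in place: keeps owner and mode
        rm -f "$tmp"
    done
}

# make_sample: build a scratch copy of the state files and print its path.
# The line layouts here are assumed, not taken from the page.
make_sample() {
    d=$(mktemp -d) || return 1
    printf 'sshd: 10.0.0.1\nsshd: 10.0.0.11\nsshd: 110.0.0.1\n' > "$d/hosts.deny"
    printf '10.0.0.1:3:Mon Oct  1 10:00:00 2018\n10.0.0.11:6:Mon Oct  1 10:05:00 2018\n' > "$d/hosts"
    printf '10.0.0.1:1:Mon Oct  1 10:00:00 2018\n' > "$d/hosts-root"
    printf 'admin - 10.0.0.1:2:Mon Oct  1 10:00:00 2018\n' > "$d/user-hosts"
    printf '%s\n' "$d"
}

# Live use, as root, following the steps above (WORK_DIR as set in denyhosts.cfg):
#   /etc/init.d/denyhosts stop
#   unblock_ip 10.0.0.1 "$WORK_DIR" /etc/hosts.deny
#   /etc/init.d/denyhosts start
```

Try it against the scratch copy from `make_sample` before pointing it at the live files.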
A regex match needs to be added; the official documentation explains how.

Fail2Ban, which uses iptables
BlockHosts
Blacklist

PermitRootLogin no
PasswordAuthentication no
Port 59922

Reposted from: https://blog.51cto.com/14043491/2309673