部署DenyHosts防SSH暴力破解

1.查看sshd是否受TCP Wrappers管理(ldd輸出中出現libwrap.so,即表示sshd鏈接了TCP Wrappers,DenyHosts寫入/etc/hosts.deny的規則才會對sshd生效)

[root@opensips ~]# ldd /usr/sbin/sshd
 linux-vdso.so.1 =>  (0x00007fff3d1ff000)
 libfipscheck.so.1 => /lib64/libfipscheck.so.1 (0x00007f2f61434000)
 libwrap.so.0 => /lib64/libwrap.so.0 (0x00007f2f61228000)
 libaudit.so.1 => /lib64/libaudit.so.1 (0x00007f2f6100c000)
 libpam.so.0 => /lib64/libpam.so.0 (0x00007f2f60dfe000)
 libdl.so.2 => /lib64/libdl.so.2 (0x00007f2f60bf9000)
 libselinux.so.1 => /lib64/libselinux.so.1 (0x00007f2f609da000)
 libcrypto.so.10 => /usr/lib64/libcrypto.so.10 (0x00007f2f605fa000)
 libutil.so.1 => /lib64/libutil.so.1 (0x00007f2f603f6000)
 libz.so.1 => /lib64/libz.so.1 (0x00007f2f601e0000)
 libnsl.so.1 => /lib64/libnsl.so.1 (0x00007f2f5ffc7000)
 libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00007f2f5fd8f000)
 libresolv.so.2 => /lib64/libresolv.so.2 (0x00007f2f5fb75000)
 libgssapi_krb5.so.2 => /lib64/libgssapi_krb5.so.2 (0x00007f2f5f931000)
 libkrb5.so.3 => /lib64/libkrb5.so.3 (0x00007f2f5f64a000)
 libk5crypto.so.3 => /lib64/libk5crypto.so.3 (0x00007f2f5f41e000)
 libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00007f2f5f21a000)
 libnss3.so => /usr/lib64/libnss3.so (0x00007f2f5eedb000)
 libc.so.6 => /lib64/libc.so.6 (0x00007f2f5eb47000)
 /lib64/ld-linux-x86-64.so.2 (0x0000003212400000)
 libfreebl3.so => /lib64/libfreebl3.so (0x00007f2f5e8cf000)
 libkrb5support.so.0 => /lib64/libkrb5support.so.0 (0x00007f2f5e6c4000)
 libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x00007f2f5e4c1000)
 libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f2f5e2a3000)
 libnssutil3.so => /usr/lib64/libnssutil3.so (0x00007f2f5e077000)
 libplc4.so => /lib64/libplc4.so (0x00007f2f5de72000)
 libplds4.so => /lib64/libplds4.so (0x00007f2f5dc6d000)
 libnspr4.so => /lib64/libnspr4.so (0x00007f2f5da30000)
 librt.so.1 => /lib64/librt.so.1 (0x00007f2f5d827000)

 2.查看當前python的版本號

[root@opensips ~]# python --version
Python 2.6.6

 3.下載DenyHosts文件(下面的下載走的是未加密的HTTP,且經過多次鏡像跳轉;安裝前建議用可信渠道取得的校驗值核對壓縮包)

[root@opensips ~]# cd /usr/local/src
[root@opensips src]# wget http://jaist.dl.sourceforge.net/sourceforge/denyhosts/DenyHosts-2.6.tar.gz
--2014-06-17 22:07:41--  http://jaist.dl.sourceforge.net/sourceforge/denyhosts/DenyHosts-2.6.tar.gz
Resolving jaist.dl.sourceforge.net... 150.65.7.130, 2001:df0:2ed:feed::feed
Connecting to jaist.dl.sourceforge.net|150.65.7.130|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://downloads.sourceforge.net/sourceforge/denyhosts/DenyHosts-2.6.tar.gz?download&failedmirror=jaist.dl.sourceforge.net [following]
--2014-06-17 22:07:42--  http://downloads.sourceforge.net/sourceforge/denyhosts/DenyHosts-2.6.tar.gz?download&failedmirror=jaist.dl.sourceforge.net
Resolving downloads.sourceforge.net... 216.34.181.59
Connecting to downloads.sourceforge.net|216.34.181.59|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://downloads.sourceforge.net/project/denyhosts/denyhosts/2.6/DenyHosts-2.6.tar.gz?download=&failedmirror=jaist.dl.sourceforge.net [following]
--2014-06-17 22:07:43--  http://downloads.sourceforge.net/project/denyhosts/denyhosts/2.6/DenyHosts-2.6.tar.gz?download=&failedmirror=jaist.dl.sourceforge.net
Reusing existing connection to downloads.sourceforge.net:80.
HTTP request sent, awaiting response... 302 Found
Location: http://nchc.dl.sourceforge.net/project/denyhosts/denyhosts/2.6/DenyHosts-2.6.tar.gz [following]
--2014-06-17 22:07:44--  http://nchc.dl.sourceforge.net/project/denyhosts/denyhosts/2.6/DenyHosts-2.6.tar.gz
Resolving nchc.dl.sourceforge.net... 211.79.60.17, 2001:e10:ffff:1f02::17
Connecting to nchc.dl.sourceforge.net|211.79.60.17|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 42667 (42K) [application/x-gzip]
Saving to: “DenyHosts-2.6.tar.gz”

100%[=====================================================================================================================================================>] 42,667      43.9K/s   in 0.9s   

2014-06-17 22:07:45 (43.9 KB/s) - “DenyHosts-2.6.tar.gz” saved [42667/42667]

4.查看是否下載成功 

[root@opensips src]# ls
DenyHosts-2.6.tar.gz

 5.解壓下載的文件

[root@opensips src]# tar zxvf DenyHosts-2.6.tar.gz
DenyHosts-2.6/
DenyHosts-2.6/PKG-INFO
DenyHosts-2.6/denyhosts.py
DenyHosts-2.6/denyhosts.cfg-dist
DenyHosts-2.6/setup.py
DenyHosts-2.6/DenyHosts/
DenyHosts-2.6/DenyHosts/prefs.py
DenyHosts-2.6/DenyHosts/report.py
DenyHosts-2.6/DenyHosts/lockfile.py
DenyHosts-2.6/DenyHosts/__init__.py
DenyHosts-2.6/DenyHosts/plugin.py
DenyHosts-2.6/DenyHosts/denyfileutil.py
DenyHosts-2.6/DenyHosts/deny_hosts.py
DenyHosts-2.6/DenyHosts/regex.py
DenyHosts-2.6/DenyHosts/sync.py
DenyHosts-2.6/DenyHosts/counter.py
DenyHosts-2.6/DenyHosts/old-daemon.py
DenyHosts-2.6/DenyHosts/util.py
DenyHosts-2.6/DenyHosts/daemon.py
DenyHosts-2.6/DenyHosts/python_version.py
DenyHosts-2.6/DenyHosts/allowedhosts.py
DenyHosts-2.6/DenyHosts/filetracker.py
DenyHosts-2.6/DenyHosts/loginattempt.py
DenyHosts-2.6/DenyHosts/restricted.py
DenyHosts-2.6/DenyHosts/purgecounter.py
DenyHosts-2.6/DenyHosts/version.py
DenyHosts-2.6/DenyHosts/constants.py
DenyHosts-2.6/CHANGELOG.txt
DenyHosts-2.6/LICENSE.txt
DenyHosts-2.6/daemon-control-dist
DenyHosts-2.6/plugins/
DenyHosts-2.6/plugins/README.contrib
DenyHosts-2.6/plugins/shorewall_allow.sh
DenyHosts-2.6/plugins/shorewall_deny.sh
DenyHosts-2.6/plugins/test_deny.py
DenyHosts-2.6/scripts/
DenyHosts-2.6/scripts/restricted_from_invalid.py
DenyHosts-2.6/scripts/restricted_from_passwd.py
DenyHosts-2.6/README.txt
DenyHosts-2.6/MANIFEST.in

 6.安裝DenyHosts

[root@opensips src]# cd DenyHosts-2.6
[root@opensips DenyHosts-2.6]# python setup.py install
running install
running build
running build_py
creating build
creating build/lib
creating build/lib/DenyHosts
copying DenyHosts/regex.py -> build/lib/DenyHosts
copying DenyHosts/denyfileutil.py -> build/lib/DenyHosts
copying DenyHosts/version.py -> build/lib/DenyHosts
copying DenyHosts/deny_hosts.py -> build/lib/DenyHosts
copying DenyHosts/report.py -> build/lib/DenyHosts
copying DenyHosts/python_version.py -> build/lib/DenyHosts
copying DenyHosts/purgecounter.py -> build/lib/DenyHosts
copying DenyHosts/sync.py -> build/lib/DenyHosts
copying DenyHosts/util.py -> build/lib/DenyHosts
copying DenyHosts/prefs.py -> build/lib/DenyHosts
copying DenyHosts/__init__.py -> build/lib/DenyHosts
copying DenyHosts/restricted.py -> build/lib/DenyHosts
copying DenyHosts/counter.py -> build/lib/DenyHosts
copying DenyHosts/filetracker.py -> build/lib/DenyHosts
copying DenyHosts/allowedhosts.py -> build/lib/DenyHosts
copying DenyHosts/old-daemon.py -> build/lib/DenyHosts
copying DenyHosts/lockfile.py -> build/lib/DenyHosts
copying DenyHosts/plugin.py -> build/lib/DenyHosts
copying DenyHosts/constants.py -> build/lib/DenyHosts
copying DenyHosts/loginattempt.py -> build/lib/DenyHosts
copying DenyHosts/daemon.py -> build/lib/DenyHosts
running build_scripts
creating build/scripts-2.6
copying and adjusting denyhosts.py -> build/scripts-2.6
changing mode of build/scripts-2.6/denyhosts.py from 644 to 755
running install_lib
creating /usr/lib/python2.6/site-packages/DenyHosts
copying build/lib/DenyHosts/regex.py -> /usr/lib/python2.6/site-packages/DenyHosts
copying build/lib/DenyHosts/denyfileutil.py -> /usr/lib/python2.6/site-packages/DenyHosts
copying build/lib/DenyHosts/version.py -> /usr/lib/python2.6/site-packages/DenyHosts
copying build/lib/DenyHosts/deny_hosts.py -> /usr/lib/python2.6/site-packages/DenyHosts
copying build/lib/DenyHosts/report.py -> /usr/lib/python2.6/site-packages/DenyHosts
copying build/lib/DenyHosts/python_version.py -> /usr/lib/python2.6/site-packages/DenyHosts
copying build/lib/DenyHosts/purgecounter.py -> /usr/lib/python2.6/site-packages/DenyHosts
copying build/lib/DenyHosts/sync.py -> /usr/lib/python2.6/site-packages/DenyHosts
copying build/lib/DenyHosts/util.py -> /usr/lib/python2.6/site-packages/DenyHosts
copying build/lib/DenyHosts/prefs.py -> /usr/lib/python2.6/site-packages/DenyHosts
copying build/lib/DenyHosts/__init__.py -> /usr/lib/python2.6/site-packages/DenyHosts
copying build/lib/DenyHosts/restricted.py -> /usr/lib/python2.6/site-packages/DenyHosts
copying build/lib/DenyHosts/counter.py -> /usr/lib/python2.6/site-packages/DenyHosts
copying build/lib/DenyHosts/filetracker.py -> /usr/lib/python2.6/site-packages/DenyHosts
copying build/lib/DenyHosts/allowedhosts.py -> /usr/lib/python2.6/site-packages/DenyHosts
copying build/lib/DenyHosts/old-daemon.py -> /usr/lib/python2.6/site-packages/DenyHosts
copying build/lib/DenyHosts/lockfile.py -> /usr/lib/python2.6/site-packages/DenyHosts
copying build/lib/DenyHosts/plugin.py -> /usr/lib/python2.6/site-packages/DenyHosts
copying build/lib/DenyHosts/constants.py -> /usr/lib/python2.6/site-packages/DenyHosts
copying build/lib/DenyHosts/loginattempt.py -> /usr/lib/python2.6/site-packages/DenyHosts
copying build/lib/DenyHosts/daemon.py -> /usr/lib/python2.6/site-packages/DenyHosts
byte-compiling /usr/lib/python2.6/site-packages/DenyHosts/regex.py to regex.pyc
byte-compiling /usr/lib/python2.6/site-packages/DenyHosts/denyfileutil.py to denyfileutil.pyc
byte-compiling /usr/lib/python2.6/site-packages/DenyHosts/version.py to version.pyc
byte-compiling /usr/lib/python2.6/site-packages/DenyHosts/deny_hosts.py to deny_hosts.pyc
byte-compiling /usr/lib/python2.6/site-packages/DenyHosts/report.py to report.pyc
byte-compiling /usr/lib/python2.6/site-packages/DenyHosts/python_version.py to python_version.pyc
byte-compiling /usr/lib/python2.6/site-packages/DenyHosts/purgecounter.py to purgecounter.pyc
byte-compiling /usr/lib/python2.6/site-packages/DenyHosts/sync.py to sync.pyc
byte-compiling /usr/lib/python2.6/site-packages/DenyHosts/util.py to util.pyc
byte-compiling /usr/lib/python2.6/site-packages/DenyHosts/prefs.py to prefs.pyc
byte-compiling /usr/lib/python2.6/site-packages/DenyHosts/__init__.py to __init__.pyc
byte-compiling /usr/lib/python2.6/site-packages/DenyHosts/restricted.py to restricted.pyc
byte-compiling /usr/lib/python2.6/site-packages/DenyHosts/counter.py to counter.pyc
byte-compiling /usr/lib/python2.6/site-packages/DenyHosts/filetracker.py to filetracker.pyc
byte-compiling /usr/lib/python2.6/site-packages/DenyHosts/allowedhosts.py to allowedhosts.pyc
byte-compiling /usr/lib/python2.6/site-packages/DenyHosts/old-daemon.py to old-daemon.pyc
byte-compiling /usr/lib/python2.6/site-packages/DenyHosts/lockfile.py to lockfile.pyc
byte-compiling /usr/lib/python2.6/site-packages/DenyHosts/plugin.py to plugin.pyc
byte-compiling /usr/lib/python2.6/site-packages/DenyHosts/constants.py to constants.pyc
byte-compiling /usr/lib/python2.6/site-packages/DenyHosts/loginattempt.py to loginattempt.pyc
byte-compiling /usr/lib/python2.6/site-packages/DenyHosts/daemon.py to daemon.pyc
running install_scripts
copying build/scripts-2.6/denyhosts.py -> /usr/bin
changing mode of /usr/bin/denyhosts.py to 755
running install_data
creating /usr/share/denyhosts
copying denyhosts.cfg-dist -> /usr/share/denyhosts
copying setup.py -> /usr/share/denyhosts
copying daemon-control-dist -> /usr/share/denyhosts
copying CHANGELOG.txt -> /usr/share/denyhosts
copying README.txt -> /usr/share/denyhosts
creating /usr/share/denyhosts/scripts
copying scripts/restricted_from_passwd.py -> /usr/share/denyhosts/scripts
copying scripts/restricted_from_invalid.py -> /usr/share/denyhosts/scripts
creating /usr/share/denyhosts/plugins
copying plugins/shorewall_deny.sh -> /usr/share/denyhosts/plugins
copying plugins/shorewall_allow.sh -> /usr/share/denyhosts/plugins
copying plugins/test_deny.py -> /usr/share/denyhosts/plugins
copying plugins/README.contrib -> /usr/share/denyhosts/plugins
copying LICENSE.txt -> /usr/share/denyhosts
running install_egg_info
Writing /usr/lib/python2.6/site-packages/DenyHosts-2.6-py2.6.egg-info

 7.查看程序文件

[root@opensips ~]# cd /usr/share/denyhosts/
[root@opensips denyhosts]# ls
CHANGELOG.txt  daemon-control-dist  denyhosts.cfg-dist  LICENSE.txt  plugins  README.txt  scripts  setup.py

 8.配置啓動腳本

[root@opensips denyhosts]# cp daemon-control-dist daemon-control
[root@opensips denyhosts]# chown root daemon-control
[root@opensips denyhosts]# chmod 700 daemon-control

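 9.修改配置文件(先用grep -v "^#"去掉以#開頭的註釋行,再用vim編輯;以下為配置文件內容。由於DENY_THRESHOLD_*的閾值較低,建議把管理用的IP寫入WORK_DIR下的allowed-hosts文件,避免自己輸錯密碼後被封)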

[root@opensips denyhosts]# grep -v "^#" denyhosts.cfg-dist > denyhosts.cfg
[root@opensips denyhosts]# vim denyhosts.cfg

 

       ############ THESE SETTINGS ARE REQUIRED ############

SECURE_LOG = /var/log/secure

HOSTS_DENY = /etc/hosts.deny


PURGE_DENY = 30m

 

BLOCK_SERVICE  = sshd


DENY_THRESHOLD_INVALID = 5

DENY_THRESHOLD_VALID = 3

DENY_THRESHOLD_ROOT = 3


DENY_THRESHOLD_RESTRICTED = 1

WORK_DIR = /usr/share/denyhosts/data

SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES

HOSTNAME_LOOKUP=YES


LOCK_FILE = /var/lock/subsys/denyhosts


       ############ THESE SETTINGS ARE OPTIONAL ############


ADMIN_EMAIL =

SMTP_HOST = localhost
SMTP_PORT = 25


SMTP_FROM = DenyHosts <nobody@localhost>

 

SMTP_SUBJECT = DenyHosts Report

 


AGE_RESET_VALID=5d

AGE_RESET_ROOT=25d

AGE_RESET_RESTRICTED=25d


AGE_RESET_INVALID=10d

 

  ######### THESE SETTINGS ARE SPECIFIC TO DAEMON MODE  ##########

 

DAEMON_LOG = /var/log/denyhosts

 


DAEMON_SLEEP = 30s

DAEMON_PURGE = 1h


   #########   THESE SETTINGS ARE SPECIFIC TO     ##########
   #########       DAEMON SYNCHRONIZATION         ##########

 10.設置開機啓動腳本
[root@opensips ~]# cd /etc/init.d
[root@opensips init.d]# ln -s /usr/share/denyhosts/daemon-control denyhosts
[root@opensips init.d]# chkconfig --add denyhosts
[root@opensips init.d]# chkconfig --level 35 denyhosts on


11.啓動DenyHosts
[root@opensips ~]# service denyhosts start

starting DenyHosts:    /usr/bin/env python /usr/bin/denyhosts.py --daemon --config=/usr/share/denyhosts/denyhosts.cfg

 
