Linux下檢測SSH暴力破解***與防護功能

網絡上無聊的人一大堆，SSH端口密碼掃描破解的人也很多，如果你的VPS被攻破那麼會被用來***別人（如DDOS***），那麼遇到嚴格的服務商，那麼就會被關閉或者永久關閉，下面微飯給大家推薦個檢測SSH破解及防護方法。

SSH暴力破解檢測方法
如果你CPU/內存異常爆表，連接速度極慢，有異常進程等情況，有可能你的VPS被人掃描破解或者已經淪陷。。
可以用此方法檢測下多少人在“盯着”你的VPS

# cat /var/log/secure | awk '/Failed/{print $(NF-3)}' | sort | uniq -c | awk '{print $2" = "$1;}'

1	# cat /var/log/secure | awk '/Failed/{print $(NF-3)}' | sort | uniq -c | awk '{print $2" = "$1;}'

通過上面的命令可以查看有哪些IP嘗試過連接和破解次數，如下所示：

109.74.209.197 = 9113.195.145.70 = 740113.195.145.85 = 1038115.197.42.232 = 3115.239.212.132 = 19115.239.212.133 = 14115.239.212.134 = 17115.239.212.135 = 18115.239.212.136 = 16115.239.212.137 = 23115.239.212.138 = 16115.239.212.139 = 14115.47.26.53 = 10117.245.5.85 = 6118.69.223.246 = 28121.247.3.54 = 4123.141.29.11 = 31125.211.222.103 = 32128.199.84.180 = 771138.94.87.253 = 614.140.241.75 = 114.177.108.180 = 1158.69.195.20 = 74161.202.147.197 = 15161.202.41.20 = 15169.229.3.91 = 1177.220.212.90 = 131.85.21.39 = 31.85.62.39 = 24186.215.198.163 = 5187.110.243.90 = 1187.210.107.242 = 32188.130.145.134 = 18189.28.243.113 = 3191.243.17.43 = 1193.104.41.54 = 9193.189.117.120 = 1193.95.84.205 = 32198.251.79.54 = 38202.126.93.18 = 32202.198.129.78 = 32218.57.241.59 = 1218.98.39.43 = 30220.225.7.31 = 1221.232.129.51 = 61222.186.21.113 = 20222.186.50.141 = 1222.21.43.56 = 1227.254.67.185 = 227.75.167.208 = 837.58.97.4 = 1543.229.53.12 = 794743.229.53.50 = 5004346.146.220.219 = 146.161.40.34 = 650.57.160.46 = 27451.254.142.83 = 455.140.213.177 = 158.185.2.22 = 9785.8.66.101 = 359.29.245.226 = 3259.45.79.116 = 1050679.60.38.244 = 580.82.64.109 = 1780.82.78.57 = 181.18.133.246 = 182.138.1.118 = 3285.93.5.64 = 285.93.5.65 = 285.93.5.66 = 189.23.194.194 = 491.211.132.9 = 2493.190.143.30 = 1293.95.214.120 = 494.102.49.125 = 15

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75

109.74.209.197 = 9 113.195.145.70 = 740 113.195.145.85 = 1038 115.197.42.232 = 3 115.239.212.132 = 19 115.239.212.133 = 14 115.239.212.134 = 17 115.239.212.135 = 18 115.239.212.136 = 16 115.239.212.137 = 23 115.239.212.138 = 16 115.239.212.139 = 14 115.47.26.53 = 10 117.245.5.85 = 6 118.69.223.246 = 28 121.247.3.54 = 4 123.141.29.11 = 31 125.211.222.103 = 32 128.199.84.180 = 771 138.94.87.253 = 6 14.140.241.75 = 1 14.177.108.180 = 1 158.69.195.20 = 74 161.202.147.197 = 15 161.202.41.20 = 15 169.229.3.91 = 1 177.220.212.90 = 13 1.85.21.39 = 3 1.85.62.39 = 24 186.215.198.163 = 5 187.110.243.90 = 1 187.210.107.242 = 32 188.130.145.134 = 18 189.28.243.113 = 3 191.243.17.43 = 1 193.104.41.54 = 9 193.189.117.120 = 1 193.95.84.205 = 32 198.251.79.54 = 38 202.126.93.18 = 32 202.198.129.78 = 32 218.57.241.59 = 1 218.98.39.43 = 30 220.225.7.31 = 1 221.232.129.51 = 61 222.186.21.113 = 20 222.186.50.141 = 1 222.21.43.56 = 12 27.254.67.185 = 2 27.75.167.208 = 8 37.58.97.4 = 15 43.229.53.12 = 7947 43.229.53.50 = 50043 46.146.220.219 = 1 46.161.40.34 = 6 50.57.160.46 = 274 51.254.142.83 = 45 5.140.213.177 = 1 58.185.2.22 = 978 5.8.66.101 = 3 59.29.245.226 = 32 59.45.79.116 = 10506 79.60.38.244 = 5 80.82.64.109 = 17 80.82.78.57 = 1 81.18.133.246 = 1 82.138.1.118 = 32 85.93.5.64 = 2 85.93.5.65 = 2 85.93.5.66 = 1 89.23.194.194 = 4 91.211.132.9 = 24 93.190.143.30 = 12 93.95.214.120 = 4 94.102.49.125 = 15

DenyHosts安裝與配置演示:
1、下載DenyHosts 並解壓

# wget http://soft.vpser.net/security/denyhosts/DenyHosts-2.6.tar.gz# tar zxvf DenyHosts-2.6.tar.gz# cd DenyHosts-2.6

1 2 3

# wget http://soft.vpser.net/security/denyhosts/DenyHosts-2.6.tar.gz # tar zxvf DenyHosts-2.6.tar.gz # cd DenyHosts-2.6

2、安裝、配置和啓動

安裝前建議執行：

echo "" > /var/log/secure && service rsyslog restart # 清空以前的日誌並重啓一下rsyslog

1	echo "" > /var/log/secure && service rsyslog restart # 清空以前的日誌並重啓一下rsyslog

# python setup.py install

1	# python setup.py install

因爲DenyHosts是基於python的，所以要已安裝python，大部分Linux發行版一般都有。默認是安裝到/usr/share/denyhosts/目錄的,進入相應的目錄修改配置文件

# cd /usr/share/denyhosts/# cp denyhosts.cfg-dist denyhosts.cfg# cp daemon-control-dist daemon-control

1 2 3

# cd /usr/share/denyhosts/ # cp denyhosts.cfg-dist denyhosts.cfg # cp daemon-control-dist daemon-control

默認的設置已經可以適合centos系統環境，你們可以使用vi

命令查看一下denyhosts.cfg和daemon-control，裏面有詳細的解釋
接着使用下面命令啓動denyhosts程序

# chown root daemon-control# chmod 700 daemon-control# ./daemon-control start

1 2 3

# chown root daemon-control # chmod 700 daemon-control # ./daemon-control start

如果要使DenyHosts每次重起後自動啓動還需做如下設置：

# ln -sf /usr/share/denyhosts/daemon-control /etc/init.d/denyhosts# chkconfig --add denyhosts# chkconfig --level 2345 denyhosts on

1 2 3

# ln -sf /usr/share/denyhosts/daemon-control /etc/init.d/denyhosts # chkconfig --add denyhosts # chkconfig --level 2345 denyhosts on

或者執行下面的命令加入開機啓動，將會修改/etc/rc.local文件：

# echo "/usr/share/denyhosts/daemon-control start" >> /etc/rc.local

1	# echo "/usr/share/denyhosts/daemon-control start" >> /etc/rc.local

DenyHosts配置文件/usr/share/denyhosts/denyhosts.cfg說明：

SECURE_LOG = /var/log/secure#sshd日誌文件，它是根據這個文件來判斷的，不同的操作系統，文件名稍有不同。HOSTS_DENY = /etc/hosts.deny#控制用戶登陸的文件PURGE_DENY = 5mDAEMON_PURGE = 5m#過多久後清除已經禁止的IP，如5m（5分鐘）、5h（5小時）、5d（5天）、5w（5周）、1y（一年）BLOCK_SERVICE = sshd#禁止的服務名，可以只限制不允許訪問ssh服務，也可以選擇ALLDENY_THRESHOLD_INVALID = 5#允許無效用戶失敗的次數DENY_THRESHOLD_VALID = 10#允許普通用戶登陸失敗的次數DENY_THRESHOLD_ROOT = 5#允許root登陸失敗的次數HOSTNAME_LOOKUP=NO#是否做域名反解DAEMON_LOG = /var/log/denyhosts

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26

SECURE_LOG = /var/log/secure #sshd日誌文件，它是根據這個文件來判斷的，不同的操作系統，文件名稍有不同。   HOSTS_DENY = /etc/hosts.deny #控制用戶登陸的文件   PURGE_DENY = 5m DAEMON_PURGE = 5m #過多久後清除已經禁止的IP，如5m（5分鐘）、5h（5小時）、5d（5天）、5w（5周）、1y（一年）   BLOCK_SERVICE = sshd #禁止的服務名，可以只限制不允許訪問ssh服務，也可以選擇ALL   DENY_THRESHOLD_INVALID = 5 #允許無效用戶失敗的次數   DENY_THRESHOLD_VALID = 10 #允許普通用戶登陸失敗的次數   DENY_THRESHOLD_ROOT = 5 #允許root登陸失敗的次數   HOSTNAME_LOOKUP=NO #是否做域名反解   DAEMON_LOG = /var/log/denyhosts

爲 防止自己的IP被屏蔽，可以：echo “你的IP” >> /usr/share/denyhosts/allowed-hosts 將你的IP加入白名單，再重啓DenyHosts：/etc/init.d/denyhosts ，如果已經被封，需要先按下面的命令刪除被封IP後再加白名單。

如有IP被誤封，可以執行下面的命令解封：wget http://soft.vpser.net/security/denyhosts/denyhosts_removeip.sh && bash denyhost_removeip.sh 要解封的IP

查看***ip 記錄

# cat /etc/hosts.deny

1	# cat /etc/hosts.deny