DenyHosts Installation and Troubleshooting

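While reviewing the Linux system logs recently, I found many unfamiliar public IP addresses continuously brute-forcing the server, trying to guess system accounts and passwords. Besides setting a strong password, DenyHosts can be used to restrict this unfriendly access.
DenyHosts is a script written in Python. It analyzes the sshd log file, and when it detects repeated attacks it records the IP in /etc/hosts.deny, which blocks the IP automatically. See the original documentation for details: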

 

What is DenyHosts?
DenyHosts is a script intended to be run by Linux system administrators to help thwart SSH server attacks (also known as dictionary based attacks and brute force attacks).
If you've ever looked at your ssh log (/var/log/secure on Redhat, /var/log/auth.log on Mandrake, etc...) you may be alarmed to see how many hackers attempted to gain access to your server. Hopefully, none of them were successful (but then again, how would you know?). Wouldn't it be better to automatically prevent that attacker from continuing to gain entry into your system?

 

I. Installation

1. Install DenyHosts
The version I downloaded is DenyHosts-2.6.tar.gz. Put the file under /root/soft.
Installation steps:
# cd /root/soft
# tar -zxvf DenyHosts-2.6.tar.gz
# cd DenyHosts-2.6
# python setup.py install
By default it is installed into the /usr/share/denyhosts directory.
2. Configuration
First, register denyhosts as a service.
In /usr/share/denyhosts:
# cp daemon-control-dist daemon-control  //create the run script, daemon-control, from the template
# chown root daemon-control
# chmod 700 daemon-control
Change to /etc/init.d:
# cd /etc/init.d

# ln -s /usr/share/denyhosts/daemon-control denyhost  //symlink the script into init.d under the name denyhost

# chkconfig --add denyhost //register it as the denyhost service

# chkconfig --level 2345 denyhost on //start it at boot; alternatively, add the line /usr/share/denyhosts/daemon-control start to /etc/rc.local

Then edit the configuration file:

# cd /usr/share/denyhosts/
# cp denyhosts.cfg-dist denyhosts.cfg
# vi denyhosts.cfg
The specific changes are as follows:
# vi /usr/share/denyhosts/denyhosts.cfg

 

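SECURE_LOG = /var/log/secure
# The ssh log file; DenyHosts bases its decisions on this file.

HOSTS_DENY = /etc/hosts.deny
# The file that controls which hosts may log in.

PURGE_DENY = 5m
# How long before blocked entries are purged.

BLOCK_SERVICE  = sshd
# The name of the service to block.

DENY_THRESHOLD_INVALID = 1
# Number of failed logins allowed for invalid users.

DENY_THRESHOLD_VALID = 10
# Number of failed logins allowed for ordinary users.

DENY_THRESHOLD_ROOT = 5
# Number of failed logins allowed for root.

HOSTNAME_LOOKUP=NO
# Whether to do reverse DNS lookups.

ADMIN_EMAIL = your email address
# The administrator's email address; DenyHosts sends mail to the administrator.

DAEMON_LOG = /var/log/denyhosts
# DenyHosts' own log file.

Under normal circumstances, after this installation it can be started with: service denyhost start
The blocked IP addresses appear in /etc/hosts.deny.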
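
The threshold settings above, as an added example (not DenyHosts' own code and not from the original post): it counts sshd "Failed password" lines per source address and applies the three DENY_THRESHOLD_* values to produce hosts.deny entries. It assumes the common OpenSSH log line format, that a host is blocked once its failures exceed the threshold, and the "sshd: <ip>" entry form; the log lines are constructed samples.

```python
import re
from collections import defaultdict

# Thresholds from the denyhosts.cfg above: failures allowed per user class.
THRESHOLDS = {"invalid": 1, "valid": 10, "root": 5}

# Assumed OpenSSH "Failed password" line format. The user name is supplied by
# the client, so match it greedily and take the address from the end of the line.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>.*) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+(?: ssh2)?$"
)


def classify(match):
    """Map a failed login to the threshold class that applies to it."""
    if match.group("invalid"):
        return "invalid"
    return "root" if match.group("user") == "root" else "valid"


def hosts_to_deny(lines, thresholds=THRESHOLDS, service="sshd"):
    """Return hosts.deny entries for addresses that exceeded any threshold."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = FAILED.search(line.rstrip())
        if m:
            counts[m.group("ip")][classify(m)] += 1
    denied = sorted(ip for ip, seen in counts.items()
                    if any(seen[k] > limit for k, limit in thresholds.items()))
    return ["%s: %s" % (service, ip) for ip in denied]


def sample_log():
    """Constructed /var/log/secure lines using documentation address ranges."""
    fmt = "Mar  3 10:15:%02d host sshd[%d]: Failed password for %s from %s port 40022 ssh2"
    events = ([("invalid user admin", "203.0.113.5")] * 2   # exceeds 1
              + [("root", "198.51.100.7")] * 6              # exceeds 5
              + [("alice", "192.0.2.9")] * 3)               # within 10
    lines = [fmt % (i, 2000 + i, who, ip) for i, (who, ip) in enumerate(events)]
    lines.append("Mar  3 10:16:00 host sshd[2100]: Accepted password for alice "
                 "from 192.0.2.9 port 40022 ssh2")
    return lines


if __name__ == "__main__":
    print("\n".join(hosts_to_deny(sample_log())))
```
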

 


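II. Troubleshooting

When running the start command, an error reports that denyhosts.py cannot be opened because there is no such file or directory. For example: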

 

#service denyhost start

starting DenyHosts:   /usr/bin/env python /usr/bin/denyhosts.py --daemon --config=/usr/share/denyhosts/denyhosts.cfg

python: can't open file '/usr/bin/denyhosts.py': [Errno 2] No such file or directory

After searching, I found that denyhosts.py is in the /usr/local/bin/ directory, so I edited the daemon-control file:
#vi daemon-control
DENYHOSTS_BIN   = "/usr/bin/denyhosts.py"
DENYHOSTS_LOCK  = "/var/lock/subsys/denyhosts"
DENYHOSTS_CFG   = "/usr/share/denyhosts/denyhosts.cfg"

 

Change the first line to DENYHOSTS_BIN   = "/usr/local/bin/denyhosts.py"
Running it again produces another error, this time a Python import error. For example:
Traceback (most recent call last):

File "/usr/local/bin/denyhosts.py", line 5, in

import DenyHosts.python_version

ImportError: No module named DenyHosts.python_version

At this point the error is fairly clear. After some searching I found that a Python version mismatch causes this problem.

Analysis showed the cause: this machine already had Python 2.4, installed via rpm, with the default path /usr/lib/python2.4. To upgrade to Python 2.5 I did not uninstall the 2.4 version; I compiled and installed Python 2.5 without configuring an install path, so it went to the default /usr/local/lib/python2.5. The currently active Python environment is 2.5, and probably because the DenyHosts installer picks its install location from the environment, it installed the DenyHosts folder under /usr/local/lib/python2.5/site-packages. When DenyHosts runs, the script uses the Python under /usr/lib/python* (I have not yet found where in the script this is specified), so the import of DenyHosts.python_version fails and this error appears.
The quickest fix is to copy the whole DenyHosts folder from /usr/local/lib/python2.5/site-packages into the 2.4 installation directory.
Change to the /usr/local/lib/python2.5/site-packages/ directory:
#cd /usr/local/lib/python2.5/site-packages/
#cp -rp DenyHosts /usr/lib/python2.4/site-packages/
After this, DenyHosts can be started.
Reference: The root cause is that python was upgraded from 2.4 to 2.5. So now denyhosts (and other python scripts) are working from a different directory. Why does this make a difference? The DenyHosts python scripts are located under /usr/lib/python2.4/site-packages/DenyHosts which, unless the script specifies that it is using the old 2.4 environment (DenyHosts doesn’t) then it will look in the new environment location, /usr/lib/python2.5/site-packages/DenyHosts, which of course, doesn’t exist. The quick fix is to cp over the DenyHost directory to the python 2.5 tree.
Link: http://www.linuxscope.com/~ptader/?p=232