提示:文章写完后,目录可以自动生成,如何生成可参考右边的帮助文档
前言
今天服务器又被攻击了,防火墙也打开了,由于服务器需要对外提供服务,避免不了开放几个外部端口,所以增强防护才是王道。翻开/var/log/auth.log的日志发现很多外国的ip再请求我的端口,庆幸的是都被拒绝掉了,这应该是反复实验端口并试图找到漏洞。我准备增加denyhosts的服务,自动将一些外部攻击给加到黑名单里面。
一、denyhosts是什么?
DenyHosts has been developed by Phil Schwartz.
The idea of denying access to SSH servers is nothing new and I was inspired by many other scripts that I discovered. However, none of them did things the way I envisioned them to. Also, they were all shell scripts which do not offer the elegance of Python.
Denyhosts provides SSH attack prevention and is used by thousands of users worldwide. You can view DenyHosts synchronization stats.
看不懂没关系,简而言之它就是一个保护你的电脑防止侵害的工具,自动扫描外部攻击并将ip加到拒绝访问里面去。
二、安装denyhosts
现在官网已经推出了3.0版本,所以这篇文章基于denyhosts-3.0版本配置,2.0版本可能有一定的差别,请自行研究安装。
1.下载安装包
Ubuntu官方是没有denyhost的deb包的,我们需要到denyhosts的官网下载压缩包并自行安装。
denyhosts官网连接
点进去之后找到左上角的Download并点进去
会进入一个下载网站,点击下载即可,压缩包很小,才70kb左右。或者一步到位直接点下面的网址连接:压缩包下载链接
之所以导航到官网是因为官网里面有详细的配置可以看,denyhosts的配置项相当多,最好确认之后再打开,否则可能会导致服务器登录不了的情况。
2.安装
安装目前可以确定再Ubuntu-18和Ubuntu-20是行的,其他的暂未测试。
你下载的软件版本可能不是3.0,安装方法一样的。
unzip denyhosts-3.0.zip
cd denyhosts-3.0
sudo python setup.py install
等待安装结束,一定要使用sudo权限,将denyhosts保护起来,防止本身被破坏。
3.配置
配置才是重头戏,因为是全英文的,可以搭配谷歌翻译看下。
每一项都要认真看,不懂得就按默认配置来,不要随意打开(去掉#注释)
下面列出几个重要得配置供参考:
############ THESE SETTINGS ARE REQUIRED ############
########################################################################
#
# SECURE_LOG: the log file that contains sshd logging info
# if you are not sure, grep "sshd:" /var/log/*
#
# The file to process can be overridden with the --file command line
# argument
#
# Redhat or Fedora Core:
#SECURE_LOG = /var/log/secure
#
# Mandrake, FreeBSD or OpenBSD:
#SECURE_LOG = /var/log/auth.log
#
# SuSE or Gentoo:
#SECURE_LOG = /var/log/messages
#
# Mac OS X (v10.4 or greater -
# also refer to: http://www.denyhost.net/faq.html#macos
#SECURE_LOG = /private/var/log/asl.log
#
# Mac OS X (v10.3 or earlier):
#SECURE_LOG=/private/var/log/system.log
#
# Debian and Ubuntu
SECURE_LOG = /var/log/auth.log #Ubuntu保存认证的日志文件,保持默认
########################################################################
########################################################################
#
# HOSTS_DENY: the file which contains restricted host access information
#
# Most operating systems:
HOSTS_DENY = /etc/hosts.deny #写入禁止hosts名录的位置,保持默认
#
# Some BSD (FreeBSD) Unixes:
#HOSTS_DENY = /etc/hosts.allow
#
# Another possibility (also see the next option):
#HOSTS_DENY = /etc/hosts.evil
#######################################################################
########################################################################
#
# PURGE_DENY: removed HOSTS_DENY entries that are older than this time
# when DenyHosts is invoked with the --purge flag
#
# format is: i[dhwmy]
# Where 'i' is an integer (eg. 7)
# 'm' = minutes
# 'h' = hours
# 'd' = days
# 'w' = weeks
# 'y' = years
#
# never purge:
PURGE_DENY = 1h #禁止这个hosts多长时间,超过时间解除禁止,上面的是单位,按照需要配置
#
# purge entries older than 1 week
#PURGE_DENY = 1w #未打开,可选项1星期
#
# purge entries older than 5 days
#PURGE_DENY = 5d #未打开,可选项5天
#######################################################################
#######################################################################
#
# PURGE_THRESHOLD: defines the maximum times a host will be purged.
# Once this value has been exceeded then this host will not be purged.
# Setting this parameter to 0 (the default) disables this feature.
#
# default: a denied host can be purged/re-added indefinitely
#PURGE_THRESHOLD = 0
#
# a denied host will be purged at most 2 times.
#PURGE_THRESHOLD = 2
#
# a denied host will be purged at most 3 times.
PURGE_THRESHOLD = 3 # 事不过3,对于解除禁止的hosts有几次解除机会,超过这个次数永久禁止
#
#######################################################################
#######################################################################
#
# BLOCK_SERVICE: the service name that should be blocked in HOSTS_DENY
#
# man 5 hosts_access for details
#
# eg. sshd: 127.0.0.1 # will block sshd logins from 127.0.0.1
#
# To block all services for the offending host:
#BLOCK_SERVICE = ALL
# To block only sshd:
BLOCK_SERVICE = sshd # 禁止的服务,意思是监控sshd的行为
# To only record the offending host and nothing else (if using
# an auxilary file to list the hosts). Refer to:
# http://denyhost.sourceforge.net/faq.html#aux
#BLOCK_SERVICE =
#
#######################################################################
#######################################################################
#
# DENY_THRESHOLD_INVALID: block each host after the number of failed login
# attempts has exceeded this value. This value applies to invalid
# user login attempts (eg. non-existent user accounts)
#
DENY_THRESHOLD_INVALID = 3 # 允许无效用户登陆失败的次数
#
#######################################################################
#######################################################################
#
# DENY_THRESHOLD_VALID: block each host after the number of failed
# login attempts has exceeded this value. This value applies to valid
# user login attempts (eg. user accounts that exist in /etc/passwd) except
# for the "root" user
#
DENY_THRESHOLD_VALID = 5 # 允许普通用户登录失败的次数
#
#######################################################################
#######################################################################
#
# DENY_THRESHOLD_ROOT: block each host after the number of failed
# login attempts has exceeded this value. This value applies to
# "root" user login attempts only.
#
DENY_THRESHOLD_ROOT = 2 # 允许root用户登录失败的次数
#
#######################################################################
#######################################################################
#
# DENY_THRESHOLD_RESTRICTED: block each host after the number of failed
# login attempts has exceeded this value. This value applies to
# usernames that appear in the WORK_DIR/restricted-usernames file only.
#
DENY_THRESHOLD_RESTRICTED = 1
#
#######################################################################
#######################################################################
#
# WORK_DIR: the path that DenyHosts will use for writing data to
# (it will be created if it does not already exist).
#
# Note: it is recommended that you use an absolute pathname
# for this value (eg. /home/foo/denyhost/data)
#
WORK_DIR = /var/lib/denyhosts # 工作目录,维持默认
#
#######################################################################
#######################################################################
#
# ETC_DIR: the path that DenyHosts will use for reading data when
# we need configuration information.
#
# Note: it is recommended that you use an absolute pathname
# for this value (eg. /etc or /usr/local/etc)
#
ETC_DIR = /etc # 维持默认
#
#######################################################################
#######################################################################
#
# SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS
#
# SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES|NO
# If set to YES, if a suspicious login attempt results from an allowed-host
# then it is considered suspicious. If this is NO, then suspicious logins
# from allowed-hosts will not be reported. All suspicious logins from
# ip addresses that are not in allowed-hosts will always be reported.
#
SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES
######################################################################
######################################################################
#
# HOSTNAME_LOOKUP
#
# HOSTNAME_LOOKUP=YES|NO
# If set to YES, for each IP address that is reported by Denyhosts,
# the corresponding hostname will be looked up and reported as well
# (if available).
#
HOSTNAME_LOOKUP=NO # 域名反解
#
######################################################################
######################################################################
#
# LOCK_FILE
#
# LOCK_FILE=/path/denyhosts
# If this file exists when DenyHosts is run, then DenyHosts will exit
# immediately. Otherwise, this file will be created upon invocation
# and deleted upon exit. This ensures that only one instance is
# running at a time.
#
# Redhat/Fedora:
#LOCK_FILE = /var/lock/subsys/denyhosts
#
# Debian or Gentoo
LOCK_FILE = /var/run/denyhosts.pid # pid文件,维持默认
#
# Misc
#LOCK_FILE = /tmp/denyhosts.lock
#
######################################################################
############ THESE SETTINGS ARE OPTIONAL ############
#######################################################################
#
# IPTABLES: if you would like DenyHost to block incoming connections
# using the Linux firewall IPTABLES, then set the following variable
# to the path of the iptables executable. Typically this is
# /sbin/iptables
# If this option is not set or commented out then the iptables
# firewall is not used.
IPTABLES = /sbin/iptables # 防火墙前端程序,维持默认
#
# Warning: If you are running IPTABLES, please make sure to comment
# out the PFCTL_PATH and the PF_TABLE variables below. PF and
# IPTABLES should not be running together on the same operating system.
#
# By default DenyHost will ask IPTables to block incoming connections
# from an aggressive host on ALL ports. While this is usually a good
# idea, it may prevent some botted machines from being able to access
# services their legitmate users want, like a web server. To only
# block specific ports, enable the following option.
# BLOCKPORT = 22
#
#######################################################################
#######################################################################
#
# On FreeBSD/OpenBSD/TrueOS/PC-BSD/NetBSD/OS X we may want to block incoming
# traffic using the PF firewall instead of the hosts.deny file
# (aka tcp_wrapper).
# The admin can set up a PF table that is persistent
# and DenyHost can add new addresses to be blocked to that table.
# The TrueOS operating system enables this by default, blocking
# all addresses in the "blacklist" table.
#
# To have DenyHost update the blocking PF table in real time, uncomment
# these next two options. Make sure the table name specificed
# is one created in the pf.conf file of your operating system.
# The PFCTL_PATH variable must point to the pfctl extectuable on your OS.
# PFCTL_PATH = /sbin/pfctl
# PF_TABLE = blacklist
# Note, a good rule to have in your pf.conf file to enable the
# blacklist table is:
#
# table <blacklist> persist file "/etc/blacklist"
# block in quick from <blacklist> to any
#
# Warning: If you are using PF, please make sure to disable the
# IPTABLES rule above as these two packet filters should not be
# run together on the same operating system.
# Note: Even if you decide to run DenyHost with PF filtering
# only and no hosts.deny support, please still create an empty
# file called /etc/hosts.deny for backward compatibility.
# Also, please make sure PF is enabled prior to launching
# DenyHosts. To do this run "pfctl -e".
#
# To write all blocked hosts to a PF table file enable this next option.
# This will make hosts added to the PF table persistent across reboots.
# PF_TABLE_FILE = /etc/blacklist
#
#######################################################################
#######################################################################
#
# ADMIN_EMAIL: if you would like to receive emails regarding newly
# restricted hosts and suspicious logins, set this address to
# match your email address. If you do not want to receive these reports
# leave this field blank (or run with the --noemail option)
#
# Multiple email addresses can be delimited by a comma, eg:
# ADMIN_EMAIL = [email protected], [email protected], [email protected]
#
ADMIN_EMAIL = root@localhost # 给管理员发邮件,有需要改,可能需要配置邮件服务
#
#######################################################################
#######################################################################
#
# SMTP_HOST and SMTP_PORT: if DenyHosts is configured to email
# reports (see ADMIN_EMAIL) then these settings specify the
# email server address (SMTP_HOST) and the server port (SMTP_PORT)
#
#
SMTP_HOST = localhost # 邮件相关 host,按照需要配置或维持默认
SMTP_PORT = 25 # 邮件相关 port,按照需要配置或维持默认
#
#######################################################################
#######################################################################
#
# SMTP_USERNAME and SMTP_PASSWORD: set these parameters if your
# smtp email server requires authentication
#
#SMTP_USERNAME=foo # 邮件相关,按照需要配置或维持默认
#SMTP_PASSWORD=bar # 邮件相关,按照需要配置或维持默认
#
######################################################################
#######################################################################
#
# SMTP_FROM: you can specify the "From:" address in messages sent
# from DenyHosts when it reports thwarted abuse attempts
#
SMTP_FROM = DenyHosts <nobody@localhost> # 邮件相关,按照需要配置或维持默认
#
#######################################################################
#######################################################################
#
# SMTP_SUBJECT: you can specify the "Subject:" of messages sent
# by DenyHosts when it reports thwarted abuse attempts
SMTP_SUBJECT = DenyHosts Report # 邮件相关,按照需要配置或维持默认
#
######################################################################
######################################################################
#
# SMTP_DATE_FORMAT: specifies the format used for the "Date:" header
# when sending email messages.
#
# for possible values for this parameter refer to: man strftime
#
# the default:
#
#SMTP_DATE_FORMAT = %a, %d %b %Y %H:%M:%S %z # 邮件相关,按照需要配置或维持默认
#
######################################################################
######################################################################
#
# SYSLOG_REPORT
#
# SYSLOG_REPORT=YES|NO # 是否将事件记录到syslog,denyhosts本身有日志,维持默认
# If set to yes, when denied hosts are recorded the report data
# will be sent to syslog (syslog must be present on your system).
# The default is: NO
#
#SYSLOG_REPORT=NO
#
#SYSLOG_REPORT=YES
#
######################################################################
######################################################################
#
# ALLOWED_HOSTS_HOSTNAME_LOOKUP
#
# ALLOWED_HOSTS_HOSTNAME_LOOKUP=YES|NO
# If set to YES, for each entry in the WORK_DIR/allowed-hosts file,
# the hostname will be looked up. If your versions of tcp_wrappers
# and sshd sometimes log hostnames in addition to ip addresses
# then you may wish to specify this option.
#
ALLOWED_HOSTS_HOSTNAME_LOOKUP=NO # 维持原样
#
######################################################################
######################################################################
#
# AGE_RESET_VALID: Specifies the period of time between failed login
# attempts that, when exceeded will result in the failed count for
# this host to be reset to 0. This value applies to login attempts
# to all valid users (those within /etc/passwd) with the
# exception of root. If not defined, this count will never
# be reset.
#
# See the comments in the PURGE_DENY section (above)
# for details on specifying this value or for complete details
# refer to: http://denyhost.sourceforge.net/faq.html#timespec
#
AGE_RESET_VALID=5d # 维持原样
#
######################################################################
######################################################################
#
# AGE_RESET_ROOT: Specifies the period of time between failed login
# attempts that, when exceeded will result in the failed count for
# this host to be reset to 0. This value applies to all login
# attempts to the "root" user account. If not defined,
# this count will never be reset.
#
# See the comments in the PURGE_DENY section (above)
# for details on specifying this value or for complete details
# refer to: http://denyhost.sourceforge.net/faq.html#timespec
#
AGE_RESET_ROOT=25d # 维持原样
#
######################################################################
######################################################################
#
# AGE_RESET_RESTRICTED: Specifies the period of time between failed login
# attempts that, when exceeded will result in the failed count for
# this host to be reset to 0. This value applies to all login
# attempts to entries found in the WORK_DIR/restricted-usernames file.
# If not defined, the count will never be reset.
#
# See the comments in the PURGE_DENY section (above)
# for details on specifying this value or for complete details
# refer to: http://denyhost.sourceforge.net/faq.html#timespec
#
AGE_RESET_RESTRICTED=25d # 维持原样
#
######################################################################
######################################################################
#
# AGE_RESET_INVALID: Specifies the period of time between failed login
# attempts that, when exceeded will result in the failed count for
# this host to be reset to 0. This value applies to login attempts
# made to any invalid username (those that do not appear
# in /etc/passwd). If not defined, count will never be reset.
#
# See the comments in the PURGE_DENY section (above)
# for details on specifying this value or for complete details
# refer to: http://denyhost.sourceforge.net/faq.html#timespec
#
AGE_RESET_INVALID=10d # 维持原样
#
######################################################################
######################################################################
#
# RESET_ON_SUCCESS: If this parameter is set to "yes" then the
# failed count for the respective ip address will be reset to 0
# if the login is successful.
#
# The default is RESET_ON_SUCCESS = no
#
#RESET_ON_SUCCESS = yes
#
#####################################################################
######################################################################
#
# PLUGIN_DENY: If set, this value should point to an executable
# program that will be invoked when a host is added to the
# HOSTS_DENY file. This executable will be passed the host
# that will be added as its only argument.
#
#PLUGIN_DENY=/usr/bin/true
#
######################################################################
######################################################################
#
# PLUGIN_PURGE: If set, this value should point to an executable
# program that will be invoked when a host is removed from the
# HOSTS_DENY file. This executable will be passed the host
# that is to be purged as it's only argument.
#
#PLUGIN_PURGE=/usr/bin/true
#
######################################################################
######################################################################
#
# USERDEF_FAILED_ENTRY_REGEX: if set, this value should contain
# a regular expression that can be used to identify additional
# hackers for your particular ssh configuration. This functionality
# extends the built-in regular expressions that DenyHosts uses.
# This parameter can be specified multiple times.
# See this faq entry for more details:
# http://denyhost.sf.net/faq.html#userdef_regex
#
#USERDEF_FAILED_ENTRY_REGEX=
#
#
######################################################################
######### THESE SETTINGS ARE SPECIFIC TO DAEMON MODE ##########
#######################################################################
#
# DAEMON_LOG: when DenyHosts is run in daemon mode (--daemon flag)
# this is the logfile that DenyHosts uses to report its status.
# To disable logging, leave blank. (default is: /var/log/denyhosts)
#
DAEMON_LOG = /var/log/denyhosts # denyhosts的事件日志
#
# disable logging:
#DAEMON_LOG =
#
######################################################################
#######################################################################
#
# DAEMON_LOG_TIME_FORMAT: when DenyHosts is run in daemon mode
# (--daemon flag) this specifies the timestamp format of
# the DAEMON_LOG messages (default is the ISO8061 format:
# ie. 2005-07-22 10:38:01,745)
#
# for possible values for this parameter refer to: man strftime
#
# Jan 1 13:05:59
#DAEMON_LOG_TIME_FORMAT = %b %d %H:%M:%S
#
# Jan 1 01:05:59
#DAEMON_LOG_TIME_FORMAT = %b %d %I:%M:%S
#
######################################################################
#######################################################################
#
# DAEMON_LOG_MESSAGE_FORMAT: when DenyHosts is run in daemon mode
# (--daemon flag) this specifies the message format of each logged
# entry. By default the following format is used:
#
# %(asctime)s - %(name)-12s: %(levelname)-8s %(message)s
#
# Where the "%(asctime)s" portion is expanded to the format
# defined by DAEMON_LOG_TIME_FORMAT
#
# This string is passed to python's logging.Formatter contstuctor.
# For details on the possible format types please refer to:
# http://docs.python.org/lib/node357.html
#
# This is the default:
#DAEMON_LOG_MESSAGE_FORMAT = %(asctime)s - %(name)-12s: %(levelname)-8s %(message)s
#
#
######################################################################
#######################################################################
#
# DAEMON_SLEEP: when DenyHosts is run in daemon mode (--daemon flag)
# this is the amount of time DenyHosts will sleep between polling
# the SECURE_LOG. See the comments in the PURGE_DENY section (above)
# for details on specifying this value or for complete details
# refer to: http://denyhost.sourceforge.net/faq.html#timespec
#
#
DAEMON_SLEEP = 30s # 拉取安全日志的时间间隔
#
#######################################################################
#######################################################################
#
# DAEMON_PURGE: How often should DenyHosts, when run in daemon mode,
# run the purge mechanism to expire old entries in HOSTS_DENY
# This has no effect if PURGE_DENY is blank.
#
DAEMON_PURGE = 1h # 多长时间检测一次应当从黑名单剔除的host
#
#######################################################################
######### THESE SETTINGS ARE SPECIFIC TO ##########
######### DAEMON SYNCHRONIZATION ##########
#######################################################################
#
# Synchronization mode allows the DenyHosts daemon the ability
# to periodically send and receive denied host data such that
# DenyHosts daemons worldwide can automatically inform one
# another regarding banned hosts. This mode is disabled by
# default, you must uncomment SYNC_SERVER to enable this mode.
#
# for more information, please refer to:
# http:/denyhost.sourceforge.net/faq.html
#
#######################################################################
#######################################################################
#
# SYNC_SERVER: The central server that communicates with DenyHost
# daemons.
#
# To disable synchronization (the default), do nothing.
#
# To enable synchronization, you must uncomment the following line:
#SYNC_SERVER = http://xmlrpc.denyhosts.net:9911
#
#######################################################################
#######################################################################
#
# SYNC_INTERVAL: the interval of time to perform synchronizations if
# SYNC_SERVER has been uncommented. The default is 1 hour.
#
#SYNC_INTERVAL = 1h
#
#######################################################################
#######################################################################
#
# SYNC_UPLOAD: allow your DenyHosts daemon to transmit hosts that have
# been denied? This option only applies if SYNC_SERVER has
# been uncommented.
# The default is SYNC_UPLOAD = yes
#
SYNC_UPLOAD = no # 上传被禁止的host名录到服务器,需要先配置服务器
#SYNC_UPLOAD = yes
#
#######################################################################
#######################################################################
#
# SYNC_DOWNLOAD: allow your DenyHosts daemon to receive hosts that have
# been denied by others? This option only applies if SYNC_SERVER has
# been uncommented.
# The default is SYNC_DOWNLOAD = yes
#
SYNC_DOWNLOAD = no # 和upload反过来,意思是从其它服务器下载禁止名录
#SYNC_DOWNLOAD = yes
#
#
#
#######################################################################
#######################################################################
#
# SYNC_DOWNLOAD_THRESHOLD: If SYNC_DOWNLOAD is enabled this parameter
# filters the returned hosts to those that have been blocked this many
# times by others. That is, if set to 1, then if a single DenyHosts
# server has denied an ip address then you will receive the denied host.
#
# See also SYNC_DOWNLOAD_RESILIENCY
#
#SYNC_DOWNLOAD_THRESHOLD = 10
#
# The default is SYNC_DOWNLOAD_THRESHOLD = 3
#
#SYNC_DOWNLOAD_THRESHOLD = 3
#
#######################################################################
#######################################################################
#
# SYNC_DOWNLOAD_RESILIENCY: If SYNC_DOWNLOAD is enabled then the
# value specified for this option limits the downloaded data
# to this resiliency period or greater.
#
# Resiliency is defined as the timespan between a hackers first known
# attack and its most recent attack. Example:
#
# If the centralized denyhosts.net server records an attack at 2 PM
# and then again at 5 PM, specifying a SYNC_DOWNLOAD_RESILIENCY = 4h
# will not download this ip address.
#
# However, if the attacker is recorded again at 6:15 PM then the
# ip address will be downloaded by your DenyHosts instance.
#
# This value is used in conjunction with the SYNC_DOWNLOAD_THRESHOLD
# and only hosts that satisfy both values will be downloaded.
# This value has no effect if SYNC_DOWNLOAD_THRESHOLD = 1
#
# The default is SYNC_DOWNLOAD_RESILIENCY = 5h (5 hours)
#
# Only obtain hackers that have been at it for 2 days or more:
#SYNC_DOWNLOAD_RESILIENCY = 2d
#
# Only obtain hackers that have been at it for 5 hours or more:
#SYNC_DOWNLOAD_RESILIENCY = 5h
#
#######################################################################
其实,光前面的参数就够了,后面的属于高级范畴了,有时间可以多研究下。
4.启动
denyhosts服务每次启动会读取/etc/denyhosts.conf里面的配置,启动方式也比较简单。
sudo daemon-control-dist start
等待启动成功,如果报了找不到/usr/sbin/denyhosts的话,执行下面的命令:
sudo ln -s /usr/local/bin/denyhosts.py /usr/sbin/denyhosts
sudo daemon-control-dist start
这下就没有问题了,成功启动。一定要以root用户启动,否则权限不够!
5.测试
我的机器打开了防火墙,所以我找了一台机器去故意输错密码,尝试了3次以后denyhosts会把这个ip禁止掉(分别在iptables创建一个DROP规则和加入到/etc/hosts.deny名录里),至此你这个ip就不能访问ssh了,直到超时解除禁止。
特别注意,denyhosts有一定的后效性,就是反应没有那么快,它是定期轮询SECURE文件来添加禁用规则。
总结
1、总体没那么难,不明白的设置就维持默认
2、有问题的可以评论,我会看到邮件