Using denyhosts to stop SSH brute-force attacks

Every day the server sees on the order of a thousand failed SSH login attempts (logwatch report):

sshd:
   Authentication Failures:
      root (218.247.185.218): 575 Time(s)
      unknown (218.247.185.218): 224 Time(s)
      unknown (218.247.185.222): 6 Time(s)
      unknown (202.101.72.35): 5 Time(s)
      unknown (202.101.72.36): 5 Time(s)
      unknown (202.101.72.37): 5 Time(s)
      unknown (202.101.72.44): 5 Time(s)
      unknown (202.101.72.32): 4 Time(s)
      unknown (202.101.72.40): 4 Time(s)
      unknown (202.101.72.43): 4 Time(s)
      unknown (202.101.72.45): 4 Time(s)
      unknown (202.101.72.47): 4 Time(s)
      unknown (202.101.72.50): 4 Time(s)
      unknown (202.101.72.53): 4 Time(s)
      unknown (202.101.72.56): 4 Time(s)
      unknown (202.101.72.57): 4 Time(s)
      unknown (202.101.72.60): 4 Time(s)
      unknown (202.101.72.62): 4 Time(s)
      root (218.247.185.222): 3 Time(s)
      unknown (202.101.72.33): 3 Time(s)
      unknown (202.101.72.34): 3 Time(s)
      unknown (202.101.72.38): 3 Time(s)
      unknown (202.101.72.39): 3 Time(s)
      unknown (202.101.72.41): 3 Time(s)
      unknown (202.101.72.48): 3 Time(s)
      unknown (202.101.72.51): 3 Time(s)
      unknown (202.101.72.52): 3 Time(s)
      unknown (202.101.72.54): 3 Time(s)
      unknown (202.101.72.55): 3 Time(s)
      unknown (202.101.72.58): 3 Time(s)
      unknown (202.101.72.61): 3 Time(s)
      unknown (202.101.72.63): 3 Time(s)
      ftp (202.101.72.34): 2 Time(s)
      mail (218.247.185.218): 2 Time(s)
      mysql (218.247.185.218): 2 Time(s)
      news (218.247.185.218): 2 Time(s)
      root (192.168.123.69): 2 Time(s)
      unknown (202.101.72.42): 2 Time(s)
      unknown (202.101.72.46): 2 Time(s)
      unknown (202.101.72.49): 2 Time(s)
      unknown (202.101.72.59): 2 Time(s)
      adm (202.101.72.34): 1 Time(s)
      adm (202.101.72.42): 1 Time(s)
      adm (202.101.72.46): 1 Time(s)
      adm (202.101.72.49): 1 Time(s)
      adm (202.101.72.51): 1 Time(s)
      adm (202.101.72.58): 1 Time(s)
      adm (202.101.72.59): 1 Time(s)
      adm (202.101.72.61): 1 Time(s)
      adm (218.247.185.218): 1 Time(s)
      apache (218.247.185.218): 1 Time(s)
      bin (218.247.185.218): 1 Time(s)
      ftp (202.101.72.33): 1 Time(s)
      ftp (202.101.72.39): 1 Time(s)
      ftp (202.101.72.46): 1 Time(s)
      ftp (202.101.72.58): 1 Time(s)
      ftp (202.101.72.60): 1 Time(s)
      ftp (218.247.185.218): 1 Time(s)
      games (218.247.185.218): 1 Time(s)
      lp (218.247.185.218): 1 Time(s)
      mysql (202.101.72.38): 1 Time(s)
      mysql (202.101.72.39): 1 Time(s)
      mysql (202.101.72.42): 1 Time(s)
      mysql (202.101.72.49): 1 Time(s)
      mysql (202.101.72.51): 1 Time(s)
      mysql (202.101.72.59): 1 Time(s)
      mysql (202.101.72.61): 1 Time(s)
      nobody (218.247.185.218): 1 Time(s)
      operator (218.247.185.218): 1 Time(s)
      postgres (202.101.72.33): 1 Time(s)
      postgres (202.101.72.48): 1 Time(s)
      postgres (202.101.72.49): 1 Time(s)
      postgres (202.101.72.52): 1 Time(s)
      postgres (202.101.72.53): 1 Time(s)
      postgres (202.101.72.54): 1 Time(s)
      rpm (218.247.185.218): 1 Time(s)
      squid (218.247.185.218): 1 Time(s)
      sshd (218.247.185.218): 1 Time(s)
   Invalid Users:
      Unknown Account: 341 Time(s)

Today, with nothing better to do, I came across a piece of software called denyhosts at http://dag.wieers.com/home-made/apt/packages.php, which solves exactly this problem.

First install the repository release package so that yum can fetch packages directly from dag:

wget http://ftp.belnet.be/packages/dries.ulyssis.org/redhat/el4/en/i386/RPMS.dries/rpmforge-release-0.2-2.2.el4.rf.i386.rpm

rpm -ivh rpmforge-release-0.2-2.2.el4.rf.i386.rpm

After that denyhosts can be installed directly with yum:

yum install denyhosts

Then do the initial setup:

cp /usr/share/doc/denyhosts-2.2/daemon-control-dist /etc/init.d/denyhosts

cp /usr/share/doc/denyhosts-2.2/denyhosts.cfg-dist /etc/denyhosts.cfg

vi /etc/init.d/denyhosts

Change the value of DENYHOSTS_CFG to "/etc/denyhosts.cfg"

Then register it as a service (note the double-dash options):

chkconfig --add denyhosts
chkconfig --level 2345 denyhosts on

Next edit the configuration file:

 vi /etc/denyhosts.cfg

SECURE_LOG = /var/log/secure
# the sshd log file DenyHosts reads; every blocking decision is based on this file

HOSTS_DENY = /etc/hosts.deny
# the TCP Wrappers deny file blocked addresses are appended to (sshd must be built with libwrap support for entries here to take effect)

PURGE_DENY = 5m
# how long a blocked entry stays before it is purged; 5m means five minutes (m = minutes, h = hours, d = days, w = weeks), and in daemon mode the purge only runs every DAEMON_PURGE interval (1h in the distributed config), so this is a short ban

BLOCK_SERVICE  = sshd
# service name written into hosts.deny

DENY_THRESHOLD_INVALID = 1
# failures allowed for non-existent (invalid) users; 1 blocks an address after its first bad username

DENY_THRESHOLD_VALID = 10
# failures allowed for existing non-root users

DENY_THRESHOLD_ROOT = 5
# failures allowed for root

HOSTNAME_LOOKUP=NO
# whether to do reverse DNS lookups on blocked addresses

ADMIN_EMAIL = hui@ffccc.com
# administrator address; DenyHosts mails a report there when it blocks new hosts

DAEMON_LOG = /var/log/denyhosts
# DenyHosts' own log file

Then start it:

service denyhosts start

Check whether /etc/hosts.deny has picked up any blocked IPs; if it has, the setup is working. One caveat before relying on it: the report above also shows root failures from 192.168.123.69, an internal address, and with DENY_THRESHOLD_ROOT = 5 such a host gets blocked like any other. Put trusted addresses in the allowed-hosts file under DenyHosts' WORK_DIR so that an administrator's typo does not lock out the management network.
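To see what the three thresholds above actually do to a /var/log/secure, here is a small added example (not part of the original post and not DenyHosts' own code) that applies DENY_THRESHOLD_INVALID / DENY_THRESHOLD_VALID / DENY_THRESHOLD_ROOT to a constructed set of OpenSSH failure lines and emits the hosts.deny entries DenyHosts would write. The ALLOWED_HOSTS set stands in for DenyHosts' allowed-hosts file; the log lines, host name web1, process ids and ports are constructed; the model is deliberately simplified (it counts only "Failed password" lines and ignores PURGE_DENY ageing).

```python
import re
from collections import Counter, defaultdict

# Thresholds copied from the denyhosts.cfg shown in the post.
DENY_THRESHOLD_INVALID = 1
DENY_THRESHOLD_VALID = 10
DENY_THRESHOLD_ROOT = 5
BLOCK_SERVICE = "sshd"

# Addresses that must never be blocked. Stand-in for DenyHosts' allowed-hosts
# file (assumption: the internal box from the report is trusted).
ALLOWED_HOSTS = {"192.168.123.69"}

# OpenSSH failure line as written to /var/log/secure, with or without the
# "invalid user" marker that sshd adds for non-existent accounts.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed (?:password|publickey) for (?P<invalid>invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Constructed sample log (not real data). 192.168.123.69 is given five root
# failures, more than the report shows, to exercise the allow list.
SAMPLE_SECURE_LOG = """\
Jan 12 03:14:01 web1 sshd[2201]: Failed password for root from 218.247.185.218 port 40231 ssh2
Jan 12 03:14:02 web1 sshd[2201]: Failed password for root from 218.247.185.218 port 40231 ssh2
Jan 12 03:14:03 web1 sshd[2203]: Failed password for root from 218.247.185.218 port 40244 ssh2
Jan 12 03:14:04 web1 sshd[2203]: Failed password for root from 218.247.185.218 port 40244 ssh2
Jan 12 03:14:05 web1 sshd[2205]: Failed password for root from 218.247.185.218 port 40251 ssh2
Jan 12 03:14:06 web1 sshd[2207]: Failed password for invalid user admin from 202.101.72.35 port 3322 ssh2
Jan 12 03:14:07 web1 sshd[2209]: Failed password for root from 218.247.185.222 port 5120 ssh2
Jan 12 03:14:08 web1 sshd[2209]: Failed password for root from 218.247.185.222 port 5120 ssh2
Jan 12 03:14:09 web1 sshd[2211]: Failed password for hui from 10.0.0.7 port 50123 ssh2
Jan 12 03:14:10 web1 sshd[2213]: Failed password for root from 192.168.123.69 port 33001 ssh2
Jan 12 03:14:11 web1 sshd[2213]: Failed password for root from 192.168.123.69 port 33001 ssh2
Jan 12 03:14:12 web1 sshd[2215]: Failed password for root from 192.168.123.69 port 33002 ssh2
Jan 12 03:14:13 web1 sshd[2215]: Failed password for root from 192.168.123.69 port 33002 ssh2
Jan 12 03:14:14 web1 sshd[2217]: Failed password for root from 192.168.123.69 port 33003 ssh2
Jan 12 03:14:15 web1 sshd[2219]: Accepted password for hui from 10.0.0.7 port 50124 ssh2
""".splitlines()


def classify(line):
    """Return (category, ip) for an sshd failure line, or None for anything else.

    category is "invalid" (account does not exist), "root", or "valid"
    (an existing non-root account), matching the three DENY_THRESHOLD_* keys.
    """
    m = FAILED_RE.search(line)
    if not m:
        return None
    if m.group("invalid"):
        return "invalid", m.group("ip")
    if m.group("user") == "root":
        return "root", m.group("ip")
    return "valid", m.group("ip")


def count_failures(lines):
    """Count failures per source address, split by category."""
    counts = defaultdict(Counter)
    for line in lines:
        hit = classify(line)
        if hit:
            category, ip = hit
            counts[ip][category] += 1
    return counts


def hosts_to_deny(counts, allowed=ALLOWED_HOSTS):
    """Addresses that reached any threshold and are not on the allow list."""
    thresholds = {
        "invalid": DENY_THRESHOLD_INVALID,
        "valid": DENY_THRESHOLD_VALID,
        "root": DENY_THRESHOLD_ROOT,
    }
    denied = []
    for ip in sorted(counts):
        if ip in allowed:
            continue
        if any(counts[ip][cat] >= limit for cat, limit in thresholds.items()):
            denied.append(ip)
    return denied


def hosts_deny_lines(denied):
    """Format blocked addresses the way they appear in /etc/hosts.deny."""
    return ["%s: %s" % (BLOCK_SERVICE, ip) for ip in denied]


if __name__ == "__main__":
    counts = count_failures(SAMPLE_SECURE_LOG)
    for ip in sorted(counts):
        print(ip, dict(counts[ip]))
    print("\n".join(hosts_deny_lines(hosts_to_deny(counts))))
```

Run against the sample, 218.247.185.218 is blocked on its fifth root failure and 202.101.72.35 after a single invalid username, while 218.247.185.222 (two root failures) and 10.0.0.7 (one failure for an existing user) stay below their thresholds; 192.168.123.69 would be blocked on the same rule as the attacker but is spared only because it is on the allow list, which is the point of the caveat above.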