denyhosts

Last updated: 2019-10-03

Introduction

Compared with fail2ban, DenyHosts is designed specifically to protect ssh.

It is a Python script.

It can be run from the CLI, from cron, or as a daemon.

Upon each run, the script will load the previously saved data and re-use it to append new failures.

 


Version

 

denyhosts --version

DenyHosts version: 2.6

 


Configuration

 

/etc/denyhosts.conf

# HOSTS_DENY
HOSTS_DENY = /etc/hosts.deny

# BLOCK_SERVICE
BLOCK_SERVICE  = sshd

# the log file that contains sshd logging info (Debian)
SECURE_LOG = /var/log/auth.log

# Unit:
#    s: seconds
#    m: minutes
#    h: hours
#    d: days
#    w: weeks
#    y: years

####################################

# How often to poll SECURE_LOG to decide which hosts to block
DAEMON_SLEEP = 30s

####################################

# When not running as a daemon, the equivalent is running the command "denyhosts --purge" once
# How often the daemon purges
DAEMON_PURGE = 1h
# On each purge, remove records older than this
PURGE_DENY = 1h

####################################

# failed login (invalid user login attempts)
DENY_THRESHOLD_INVALID = 3

# failed login (valid login, except "root")
DENY_THRESHOLD_VALID = 10

# applies to "root"
DENY_THRESHOLD_ROOT = 3

# Login-attempt count at which to block, for users listed in the WORK_DIR/restricted-usernames file
DENY_THRESHOLD_RESTRICTED = 5

# WORK_DIR
WORK_DIR = /var/lib/denyhosts

####################################

# How long until previous failures are forgotten
AGE_RESET_INVALID=1h
AGE_RESET_VALID=1h
AGE_RESET_ROOT=1h
AGE_RESET_RESTRICTED=1h
# The default is RESET_ON_SUCCESS = no
RESET_ON_SUCCESS = yes

# If set to YES, a suspicious login attempt that comes from an allowed host is still considered suspicious.

SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES

HOSTNAME_LOOKUP=NO

ALLOWED_HOSTS

WORK_DIR/allowed-hosts

#1.1.1.1
#1.1.1.*
# 1.1.1.6 to 1.1.1.23
#1.1.1.[6-23]
# host
#foo
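
The entry forms listed above, as an added example that is not part of the original notes or DenyHosts' own code: a small checker that reports whether an IPv4 address is covered by an allowed-hosts file, useful before relying on the file to avoid locking yourself out. The sample entries (RFC 5737 documentation addresses) and the function names are constructed for illustration; the bracket form is read as the numeric range the notes describe, and hostname entries are skipped because no DNS lookups are done.

```python
import re

# Constructed sample of WORK_DIR/allowed-hosts content (documentation
# addresses), using the three address forms shown in the notes.
SAMPLE_ALLOWED_HOSTS = """\
# single address
192.0.2.1
198.51.100.*
# 203.0.113.6 to 203.0.113.23
203.0.113.[6-23]
"""

_RANGE = re.compile(r"^\[(\d+)-(\d+)\]$")


def _octet_matches(pattern, octet):
    """Match one dotted-quad field: '*', '[lo-hi]' or a literal number."""
    if pattern == "*":
        return True
    m = _RANGE.match(pattern)
    if m:
        # Numeric comparison: '[6-23]' means 6..23, not a regex character class.
        return int(m.group(1)) <= octet <= int(m.group(2))
    return pattern.isdigit() and int(pattern) == octet


def parse_entries(text):
    """Return the active entries, dropping blank lines and '#' comments."""
    lines = (line.strip() for line in text.splitlines())
    return [line for line in lines if line and not line.startswith("#")]


def is_allowed(ip, entries):
    """True if the IPv4 address matches any numeric entry."""
    parts = ip.split(".")
    if len(parts) != 4 or not all(p.isdigit() and int(p) <= 255 for p in parts):
        raise ValueError("not an IPv4 address: %r" % ip)
    octets = [int(p) for p in parts]
    for entry in entries:
        fields = entry.split(".")  # hostname entries never have 4 matching fields
        if len(fields) == 4 and all(_octet_matches(f, o) for f, o in zip(fields, octets)):
            return True
    return False


if __name__ == "__main__":
    entries = parse_entries(SAMPLE_ALLOWED_HOSTS)
    for ip in ("192.0.2.1", "203.0.113.6", "203.0.113.24", "198.51.100.77"):
        print(ip, "allowed" if is_allowed(ip, entries) else "subject to blocking")
```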

 


Daemon Mode

 

Running:

ps aux | grep denyhosts

python /usr/sbin/denyhosts --daemon --purge --config=/etc/denyhosts.conf
  • daemon mode (--daemon flag)

log:

/var/log/denyhosts

Configuration:

# Settings that apply when the daemon is enabled
DAEMON_SLEEP = 30s
DAEMON_PURGE = 1h

 


 

 

 

 
