When the number of failed password logins reaches the configured limit, the source IP is banned for the configured period.
1. Install
$ su
Ubuntu
$ apt install denyhosts
Fedora
$ dnf install denyhosts
CentOS
$ yum install http://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
$ yum install denyhosts
Other Linux distributions
$ git clone https://github.com/denyhosts/denyhosts.git
The project site documents the installation steps in detail.
2. Configure
$ gedit /etc/denyhosts.conf
SECURE_LOG = /var/log/secure
HOSTS_DENY = /etc/hosts.deny
# How long a ban stays in place before it is purged; w = weeks, d = days, h = hours, s = seconds, m = minutes
PURGE_DENY = 5m
BLOCK_SERVICE = sshd
# Failed logins allowed for invalid users (accounts not listed in /etc/passwd) before the host is blocked
DENY_THRESHOLD_INVALID = 5
# Failed logins allowed for ordinary (valid) users
DENY_THRESHOLD_VALID = 5
# Failed logins allowed for root
DENY_THRESHOLD_ROOT = 5
# Failed logins allowed for usernames listed in WORK_DIR/restricted-usernames (applies on top of DENY_THRESHOLD_INVALID)
DENY_THRESHOLD_RESTRICTED = 1
# Denied hosts/IPs are recorded under WORK_DIR
WORK_DIR = /var/lib/denyhosts
ETC_DIR = /etc
SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS = YES
HOSTNAME_LOOKUP=YES
# The PID of the running DenyHosts is written to LOCK_FILE, to confirm the service started correctly and to prevent more than one instance from running at once
LOCK_FILE = /var/lock/subsys/denyhosts
ADMIN_EMAIL = denyhosts@email.com
SMTP_HOST = localhost
SMTP_PORT = 25
SMTP_FROM = DenyHosts <nobody@localhost>
SMTP_SUBJECT = DenyHosts Report
ALLOWED_HOSTS_HOSTNAME_LOOKUP=NO
# Time after which a valid user's failed-login count is reset to zero
AGE_RESET_VALID=1d
# Time after which root's failed-login count is reset to zero
AGE_RESET_ROOT=1d
# Time after which a restricted user's failed-login count is reset to zero
AGE_RESET_RESTRICTED=5d
# Time after which an invalid user's failed-login count is reset to zero
AGE_RESET_INVALID=10d
DAEMON_LOG = /var/log/denyhosts
DAEMON_SLEEP = 30s
# Set this to the same value as PURGE_DENY; it is the interval at which expired sshd bans are purged from hosts.deny
DAEMON_PURGE = 5m
SYNC_UPLOAD = no
SYNC_DOWNLOAD = no
3. Manually release a banned IP, 192.168.1.123
3.1) Stop the service
$ systemctl stop denyhosts
3.2) Check each of the following files and delete the IP's entries from every one that contains them
$ grep 192.168.1.123 /etc/hosts.deny
$ gedit /etc/hosts.deny
$ grep 192.168.1.123 /var/lib/denyhosts/*
$ gedit /var/lib/denyhosts/hosts
$ gedit /var/lib/denyhosts/hosts-restricted
$ gedit /var/lib/denyhosts/hosts-root
$ gedit /var/lib/denyhosts/hosts-valid
$ gedit /var/lib/denyhosts/users-hosts
3.3) Add the IPs you want to allow to
$ gedit /var/lib/denyhosts/allowed-hosts
127.0.0.1
192.168.1.*
3.4) Start the service
$ systemctl start denyhosts
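The release procedure above as a script, an example added here rather than taken from the post or from DenyHosts itself. It assumes the paths from the configuration section, that a systemd unit named denyhosts exists as in steps 3.1 and 3.4, and that the record files use DenyHosts' usual "sshd: A.B.C.D" and "A.B.C.D:count:date" line formats.

```shell
#!/bin/sh
# Added example, not from the original post: scrub a banned IP from every file
# DenyHosts consults (those step 3.2 edits by hand) and optionally whitelist it.
# Paths default to the config above; override via env vars (no whitespace in paths).
set -eu
HOSTS_DENY="${HOSTS_DENY:-/etc/hosts.deny}"
WORK_DIR="${WORK_DIR:-/var/lib/denyhosts}"
# Every file that may hold a record for a banned address.
deny_files() {
    echo "$HOSTS_DENY"
    for n in hosts hosts-restricted hosts-root hosts-valid users-hosts; do
        echo "$WORK_DIR/$n"
    done
}
# ERE matching the IP as a whole token, so 192.168.1.12 never matches
# 192.168.1.123; "sshd: A.B.C.D" and "user - A.B.C.D:count:date" both match.
ip_regex() {
    printf '(^|[^0-9.])%s([^0-9.]|$)' "$(printf '%s' "$1" | sed 's/\./\\./g')"
}
# Lines still mentioning the IP across all files; 0 means it is released.
records_for() {
    re=$(ip_regex "$1"); total=0
    for f in $(deny_files); do
        [ -f "$f" ] || continue
        n=$(grep -E -c "$re" "$f" || true)   # grep exits 1 on zero matches
        total=$((total + n))
    done
    echo "$total"
}
# Drop the IP's records, keeping a .bak copy of every file touched.
release_ip() {
    re=$(ip_regex "$1")
    for f in $(deny_files); do
        [ -f "$f" ] || continue
        cp -p "$f" "$f.bak"
        grep -E -v "$re" "$f.bak" > "$f" || true   # rewriting keeps owner/mode
    done
}
# Whitelist an address or pattern (step 3.3) without duplicating lines.
allow_ip() {
    grep -qxF -- "$1" "$WORK_DIR/allowed-hosts" 2>/dev/null ||
        printf '%s\n' "$1" >> "$WORK_DIR/allowed-hosts"
}
# Usage: sh release.sh 192.168.1.123 [--allow]  (also does steps 3.1 and 3.4)
if [ $# -gt 0 ]; then
    systemctl stop denyhosts
    release_ip "$1"
    if [ "${2:-}" = "--allow" ]; then allow_ip "$1"; fi
    systemctl start denyhosts
fi
```

Run records_for afterwards to confirm nothing still refers to the address; a non-zero count means DenyHosts would re-read the ban as soon as it restarts.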