14. Establish a standalone running environment -- use DenyHosts on CentOS 6.4 to block brute-force cracking of Linux sshd

Source: Internet
Author: User

When your Linux server is exposed to the Internet, it will be probed by scanning tools, and you will find multiple SSH logon failure records in its logs every day. These scans are a threat to your server. You should set a complex logon password and block IP addresses that fail to log on several times, so that they cannot reach the server for a period of time. Changing the sshd port away from 22 is another simple measure.

DenyHosts can be used to prevent attempts to guess the SSH logon password. It analyzes log files such as /var/log/secure; when it finds that the same IP address has made multiple SSH password attempts, it records that IP address in /etc/hosts.deny so that the address is blocked automatically. The information shown by the last command comes from /var/log/wtmp, which an experienced intruder may delete, but traces still remain. Use nmap (nmap -P0 -sS <ip address>) to scan the server's own ports and lsof to find and stop unnecessary services, pay attention to vulnerabilities, configure strong iptables rules to protect the system, try chkrootkit to look for rootkits, and try AIDE to check file-system integrity. Apart from root, the fewer Linux accounts the server has, the better; if you must add accounts, set their shell to nologin.

DenyHosts installation

1. Check the environment. The installation environment is CentOS x64 6.4; the package is downloaded to the /usr/src directory. Check whether the system meets the requirements:

ldd /usr/sbin/sshd | grep libwrap    # view the libwrap dynamic link library
        libwrap.so.0 => /lib64/libwrap.so.0 (0x00007f4b2a1b9000)
python -V                            # query the Python version (the original notes 2.6.5)
Python 2.6.6
2. Installation steps:

cd /usr/src
yum install wget -y
wget http://ncu.dl.sourceforge.net/sourceforge/denyhosts/DenyHosts-2.6.tar.gz
tar -xzvf DenyHosts-2.6.tar.gz
cd DenyHosts-2.6
python setup.py install    # install DenyHosts
3. Switch to the /usr/share/denyhosts directory:

cd /usr/share/denyhosts/

4. Make a copy of denyhosts.cfg:

cp denyhosts.cfg-dist denyhosts.cfg

5. DenyHosts parameter configuration

vi denyhosts.cfg

Switch to command-line mode and delete the existing contents:

:1,$d

Then enter the following content:

SECURE_LOG = /var/log/secure
# format is: i[dhwmy]
# Where i is an integer (eg. 7)
# m = minutes
# h = hours
# d = days
# w = weeks
# y = years
#
# never purge:
PURGE_DENY = 50m
HOSTS_DENY = /etc/hosts.deny
BLOCK_SERVICE = sshd
DENY_THRESHOLD_INVALID = 1
DENY_THRESHOLD_VALID = 10
DENY_THRESHOLD_ROOT = 5
WORK_DIR = /usr/local/share/denyhosts/data
DENY_THRESHOLD_RESTRICTED = 1
LOCK_FILE = /var/lock/subsys/denyhosts
HOSTNAME_LOOKUP = NO
ADMIN_EMAIL = 10402852@qq.com
DAEMON_LOG = /var/log/denyhosts
DAEMON_PURGE = 10m

Explanation:

SECURE_LOG = /var/log/secure                 # SSH log file
# format is: i[dhwmy]
# where i is an integer (eg. 7); m = minutes, h = hours, d = days, w = weeks, y = years
# never purge:
PURGE_DENY = 50m                             # how long a blocked IP address stays in hosts.deny before it is cleared
HOSTS_DENY = /etc/hosts.deny                 # blocked IP addresses are written to hosts.deny
BLOCK_SERVICE = sshd                         # name of the service to block
DENY_THRESHOLD_INVALID = 1                   # number of logon failures allowed for invalid (non-existent) users
DENY_THRESHOLD_VALID = 10                    # number of logon failures allowed for ordinary users
DENY_THRESHOLD_ROOT = 5                      # number of root logon failures allowed
WORK_DIR = /usr/local/share/denyhosts/data   # the denied hosts and IP addresses are recorded under WORK_DIR
DENY_THRESHOLD_RESTRICTED = 1                # number of failures allowed for restricted user names (listed in a file under WORK_DIR)
LOCK_FILE = /var/lock/subsys/denyhosts       # the PID of the running denyhosts is recorded in LOCK_FILE; this ensures the service starts correctly and prevents several instances from starting at the same time
HOSTNAME_LOOKUP = NO                         # whether to do reverse DNS lookups on blocked addresses
ADMIN_EMAIL = 10402852@qq.com                # administrator e-mail address
DAEMON_LOG = /var/log/denyhosts              # DenyHosts' own log file
DAEMON_PURGE = 10m                           # how often the daemon runs the purge; together with PURGE_DENY it determines when denied SSH hosts are cleared from hosts.deny

Note: do not paste the annotated listing above into the configuration file; a comment placed after a value on the same line causes an error!!!

6. DenyHosts startup file configuration

cp daemon-control-dist daemon-control
chown root daemon-control
chmod 700 daemon-control

./daemon-control start    # start DenyHosts

If you want DenyHosts to start automatically after each reboot, you also need to do the following:

ln -s /usr/share/denyhosts/daemon-control /etc/init.d/denyhosts   # create a symbolic link
chkconfig --add denyhosts                                          # add the denyhosts service
chkconfig denyhosts on                                             # enable denyhosts at boot
chkconfig --list denyhosts
denyhosts       0:off   1:off   2:on    3:on    4:on    5:on    6:off

7. View the log for abnormal logon information:

tail -F /var/log/secure
Feb 27 18:43:10 localhost login: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost=  user=test
Feb 27 18:43:12 localhost login: FAILED LOGIN 1 FROM (null) FOR test, Authentication failure
Feb 27 18:43:15 localhost login: FAILED LOGIN 2 FROM (null) FOR test, Authentication failure
Feb 27 18:43:21 localhost login: FAILED LOGIN 3 FROM (null) FOR test, Authentication failure
Feb 27 18:43:26 localhost login: pam_unix(login:session): session opened for user test by LOGIN(uid=0)
Feb 27 18:43:26 localhost login: LOGIN ON tty1 BY test
Feb 27 18:45:32 localhost su: pam_unix(su:auth): authentication failure; logname=test uid=500 euid=0 tty=tty1 ruser=test rhost=  user=root
Feb 27 18:45:47 localhost su: pam_unix(su-l:session): session opened for user root by test(uid=500)
Feb 27 19:00:03 localhost sshd[19861]: Accepted password for root from 192.168.40.41 port 4289 ssh2
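To make the thresholds in denyhosts.cfg and the i[dhwmy] time format concrete, here is an added example that re-implements the core DenyHosts decision in a few functions and runs it over sshd failure lines of the kind that appear in /var/log/secure. This is illustration code written for this page; it is not the DenyHosts project's own code and not part of the original article. The configuration text, the log lines, the IP addresses and the function names (parse_duration, parse_config, scan_log, hosts_deny_lines, config_error, demo) are all constructed for the example; the threshold values are the ones from the configuration above.

```python
"""Added example (not from the original article or the DenyHosts project):
a minimal model of the DenyHosts decision logic, so the thresholds in
denyhosts.cfg can be seen acting on sshd log lines.  Config text, log
lines, addresses and function names below are constructed for this demo."""
import re
from collections import Counter

# Multipliers for the i[dhwmy] format described in denyhosts.cfg.
_UNITS = {"m": 60, "h": 3600, "d": 86400, "w": 7 * 86400, "y": 365 * 86400}


def parse_duration(value):
    """Convert a value such as '50m' or '2w' into seconds."""
    m = re.fullmatch(r"\s*(\d+)\s*([mhdwy])\s*", value)
    if not m:
        raise ValueError("bad duration: %r" % value)
    return int(m.group(1)) * _UNITS[m.group(2)]


def parse_config(text):
    """Parse KEY = VALUE lines.  Whole-line comments are skipped; a '#'
    after a value is rejected, which is the mistake the article's note
    warns about (constructed parser, stricter than DenyHosts' own)."""
    cfg = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError("line %d: expected KEY = VALUE" % lineno)
        key, value = (s.strip() for s in line.split("=", 1))
        if "#" in value:
            raise ValueError("line %d: inline comment after value" % lineno)
        cfg[key] = value
    return cfg


def config_error(text):
    """Return the parse error message for a config text, or None if valid."""
    try:
        parse_config(text)
    except ValueError as e:
        return str(e)
    return None


# sshd failure lines as written to /var/log/secure on CentOS 6.
_FAIL_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?"
    r"(?P<user>\S+) from (?P<host>\S+) port \d+")


def scan_log(lines, cfg):
    """Count failures per (host, category) and return the hosts that reached
    their category's threshold, in the order they crossed it."""
    thresholds = {
        "invalid": int(cfg["DENY_THRESHOLD_INVALID"]),  # non-existent users
        "root": int(cfg["DENY_THRESHOLD_ROOT"]),        # the root account
        "valid": int(cfg["DENY_THRESHOLD_VALID"]),      # other existing users
    }
    counts = Counter()
    denied = []
    for line in lines:
        m = _FAIL_RE.search(line)
        if not m:
            continue  # successful logons and non-sshd lines are ignored
        if m.group("invalid"):
            cat = "invalid"
        elif m.group("user") == "root":
            cat = "root"
        else:
            cat = "valid"
        host = m.group("host")
        counts[(host, cat)] += 1
        if counts[(host, cat)] >= thresholds[cat] and host not in denied:
            denied.append(host)
    return denied


def hosts_deny_lines(denied, cfg):
    """Render entries in the 'service: address' form used in hosts.deny."""
    return ["%s: %s" % (cfg["BLOCK_SERVICE"], h) for h in denied]


# Constructed configuration using the thresholds from the article.
SAMPLE_CFG = """\
SECURE_LOG = /var/log/secure
# format is: i[dhwmy]
PURGE_DENY = 50m
HOSTS_DENY = /etc/hosts.deny
BLOCK_SERVICE = sshd
DENY_THRESHOLD_INVALID = 1
DENY_THRESHOLD_VALID = 10
DENY_THRESHOLD_ROOT = 5
DAEMON_PURGE = 10m
"""

# Constructed log lines: one invalid-user attempt, two failures for a real
# user, five root failures, and one successful logon.
SAMPLE_LOG = [
    "Feb 27 19:00:01 localhost sshd[20001]: Failed password for invalid user admin from 203.0.113.5 port 4289 ssh2",
    "Feb 27 19:00:03 localhost sshd[20002]: Failed password for test from 192.0.2.9 port 4290 ssh2",
    "Feb 27 19:00:05 localhost sshd[20003]: Failed password for test from 192.0.2.9 port 4291 ssh2",
] + [
    "Feb 27 19:00:%02d localhost sshd[2001%d]: Failed password for root from 198.51.100.7 port 43%02d ssh2"
    % (10 + i, i, i) for i in range(5)
] + [
    "Feb 27 19:01:00 localhost sshd[20020]: Accepted password for root from 192.168.40.41 port 4289 ssh2",
]


def demo():
    """Run the sample log through the sample configuration."""
    cfg = parse_config(SAMPLE_CFG)
    return hosts_deny_lines(scan_log(SAMPLE_LOG, cfg), cfg)


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

With these thresholds the single invalid-user attempt from 203.0.113.5 is enough to block it (DENY_THRESHOLD_INVALID = 1), 198.51.100.7 is blocked on its fifth root failure (DENY_THRESHOLD_ROOT = 5), and the two failures for the existing user "test" stay well under DENY_THRESHOLD_VALID = 10. The strict inline-comment check in parse_config mirrors the article's note that a comment after a value breaks the configuration; parse_duration shows how PURGE_DENY = 50m and DAEMON_PURGE = 10m are read.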
