Environment: Ubuntu Server 12.04
DenyHosts is a script written in Python (latest version 2.6). It automatically finds malicious SSH connection attempts in the sshd log and adds the offending IP addresses to the /etc/hosts.deny file, which protects the server from further attempts.
Install Denyhost
# apt-get install mailutils    // install mail support so that an alert can be sent to the admin mailbox when an attack occurs
# apt-get install denyhosts    // install the DenyHosts software to detect and block hosts scanning SSH
View and configure DenyHosts
root@node2:~# cat /etc/denyhosts.conf | grep -v "^$" | grep -v "^#"
############ THESE SETTINGS ARE REQUIRED ############
SECURE_LOG = /var/log/auth.log    // the sshd log file; the config already contains several common log locations, just uncomment the right one by removing the # sign
HOSTS_DENY = /etc/hosts.deny    // the file used to restrict IP addresses, here /etc/hosts.deny
PURGE_DENY = 5m    // after this much time, an IP is purged from /etc/hosts.deny
BLOCK_SERVICE = sshd    // the service to protect, here sshd
DENY_THRESHOLD_INVALID = 1    // number of failed attempts allowed for users that do not exist in /etc/passwd (excluding root)
DENY_THRESHOLD_VALID = 2    // number of failed attempts allowed for normal users that exist in /etc/passwd (excluding root)
DENY_THRESHOLD_ROOT = 1    // number of failed attempts allowed for the root user
DENY_THRESHOLD_RESTRICTED = 1    // number of failed attempts allowed for users listed in $WORK_DIR/hosts-restricted
WORK_DIR = /var/lib/denyhosts    // the working directory
SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS = YES    // if YES, login attempts from IP addresses in $WORK_DIR/allowed-hosts are still reported as suspicious; if NO, attempts from allowed-hosts never send a warning message. IP addresses not in $WORK_DIR/allowed-hosts always trigger a warning.
HOSTNAME_LOOKUP = YES    // whether to resolve the IP address to a host name and use the host name in the alert
LOCK_FILE = /run/denyhosts.pid    // location of the PID file, which ensures only one DenyHosts process is running
############ THESE SETTINGS ARE OPTIONAL ############
ADMIN_EMAIL = gm100861@gmail.com    // when someone tries to log in to your server, or an IP is blacklisted, an email is sent to this mailbox. The machine must be able to send mail for this to work.
SMTP_HOST = localhost    // the SMTP server
SMTP_PORT = 25    // the SMTP port
SMTP_FROM = DenyHosts <nobody@localhost>    // the sender address
SMTP_SUBJECT = DenyHosts    // the message subject
AGE_RESET_VALID = 5d    // after this much time, the failure counter of a user defined in /etc/passwd is reset to 0; if unset, it is never reset
AGE_RESET_ROOT = 25d    // after this much time, the root failure counter is reset to 0; if unset, it is never reset
AGE_RESET_RESTRICTED = 25d    // after this much time, the failure counter of users defined in $WORK_DIR/hosts-restricted is reset to 0
AGE_RESET_INVALID = 10d    // after this much time, the failure counter of invalid users (not in /etc/passwd) is reset to 0
RESET_ON_SUCCESS = yes    // when an IP logs in successfully as a user, the failure counter for that IP is reset to 0
######### THESE SETTINGS ARE SPECIFIC TO DAEMON MODE ##########
DAEMON_LOG = /var/log/denyhosts    // location of the log file when DenyHosts runs in daemon mode
DAEMON_SLEEP = 30s    // polling interval for checking the sshd log
DAEMON_PURGE = 1h    // how often expired IP addresses are removed from $HOSTS_DENY; if PURGE_DENY is empty, this setting has no effect
######### THESE SETTINGS ARE SPECIFIC TO DAEMON SYNCHRONIZATION ##########
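To make the threshold settings concrete, here is an added example (not part of the original post and not DenyHosts' own code) that replays constructed auth.log lines and applies the DENY_THRESHOLD_* and RESET_ON_SUCCESS semantics from the configuration above, returning the hosts.deny entries that would be written. It assumes the standard OpenSSH log format and that an IP is blocked once the allowed number of failures is exceeded.

```python
import re
from collections import defaultdict

# Thresholds from the denyhosts.conf above: failures *allowed* per category before an IP is blocked.
THRESHOLDS = {"invalid": 1, "valid": 2, "root": 1}
BLOCK_SERVICE = "sshd"
RESET_ON_SUCCESS = True

# OpenSSH auth.log formats for failed and successful logins (assumed standard format).
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<ip>[\d.]+)")


def classify(user, invalid):
    """Pick the threshold category: invalid (not in /etc/passwd), root, or valid."""
    if invalid:
        return "invalid"
    return "root" if user == "root" else "valid"


def scan_auth_log(lines):
    """Replay auth.log lines; return the hosts.deny entries that would be added, in order."""
    failures = defaultdict(lambda: defaultdict(int))  # ip -> category -> failed count
    denied = []
    for line in lines:
        ok = ACCEPTED_RE.search(line)
        if ok and RESET_ON_SUCCESS:
            failures.pop(ok.group("ip"), None)  # successful login resets this IP's counters
            continue
        m = FAILED_RE.search(line)
        if not m:
            continue
        ip, cat = m.group("ip"), classify(m.group("user"), m.group("invalid"))
        failures[ip][cat] += 1
        entry = "%s: %s" % (BLOCK_SERVICE, ip)
        # block once the allowed number of failures for this category is exceeded
        if failures[ip][cat] > THRESHOLDS[cat] and entry not in denied:
            denied.append(entry)
    return denied


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "Jul 16 16:46:40 node2 sshd[2101]: Failed password for invalid user oracle from 1.1.1.254 port 41022 ssh2",
    "Jul 16 16:46:44 node2 sshd[2101]: Failed password for invalid user oracle from 1.1.1.254 port 41022 ssh2",
    "Jul 16 16:47:01 node2 sshd[2110]: Failed password for root from 10.0.0.7 port 50012 ssh2",
    "Jul 16 16:47:09 node2 sshd[2115]: Failed password for alice from 192.168.1.5 port 50100 ssh2",
    "Jul 16 16:47:15 node2 sshd[2115]: Accepted password for alice from 192.168.1.5 port 50100 ssh2",
    "Jul 16 16:47:30 node2 sshd[2120]: Failed password for alice from 192.168.1.5 port 50200 ssh2",
    "Jul 16 16:47:41 node2 sshd[2125]: Failed password for root from 10.0.0.7 port 50020 ssh2",
]
```

Running scan_auth_log(SAMPLE_LOG) blocks 1.1.1.254 (two invalid-user failures) and 10.0.0.7 (two root failures), while 192.168.1.5 stays unblocked because the successful login reset its counter.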
Simulate a malicious login (several failed SSH attempts against the server), then view the /etc/hosts.deny file:
root@node2:~# cat /etc/hosts.deny
# /etc/hosts.deny: list of hosts that are _not_ allowed to access the system.
#                  See the manual pages hosts_access(5) and hosts_options(5).
#
# Example:    ALL: some.host.name, .some.domain
#             ALL EXCEPT in.fingerd: other.host.name, .other.domain
#
# If you're going to protect the portmapper use the name "portmap" for the
# daemon name. Remember that you can only use the keyword "ALL" and IP
# addresses (NOT host or domain names) for the portmapper, as well as for
# rpc.mountd (the NFS mount daemon). See portmap(8) and rpc.mountd(8)
# for further information.
#
# The PARANOID wildcard matches any host whose name does not match its
# address.
#
# You may wish to enable this to ensure any programs that don't
# validate looked up hostnames still leave understandable logs. In past
# versions of Debian this has been the default.
# ALL: PARANOID
# DenyHosts: Mon 16 16:46:46 2012 | sshd: 1.1.1.254
sshd: 1.1.1.254
Check the admin mailbox: an alert message about the blocked IP has been received.
This article comes from the "Acridine a Pooh" blog; please keep this source: http://gm100861.blog.51cto.com/1930562/932711