Solutions for preventing SSH brute-force attacks
2015-08-20 15:45
Solutions for preventing SSH brute-force attacks:
1. Disable root login over SSH
1.1. Edit the PermitRootLogin setting:
[root@localhost ~]# vi /etc/ssh/sshd_config
[root@localhost ~]# grep Root /etc/ssh/sshd_config
PermitRootLogin no    ### change the default "#PermitRootLogin yes" to this ###
# the setting of "PermitRootLogin without-password".
1.2. Restart the sshd service
[root@localhost ~]# /etc/init.d/sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
2. Change the default SSH port 22
2.1. Change the default port 22 to a custom port, 2020
[root@localhost ~]# vi /etc/ssh/sshd_config
[root@localhost ~]# grep Port /etc/ssh/sshd_config
Port 2020
#GatewayPorts no
2.2. Add a firewall rule for port 2020
[root@localhost ~]# vi /etc/sysconfig/iptables
[root@localhost ~]# grep 2020 /etc/sysconfig/iptables
-A INPUT -p tcp -m state --state NEW -m tcp --dport 2020 -j ACCEPT
2.3. Reload the firewall rules
[root@localhost ~]# /etc/init.d/iptables restart
iptables: Setting chains to policy ACCEPT: nat filter [ OK ]
iptables: Flushing firewall rules: [ OK ]
iptables: Unloading modules: [ OK ]
iptables: Applying firewall rules: [ OK ]
2.4. Restart the sshd service
[root@localhost ~]# /etc/init.d/sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
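As an added example (not part of the original post), the following shell script applies the two sshd_config changes from sections 1 and 2 to a file path you give it, so it can be tried on a copy before touching /etc/ssh/sshd_config, and then checks the values that would actually take effect. It assumes GNU sed (as on CentOS 6); the function names are the example's own, the port number 2020 comes from the post, and the sample config lines are constructed after the CentOS 6 default file.

```shell
#!/bin/bash
# Added example, not from the original post: apply "PermitRootLogin no" and
# "Port 2020" to an sshd_config file idempotently and verify the result.
# Assumes GNU sed (sed -i -E), as shipped with CentOS 6.

# set_sshd_option FILE KEY VALUE
# Replaces an active or commented-out "KEY ..." line with "KEY VALUE";
# appends the line if the key is absent. Running it twice changes nothing.
set_sshd_option() {
  file=$1; key=$2; value=$3
  if grep -Eq "^[#[:space:]]*${key}[[:space:]]" "$file"; then
    sed -i -E "s|^[#[:space:]]*${key}[[:space:]].*|${key} ${value}|" "$file"
  else
    printf '%s %s\n' "$key" "$value" >> "$file"
  fi
}

# harden_sshd_config FILE: the two settings from sections 1 and 2 of the post.
harden_sshd_config() {
  set_sshd_option "$1" PermitRootLogin no
  set_sshd_option "$1" Port 2020
}

# effective_value FILE KEY: value of the first active KEY line.
# sshd uses the first occurrence of a keyword, so that is the one that counts.
effective_value() {
  awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# check_sshd_config FILE: succeeds only if both settings are in effect.
check_sshd_config() {
  [ "$(effective_value "$1" PermitRootLogin)" = "no" ] &&
  [ "$(effective_value "$1" Port)" = "2020" ]
}

# make_sample_config FILE: constructed sample resembling the CentOS 6 default
# (not a real file from the post), including the comment line that the post's
# "grep Root" also matched.
make_sample_config() {
  cat > "$1" <<'EOF'
#Port 22
#AddressFamily any
#PermitRootLogin yes
# the setting of "PermitRootLogin without-password".
#GatewayPorts no
EOF
}

# demo: harden a temporary copy and report the resulting active lines.
demo() {
  tmp=$(mktemp)
  make_sample_config "$tmp"
  harden_sshd_config "$tmp"
  if check_sshd_config "$tmp"; then
    echo "hardened: $(grep -E '^(Port|PermitRootLogin) ' "$tmp" | tr '\n' ' ')"
  else
    echo "hardening failed" >&2
  fi
  rm -f "$tmp"
}

demo
```

On the real host, run the functions against /etc/ssh/sshd_config, then `sshd -t` to validate the file before `/etc/init.d/sshd restart`, and keep the current session open until a fresh login on port 2020 succeeds. On CentOS 6 with SELinux enforcing, the new port must also be allowed for sshd (`semanage port -a -t ssh_port_t -p tcp 2020`), otherwise sshd cannot bind it after the restart.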
The third method, denyhosts, is the one covered in detail:
3. Use the denyhosts daemon to limit SSH probing
3.1. Open a terminal and log in as root
login as: root
root@192.168.10.131's password:
Last login: Tue Jul 21 18:54:57 2015 from 192.168.10.101
[root@localhost ~]# cat /etc/issue
CentOS release 6.5 (Final)
Kernel \r on an \m
3.2. Add a system user
[root@localhost ~]# useradd leekwen
[root@localhost ~]# passwd leekwen
Changing password for user leekwen.
New password:
BAD PASSWORD: it is based on a dictionary word
Retype new password:
passwd: all authentication tokens updated successfully.
3.3. Open another terminal and log in as the non-root user
login as: leekwen
leekwen@192.168.10.131's password:
Last login: Tue Apr 28 21:27:26 2015 from 192.168.10.100
3.4. Switch to the root account
[leekwen@localhost ~]$ su - root
Password:
3.5. Download the DenyHosts archive
[root@localhost ~]# wget -c http://nchc.dl.sourceforge.net/project/denyhosts/denyhosts/2.6/DenyHosts-2.6.tar.gz
[root@localhost ~]# ls DenyHosts-2.6.tar.gz
DenyHosts-2.6.tar.gz
3.6. Unpack and install
[root@localhost ~]# tar zxf DenyHosts-2.6.tar.gz
[root@localhost ~]# cd DenyHosts-2.6
[root@localhost DenyHosts-2.6]# python setup.py install
[root@localhost DenyHosts-2.6]# cd /usr/share/denyhosts/
[root@localhost denyhosts]# ls
CHANGELOG.txt  denyhosts.cfg-dist  plugins  scripts  daemon-control-dist  LICENSE.txt  README.txt  setup.py
3.7. Edit the files DenyHosts needs in order to start (the daemon script and the configuration file)
3.7.1. Generate the denyhosts.cfg configuration file (strip comments and blank lines from the shipped template):
[root@localhost denyhosts]# cat denyhosts.cfg-dist |grep -v "#" |grep -v "^$" > denyhosts.cfg
3.7.2. Adjust the policy in denyhosts.cfg:
[root@localhost denyhosts]# cat denyhosts.cfg
SECURE_LOG = /var/log/secure
HOSTS_DENY = /etc/hosts.deny
PURGE_DENY = 20m
BLOCK_SERVICE = sshd
DENY_THRESHOLD_INVALID = 1
DENY_THRESHOLD_VALID = 10
DENY_THRESHOLD_ROOT = 5
DENY_THRESHOLD_RESTRICTED = 1
WORK_DIR = /usr/share/denyhosts/data
SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES
HOSTNAME_LOOKUP=NO
LOCK_FILE = /var/lock/subsys/denyhosts
ADMIN_EMAIL = leekwen@126.com
SMTP_HOST = localhost
SMTP_PORT = 25
SMTP_FROM = DenyHosts <nobody@localhost>
SMTP_SUBJECT = DenyHosts Report
AGE_RESET_VALID=5d
AGE_RESET_ROOT=25d
AGE_RESET_RESTRICTED=25d
AGE_RESET_INVALID=10d
DAEMON_LOG = /var/log/denyhosts
DAEMON_SLEEP = 30s
DAEMON_PURGE = 1h
[root@localhost denyhosts]# mkdir -p /etc/denyhosts/
[root@localhost denyhosts]# cp denyhosts.cfg /etc/denyhosts/
3.7.3. Edit the denyhosts daemon script:
Fix the ownership and permissions, then point the script at the configuration file under /etc/denyhosts:
[root@localhost denyhosts]# cp daemon-control-dist daemon-control
[root@localhost denyhosts]# chown root daemon-control
[root@localhost denyhosts]# chmod 700 daemon-control
[root@localhost denyhosts]# vi daemon-control
[root@localhost ~]# grep DENYHOSTS_CFG daemon-control
DENYHOSTS_CFG = "/etc/denyhosts/denyhosts.cfg"
args.append("--config=%s" % DENYHOSTS_CFG)
3.8. Start denyhosts as a system service:
[root@localhost denyhosts]# cp daemon-control /etc/init.d/denyhosts
[root@localhost denyhosts]# chkconfig --add denyhosts
[root@localhost denyhosts]# chkconfig denyhosts on
[root@localhost denyhosts]# /etc/init.d/denyhosts start
starting DenyHosts: /usr/bin/env python /usr/bin/denyhosts.py --daemon --config=/usr/share/denyhosts/denyhosts.cfg
3.9. View the host IP addresses on the blacklist:
[root@localhost denyhosts]# cd
[root@localhost ~]# tail -n 2 /etc/hosts.deny
# DenyHosts: Thu Aug 20 14:45:00 2015 | sshd: 118.187.17.119
sshd: 118.187.17.119
3.10. Add whitelisted addresses for the host:
If you need to whitelist a specific IP, edit /etc/hosts.allow. For example, I add the address 202.101.172.46 to my system's whitelist in my own hosts.allow file:
[root@localhost ~]# echo "sshd: 202.101.172.46" >> /etc/hosts.allow
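As an added example (not part of the original post and not DenyHosts' own code), the script below re-implements in shell and awk the decision DenyHosts makes for section 3 as a whole: count failed logins per source address in /var/log/secure-style lines, compare them with DENY_THRESHOLD_INVALID, DENY_THRESHOLD_ROOT and DENY_THRESHOLD_VALID read from a file in the denyhosts.cfg format of step 3.7.2, skip addresses listed in hosts.allow as in step 3.10, and print the "sshd: IP" lines that would be appended to /etc/hosts.deny as seen in step 3.9. The log lines are constructed sample data; the thresholds and the whitelist entry 202.101.172.46 follow the values in the post. It does not implement the PURGE_DENY and AGE_RESET_* timers, so it shows the threshold logic only.

```shell
#!/bin/bash
# Added example, not DenyHosts' own code: a minimal re-implementation of its
# threshold check over /var/log/secure-style lines. All inputs written by
# make_samples are constructed for illustration.

# cfg_value CFG KEY: read VALUE from a "KEY = VALUE" line in denyhosts.cfg format.
cfg_value() {
  awk -F'=' -v k="$2" '
    $1 ~ ("^[ \t]*" k "[ \t]*$") { gsub(/^[ \t]+|[ \t]+$/, "", $2); print $2; exit }' "$1"
}

# deny_candidates SECURE_LOG CFG HOSTS_ALLOW
# Prints "sshd: IP" for every source that reached a threshold and is not
# whitelisted, in the form DenyHosts appends to /etc/hosts.deny.
# Classification follows the three thresholds used in the post:
#   "Failed password for invalid user ..." -> DENY_THRESHOLD_INVALID
#   "Failed password for root ..."         -> DENY_THRESHOLD_ROOT
#   any other existing user                -> DENY_THRESHOLD_VALID
deny_candidates() {
  awk -v t_inv="$(cfg_value "$2" DENY_THRESHOLD_INVALID)" \
      -v t_root="$(cfg_value "$2" DENY_THRESHOLD_ROOT)" \
      -v t_val="$(cfg_value "$2" DENY_THRESHOLD_VALID)" \
      -v allowfile="$3" '
    BEGIN {
      # hosts.allow entries look like "sshd: 202.101.172.46"
      while ((getline line < allowfile) > 0)
        if (line ~ /^sshd:/) { sub(/^sshd:[ \t]*/, "", line); allowed[line] = 1 }
    }
    /sshd\[[0-9]+\]: Failed password for / {
      ip = ""
      for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
      if (ip == "") next
      if ($0 ~ /for invalid user /)   inv[ip]++
      else if ($0 ~ /for root from /) root[ip]++
      else                            val[ip]++
      seen[ip] = 1
    }
    END {
      for (ip in seen) {
        if (ip in allowed) continue
        if (inv[ip] + 0 >= t_inv + 0 || root[ip] + 0 >= t_root + 0 || val[ip] + 0 >= t_val + 0)
          print "sshd: " ip
      }
    }' "$1" | sort
}

# make_samples DIR: write constructed sample files (secure log, config, whitelist).
# 118.187.17.119 fails as root five times (reaches DENY_THRESHOLD_ROOT = 5),
# 10.0.0.7 and 202.101.172.46 each try one invalid user (DENY_THRESHOLD_INVALID = 1),
# but 202.101.172.46 is whitelisted; 192.168.10.100 fails once as a real user (< 10).
make_samples() {
  cat > "$1/secure" <<'EOF'
Aug 20 14:40:01 localhost sshd[2210]: Failed password for root from 118.187.17.119 port 51422 ssh2
Aug 20 14:40:02 localhost sshd[2211]: Failed password for root from 118.187.17.119 port 51423 ssh2
Aug 20 14:40:03 localhost sshd[2212]: Failed password for root from 118.187.17.119 port 51424 ssh2
Aug 20 14:40:04 localhost sshd[2213]: Failed password for root from 118.187.17.119 port 51425 ssh2
Aug 20 14:40:05 localhost sshd[2214]: Failed password for root from 118.187.17.119 port 51426 ssh2
Aug 20 14:40:06 localhost sshd[2215]: Failed password for invalid user admin from 202.101.172.46 port 40001 ssh2
Aug 20 14:40:07 localhost sshd[2216]: Accepted password for leekwen from 192.168.10.100 port 50123 ssh2
Aug 20 14:40:08 localhost sshd[2218]: Failed password for invalid user oracle from 10.0.0.7 port 33333 ssh2
Aug 20 14:40:09 localhost sshd[2220]: Failed password for leekwen from 192.168.10.100 port 50124 ssh2
EOF
  cat > "$1/denyhosts.cfg" <<'EOF'
SECURE_LOG = /var/log/secure
HOSTS_DENY = /etc/hosts.deny
BLOCK_SERVICE = sshd
DENY_THRESHOLD_INVALID = 1
DENY_THRESHOLD_VALID = 10
DENY_THRESHOLD_ROOT = 5
EOF
  printf 'sshd: 202.101.172.46\n' > "$1/hosts.allow"
}

# demo: run the check over the constructed samples and print the would-be
# hosts.deny lines.
demo() {
  d=$(mktemp -d)
  make_samples "$d"
  deny_candidates "$d/secure" "$d/denyhosts.cfg" "$d/hosts.allow"
  rm -rf "$d"
}

demo
```

Run against the real files (`deny_candidates /var/log/secure /etc/denyhosts/denyhosts.cfg /etc/hosts.allow`) to see which addresses the configured thresholds would block before letting the daemon write to /etc/hosts.deny; note that with DENY_THRESHOLD_INVALID = 1 a single typo in a username from an unlisted address is enough to be blocked, which is why the hosts.allow entry for your own address matters.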
First point: