
Defending SSH Against Brute-Force Attacks

2015-08-20 15:45

Ways to defend SSH against brute-force attacks:

1. Disable SSH login for the root user;

1.1. Change the PermitRootLogin setting:

[root@localhost ~]# vi /etc/ssh/sshd_config
[root@localhost ~]# grep Root /etc/ssh/sshd_config
PermitRootLogin no      ### changed from the default  #PermitRootLogin yes  to this ###
# the setting of "PermitRootLogin without-password".


1.2. Restart the sshd service

Stopping sshd:                                   [  OK  ]
Starting sshd:                                   [  OK  ]


2. Change the default SSH port 22;

2.1. Change the default port 22 to a custom port, 2020

[root@localhost ~]# vi /etc/ssh/sshd_config
[root@localhost ~]# grep Port /etc/ssh/sshd_config
Port 2020
#GatewayPorts no


2.2. Add a firewall rule for port 2020

[root@localhost ~]# vi /etc/sysconfig/iptables
[root@localhost ~]# grep 2020 /etc/sysconfig/iptables
-A INPUT -p tcp -m state --state NEW -m tcp --dport 2020 -j ACCEPT


2.3. Restart the firewall to apply the rules

[root@localhost ~]# /etc/init.d/iptables restart
iptables: Setting chains to policy ACCEPT: nat filter      [  OK  ]
iptables: Flushing firewall rules:                         [  OK  ]
iptables: Unloading modules:                               [  OK  ]
iptables: Applying firewall rules:                         [  OK  ]


2.4. Restart the sshd service

[root@localhost ~]# /etc/init.d/sshd restart
Stopping sshd:                                   [  OK  ]
Starting sshd:                                   [  OK  ]


The third method, denyhosts, is covered in detail:

3. Use the denyhosts daemon to limit SSH probing;

3.1. Open a terminal and log in as root

login as: root
root@192.168.10.131's password:
Last login: Tue Jul 21 18:54:57 2015 from 192.168.10.101
[root@localhost ~]# cat /etc/issue
CentOS release 6.5 (Final)
Kernel \r on an \m

3.2. Add a system user

[root@localhost ~]# useradd leekwen
[root@localhost ~]# passwd leekwen
Changing password for user leekwen.
New password:
BAD PASSWORD: it is based on a dictionary word
Retype new password:
passwd: all authentication tokens updated successfully.


3.3. Open another terminal and log in as a non-root user

login as: leekwen
leekwen@192.168.10.131's password:
Last login: Tue Apr 28 21:27:26 2015 from 192.168.10.100

3.4. Switch to the root account

[leekwen@localhost ~]$ su - root
Password:


3.5. Download the DenyHosts archive

[root@localhost ~]# wget -c http://nchc.dl.sourceforge.net/project/denyhosts/denyhosts/2.6/DenyHosts-2.6.tar.gz
[root@localhost ~]# ls DenyHosts-2.6.tar.gz
DenyHosts-2.6.tar.gz

3.6. Extract and install

[root@localhost ~]# tar zxf DenyHosts-2.6.tar.gz
[root@localhost ~]# cd DenyHosts-2.6
[root@localhost DenyHosts-2.6]# python setup.py install
[root@localhost DenyHosts-2.6]# cd /usr/share/denyhosts/
[root@localhost denyhosts]# ls
CHANGELOG.txt        denyhosts.cfg-dist  plugins     scripts
daemon-control-dist  LICENSE.txt         README.txt  setup.py


3.7. Edit the files DenyHosts needs to start (the daemon control file and the configuration file)

3.7.1. Generate the denyhosts.cfg configuration file:

[root@localhost denyhosts]# cat denyhosts.cfg-dist |grep -v "#" |grep -v "^$" > denyhosts.cfg

3.7.2. Adjust the policy settings in denyhosts.cfg:

[root@localhost denyhosts]# cat denyhosts.cfg
SECURE_LOG = /var/log/secure
HOSTS_DENY = /etc/hosts.deny
PURGE_DENY = 20m
BLOCK_SERVICE  = sshd
DENY_THRESHOLD_INVALID = 1
DENY_THRESHOLD_VALID = 10
DENY_THRESHOLD_ROOT = 5
DENY_THRESHOLD_RESTRICTED = 1
WORK_DIR = /usr/share/denyhosts/data
SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES
HOSTNAME_LOOKUP=NO
LOCK_FILE = /var/lock/subsys/denyhosts
ADMIN_EMAIL = leekwen@126.com
SMTP_HOST = localhost
SMTP_PORT = 25
SMTP_FROM = DenyHosts <nobody@localhost>
SMTP_SUBJECT = DenyHosts Report
AGE_RESET_VALID=5d
AGE_RESET_ROOT=25d
AGE_RESET_RESTRICTED=25d
AGE_RESET_INVALID=10d
DAEMON_LOG = /var/log/denyhosts
DAEMON_SLEEP = 30s
DAEMON_PURGE = 1h


[root@localhost denyhosts]# mkdir -p /etc/denyhosts/
[root@localhost denyhosts]# cp denyhosts.cfg /etc/denyhosts/


3.7.3. Edit the denyhosts daemon control file:

After changing the permissions, point the configuration file setting at the /etc/denyhosts directory

[root@localhost denyhosts]# cp daemon-control-dist daemon-control
[root@localhost denyhosts]# chown root daemon-control
[root@localhost denyhosts]# chmod 700 daemon-control
[root@localhost denyhosts]# vi daemon-control
[root@localhost ~]# grep DENYHOSTS_CFG daemon-control
DENYHOSTS_CFG   = "/etc/denyhosts/denyhosts.cfg"
args.append("--config=%s" % DENYHOSTS_CFG)

3.8. Start denyhosts as a system service:

[root@localhost denyhosts]# cp daemon-control /etc/init.d/denyhosts
[root@localhost denyhosts]# chkconfig --add denyhosts
[root@localhost denyhosts]# chkconfig denyhosts on
[root@localhost denyhosts]# /etc/init.d/denyhosts start
starting DenyHosts:    /usr/bin/env python /usr/bin/denyhosts.py --daemon --config=/usr/share/denyhosts/denyhosts.cfg


3.9. View the host IP addresses on the blacklist:

[root@localhost denyhosts]# cd
[root@localhost ~]# tail -n 2 /etc/hosts.deny
# DenyHosts: Thu Aug 20 14:45:00 2015 | sshd: 118.187.17.119
sshd: 118.187.17.119


3.10. Add whitelist addresses for the host:

If you need to whitelist a specific IP, edit /etc/hosts.allow.



Example: I add the address 202.101.172.46 to my own hosts.allow file to put it on my system's whitelist:

[root@localhost ~]# echo "sshd: 202.101.172.46" >> /etc/hosts.allow
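
The Python sketch below is an added example, not part of the original post and not DenyHosts' own code: it applies the DENY_THRESHOLD_* values from the denyhosts.cfg in step 3.7.2 to constructed /var/log/secure lines and returns the entries that would land in /etc/hosts.deny. It assumes a host is blocked once its failure count exceeds the threshold and models the hosts.allow whitelist by skipping those addresses; the function names and sample log lines are made up for illustration.

```python
import re
from collections import Counter

# Thresholds copied from the denyhosts.cfg shown above.
THRESHOLDS = {"invalid": 1, "valid": 10, "root": 5}

# sshd "Failed password" line as written to /var/log/secure. The greedy user
# group plus the end-of-line anchor take the LAST "from <ip>" on the line, so
# a "from ..." string typed as the username cannot change the counted address.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?"
    r"(?P<user>.*) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2\s*$"
)

def classify(match):
    """Pick the DENY_THRESHOLD_* category a failed login counts against."""
    if match.group("invalid"):
        return "invalid"
    return "root" if match.group("user") == "root" else "valid"

def hosts_to_deny(log_lines, allowed=()):
    """Return hosts.deny entries for IPs whose failures exceed a threshold."""
    counts = Counter()
    for line in log_lines:
        m = FAILED.search(line)
        if m and m.group("ip") not in allowed:  # assumption: whitelisted IPs are skipped
            counts[(m.group("ip"), classify(m))] += 1
    # Assumption: a host is blocked once its count EXCEEDS the threshold.
    blocked = {ip for (ip, kind), n in counts.items() if n > THRESHOLDS[kind]}
    return ["sshd: %s" % ip for ip in sorted(blocked)]

def make_line(user_part, ip):
    """Build one constructed log line (not taken from a real system)."""
    return ("Aug 20 14:44:51 localhost sshd[2345]: Failed password for %s "
            "from %s port 51234 ssh2" % (user_part, ip))

# Constructed sample input.
SAMPLE = (
    [make_line("invalid user admin", "203.0.113.5")] * 2      # 2 > 1: blocked
    + [make_line("root", "198.51.100.7")] * 5                 # 5 is not > 5: kept
    + [make_line("invalid user test", "202.101.172.46")] * 3  # whitelisted above
    + [make_line("invalid user x from 198.51.100.7 port 1 ssh2", "203.0.113.9")] * 2
)

if __name__ == "__main__":
    print("\n".join(hosts_to_deny(SAMPLE, allowed={"202.101.172.46"})))
```

With DENY_THRESHOLD_INVALID = 1, a single mistyped username is tolerated and the second one from the same address gets it blocked, which is why the whitelist entry in step 3.10 matters for administrators' own addresses.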

