
How to protect SSH against password cracking

Date: 2010-09-03  Source: hgdxzhj


When your Linux server is exposed to the Internet, scanning tools will probe it and try to guess the SSH login password. You will find multiple failed SSH login records every day. These scanning tools are a threat to your server: you must set a complex login password and block any IP that fails to log in repeatedly, so that it cannot reach the server for a period of time.

DenyHosts can stop attempts to guess the SSH login password. It analyses log files such as /var/log/secure, and when it finds the same IP making repeated SSH password attempts it records that IP in /etc/hosts.deny, which blocks the IP automatically.

The official DenyHosts site is: http://denyhosts.sourceforge.net

Installing DenyHosts

    [root@switch DenyHost]# ls -l
    总用量 44
    -rw-------  1 root root 42667  8月  5 19:23 DenyHosts-2.6.tar.gz
    [root@switch DenyHost]# tar -zxvf DenyHosts-2.6.tar.gz
    DenyHosts-2.6/
    DenyHosts-2.6/PKG-INFO
    DenyHosts-2.6/denyhosts.py
    DenyHosts-2.6/denyhosts.cfg-dist
    DenyHosts-2.6/setup.py
    DenyHosts-2.6/DenyHosts/
    DenyHosts-2.6/DenyHosts/prefs.py
    DenyHosts-2.6/DenyHosts/report.py
    DenyHosts-2.6/DenyHosts/lockfile.py
    DenyHosts-2.6/DenyHosts/__init__.py
    DenyHosts-2.6/DenyHosts/plugin.py
    DenyHosts-2.6/DenyHosts/denyfileutil.py
    DenyHosts-2.6/DenyHosts/deny_hosts.py
    DenyHosts-2.6/DenyHosts/regex.py
    DenyHosts-2.6/DenyHosts/sync.py
    DenyHosts-2.6/DenyHosts/counter.py
    DenyHosts-2.6/DenyHosts/old-daemon.py
    DenyHosts-2.6/DenyHosts/util.py
    DenyHosts-2.6/DenyHosts/daemon.py
    DenyHosts-2.6/DenyHosts/python_version.py
    DenyHosts-2.6/DenyHosts/allowedhosts.py
    DenyHosts-2.6/DenyHosts/filetracker.py
    DenyHosts-2.6/DenyHosts/loginattempt.py
    DenyHosts-2.6/DenyHosts/restricted.py
    DenyHosts-2.6/DenyHosts/purgecounter.py
    DenyHosts-2.6/DenyHosts/version.py
    DenyHosts-2.6/DenyHosts/constants.py
    DenyHosts-2.6/CHANGELOG.txt
    DenyHosts-2.6/LICENSE.txt
    DenyHosts-2.6/daemon-control-dist
    DenyHosts-2.6/plugins/
    DenyHosts-2.6/plugins/README.contrib
    DenyHosts-2.6/plugins/shorewall_allow.sh
    DenyHosts-2.6/plugins/shorewall_deny.sh
    DenyHosts-2.6/plugins/test_deny.py
    DenyHosts-2.6/scripts/
    DenyHosts-2.6/scripts/restricted_from_invalid.py
    DenyHosts-2.6/scripts/restricted_from_passwd.py
    DenyHosts-2.6/README.txt
    DenyHosts-2.6/MANIFEST.in

    [root@switch DenyHost]# cd DenyHosts-2.6
    [root@switch DenyHosts-2.6]# ls
    CHANGELOG.txt        DenyHosts           denyhosts.py  MANIFEST.in  plugins     scripts
    daemon-control-dist  denyhosts.cfg-dist  LICENSE.txt   PKG-INFO     README.txt  setup.py

    [root@switch DenyHosts-2.6]# python setup.py install
    running install
    running build
    running build_py
    creating build
    creating build/lib
    creating build/lib/DenyHosts
    copying DenyHosts/deny_hosts.py -> build/lib/DenyHosts
    copying DenyHosts/denyfileutil.py -> build/lib/DenyHosts
    copying DenyHosts/version.py -> build/lib/DenyHosts
    copying DenyHosts/__init__.py -> build/lib/DenyHosts
    copying DenyHosts/util.py -> build/lib/DenyHosts
    copying DenyHosts/constants.py -> build/lib/DenyHosts
    copying DenyHosts/restricted.py -> build/lib/DenyHosts
    copying DenyHosts/plugin.py -> build/lib/DenyHosts
    copying DenyHosts/sync.py -> build/lib/DenyHosts
    copying DenyHosts/prefs.py -> build/lib/DenyHosts
    copying DenyHosts/report.py -> build/lib/DenyHosts
    copying DenyHosts/filetracker.py -> build/lib/DenyHosts
    copying DenyHosts/python_version.py -> build/lib/DenyHosts
    copying DenyHosts/loginattempt.py -> build/lib/DenyHosts
    copying DenyHosts/allowedhosts.py -> build/lib/DenyHosts
    copying DenyHosts/regex.py -> build/lib/DenyHosts
    copying DenyHosts/purgecounter.py -> build/lib/DenyHosts
    copying DenyHosts/old-daemon.py -> build/lib/DenyHosts
    copying DenyHosts/daemon.py -> build/lib/DenyHosts
    copying DenyHosts/counter.py -> build/lib/DenyHosts
    copying DenyHosts/lockfile.py -> build/lib/DenyHosts
    running build_scripts
    creating build/scripts-2.3
    copying and adjusting denyhosts.py -> build/scripts-2.3
    changing mode of build/scripts-2.3/denyhosts.py from 644 to 755
    running install_lib
    creating /usr/lib/python2.3/site-packages/DenyHosts
    copying build/lib/DenyHosts/deny_hosts.py -> /usr/lib/python2.3/site-packages/DenyHosts
    copying build/lib/DenyHosts/denyfileutil.py -> /usr/lib/python2.3/site-packages/DenyHosts
    copying build/lib/DenyHosts/version.py -> /usr/lib/python2.3/site-packages/DenyHosts
    copying build/lib/DenyHosts/__init__.py -> /usr/lib/python2.3/site-packages/DenyHosts
    copying build/lib/DenyHosts/util.py -> /usr/lib/python2.3/site-packages/DenyHosts
    copying build/lib/DenyHosts/constants.py -> /usr/lib/python2.3/site-packages/DenyHosts
    copying build/lib/DenyHosts/restricted.py -> /usr/lib/python2.3/site-packages/DenyHosts
    copying build/lib/DenyHosts/plugin.py -> /usr/lib/python2.3/site-packages/DenyHosts
    copying build/lib/DenyHosts/sync.py -> /usr/lib/python2.3/site-packages/DenyHosts
    copying build/lib/DenyHosts/prefs.py -> /usr/lib/python2.3/site-packages/DenyHosts
    copying build/lib/DenyHosts/report.py -> /usr/lib/python2.3/site-packages/DenyHosts
    copying build/lib/DenyHosts/filetracker.py -> /usr/lib/python2.3/site-packages/DenyHosts
    copying build/lib/DenyHosts/python_version.py -> /usr/lib/python2.3/site-packages/DenyHosts
    copying build/lib/DenyHosts/loginattempt.py -> /usr/lib/python2.3/site-packages/DenyHosts
    copying build/lib/DenyHosts/allowedhosts.py -> /usr/lib/python2.3/site-packages/DenyHosts
    copying build/lib/DenyHosts/regex.py -> /usr/lib/python2.3/site-packages/DenyHosts
    copying build/lib/DenyHosts/purgecounter.py -> /usr/lib/python2.3/site-packages/DenyHosts
    copying build/lib/DenyHosts/old-daemon.py -> /usr/lib/python2.3/site-packages/DenyHosts
    copying build/lib/DenyHosts/daemon.py -> /usr/lib/python2.3/site-packages/DenyHosts
    copying build/lib/DenyHosts/counter.py -> /usr/lib/python2.3/site-packages/DenyHosts
    copying build/lib/DenyHosts/lockfile.py -> /usr/lib/python2.3/site-packages/DenyHosts
    byte-compiling /usr/lib/python2.3/site-packages/DenyHosts/deny_hosts.py to deny_hosts.pyc
    byte-compiling /usr/lib/python2.3/site-packages/DenyHosts/denyfileutil.py to denyfileutil.pyc
    byte-compiling /usr/lib/python2.3/site-packages/DenyHosts/version.py to version.pyc
    byte-compiling /usr/lib/python2.3/site-packages/DenyHosts/__init__.py to __init__.pyc
    byte-compiling /usr/lib/python2.3/site-packages/DenyHosts/util.py to util.pyc
    byte-compiling /usr/lib/python2.3/site-packages/DenyHosts/constants.py to constants.pyc
    byte-compiling /usr/lib/python2.3/site-packages/DenyHosts/restricted.py to restricted.pyc
    byte-compiling /usr/lib/python2.3/site-packages/DenyHosts/plugin.py to plugin.pyc
    byte-compiling /usr/lib/python2.3/site-packages/DenyHosts/sync.py to sync.pyc
    byte-compiling /usr/lib/python2.3/site-packages/DenyHosts/prefs.py to prefs.pyc
    byte-compiling /usr/lib/python2.3/site-packages/DenyHosts/report.py to report.pyc
    byte-compiling /usr/lib/python2.3/site-packages/DenyHosts/filetracker.py to filetracker.pyc
    byte-compiling /usr/lib/python2.3/site-packages/DenyHosts/python_version.py to python_version.pyc
    byte-compiling /usr/lib/python2.3/site-packages/DenyHosts/loginattempt.py to loginattempt.pyc
    byte-compiling /usr/lib/python2.3/site-packages/DenyHosts/allowedhosts.py to allowedhosts.pyc
    byte-compiling /usr/lib/python2.3/site-packages/DenyHosts/regex.py to regex.pyc
    byte-compiling /usr/lib/python2.3/site-packages/DenyHosts/purgecounter.py to purgecounter.pyc
    byte-compiling /usr/lib/python2.3/site-packages/DenyHosts/old-daemon.py to old-daemon.pyc
    byte-compiling /usr/lib/python2.3/site-packages/DenyHosts/daemon.py to daemon.pyc
    byte-compiling /usr/lib/python2.3/site-packages/DenyHosts/counter.py to counter.pyc
    byte-compiling /usr/lib/python2.3/site-packages/DenyHosts/lockfile.py to lockfile.pyc
    running install_scripts
    copying build/scripts-2.3/denyhosts.py -> /usr/bin
    changing mode of /usr/bin/denyhosts.py to 755
    running install_data
    creating /usr/share/denyhosts
    copying denyhosts.cfg-dist -> /usr/share/denyhosts
    copying setup.py -> /usr/share/denyhosts
    copying daemon-control-dist -> /usr/share/denyhosts
    copying CHANGELOG.txt -> /usr/share/denyhosts
    copying README.txt -> /usr/share/denyhosts
    creating /usr/share/denyhosts/scripts
    copying scripts/restricted_from_invalid.py -> /usr/share/denyhosts/scripts
    copying scripts/restricted_from_passwd.py -> /usr/share/denyhosts/scripts
    creating /usr/share/denyhosts/plugins
    copying plugins/test_deny.py -> /usr/share/denyhosts/plugins
    copying plugins/README.contrib -> /usr/share/denyhosts/plugins
    copying plugins/shorewall_deny.sh -> /usr/share/denyhosts/plugins
    copying plugins/shorewall_allow.sh -> /usr/share/denyhosts/plugins
    copying LICENSE.txt -> /usr/share/denyhosts

Configuring DenyHosts parameters

    [root@switch DenyHosts-2.6]# cd /usr/share/denyhosts/  # default DenyHosts install directory
    [root@switch denyhosts]# cp denyhosts.cfg-dist denyhosts.cfg
    [root@switch denyhosts]# vi denyhosts.cfg  # DenyHosts configuration file

    SECURE_LOG = /var/log/secure  # ssh log file

    #      format is: i[dhwmy]
    #      Where i is an integer (eg. 7)
    #            m = minutes
    #            h = hours
    #            d = days
    #            w = weeks
    #            y = years
    #
    # never purge:
    PURGE_DENY = 50m      # how long before blocked IPs are purged

    HOSTS_DENY = /etc/hosts.deny      # write blocked IPs to hosts.deny
    BLOCK_SERVICE = sshd     # name of the service to block
    DENY_THRESHOLD_INVALID = 1    # number of failed logins allowed for invalid users
    DENY_THRESHOLD_VALID = 10     # number of failed logins allowed for ordinary users
    DENY_THRESHOLD_ROOT = 5        # number of failed logins allowed for root

    WORK_DIR = /usr/local/share/denyhosts/data      # record denied hosts or IPs in WORK_DIR

    DENY_THRESHOLD_RESTRICTED = 1     # set deny hosts to be written to this directory
    LOCK_FILE = /var/lock/subsys/denyhosts         # record the PID of the running DenyHosts in LOCK_FILE, to make sure the service starts correctly and to prevent several instances starting at once
    HOSTNAME_LOOKUP=NO     # whether to do reverse DNS lookups
    ADMIN_EMAIL = [email protected]         # administrator e-mail address
    DAEMON_LOG = /var/log/denyhosts   # DenyHosts' own log file

    DAEMON_PURGE = 10m      # set this the same as PURGE_DENY; it is also the time after which denied ssh users in hosts.deny are purged

Configuring the DenyHosts startup script

    [root@switch denyhosts]# cp daemon-control-dist daemon-control
    [root@switch denyhosts]# chown root daemon-control
    [root@switch denyhosts]# chmod 700 daemon-control
    [root@switch denyhosts]# ./daemon-control     # DenyHosts command usage
    Usage: ./daemon-control {start [args...] | stop | restart [args...] | status | debug | condrestart [args...] }

    For a list of valid args refer to:
    $ denyhosts.py --help

    [root@switch denyhosts]# ./daemon-control start         # start DenyHosts
    starting DenyHosts:    /usr/bin/env python /usr/bin/denyhosts.py --daemon --config=/usr/share/denyhosts/denyhosts.cfg

To have DenyHosts start automatically after every reboot, also do the following:

    [root@switch denyhosts]# ln -s /usr/share/denyhosts/daemon-control /etc/init.d/denyhosts
    [root@switch denyhosts]# chkconfig --add denyhosts
    [root@switch denyhosts]# chkconfig denyhosts on
    [root@switch denyhosts]# chkconfig --level 2345 denyhosts on

Or edit /etc/rc.local:

    [root@switch denyhosts]# vi /etc/rc.local

and add the following command:

    /usr/share/denyhosts/daemon-control start

    [root@switch denyhosts]# tail -f /var/log/secure
    Aug  5 19:20:51 switch sshd[5831]: Accepted password for root from ::ffff:192.168.1.31 port 1744 ssh2
    Aug  5 19:21:00 switch sshd[5831]: Received disconnect from ::ffff:192.168.1.31: 0:
    Aug  5 19:21:02 switch sshd[5865]: Accepted password for root from ::ffff:192.168.1.31 port 1745 ssh2
    Aug  5 19:30:25 switch sshd[5865]: Received disconnect from ::ffff:192.168.1.31: 0:
    Aug  5 19:33:48 switch sshd[5962]: Failed password for test from ::ffff:192.168.1.31 port 1756 ssh2
    Aug  5 19:33:50 switch sshd[5962]: Accepted password for test from ::ffff:192.168.1.31 port 1756 ssh2
    Aug  5 19:33:52 switch sshd[5964]: channel_lookup: 0: bad id: channel free
    Aug  5 19:33:52 switch sshd[5964]: Disconnecting: Received ieof for nonexistent channel 0.
    Aug  5 19:37:34 switch sshd[5986]: Failed password for test from ::ffff:192.168.1.31 port 1826 ssh2
    Aug  5 11:37:35 switch sshd[5987]: Received disconnect from ::ffff:192.168.1.31: 0:
    Aug  5 19:38:29 switch sshd[5997]: Failed password for root from ::ffff:192.168.1.31 port 1829 ssh2
    Aug  5 11:38:31 switch sshd[5998]: Received disconnect from ::ffff:192.168.1.31: 0:
    Aug  5 19:38:38 switch sshd[5999]: Failed password for root from ::ffff:192.168.1.31 port 1830 ssh2
    Aug  5 11:38:43 switch sshd[6000]: Received disconnect from ::ffff:192.168.1.31: 0:
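
To make the three DENY_THRESHOLD_* settings concrete, here is a simplified model of the log analysis described above, written for this page as an added example (it is not DenyHosts' own code). It assumes a host is blocked once its failure count exceeds the allowed number for its category; the function names and the sample log are constructed for illustration.

```python
import re
from collections import Counter

# Thresholds taken from the denyhosts.cfg values shown on this page.
THRESHOLDS = {"invalid": 1, "valid": 10, "root": 5}

# Matches sshd "Failed password" lines; strips the ::ffff: IPv4-mapped prefix.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user |illegal user )?"
    r"(?P<user>\S+) from (?:::ffff:)?(?P<ip>\S+) port \d+"
)

def classify(match):
    """Map a failed login to the threshold category that applies to it."""
    if match.group("invalid"):
        return "invalid"
    return "root" if match.group("user") == "root" else "valid"

def hosts_to_deny(log_lines, thresholds=THRESHOLDS):
    """Return sorted IPs whose failures exceed the threshold of any category."""
    counts = Counter()
    for line in log_lines:
        m = FAILED.search(line)
        if m:
            counts[(m.group("ip"), classify(m))] += 1
    # Assumption: blocking starts once the count exceeds the allowed number.
    return sorted({ip for (ip, cat), n in counts.items() if n > thresholds[cat]})

def deny_entries(ips, service="sshd"):
    """Format entries as 'service: address' lines for /etc/hosts.deny."""
    return [f"{service}: {ip}" for ip in ips]

# Constructed sample log using documentation addresses, not real traffic.
SAMPLE_LOG = (
    [f"Aug  5 19:40:0{i} switch sshd[610{i}]: Failed password for root "
     f"from ::ffff:203.0.113.7 port 40{i}0 ssh2" for i in range(6)]
    + [f"Aug  5 19:41:0{i} switch sshd[620{i}]: Failed password for invalid user "
       f"admin from 198.51.100.9 port 41{i}0 ssh2" for i in range(2)]
    + ["Aug  5 19:42:00 switch sshd[6300]: Failed password for test "
       "from ::ffff:192.168.1.31 port 1826 ssh2",
       "Aug  5 19:42:02 switch sshd[6300]: Accepted password for test "
       "from ::ffff:192.168.1.31 port 1826 ssh2"]
)

if __name__ == "__main__":
    print("\n".join(deny_entries(hosts_to_deny(SAMPLE_LOG))))
```

With these thresholds a single mistyped password from a legitimate user is not enough to block the host, while a second attempt against a nonexistent account is.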