Setting up DenyHosts with email notifications on Debian

Date: 2020-03-21 11:47:04  Source: igfitidea

DenyHosts is a Python script that monitors the server's authentication log in order to stop brute-force attacks.
The script blocks SSH attackers automatically by adding entries to '/etc/hosts.deny'.

Installation

Install DenyHosts:

# apt-get update && apt-get install denyhosts

At the time of writing, the latest version of DenyHosts, v2.6, does not support TLS/SSL for SMTP authentication.
TLS/SSL support should, however, be added in v2.7.

To log in to our email server securely we will use Stunnel.
As mentioned earlier, Stunnel is a program designed to act as an SSL encryption wrapper, and it can be used to add SSL capability to DenyHosts.

# apt-get install stunnel4

Stunnel configuration

Create the '/etc/stunnel/stunnel.conf' file with the appropriate SSMTP settings:

# cat > /etc/stunnel/stunnel.conf <<EOF
[ssmtp]
client = yes
accept = 25
connect = mail.example.com:465
EOF

Open '/etc/default/stunnel4' and change the value of the 'ENABLED' field from '0' to '1' so that the tunnel starts automatically at system boot.
The file should then look like this:

# cat /etc/default/stunnel4
ENABLED=1
FILES="/etc/stunnel/*.conf"
OPTIONS=""
PPP_RESTART=0

Restart the stunnel daemon:

# /etc/init.d/stunnel4 restart

Check with netstat that stunnel is listening on port 25:

# netstat -nltp | grep :25
tcp  0   0 0.0.0.0:25   0.0.0.0:*   LISTEN   24687/stunnel4

DenyHosts configuration

Whitelist your own IPs

The first thing to do is to whitelist any private/public IPs that we cannot afford to have blocked, so that we do not lock ourselves out of our own server.
These IPs need to be added to '/etc/hosts.allow', for example:

# echo "ALL: 10.32.1.10" >>/etc/hosts.allow

Customizing DenyHosts

The next step is to back up the default '/etc/denyhosts.conf' configuration file:

# cp /etc/denyhosts.conf /etc/denyhosts.conf.backup

Since we will be storing SMTP credentials in it, it is wise to restrict access to the file to the root user only:

# chmod 0600 /etc/denyhosts.conf

Now we can start customizing DenyHosts.
Below are the contents of our configuration file, with some handy comments.

# cat /etc/denyhosts.conf
       ############ THESE SETTINGS ARE REQUIRED ############
# Debian sshd logs
SECURE_LOG = /var/log/auth.log
# The file which contains restricted host access information
HOSTS_DENY = /etc/hosts.deny
# Remove HOSTS_DENY entries that are older than 1 day
PURGE_DENY = 1d 
# The service name that should be blocked in HOSTS_DENY
BLOCK_SERVICE  = sshd
# Block each host after 2 failed invalid login attempts
# This value applies to invalid (non-existent) user login attempts
DENY_THRESHOLD_INVALID = 2
# Block each host after 10 failed valid login attempts
# This value applies to valid user logins (except the root user)
DENY_THRESHOLD_VALID = 10
# Block each host after 1 failed root login attempt
DENY_THRESHOLD_ROOT = 1
# Block each host after 1 failed login attempt
# This value applies to usernames that appear in the 
# WORK_DIR/restricted-usernames file only
DENY_THRESHOLD_RESTRICTED = 1
# The full path that DenyHosts will use for writing data to
WORK_DIR = /var/lib/denyhosts
# Do not report suspicious login attempts from allowed-hosts
SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS = NO
# Do not do hostname lookups 
HOSTNAME_LOOKUP = NO
# Lock file on Debian
LOCK_FILE = /run/denyhosts.pid
       ############ THESE SETTINGS ARE OPTIONAL ############
# Email to get notifications about restricted hosts
ADMIN_EMAIL = Hyman@theitroad
# Using Stunnel on localhost
SMTP_HOST = localhost
SMTP_PORT = 25
# SMTP login credentials 
SMTP_USERNAME = Hyman@theitroad
SMTP_PASSWORD = password
# Specifies "From:" address in messages sent from DenyHosts
SMTP_FROM = DenyHosts <Hyman@theitroad>
# Specifies the "Subject:" of messages sent by DenyHosts
SMTP_SUBJECT = DenyHosts Report
# Reset failed valid user login attempts count to 0 after 5 days
AGE_RESET_VALID = 5d
# Reset failed root login attempts count to 0 after 5 days
AGE_RESET_ROOT = 5d
# Reset failed restricted login attempts count to 0 after 5 days
# This applies to all entries found in the WORK_DIR/restricted-usernames
AGE_RESET_RESTRICTED = 5d
# Reset failed invalid login attempts count to 0 after 5 days
AGE_RESET_INVALID = 5d
# Set failed count to 0 if the login is successful
RESET_ON_SUCCESS = yes
   ######### THESE SETTINGS ARE SPECIFIC TO DAEMON MODE  ##########
# The logfile that DenyHosts uses to report its status
DAEMON_LOG = /var/log/denyhosts
# The amount of time DenyHosts will sleep between polling the SECURE_LOG
DAEMON_SLEEP = 30s
# Run purge mechanism to expire old entries in HOSTS_DENY every 1h 
DAEMON_PURGE = 1h
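To make the effect of the DENY_THRESHOLD_* and RESET_ON_SUCCESS settings above concrete, and to show why the hosts.allow whitelist from the earlier step protects our own address, here is an added example. It is not code from the DenyHosts project: it is a deliberately simplified model that reads KEY = VALUE settings in the format shown above, replays a few constructed sshd lines from auth.log, derives the hosts.deny entries the thresholds would produce, and then evaluates TCP Wrappers order (hosts.allow is consulted before hosts.deny, first match wins). The log lines, the attacker addresses (203.0.113.7, 198.51.100.9, documentation ranges) and the single "Failed password"/"Accepted" patterns are assumptions; the real DenyHosts parser recognises more sshd message variants and also applies the AGE_RESET_* timers, which this model omits.

```python
"""
Added example, not part of DenyHosts: a simplified model of how the
DENY_THRESHOLD_* settings turn sshd failures in auth.log into
/etc/hosts.deny entries, and why a hosts.allow whitelist still wins.
All data below is constructed; no real file is read.
"""
import re
from collections import defaultdict

# Constructed excerpt using the same values as the configuration above.
SAMPLE_CONF = """
# Debian sshd logs
SECURE_LOG = /var/log/auth.log
BLOCK_SERVICE  = sshd
DENY_THRESHOLD_INVALID = 2
DENY_THRESHOLD_VALID = 10
DENY_THRESHOLD_ROOT = 1
DENY_THRESHOLD_RESTRICTED = 1
RESET_ON_SUCCESS = yes
"""

# Constructed auth.log lines in the shape Debian's sshd writes them.
# 10.32.1.10 is the address whitelisted in hosts.allow earlier on the page.
SAMPLE_AUTH_LOG = """
Mar 21 11:40:01 host sshd[1001]: Failed password for invalid user oracle from 203.0.113.7 port 51234 ssh2
Mar 21 11:40:03 host sshd[1001]: Failed password for invalid user admin from 203.0.113.7 port 51235 ssh2
Mar 21 11:41:10 host sshd[1002]: Failed password for root from 198.51.100.9 port 40000 ssh2
Mar 21 11:42:00 host sshd[1003]: Failed password for bob from 10.32.1.10 port 50000 ssh2
Mar 21 11:42:05 host sshd[1003]: Accepted password for bob from 10.32.1.10 port 50000 ssh2
Mar 21 11:43:00 host sshd[1004]: Failed password for root from 10.32.1.10 port 50001 ssh2
"""

FAILED_RE = re.compile(
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
ACCEPTED_RE = re.compile(r"Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+)")


def parse_conf(text):
    """Parse 'KEY = VALUE' lines into a dict; blank and '#' lines are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def evaluate_log(conf, log_text, restricted_usernames=()):
    """Return the hosts.deny entries the thresholds in conf would produce.

    Failure categories mirror the DENY_THRESHOLD_* keys: root, names listed
    in WORK_DIR/restricted-usernames, invalid (non-existent) users, valid users.
    With RESET_ON_SUCCESS = yes a successful login clears the host's counters.
    """
    thresholds = {
        "root": int(conf["DENY_THRESHOLD_ROOT"]),
        "restricted": int(conf["DENY_THRESHOLD_RESTRICTED"]),
        "invalid": int(conf["DENY_THRESHOLD_INVALID"]),
        "valid": int(conf["DENY_THRESHOLD_VALID"]),
    }
    reset_on_success = conf.get("RESET_ON_SUCCESS", "no").lower() == "yes"
    counts = defaultdict(lambda: defaultdict(int))  # ip -> category -> failures
    denied = []
    for line in log_text.splitlines():
        accepted = ACCEPTED_RE.search(line)
        if accepted:
            if reset_on_success:
                counts.pop(accepted.group("ip"), None)
            continue
        failed = FAILED_RE.search(line)
        if not failed:
            continue
        user, ip = failed.group("user"), failed.group("ip")
        if user == "root":
            category = "root"
        elif user in restricted_usernames:
            category = "restricted"
        elif failed.group("invalid"):
            category = "invalid"
        else:
            category = "valid"
        counts[ip][category] += 1
        entry = f"{conf['BLOCK_SERVICE']}: {ip}"
        if counts[ip][category] >= thresholds[category] and entry not in denied:
            denied.append(entry)
    return denied


def tcp_wrappers_allows(hosts_allow, hosts_deny, service, ip):
    """TCP Wrappers order: a match in hosts.allow grants access, otherwise a
    match in hosts.deny refuses it, otherwise access is granted."""
    def matches(lines):
        for line in lines:
            daemons, _, clients = line.partition(":")
            daemons = {d.strip() for d in daemons.split(",")}
            clients = {c.strip() for c in clients.split(",")}
            if (service in daemons or "ALL" in daemons) and (ip in clients or "ALL" in clients):
                return True
        return False
    if matches(hosts_allow):
        return True
    return not matches(hosts_deny)


if __name__ == "__main__":
    deny = evaluate_log(parse_conf(SAMPLE_CONF), SAMPLE_AUTH_LOG)
    print("hosts.deny entries:", deny)
    for addr in ("203.0.113.7", "10.32.1.10"):
        print(addr, "allowed:", tcp_wrappers_allows(["ALL: 10.32.1.10"], deny, "sshd", addr))
```

Running it shows the point of the whitelist step: the single failed root login from 10.32.1.10 is enough to put "sshd: 10.32.1.10" into hosts.deny (DENY_THRESHOLD_ROOT = 1), yet the "ALL: 10.32.1.10" line in hosts.allow is matched first, so that address is still admitted while 203.0.113.7 is refused.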

The last thing to do is to restart the DenyHosts daemon:

# /etc/init.d/denyhosts restart