updated 2007.04.07 14:50
latest version always here -> http://www.mandrivalinux.eu/showthread.php?t=126619
Someone will surely ask: what do I need this for??? One person will answer: you can just change the port SSH listens on - I agree :). Another may say: but nobody is trying to break into my machine. So I ask: are you sure? :)
Code:
mrrobby@Kubuntu-Desktop:/DANE/Gry$ cat /var/log/auth.log |grep invalid
Jan 6 13:55:14 localhost sshd[6868]: Failed password for invalid user test from 196.36.91.7 port 17565 ssh2
Jan 8 00:58:06 localhost sshd[12823]: Failed password for invalid user 64studio from 143.215.250.138 port 53898 ssh2
Jan 8 00:58:09 localhost sshd[12827]: Failed password for invalid user a1 from 143.215.250.138 port 54281 ssh2
Jan 8 00:58:12 localhost sshd[12831]: Failed password for invalid user a2 from 143.215.250.138 port 54720 ssh2
Jan 8 00:58:16 localhost sshd[12835]: Failed password for invalid user aa from 143.215.250.138 port 55109 ssh2
Jan 8 00:58:20 localhost sshd[12839]: Failed password for invalid user aaa from 143.215.250.138 port 55601 ssh2
Jan 8 00:58:23 localhost sshd[12843]: Failed password for invalid user aaron from 143.215.250.138 port 56032 ssh2
Jan 8 00:58:26 localhost sshd[12847]: Failed password for invalid user abbie from 143.215.250.138 port 56420 ssh2
Jan 8 00:58:30 localhost sshd[12851]: Failed password for invalid user abbr from 143.215.250.138 port 56846 ssh2
Code:
mrrobby@Kubuntu-Desktop:/DANE/Gry$ cat /var/log/denyhosts
........
2007-01-08 05:53:11,319 - sync : INFO received 27 new hosts
2007-01-08 05:53:11,319 - denyhosts : INFO received new hosts: ['194.149.121.119', '81.176.214.107', '84.40.11.40', '87.106.13.153', '218.145.53.18', '216.65.122.140', '220.194.56.44', '200.244.147.82', '201.28.34.51', '203.177.89.21', '212.102.0.4', '125.7.203.249', '203.143.119.111', '207.44.186.71', '211.65.63.146', '83.15.224.166', '61.109.208.73', '194.149.213.43', '218.98.194.140', '63.251.239.156', '207.36.160.66', '71.77.214.7', '65.127.181.150', '61.75.77.253', '66.79.168.106', '222.255.69.11', '209.126.131.150']
2007-01-08 06:53:14,180 - sync : INFO received 35 new hosts
2007-01-08 06:53:14,181 - denyhosts : INFO received new hosts: ['65.205.238.12', '217.221.182.69', '83.238.176.169', '207.44.136.31', '209.126.131.150', '88.208.78.94', '203.200.201.165', '61.129.85.230', '67.15.130.21', '212.8.206.47', '24.4.18.171', '210.219.197.210', '196.1.99.8', '217.166.110.203', '195.238.230.201', '71.242.249.122', '200.44.150.123', '88.191.24.38', '85.18.94.112', '211.65.63.146', '83.15.224.166', '61.109.208.73', '194.149.213.43', '218.98.194.140', '63.251.239.156', '207.36.160.66', '71.77.214.7', '65.127.181.150', '61.75.77.253', '66.79.168.106', '222.255.69.11', '212.165.170.72', '212.162.21.21', '83.13.0.194', '218.234.18.106']
2007-01-08 07:53:16,967 - sync : INFO received 29 new hosts
2007-01-08 07:53:16,975 - denyhosts : INFO received new hosts: ['194.6.236.39', '125.248.86.5', '64.251.14.110', '66.178.111.67', '218.234.18.106', '61.80.90.138', '82.103.134.145', '85.25.147.156', '210.219.197.210', '59.124.18.204', '72.158.235.73', '222.33.64.150', '59.106.48.153', '85.25.129.129', '211.65.63.146', '83.15.224.166', '61.109.208.73', '194.149.213.43', '218.98.194.140', '63.251.239.156', '207.36.160.66', '71.77.214.7', '65.127.181.150', '61.75.77.253', '66.79.168.106', '222.255.69.11', '59.188.9.11', '195.187.253.26', '83.11.15.104']
1) Install the program (from the forum repositories, of course)
Code:
mrrobby@server:/$ sudo apt-get install denyhosts
Code:
mrrobby@server:/$ sudo vim /etc/denyhosts.conf
Code:
########################################################################
#
# PURGE_DENY: removed HOSTS_DENY entries that are older than this time
# when DenyHosts is invoked with the --purge flag
#
# format is: i[dhwmy]
# Where 'i' is an integer (eg. 7)
# 'm' = minutes
# 'h' = hours
# 'd' = days
# 'w' = weeks
# 'y' = years
#
# never purge:
PURGE_DENY =
#
# purge entries older than 1 week
#PURGE_DENY = 1w
#
# purge entries older than 5 days
#PURGE_DENY = 5d
#######################################################################
Code:
#######################################################################
#
# BLOCK_SERVICE: the service name that should be blocked in HOSTS_DENY
#
# man 5 hosts_access for details
#
# eg. sshd: 127.0.0.1 # will block sshd logins from 127.0.0.1
#
# To block all services for the offending host:
BLOCK_SERVICE = ALL
# To block only sshd:
#BLOCK_SERVICE = sshd
# To only record the offending host and nothing else (if using
# an auxilary file to list the hosts). Refer to:
# http://denyhosts.sourceforge.net/faq.html#aux
#BLOCK_SERVICE =
#
#######################################################################
Code:
#######################################################################
#
# DENY_THRESHOLD_INVALID: block each host after the number of failed login
# attempts has exceeded this value. This value applies to invalid
# user login attempts (eg. non-existent user accounts)
#
DENY_THRESHOLD_INVALID = 5
#
#######################################################################
Code:
#######################################################################
#
# DENY_THRESHOLD_VALID: block each host after the number of failed
# login attempts has exceeded this value. This value applies to valid
# user login attempts (eg. user accounts that exist in /etc/passwd) except
# for the "root" user
#
DENY_THRESHOLD_VALID = 10
#
#######################################################################
Code:
#######################################################################
#
# DENY_THRESHOLD_ROOT: block each host after the number of failed
# login attempts has exceeded this value. This value applies to
# "root" user login attempts only.
#
DENY_THRESHOLD_ROOT = 1
#
#######################################################################
Code:
#######################################################################
#
# DENY_THRESHOLD_RESTRICTED: block each host after the number of failed
# login attempts has exceeded this value. This value applies to
# usernames that appear in the WORK_DIR/restricted-usernames file only.
#
DENY_THRESHOLD_RESTRICTED = 1
#
#######################################################################
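As an added example (not from the original post or the DenyHosts project), the following Python applies the three thresholds and the BLOCK_SERVICE setting from the config above to sshd lines in the format quoted at the top of the post, and returns the entries DenyHosts would write to /etc/hosts.deny. All log lines except the one taken from the post are constructed, and the "more than threshold" comparison follows the word "exceeded" in the config comments.

```python
import re
from collections import Counter
# Thresholds and service as set in the denyhosts.conf shown above.
DENY_THRESHOLD_INVALID = 5
DENY_THRESHOLD_VALID = 10
DENY_THRESHOLD_ROOT = 1
BLOCK_SERVICE = "ALL"

# sshd line shape quoted in the post; "invalid user " appears only for
# usernames that do not exist in /etc/passwd.
FAILED_RE = re.compile(
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def classify(line):
    """Return (ip, category) for a failed-login line, else None.
    Category is 'root', 'invalid' or 'valid', one per threshold."""
    m = FAILED_RE.search(line)
    if not m:
        return None
    if m.group("user") == "root":
        cat = "root"  # root exists but gets its own (lowest) threshold
    elif m.group("invalid"):
        cat = "invalid"
    else:
        cat = "valid"
    return m.group("ip"), cat

def hosts_to_deny(log_text, service=BLOCK_SERVICE):
    """Count failures per (ip, category) and return the hosts.deny lines the
    thresholds produce; the config comments say 'exceeded', so > is used."""
    limits = {"invalid": DENY_THRESHOLD_INVALID, "valid": DENY_THRESHOLD_VALID,
              "root": DENY_THRESHOLD_ROOT}
    counts = Counter(c for c in map(classify, log_text.splitlines()) if c)
    blocked = {ip for (ip, cat), n in counts.items() if n > limits[cat]}
    return [f"{service}: {ip}" for ip in sorted(blocked)]

# Constructed sample: six invalid-user failures from one host, one from
# another, two root failures from a third, three for a real user from a fourth.
SAMPLE_AUTH_LOG = "\n".join(
    [f"Jan 8 00:58:{6 + 3 * i:02d} localhost sshd[128{23 + 4 * i}]: Failed password for invalid user u{i} from 143.215.250.138 port 5{i}000 ssh2" for i in range(6)]
    + ["Jan 6 13:55:14 localhost sshd[6868]: Failed password for invalid user test from 196.36.91.7 port 17565 ssh2"]
    + [f"Jan 9 02:00:0{i} localhost sshd[900{i}]: Failed password for root from 198.51.100.9 port 4000{i} ssh2" for i in range(2)]
    + [f"Jan 9 03:00:0{i} localhost sshd[910{i}]: Failed password for alice from 192.0.2.44 port 4100{i} ssh2" for i in range(3)]
    + ["Jan 9 03:00:09 localhost sshd[9200]: Accepted publickey for alice from 192.0.2.44 port 41009 ssh2"]
)
if __name__ == "__main__":
    print("\n".join(hosts_to_deny(SAMPLE_AUTH_LOG)))
```

Only the host with six invalid-user failures and the host with two root failures cross their thresholds; a single invalid attempt or three failures against an existing account do not.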
Code:
#######################################################################
#
# ADMIN_EMAIL: if you would like to receive emails regarding newly
# restricted hosts and suspicious logins, set this address to
# match your email address. If you do not want to receive these reports
# leave this field blank (or run with the --noemail option)
#
# Multiple email addresses can be delimited by a comma, eg:
# ADMIN_EMAIL = foo@bar.com, bar@foo.com, etc@foobar.com
#
ADMIN_EMAIL = xxx@xxx.pl
#
#######################################################################
#######################################################################
#
# SMTP_HOST and SMTP_PORT: if DenyHosts is configured to email
# reports (see ADMIN_EMAIL) then these settings specify the
# email server address (SMTP_HOST) and the server port (SMTP_PORT)
#
#
SMTP_HOST = localhost
SMTP_PORT = 25
#
#######################################################################
#######################################################################
#
# SMTP_USERNAME and SMTP_PASSWORD: set these parameters if your
# smtp email server requires authentication
#
#SMTP_USERNAME=foo
#SMTP_PASSWORD=bar
#
######################################################################
Code:
#######################################################################
#
# SMTP_FROM: you can specify the "From:" address in messages sent
# from DenyHosts when it reports thwarted abuse attempts
#
SMTP_FROM = DenyHosts <nobody@localhost>
#
#######################################################################
#######################################################################
#
# SMTP_SUBJECT: you can specify the "Subject:" of messages sent
# by DenyHosts when it reports thwarted abuse attempts
SMTP_SUBJECT = DenyHosts Report
#
######################################################################
And now the best part: synchronizing the database of blocked IPs. In the default config this option is disabled; I recommend enabling it. From experience I know it works very well.
Code:
#######################################################################
#
# SYNC_SERVER: The central server that communicates with DenyHost
# daemons. Currently, denyhosts.net is the only available server
# however, in the future, it may be possible for organizations to
# install their own server for internal network synchronization
#
# To disable synchronization (the default), do nothing.
#
# To enable synchronization, you must uncomment the following line:
SYNC_SERVER = http://xmlrpc.denyhosts.net:9911
#
#######################################################################
Code:
#######################################################################
#
# SYNC_INTERVAL: the interval of time to perform synchronizations if
# SYNC_SERVER has been uncommented. The default is 1 hour.
#
SYNC_INTERVAL = 1h
#
#######################################################################
Code:
#######################################################################
#
# SYNC_UPLOAD: allow your DenyHosts daemon to transmit hosts that have
# been denied? This option only applies if SYNC_SERVER has
# been uncommented.
# The default is SYNC_UPLOAD = yes
#
#SYNC_UPLOAD = no
SYNC_UPLOAD = yes
#
#######################################################################
Code:
#######################################################################
#
# SYNC_DOWNLOAD: allow your DenyHosts daemon to receive hosts that have
# been denied by others? This option only applies if SYNC_SERVER has
# been uncommented.
# The default is SYNC_DOWNLOAD = yes
#
#SYNC_DOWNLOAD = no
SYNC_DOWNLOAD = yes
#
#
#
#######################################################################
4) After configuring, nothing remains but to restart our new daemon.
Code:
mrrobby@server:/$ sudo /etc/init.d/denyhosts restart
All blocked IPs will end up in /etc/hosts.deny
The program's logs are in /var/log/denyhosts; the IPs pulled in through synchronization are recorded there too.