
Block attacking IP addresses with DenyHosts

 


 

1. What is DenyHosts?

DenyHosts is a package that reads the messages and secure log files and, when it finds an IP address that has attacked the server, adds that address to /etc/hosts.deny to block its access.

 

2. Downloading DenyHosts

http://sourceforge.net/projects/denyhosts/files/
http://sourceforge.net/projects/denyhosts/files/denyhosts/2.6/DenyHosts-2.6.tar.gz/download
The latest version is 2.6.

 

3. Installing DenyHosts

tar xvfz DenyHosts-2.6.tar.gz
cd DenyHosts-2.6

python setup.py install

 

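4. Creating the DenyHosts configuration file

cd /usr/share/denyhosts
cp denyhosts.cfg-dist denyhosts.cfg

Set the blocking options other than those listed below to suit your server environment.

SECURE_LOG = /var/log/secure
The secure log file

HOSTS_DENY = /etc/hosts.deny
The file that holds the blocked addresses

BLOCK_SERVICE = sshd vsftpd saslauthd
The services to block

ADMIN_EMAIL = master@seroot.com
The e-mail address that receives reports

SMTP_SUBJECT = [123.123.12.12] DenyHosts Report
The subject of the report e-mail

DAEMON_LOG = /var/log/denyhosts
The DenyHosts log file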

 

5. Creating the DenyHosts daemon control file

cp daemon-control-dist daemon-control

vi daemon-control
Check that it contains the following.

DENYHOSTS_BIN = "/usr/bin/denyhosts.py"
DENYHOSTS_LOCK = "/var/run/denyhosts.pid"
DENYHOSTS_CFG = "/usr/share/denyhosts/denyhosts.cfg"

chown root:root daemon-control
chmod 700 daemon-control

 

6. Registering the DenyHosts daemon to start at boot

cd /etc/init.d
ln -s /usr/share/denyhosts/daemon-control denyhosts
update-rc.d denyhosts defaults

 

7. Starting DenyHosts

/etc/init.d/denyhosts start

 

8. Verifying that DenyHosts is working

/var/log/denyhosts

2014-12-02 13:57:03,288 - denyhosts : ERROR regex pattern ( User (?P<user>.*) not allowed because not listed in AllowUsers ) is missing 'host' group
2014-12-02 13:57:03,315 - denyhosts : ERROR regex pattern ( User (?P<user>.*) not allowed because not listed in AllowUsers ) is missing 'host' group
2014-12-02 13:57:03,317 - denyhosts : ERROR regex pattern ( User (?P<user>.*) not allowed because not listed in AllowUsers ) is missing 'host' group
2014-12-02 13:57:03,317 - denyhosts : ERROR regex pattern ( User (?P<user>.*) not allowed because not listed in AllowUsers ) is missing 'host' group
2014-12-02 13:57:03,319 - denyhosts : ERROR regex pattern ( User (?P<user>.*) not allowed because not listed in AllowUsers ) is missing 'host' group
2014-12-02 13:57:03,319 - denyhosts : ERROR regex pattern ( User (?P<user>.*) not allowed because not listed in AllowUsers ) is missing 'host' group
2014-12-02 13:57:03,380 - denyhosts : INFO new denied hosts: ['103.41.124.43']

 

/etc/hosts.deny

sshd vsftpd saslauthd: 219.153.15.122
sshd vsftpd saslauthd: 103.41.124.33
sshd vsftpd saslauthd: 190.95.196.213
sshd vsftpd saslauthd: 103.41.124.43
sshd vsftpd saslauthd: 115.238.55.163
sshd vsftpd saslauthd: 103.41.124.19
sshd vsftpd saslauthd: 1.93.29.135
sshd vsftpd saslauthd: 124.95.165.186
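
The mechanism behind the two files above, as an added example that is not part of the original post and is not DenyHosts' own code: failed logins in the secure log are counted per source address, and addresses that reach a threshold become hosts.deny entries in the format shown. The log lines, both regexes and the threshold are constructed assumptions; a pattern without a 'host' group, like the one in the ERROR lines, cannot attribute a failure to an address and is skipped.

```python
import re
from collections import Counter

# Constructed sample of /var/log/secure lines (documentation-range addresses).
SAMPLE_SECURE_LOG = """\
Dec  2 13:55:01 web sshd[2101]: Failed password for root from 203.0.113.7 port 40112 ssh2
Dec  2 13:55:03 web sshd[2101]: Failed password for root from 203.0.113.7 port 40112 ssh2
Dec  2 13:55:06 web sshd[2104]: Failed password for invalid user admin from 203.0.113.7 port 40150 ssh2
Dec  2 13:56:10 web sshd[2110]: Failed password for alice from 198.51.100.20 port 51514 ssh2
Dec  2 13:56:30 web sshd[2111]: Accepted password for alice from 198.51.100.20 port 51520 ssh2
Dec  2 13:57:02 web sshd[2120]: User bob from 203.0.113.9 not allowed because not listed in AllowUsers
"""

# Illustrative pattern (an assumption, not one of DenyHosts' regexes).
FAILED = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<host>\S+)")
# Same shape as the pattern in the ERROR lines: it names 'user' but not 'host'.
NO_HOST = re.compile(r"User (?P<user>.*) not allowed because not listed in AllowUsers")

def usable(pattern):
    """A pattern can only lead to a block if it captures the offending host."""
    return "host" in pattern.groupindex

def count_failures(log_text, patterns):
    """Count failed-login lines per source address, using only usable patterns."""
    hits = Counter()
    for line in log_text.splitlines():
        for pat in patterns:
            m = pat.search(line) if usable(pat) else None
            if m:
                hits[m.group("host")] += 1
                break
    return hits

def deny_lines(hits, threshold, services="sshd vsftpd saslauthd", already=()):
    """hosts.deny entries for hosts at or above the threshold, skipping existing ones."""
    return [f"{services}: {host}" for host, n in sorted(hits.items())
            if n >= threshold and host not in already]

if __name__ == "__main__":
    hits = count_failures(SAMPLE_SECURE_LOG, [FAILED, NO_HOST])
    print("\n".join(deny_lines(hits, threshold=3)))
```

The AllowUsers rejection from 203.0.113.9 never reaches the counter, which is why the ERROR lines matter: failures matched only by a pattern without a host group do not contribute to blocking.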

 

9. Denyhosts FAQ Link

http://denyhosts.sourceforge.net/faq.html

 

 
