CentOS 7下限制ip访问(白名单)
vim /etc/hosts.allow
sshd:192.168.31.109:allow //只允许192.168.31.109登录
vim /etc/hosts.deny
sshd:ALL //拒绝其他所有来源。tcp_wrappers 先匹配 hosts.allow、再匹配 hosts.deny,因此上面的条目仍然放行 192.168.31.109,效果即为白名单,只允许192.168.31.109登录
service sshd restart,重启sshd使配置生效。注意:hosts.allow/hosts.deny 只对编译了 tcp_wrappers(libwrap)支持的 sshd 生效,可用 ldd /usr/sbin/sshd | grep libwrap 确认;若没有输出,这两个文件对 sshd 不起任何作用,应改用防火墙规则或 sshd_config 中的 AllowUsers / Match Address 来限制来源(下文 systemctl 输出里出现 dnf-makecache.timer,提示系统可能并非 CentOS 7,更需核实)
查看本机正在运行的进程
[root@cvm-3i2fmpd28a225 ~]# ps -ef|grep sh
root 1192 1114 0 Jan19 tty1 00:00:00 -bash
root 662609 1 0 21:40 ? 00:00:00 sshd: root [priv]
root 662613 662609 0 21:40 ? 00:00:01 sshd: root@pts/1
root 662614 662613 0 21:40 pts/1 00:00:00 -bash
root 694003 1 0 21:56 ? 00:00:00 /usr/sbin/sshd -D -oCiphers=aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc -oMACs=hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 -oGSSAPIKexAlgorithms=gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-,gss-gex-sha1-,gss-group14-sha1- -oKexAlgorithms=curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1 -oHostKeyAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com -oPubkeyAcceptedKeyTypes=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com -oCASignatureAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-256,rsa-sha2-512,ssh-rsa
root 694543 694003 0 23:01 ? 00:00:00 sshd: root [priv]
root 694547 694543 0 23:01 ? 00:00:00 sshd: root@pts/3
root 694548 694547 0 23:01 pts/3 00:00:00 -bash
root 694658 694003 0 23:02 ? 00:00:00 sshd: [accepted]
root 694664 694003 0 23:04 ? 00:00:00 sshd: [accepted]
root 694665 694003 0 23:04 ? 00:00:00 sshd: root [priv]
sshd 694666 694665 0 23:04 ? 00:00:00 sshd: root [net]
root 694669 694548 0 23:04 pts/3 00:00:00 grep --color=auto sh
[root@cvm-3i2fmpd28a225 ~]# kill -9 694003 //694003 是监听中的 sshd 主进程(/usr/sbin/sshd -D),终止后新的 SSH 连接无法建立,直到重新启动 sshd;已建立的会话不受影响
[root@cvm-3i2fmpd28a225 ~]# systemctl list-unit-files | grep enabled
auditd.service enabled
autovt@.service enabled
chronyd.service enabled
cloud-config.service enabled
cloud-final.service enabled
cloud-init-local.service enabled
cloud-init.service enabled
crond.service enabled
dbus-org.freedesktop.nm-dispatcher.service enabled
dbus-org.freedesktop.timedate1.service enabled
getty@.service enabled
import-state.service enabled
irqbalance.service enabled
kdump.service enabled
loadmodules.service enabled
microcode.service enabled
NetworkManager-dispatcher.service enabled
NetworkManager-wait-online.service enabled
NetworkManager.service enabled
nfs-convert.service enabled
nis-domainname.service enabled
rc-local.service enabled
rngd.service enabled
rpcbind.service enabled
rsyslog.service enabled
selinux-autorelabel-mark.service enabled
sssd.service enabled
syslog.service enabled
sysstat.service enabled
timedatex.service enabled
tuned.service enabled
rpcbind.socket enabled
sssd-kcm.socket enabled
cloud-init.target enabled-runtime
nfs-client.target enabled
remote-fs.target enabled
dnf-makecache.timer enabled
sysstat-collect.timer enabled
sysstat-summary.timer enabled
unbound-anchor.timer enabled
安装DenyHosts
http://denyhosts.sourceforge.net/
https://github.com/denyhosts/denyhosts/tags
What is DenyHosts? DenyHosts is a Python script that analyzes the sshd server log messages to determine what hosts are attempting to hack into your system. It also determines what user accounts are being targeted. It keeps track of the frequency of attempts from each host. Additionally, upon discovering a repeated attack host, the /etc/hosts.deny file is updated to prevent future break-in attempts from that host. An email report can be sent to a system admin.
requirements.txt
ipaddr >= 2.1 ; python_version < '3.0'
mock ; python_version < '3.3'
requests
configparser
此处使用的 python 版本小于 3.0(下文安装到 pyenv 2.7.18 环境,属于已停止维护的 Python 2 系列,部署前需自行评估)
[root@cvm-3i2fmpd28a225 denyhosts-3.1]# python setup.py install running install running build running build_py creating build creating build/lib creating build/lib/DenyHosts copying DenyHosts/__init__.py -> build/lib/DenyHosts copying DenyHosts/allowedhosts.py -> build/lib/DenyHosts copying DenyHosts/constants.py -> build/lib/DenyHosts copying DenyHosts/counter.py -> build/lib/DenyHosts copying DenyHosts/daemon.py -> build/lib/DenyHosts copying DenyHosts/deny_hosts.py -> build/lib/DenyHosts copying DenyHosts/denyfileutil.py -> build/lib/DenyHosts copying DenyHosts/filetracker.py -> build/lib/DenyHosts copying DenyHosts/lockfile.py -> build/lib/DenyHosts copying DenyHosts/loginattempt.py -> build/lib/DenyHosts copying DenyHosts/plugin.py -> build/lib/DenyHosts copying DenyHosts/prefs.py -> build/lib/DenyHosts copying DenyHosts/purgecounter.py -> build/lib/DenyHosts copying DenyHosts/python_version.py -> build/lib/DenyHosts copying DenyHosts/regex.py -> build/lib/DenyHosts copying DenyHosts/report.py -> build/lib/DenyHosts copying DenyHosts/restricted.py -> build/lib/DenyHosts copying DenyHosts/sync.py -> build/lib/DenyHosts copying DenyHosts/util.py -> build/lib/DenyHosts copying DenyHosts/version.py -> build/lib/DenyHosts running build_scripts creating build/scripts-2.7 copying and adjusting denyhosts.py -> build/scripts-2.7 copying and adjusting daemon-control-dist -> build/scripts-2.7 changing mode of build/scripts-2.7/denyhosts.py from 644 to 755 changing mode of build/scripts-2.7/daemon-control-dist from 644 to 755 running install_lib creating /root/.pyenv/versions/2.7.18/lib/python2.7/site-packages/DenyHosts copying build/lib/DenyHosts/__init__.py -> /root/.pyenv/versions/2.7.18/lib/python2.7/site-packages/DenyHosts copying build/lib/DenyHosts/allowedhosts.py -> /root/.pyenv/versions/2.7.18/lib/python2.7/site-packages/DenyHos tscopying build/lib/DenyHosts/constants.py -> /root/.pyenv/versions/2.7.18/lib/python2.7/site-packages/DenyHosts copying 
build/lib/DenyHosts/counter.py -> /root/.pyenv/versions/2.7.18/lib/python2.7/site-packages/DenyHosts copying build/lib/DenyHosts/daemon.py -> /root/.pyenv/versions/2.7.18/lib/python2.7/site-packages/DenyHosts copying build/lib/DenyHosts/deny_hosts.py -> /root/.pyenv/versions/2.7.18/lib/python2.7/site-packages/DenyHosts copying build/lib/DenyHosts/denyfileutil.py -> /root/.pyenv/versions/2.7.18/lib/python2.7/site-packages/DenyHos tscopying build/lib/DenyHosts/filetracker.py -> /root/.pyenv/versions/2.7.18/lib/python2.7/site-packages/DenyHost scopying build/lib/DenyHosts/lockfile.py -> /root/.pyenv/versions/2.7.18/lib/python2.7/site-packages/DenyHosts copying build/lib/DenyHosts/loginattempt.py -> /root/.pyenv/versions/2.7.18/lib/python2.7/site-packages/DenyHos tscopying build/lib/DenyHosts/plugin.py -> /root/.pyenv/versions/2.7.18/lib/python2.7/site-packages/DenyHosts copying build/lib/DenyHosts/prefs.py -> /root/.pyenv/versions/2.7.18/lib/python2.7/site-packages/DenyHosts copying build/lib/DenyHosts/purgecounter.py -> /root/.pyenv/versions/2.7.18/lib/python2.7/site-packages/DenyHos tscopying build/lib/DenyHosts/python_version.py -> /root/.pyenv/versions/2.7.18/lib/python2.7/site-packages/DenyH ostscopying build/lib/DenyHosts/regex.py -> /root/.pyenv/versions/2.7.18/lib/python2.7/site-packages/DenyHosts copying build/lib/DenyHosts/report.py -> /root/.pyenv/versions/2.7.18/lib/python2.7/site-packages/DenyHosts copying build/lib/DenyHosts/restricted.py -> /root/.pyenv/versions/2.7.18/lib/python2.7/site-packages/DenyHosts copying build/lib/DenyHosts/sync.py -> /root/.pyenv/versions/2.7.18/lib/python2.7/site-packages/DenyHosts copying build/lib/DenyHosts/util.py -> /root/.pyenv/versions/2.7.18/lib/python2.7/site-packages/DenyHosts copying build/lib/DenyHosts/version.py -> /root/.pyenv/versions/2.7.18/lib/python2.7/site-packages/DenyHosts byte-compiling /root/.pyenv/versions/2.7.18/lib/python2.7/site-packages/DenyHosts/__init__.py to __init__.pyc byte-compiling 
/root/.pyenv/versions/2.7.18/lib/python2.7/site-packages/DenyHosts/allowedhosts.py to allowedhos ts.pycbyte-compiling /root/.pyenv/versions/2.7.18/lib/python2.7/site-packages/DenyHosts/constants.py to constants.pyc byte-compiling /root/.pyenv/versions/2.7.18/lib/python2.7/site-packages/DenyHosts/counter.py to counter.pyc byte-compiling /root/.pyenv/versions/2.7.18/lib/python2.7/site-packages/DenyHosts/daemon.py to daemon.pyc byte-compiling /root/.pyenv/versions/2.7.18/lib/python2.7/site-packages/DenyHosts/deny_hosts.py to deny_hosts.p ycbyte-compiling /root/.pyenv/versions/2.7.18/lib/python2.7/site-packages/DenyHosts/denyfileutil.py to denyfileut il.pycbyte-compiling /root/.pyenv/versions/2.7.18/lib/python2.7/site-packages/DenyHosts/filetracker.py to filetracker .pycbyte-compiling /root/.pyenv/versions/2.7.18/lib/python2.7/site-packages/DenyHosts/lockfile.py to lockfile.pyc byte-compiling /root/.pyenv/versions/2.7.18/lib/python2.7/site-packages/DenyHosts/loginattempt.py to loginattem pt.pycbyte-compiling /root/.pyenv/versions/2.7.18/lib/python2.7/site-packages/DenyHosts/plugin.py to plugin.pyc byte-compiling /root/.pyenv/versions/2.7.18/lib/python2.7/site-packages/DenyHosts/prefs.py to prefs.pyc byte-compiling /root/.pyenv/versions/2.7.18/lib/python2.7/site-packages/DenyHosts/purgecounter.py to purgecount er.pycbyte-compiling /root/.pyenv/versions/2.7.18/lib/python2.7/site-packages/DenyHosts/python_version.py to python_v ersion.pycbyte-compiling /root/.pyenv/versions/2.7.18/lib/python2.7/site-packages/DenyHosts/regex.py to regex.pyc byte-compiling /root/.pyenv/versions/2.7.18/lib/python2.7/site-packages/DenyHosts/report.py to report.pyc byte-compiling /root/.pyenv/versions/2.7.18/lib/python2.7/site-packages/DenyHosts/restricted.py to restricted.p ycbyte-compiling /root/.pyenv/versions/2.7.18/lib/python2.7/site-packages/DenyHosts/sync.py to sync.pyc byte-compiling /root/.pyenv/versions/2.7.18/lib/python2.7/site-packages/DenyHosts/util.py to util.pyc byte-compiling 
/root/.pyenv/versions/2.7.18/lib/python2.7/site-packages/DenyHosts/version.py to version.pyc running install_scripts copying build/scripts-2.7/denyhosts.py -> /root/.pyenv/versions/2.7.18/bin copying build/scripts-2.7/daemon-control-dist -> /root/.pyenv/versions/2.7.18/bin changing mode of /root/.pyenv/versions/2.7.18/bin/denyhosts.py to 755 changing mode of /root/.pyenv/versions/2.7.18/bin/daemon-control-dist to 755 running install_data copying denyhosts.conf -> /etc copying denyhosts.8 -> /usr/share/man/man8 running install_egg_info Writing /root/.pyenv/versions/2.7.18/lib/python2.7/site-packages/DenyHosts-3.0-py2.7.egg-info
[root@cvm-3i2fmpd28a225 denyhosts-3.1]# ls /etc/de
default/ denyhosts.conf depmod.d/
[root@cvm-3i2fmpd28a225 denyhosts-3.1]# ls /etc/denyhosts.conf
/etc/denyhosts.conf
[root@cvm-3i2fmpd28a225 denyhosts-3.1]# ls build DenyHosts denyhosts.py Makefile plugins scripts TODO CHANGELOG.txt denyhosts.8 denyhosts.service MANIFEST.in README.md setup.py daemon-control-dist denyhosts.conf LICENSE.txt PKG-INFO requirements.txt tests
[root@cvm-3i2fmpd28a225 denyhosts-3.1]# cp daemon-control-dist daemon-control
[root@cvm-3i2fmpd28a225 denyhosts-3.1]# vim daemon-control
[root@cvm-3i2fmpd28a225 denyhosts-3.1]# chmod 700 daemon-control
[root@cvm-3i2fmpd28a225 denyhosts-3.1]# ./daemon-control start
starting DenyHosts: /usr/bin/env python /usr/sbin/denyhosts --daemon --config=/etc/denyhosts.conf
python: can't open file '/usr/sbin/denyhosts': [Errno 2] No such file or directory
[root@cvm-3i2fmpd28a225 denyhosts-3.1]# ls -l /usr/sbin/denyhosts
ls: cannot access '/usr/sbin/denyhosts': No such file or directory
[root@cvm-3i2fmpd28a225 denyhosts-3.1]# cp denyhosts.py /usr/sbin/denyhosts
[root@cvm-3i2fmpd28a225 denyhosts-3.1]# ./daemon-control start
starting DenyHosts: /usr/bin/env python /usr/sbin/denyhosts --daemon --config=/etc/denyhosts.conf
Can't read: /var/log/auth.log
[Errno 2] No such file or directory: '/var/log/auth.log'
Error deleting DenyHosts lock file: /var/run/denyhosts.pid
[Errno 2] No such file or directory: '/var/run/denyhosts.pid'
[root@cvm-3i2fmpd28a225 denyhosts-3.1]# touch var/log/auth.log
touch: cannot touch 'var/log/auth.log': No such file or directory
[root@cvm-3i2fmpd28a225 denyhosts-3.1]# touch /var/log/auth.log
[root@cvm-3i2fmpd28a225 denyhosts-3.1]# touch /var/run/denyhosts.pid
[root@cvm-3i2fmpd28a225 denyhosts-3.1]# ./daemon-control start
starting DenyHosts: /usr/bin/env python /usr/sbin/denyhosts --daemon --config=/etc/denyhosts.conf
DenyHosts could not obtain lock (pid: )
[Errno 17] File exists: '/var/run/denyhosts.pid'
[root@cvm-3i2fmpd28a225 denyhosts-3.1]# ps -ef|grep den
root 453223 1 0 Feb18 ? 00:18:08 /usr/local/nexus/nexus-2.11.2-03/bin/jsw/linux-x86-64/wrapper /usr/local/nexus/nexus-2.11.2-03/bin/jsw/conf/wrapper.conf wrapper.syslog.ident=nexus wrapper.pidfile=/usr/local/nexus/nexus-2.11.2-03/bin/jsw/linux-x86-64/nexus.pid wrapper.daemonize=TRUE wrapper.lockfile=/var/lock/subsys/nexus
root 734738 702555 0 00:44 pts/1 00:00:00 grep --color=auto den
[root@cvm-3i2fmpd28a225 denyhosts-3.1]# ps -ef|grep denyhosts
root 734740 702555 0 00:45 pts/1 00:00:00 grep --color=auto denyhosts
[root@cvm-3i2fmpd28a225 denyhosts-3.1]# rm -rf /var/run/denyhosts.pid
[root@cvm-3i2fmpd28a225 denyhosts-3.1]# ./daemon-control start
starting DenyHosts: /usr/bin/env python /usr/sbin/denyhosts --daemon --config=/etc/denyhosts.conf
[root@cvm-3i2fmpd28a225 denyhosts-3.1]# ps -ef|grep deny
root 734779 1 0 00:45 ? 00:00:00 python /usr/sbin/denyhosts --daemon --config=/etc/denyhosts.conf
root 734784 702555 0 00:45 pts/1 00:00:00 grep --color=auto deny
主要配置文件(注意:上面用 touch 创建的 /var/log/auth.log 是一个空文件,RHEL/CentOS 上 sshd 的认证日志默认写在 /var/log/secure,需要在 /etc/denyhosts.conf 中把 SECURE_LOG 指向它,否则 DenyHosts 虽然在运行,但监控的是空文件,不会封禁任何主机):
daemon-control
DENYHOSTS_BIN = "/usr/sbin/denyhosts"
DENYHOSTS_LOCK = "/run/denyhosts.pid"
DENYHOSTS_CFG = "/etc/denyhosts.conf"
PYTHON_BIN = "/usr/bin/env python"