Every day my Linux server records countless failed SSH login attempts. Some bored people keep scanning with old brute-force tools, and none of it gets them anywhere, but the first line of defence is still to set a password that is complex enough yet easy to remember.
As for blocking them: banning an IP by hand every time is obviously only a palliative. Fortunately, the DenyHosts program can take over the job from us.
DenyHosts is a program written in Python that analyzes the sshd log file; when it finds an IP that shows up repeatedly in failed-login records, it writes that IP to /etc/hosts.deny, so the attacking IP is blocked automatically.
DenyHosts official website: http://denyhosts.sourceforge.net
The following is my installation record (using CentOS 5.1 and DenyHosts 2.6 as the example).
# rpm -ivh DenyHosts-2.6-python2.4.noarch.rpm
Register DenyHosts as a system service:
# cd /etc/init.d
# ln -s /usr/share/denyhosts/daemon-control denyhosts
# chkconfig --add denyhosts
By default it is installed into the /usr/share/denyhosts directory.
# cd /usr/share/denyhosts/
# cp denyhosts.cfg-dist denyhosts.cfg
# vi denyhosts.cfg
Adjust the configuration to your needs (see the explanatory comments in the configuration file). The settings I used:
SECURE_LOG = /var/log/secure
# sshd log file; DenyHosts bases its decisions on this file.
HOSTS_DENY = /etc/hosts.deny
# The TCP wrappers file that controls which hosts may log in.
PURGE_DENY = 5m
# How long a ban stays in place before it is cleared.
BLOCK_SERVICE = sshd
# The service name to block (written as "sshd: <ip>" in hosts.deny).
DENY_THRESHOLD_INVALID = 1
# Allowed number of failed logins for non-existent user names.
DENY_THRESHOLD_VALID = 3
# Allowed number of failed logins for ordinary (existing) users.
DENY_THRESHOLD_ROOT = 5
# Allowed number of failed logins for root.
HOSTNAME_LOOKUP = NO
# Whether to do reverse DNS lookups on the offending addresses.
ADMIN_EMAIL = firstname.lastname@example.org
# Administrator's e-mail address; DenyHosts sends reports to the administrator here.
DAEMON_LOG = /var/log/denyhosts
# DenyHosts' own log file.
Start it now and make it start at boot:
# /etc/init.d/denyhosts start
# chkconfig denyhosts on
You can test by making failed SSH connections from another computer. If the blocked IP then shows up in /etc/hosts.deny, the installation was successful.
Note: I later found that the time at which a denied IP is deleted is not very accurate. The solution is to change DAEMON_PURGE to the time you want; I found that the deletion actually follows this setting.
DAEMON_PURGE: scheduled cleanup. When DenyHosts runs in daemon mode, this is how often it performs the cleanup of the oldest expired entries in HOSTS_DENY; it interacts with the PURGE_DENY interval.
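To show what the three DENY_THRESHOLD_* settings above actually decide, here is an added example (my own code, not DenyHosts' own implementation) that classifies the "Failed password" lines sshd writes to /var/log/secure as invalid-user, ordinary-user or root failures, counts them per IP, and renders the IPs over threshold in hosts.deny syntax. The log lines and addresses are constructed for the example.

```python
import re
from collections import Counter

# Thresholds taken from the denyhosts.cfg values shown above.
DENY_THRESHOLD_INVALID = 1
DENY_THRESHOLD_VALID = 3
DENY_THRESHOLD_ROOT = 5
BLOCK_SERVICE = "sshd"

# Matches the "Failed password" lines sshd writes to /var/log/secure.
FAILED_RE = re.compile(
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def classify(line):
    """Return (category, ip) for a failed-login line, or None otherwise."""
    m = FAILED_RE.search(line)
    if not m:
        return None
    if m.group("invalid"):
        return "invalid", m.group("ip")
    if m.group("user") == "root":
        return "root", m.group("ip")
    return "valid", m.group("ip")

def offenders(lines):
    """Count failures per (category, ip); return IPs that reached their threshold."""
    thresholds = {"invalid": DENY_THRESHOLD_INVALID,
                  "valid": DENY_THRESHOLD_VALID,
                  "root": DENY_THRESHOLD_ROOT}
    counts = Counter(c for c in map(classify, lines) if c)
    return sorted({ip for (cat, ip), n in counts.items() if n >= thresholds[cat]})

def hosts_deny_lines(lines):
    """Render the offenders as entries in /etc/hosts.deny syntax."""
    return ["%s: %s" % (BLOCK_SERVICE, ip) for ip in offenders(lines)]

# Constructed sample of /var/log/secure lines (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
Mar  1 02:10:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 4120 ssh2
Mar  1 02:10:07 host sshd[1203]: Failed password for alice from 198.51.100.7 port 4121 ssh2
Mar  1 02:10:09 host sshd[1203]: Failed password for alice from 198.51.100.7 port 4121 ssh2
Mar  1 02:10:30 host sshd[1205]: Failed password for root from 192.0.2.9 port 4122 ssh2
Mar  1 02:10:32 host sshd[1205]: Failed password for root from 192.0.2.9 port 4122 ssh2
Mar  1 02:10:40 host sshd[1207]: Accepted password for alice from 198.51.100.7 port 4123 ssh2
""".splitlines()

if __name__ == "__main__":
    for entry in hosts_deny_lines(SAMPLE_LOG):
        print(entry)
```

With the sample above only the invalid-user address is banned: alice's two failures stay under DENY_THRESHOLD_VALID and root's two stay under DENY_THRESHOLD_ROOT.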