Blocking sshd brute-force attacks with DenyHosts

What is DenyHosts?

“DenyHosts is a script intended to be run by Linux system administrators to help
thwart SSH server attacks (also known as dictionary based attacks and brute force
attacks).

If you’ve ever looked at your ssh log (/var/log/secure on Redhat, /var/log/auth.log on Mandrake, etc…) you may be
alarmed to see how many hackers attempted to gain access to your server. Hopefully, none of them were successful (but
then again, how would you know?). Wouldn’t it be better to automatically prevent that attacker from continuing to gain
entry into your system?

DenyHosts attempts to address the above..”

http://denyhosts.sourceforge.net/

Version used: DenyHosts-2.6

1. Install Python (if it is not already installed)

fs> ipkg install python24

2. Download DenyHosts-2.6.tar.gz:

3. Install DenyHosts-2.6

fs> tar xvzf DenyHosts-2.6.tar.gz
fs> cd DenyHosts-2.6
fs> python setup.py install
fs> cp -R DenyHosts /usr/share/denyhosts
fs> ln -s /usr/share/denyhosts/DenyHosts /usr/bin/DenyHosts
fs> cd /usr/share/denyhosts
fs> cp denyhosts.cfg-dist denyhosts.cfg
fs> cp daemon-control-dist daemon-control
fs> chown root daemon-control
fs> chmod 700 daemon-control

4. Edit /usr/share/denyhosts/denyhosts.cfg

# Debian:
SECURE_LOG = /var/log/messages

# Another possibility (also see the next option):
HOSTS_DENY = /etc/hosts.evil

# http://denyhosts.sourceforge.net/faq.html#aux
BLOCK_SERVICE =   

# Debian
LOCK_FILE = /var/run/denyhosts.pid

# To enable synchronization, you must uncomment the following line:
SYNC_SERVER = http://xmlrpc.denyhosts.net:9911

# The default is SYNC_UPLOAD = yes
#
SYNC_UPLOAD = no

# The default is SYNC_DOWNLOAD = yes
#
#SYNC_DOWNLOAD = no
SYNC_DOWNLOAD = yes


5. Edit /usr/share/denyhosts/daemon-control

DENYHOSTS_LOCK = "/var/run/denyhosts.pid"

6. Configure /etc/hosts.deny

ALL: /etc/hosts.evil

7. Create the file that will record the IP addresses to block

fs> touch /etc/hosts.evil

8. Set up automatic start: edit /etc/rc.local

# denyhosts
/usr/share/denyhosts/daemon-control start

9. Start DenyHosts (first time only)

fs> /usr/share/denyhosts/daemon-control start

10. Check /etc/hosts.evil: attackers' IP addresses are recorded in it, one address per line



*. Note
If running /usr/share/denyhosts/daemon-control start produces the following error:

starting DenyHosts:    /usr/bin/env python /usr/bin/denyhosts.py --daemon --config=/usr/share/denyhosts/denyhosts.cfg
Traceback (most recent call last):
  File "/usr/bin/denyhosts.py", line 5, in ?
    import DenyHosts.python_version
  File "/usr/bin/DenyHosts.py", line 5, in ?
    import DenyHosts.python_version
ImportError: No module named python_version

it can be fixed as follows:

fs> cp -R DenyHosts /usr/share/denyhosts
fs> ln -s /usr/share/denyhosts/DenyHosts /usr/bin/DenyHosts



The installation procedure was based on the following site:
http://www.howtoforge.com/preventing_ssh_dictionary_attacks_with_denyhosts
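
The files edited in steps 4 to 7 have to agree with each other, so here is a consistency check for them, added as an example (it is not part of the original post or of DenyHosts). It assumes Python 3 rather than the python24 package from step 1; check_setup, its parameters and the trusted list are hypothetical names, and the sample file contents are constructed.

```python
import ipaddress
import re

ASSIGN = re.compile(r"^\s*([A-Z_]+)\s*=\s*(.*?)\s*$")

def parse_assignments(text):
    """KEY -> value for uncommented KEY = value lines, ASCII quotes stripped."""
    found = (ASSIGN.match(line) for line in text.splitlines())
    return {m.group(1): m.group(2).strip("\"'") for m in found if m}

def check_setup(cfg_text, control_text, hosts_deny_text, blocklist_text, trusted=()):
    """Return a list of problems in the files edited in steps 4 to 7."""
    cfg, ctl = parse_assignments(cfg_text), parse_assignments(control_text)
    problems = []
    # Steps 4 and 5: both files must name the same PID/lock file.
    if cfg.get("LOCK_FILE") != ctl.get("DENYHOSTS_LOCK"):
        problems.append("LOCK_FILE and DENYHOSTS_LOCK differ: %r vs %r"
                        % (cfg.get("LOCK_FILE"), ctl.get("DENYHOSTS_LOCK")))
    # Step 4: the page leaves BLOCK_SERVICE empty for the separate blocklist file.
    if cfg.get("BLOCK_SERVICE"):
        problems.append("BLOCK_SERVICE is not empty")
    # Step 6: hosts.deny must list the HOSTS_DENY path as a client pattern.
    target = cfg.get("HOSTS_DENY")
    rules = [ln.split(":", 1)[1] for ln in hosts_deny_text.splitlines()
             if ":" in ln and not ln.lstrip().startswith("#")]
    if not any(target in r.replace(",", " ").split() for r in rules):
        problems.append("hosts.deny does not reference %r" % target)
    # Step 10: every entry should be a bare IP address, and none a trusted one.
    nets = [ipaddress.ip_network(t, strict=False) for t in trusted]
    for line in blocklist_text.splitlines():
        entry = line.strip()
        if not entry or entry.startswith("#"):
            continue
        try:
            addr = ipaddress.ip_address(entry)
        except ValueError:
            problems.append("not a bare IP address: %r" % entry)
            continue
        if any(addr in n for n in nets):
            problems.append("trusted address is blocked: %s" % addr)
    return problems

# Constructed sample contents (documentation address ranges, not real data).
CFG = "HOSTS_DENY = /etc/hosts.evil\nBLOCK_SERVICE =\nLOCK_FILE = /var/run/denyhosts.pid\n"
CTL = 'DENYHOSTS_LOCK = "/var/run/denyhosts.pid"\n'
DENY = "ALL: /etc/hosts.evil\n"
EVIL = "203.0.113.7\n198.51.100.23\n"

if __name__ == "__main__":
    print(check_setup(CFG, CTL, DENY, EVIL, trusted=["192.0.2.0/24"]) or "no problems found")
```

A lock path pasted with typographic quotes is reported as a LOCK_FILE/DENYHOSTS_LOCK mismatch, because only ASCII quotes are stripped from values.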

2 thoughts to “Blocking sshd brute-force attacks with DenyHosts”

  1. user> python setup.py install
    -ash: python: not found

    It says this and won't go any further, but I'm sure it got installed when I ran ipkg install python24? Do you happen to know what the problem is? I'm a complete beginner;;

    1. It looks like python was not installed properly.
      ll /opt/bin/python
      Try running that command..
      When I run it, I get
      /opt/bin/python -> python2.5
      It seems it was updated and now ships as 2.5 after I wrote this post.
      If /opt/bin/python does not exist,
      ln -s /opt/bin/python2.4 /opt/bin/python
      create the link with that command.
