DenyHosts로 sshd brute-force attack 막기

What is DenyHosts?

“DenyHosts is a script intended to be run by Linux system administrators to help
thwart SSH server attacks (also known as dictionary based attacks and brute force
attacks).

If you’ve ever looked at your ssh log (/var/log/secure on Redhat, /var/log/auth.log on Mandrake, etc…) you may be
alarmed to see how many hackers attempted to gain access to your server. Hopefully, none of them were successful (but
then again, how would you know?). Wouldn’t it be better to automatically prevent that attacker from continuing to gain
entry into your system?

DenyHosts attempts to address the above..”

http://denyhosts.sourceforge.net/

사용된 버전: DenyHosts-2.6

1. python 설치(설치 안되어 있을 경우)

fs> ipkg install python24

2. DenyHosts-2.6.tar.gz 다운로드:

3. DenyHosts-2.6 설치

fs> tar xvzf DenyHosts-2.6.tar.gz
fs>
cd DenyHosts-2.6
fs>
python setup.py install
fs> cp -R DenyHosts /usr/share/denyhosts
fs> ln -s /usr/share/denyhosts/DenyHosts /usr/bin/DenyHosts
fs> cd /usr/share/denyhosts
fs>
cp denyhosts.cfg-dist denyhosts.cfg
fs> cp daemon-control-dist daemon-control
fs> chown root daemon-control
fs>
chmod 700 daemon-control

4. /usr/share/denyhosts/denyhosts.cfg 수정

# Debian:
SECURE_LOG = /var/log/messages

# Another possibility (also see the next option):
HOSTS_DENY = /etc/hosts.evil

# http://denyhosts.sourceforge.net/faq.html#aux
BLOCK_SERVICE =   

# Debian
LOCK_FILE = /var/run/denyhosts.pid

# To enable synchronization, you must uncomment the following line:
SYNC_SERVER = http://xmlrpc.denyhosts.net:9911

# The default is SYNC_UPLOAD = yes
#
SYNC_UPLOAD = no

# The default is SYNC_DOWNLOAD = yes
#
#SYNC_DOWNLOAD = no
SYNC_DOWNLOAD = yes

5. /usr/share/denyhosts/daemon-control 수정

DENYHOSTS_LOCK = “/var/run/denyhosts.pid”

6. /etc/hosts.deny 설정

ALL: /etc/hosts.evil

7. 차단할 IP 주소를 기록할 파일 생성