Preventing Brute Force Attacks With BlockHosts On Debian Etch

Version 1.0
Author: Falko Timme

In this article I will describe how to install and configure BlockHosts on a Debian Etch system. BlockHosts is a Python tool that watches login attempts to various services (e.g. SSH, FTP, etc.) and, when it finds failed login attempts from the same IP address or host again and again, stops further login attempts from that IP address/host. By default BlockHosts supports services that use TCP_WRAPPERS (i.e. services that consult /etc/hosts.allow and /etc/hosts.deny), such as SSH, but it can also block other services with iproute or iptables.

This document comes without warranty of any kind! I do not guarantee that this will work for you!

1 Preliminary Note

I have tested BlockHosts on a Debian Etch system.

I will show how to use BlockHosts with a service that uses /etc/hosts.allow and /etc/hosts.deny (sshd) and with a service that does not use TCP_WRAPPERS (e.g. Debian's ProFTPd package). Services that do not consult /etc/hosts.allow and /etc/hosts.deny can be blocked with iproute or iptables instead.

I assume that OpenSSH and ProFTPd are already installed and working correctly on your system.

2 Installing BlockHosts

Because BlockHosts is written in Python, we must install Python first:

apt-get install python

Afterwards we download and install BlockHosts as follows:

cd /tmp
wget http://www.aczoom.com/tools/blockhosts/BlockHosts-2.0.5.tar.gz
tar xvfz BlockHosts-2.0.5.tar.gz
cd BlockHosts-2.0.5
python setup.py install --force

Now we must edit /etc/blockhosts.cfg. Modify it as follows (settings not shown here keep their defaults):

vi /etc/blockhosts.cfg
[...]
HOSTS_BLOCKFILE = "/etc/hosts.allow"
[...]
HOST_BLOCKLINE = ["ALL: ", " : deny"]
[...]
LOGFILES = [ "/var/log/auth.log", "/var/log/proftpd/proftpd.log", ]
[...]
COUNT_THRESHOLD = 3
[...]
AGE_THRESHOLD = 12
[...]
MAIL = True
[...]
NOTIFY_ADDRESS = 'root@localhost.localdomain'
[...]
SMTP_SERVER = "localhost"
SENDER_ADDRESS = 'BlockHosts <blockhosts-do-not-reply@localhost.localdomain>'
[...]
IPBLOCK = "iptables"
[...]

In HOSTS_BLOCKFILE we can specify either /etc/hosts.allow or /etc/hosts.deny. It does not matter which one we choose, because HOST_BLOCKLINE writes every entry with an explicit " : deny" option; I am using /etc/hosts.allow here. In the LOGFILES line we specify the log files that BlockHosts should examine: OpenSSH logs failed login attempts to /var/log/auth.log, ProFTPd logs to /var/log/proftpd/proftpd.log. COUNT_THRESHOLD is the number of failed login attempts from the same host after which BlockHosts blocks that host. AGE_THRESHOLD is the number of hours after which a blocked host is unblocked again (failed attempts older than that are also no longer counted, as the "will discard all host entries older than" line in the output further down shows). MAIL, NOTIFY_ADDRESS, SMTP_SERVER and SENDER_ADDRESS control the notification mails; with SMTP_SERVER = "localhost" a mail server must be listening on the local machine for them to be delivered. IPBLOCK specifies whether we want to block hosts with iptables or iproute in addition to adding them to /etc/hosts.allow (or /etc/hosts.deny).

Next we must modify /etc/hosts.allow. First make a backup of your current /etc/hosts.allow:

cp /etc/hosts.allow /etc/hosts.allow_orig

Then empty /etc/hosts.allow and put something like this into it:

cat /dev/null > /etc/hosts.allow
vi /etc/hosts.allow
#
# hosts.allow    This file describes the names of the hosts which are
#        allowed to use the local INET services, as decided
#        by the '/usr/sbin/tcpd' server.
#
# ----
# see "man 5 hosts_access" for details of the format of IP addresses,
#services, allow/deny options. Also see "man hosts_options"
#
# permanent whitelist addresses - this should always be allowed access

ALL: 127.0.0.1 : allow
# ALL: 192.168.0. : allow

# permanent blacklist addresses - this should always be denied access
# ALL: 10. : deny
# ----------------------------------------
# next section is the blockhosts section - it will add/delete entries in
# between the two marker lines (#---- BlockHosts Additions)

#---- BlockHosts Additions
#---- BlockHosts Additions

# ----------------------------------------
# finally, the command to execute the blockhosts script, based on
# connection to particular service or services:

sshd: ALL: spawn /usr/bin/blockhosts.py --verbose --mail --iptables \
     --echo "%c-%s" --check-ip "%h" >> /var/log/blockhosts.log 2>&1 & \
: allow

#---
# add --iproute to enable null-routing, or add --iptables to enable packet
# filtering, which blocks all network communication from blocked hosts
#---
# remove   >> /var/log/blockhosts.log 2>&1     if no logging to blockhosts.log
# is needed - without this, it will still log to syslog (minimally)
#sshd: ALL: spawn /usr/bin/blockhosts.py --verbose --echo "%c-%s" & : allow
#---
# above commands will use default config file - /etc/blockhosts.cfg, edit
# it as needed to specify local configuration options

# See "man hosts.allow" for info on %c and %s identifiers

# for non-verbose, with identification, to syslog only (/var/log/messages),
# triggered on any service (using ALL as first word):
#ALL: ALL: spawn /usr/bin/blockhosts.py --echo "%c-%s" & : allow
#----
# To test hosts.allow, and to find out exact names of SSH/FTP services,
# add this line to the beginning of hosts.allow, use ssh/ftp to connect
# to your server, and then look at the log (/var/log/messages or
# blockhosts.log) to see the name of the invoked service.
# IMPORTANT: after your test is done, remove this line from hosts.allow!
# Otherwise everyone will always have access.
#ALL : ALL: spawn (/usr/bin/blockhosts.py --verbose --echo "%c-%s" >> /var/log/blockhosts.log 2>&1 )& : allow

# -------------------------------------------------------------------------

In the first section you list the hosts that should be whitelisted (e.g. 127.0.0.1). If you want to whitelist the whole 192.168.0. subnet, uncomment the corresponding line. Whitelisted hosts are never locked out, because their allow line comes before the BlockHosts section and the first matching rule in hosts.allow wins.

Then we must add these two markers; BlockHosts will insert the blocked hosts between them:

#---- BlockHosts Additions 
#---- BlockHosts Additions

The most important line is this one:

sshd: ALL: spawn /usr/bin/blockhosts.py --verbose --mail --iptables \
     --echo "%c-%s" --check-ip "%h" >> /var/log/blockhosts.log 2>&1 & \
: allow

Now whenever someone connects to SSH, /usr/bin/blockhosts.py is started in the background (the trailing & keeps the SSH connection from waiting for it). It examines the log files we specified in /etc/blockhosts.cfg and blocks every host whose failed login attempts have reached COUNT_THRESHOLD, both by adding an "ALL: <host> : deny" line between the marker lines in /etc/hosts.allow and, because of --iptables, with iptables (which cuts these hosts off from your system completely, not only from services that use TCP_WRAPPERS). The deny lines sit above the sshd rule, so for a blocked host they match first and the ": allow" at the end of the sshd rule is never reached. All actions are logged to /var/log/blockhosts.log.
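To make the mechanism concrete, here is an added example that models one run of the script over a few constructed log lines. It is not BlockHosts' own code and does not come from this article; it only illustrates the COUNT_THRESHOLD / AGE_THRESHOLD logic from /etc/blockhosts.cfg, the rewrite of the section between the two marker lines, and the iptables rules that IPBLOCK = "iptables" implies. The two regular expressions, the log lines, the timestamps and the trimmed hosts.allow are all assumptions constructed for the illustration and only approximate the real OpenSSH and ProFTPd log formats.

```python
"""Model of one BlockHosts run: scan the files named in LOGFILES, count failed
logins per source address inside the AGE_THRESHOLD window, rewrite the section
between the two '#---- BlockHosts Additions' markers of HOSTS_BLOCKFILE and,
for IPBLOCK = "iptables", produce the matching filter rules.
Added illustration only, not BlockHosts' own code: log lines, patterns and the
sample hosts.allow are constructed approximations (assumptions)."""
import re
from datetime import datetime, timedelta

MARKER = "#---- BlockHosts Additions"
COUNT_THRESHOLD = 3              # failures from one host before it is blocked
AGE_THRESHOLD = 12               # hours; older failures (and blocks) expire
HOST_BLOCKLINE = ("ALL: ", " : deny")

# Constructed patterns (assumption): the real tool ships its own, fuller set.
PATTERNS = [
    re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
               r"Failed password for .* from (?P<ip>\d+\.\d+\.\d+\.\d+)"),
    re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ proftpd\[\d+\] \S+ "
               r"\(\S+\[(?P<ip>\d+\.\d+\.\d+\.\d+)\]\): USER \S+ \(Login failed\)"),
]

# Constructed sample log lines, not captured from any real server.
SAMPLE_LOG = """\
Sep 05 16:01:10 server2 sshd[2210]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Sep 05 16:01:14 server2 sshd[2210]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Sep 05 16:01:19 server2 sshd[2211]: Failed password for root from 203.0.113.5 port 40130 ssh2
Sep 05 16:02:00 server2 sshd[2212]: Accepted publickey for falko from 192.168.0.7 port 51044 ssh2
Sep 05 16:04:34 server2.example.com proftpd[2355] server2.example.com (203.0.113.7[203.0.113.7]): USER anonymous (Login failed): Incorrect password
Sep 05 16:04:40 server2.example.com proftpd[2355] server2.example.com (203.0.113.7[203.0.113.7]): USER anonymous (Login failed): Incorrect password
Sep 05 03:00:00 server2 sshd[1900]: Failed password for root from 198.51.100.9 port 2222 ssh2
Sep 05 03:00:05 server2 sshd[1900]: Failed password for root from 198.51.100.9 port 2222 ssh2
Sep 05 03:00:09 server2 sshd[1900]: Failed password for root from 198.51.100.9 port 2222 ssh2
""".splitlines()

# Trimmed, constructed stand-in for the /etc/hosts.allow built above.
SAMPLE_HOSTS_ALLOW = """\
ALL: 127.0.0.1 : allow
#---- BlockHosts Additions
#---- BlockHosts Additions
sshd: ALL: spawn /usr/bin/blockhosts.py --verbose --mail --iptables \\
     --echo "%c-%s" --check-ip "%h" >> /var/log/blockhosts.log 2>&1 & \\
: allow
"""

NOW = datetime(2007, 9, 5, 16, 31, 10)   # the moment of the dry run in the article

def parse_failures(lines, year):
    """(timestamp, ip) for every line matching a failure pattern. syslog
    timestamps carry no year, so the caller supplies it."""
    found = []
    for line in lines:
        for pat in PATTERNS:
            m = pat.search(line)
            if m:
                ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
                found.append((ts.replace(year=year), m.group("ip")))
                break
    return found

def hosts_to_block(failures, now):
    """Hosts with at least COUNT_THRESHOLD failures inside the AGE window."""
    cutoff = now - timedelta(hours=AGE_THRESHOLD)
    counts = {}
    for ts, ip in failures:
        if ts >= cutoff:
            counts[ip] = counts.get(ip, 0) + 1
    return sorted(ip for ip, n in counts.items() if n >= COUNT_THRESHOLD)

def update_blockfile(text, hosts):
    """Replace whatever sits between the two markers with the current block
    list; lines outside the markers (whitelist, spawn rule) are untouched."""
    lines = text.splitlines()
    idx = [i for i, l in enumerate(lines) if l.strip() == MARKER]
    if len(idx) != 2:
        raise ValueError(f"expected exactly two marker lines, found {len(idx)}")
    section = [MARKER] + [f"{HOST_BLOCKLINE[0]}{h}{HOST_BLOCKLINE[1]}" for h in hosts] + [MARKER]
    return "\n".join(lines[:idx[0]] + section + lines[idx[1] + 1:]) + "\n"

def iptables_commands(hosts, chain="blockhosts"):
    """Rule set behind the 'created user-defined chain blockhosts' and 'jump
    from INPUT' messages: a dedicated chain with one DROP per blocked host."""
    cmds = [f"iptables -N {chain}", f"iptables -I INPUT -j {chain}"]
    cmds += [f"iptables -A {chain} -s {h} -j DROP" for h in hosts]
    return cmds

def run(now=NOW):
    """One BlockHosts pass over the constructed data."""
    blocked = hosts_to_block(parse_failures(SAMPLE_LOG, now.year), now)
    return blocked, update_blockfile(SAMPLE_HOSTS_ALLOW, blocked), iptables_commands(blocked)

if __name__ == "__main__":
    blocked, new_hosts_allow, cmds = run()
    print(new_hosts_allow)
    print("\n".join(cmds))
```

Run it with python3; it prints the rewritten hosts.allow and the iptables commands. Only 203.0.113.5 ends up blocked: 203.0.113.7 has two ProFTPd failures and stays below COUNT_THRESHOLD, and 198.51.100.9 has three failures that are all older than AGE_THRESHOLD at the chosen time, so they are discarded. Because update_blockfile replaces the whole marker section on every run, a host whose failures have aged out simply disappears from the list on the next run, which is how the unblocking after AGE_THRESHOLD hours works.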

Now we need to initialize BlockHosts. First we run it with the --dry-run option to check that there are no errors (a dry run changes nothing on the system):

blockhosts.py --dry-run --verbose

The output can look like this:

server2:/var/log# blockhosts.py --dry-run --verbose
blockhosts 2.0.5 started: 2007-09-05 16:31:10 CEST
... load blockfile: /etc/hosts.allow
... found both markers, count of hosts being watched: 0
no logoffsets found, will read from beginning in logfile: /var/log/auth.log
... loading log file, offset: /var/log/auth.log 0
no logoffsets found, will read from beginning in logfile: /var/log/proftpd/proftpd.log
... loading log file, offset: /var/log/proftpd/proftpd.log 0
... will discard all host entries older than 2007-09-05 04:31:10 CEST
... updates: counts: hosts to block: 0; hosts being watched: 0
#---- BlockHosts Additions
#bh: logfile: /var/log/auth.log
#bh: offset: 2643
#bh: first line:Jun 28 20:35:51 server2 login[2087]: (pam_unix) session opened for user root by (uid=0)
#bh: logfile: /var/log/proftpd/proftpd.log
#bh: offset: 1308
#bh: first line:Sep 05 16:04:34 server2.example.com proftpd[2355] server2.example.com: error setting IPV6_V6ONLY: Protocol not available
#---- BlockHosts Additions
# ----------------------------------------
# finally, the command to execute the blockhosts script, based on
# connection to particular service or services:
sshd, proftpd, vsftpd: ALL: spawn /usr/bin/blockhosts.py --verbose --mail \
--echo "%c-%s" --check-ip "%h" >> /var/log/blockhosts.log 2>&1 & \
: allow
#---
# add --iproute to enable null-routing, or add --iptables to enable packet
# filtering, which blocks all network communication from blocked hosts
#---
# remove >> /var/log/blockhosts.log 2>&1 if no logging to blockhosts.log
# is needed - without this, it will still log to syslog (minimally)
#sshd: ALL: spawn /usr/bin/blockhosts.py --verbose --echo "%c-%s" & : allow
#---
# above commands will use default config file - /etc/blockhosts.cfg, edit
# it as needed to specify local configuration options
# See "man hosts.allow" for info on %c and %s identifiers
# for non-verbose, with identification, to syslog only (/var/log/messages),
# triggered on any service (using ALL as first word):
#ALL: ALL: spawn /usr/bin/blockhosts.py --echo "%c-%s" & : allow
#----
# To test hosts.allow, and to find out exact names of SSH/FTP services,
# add this line to the beginning of hosts.allow, use ssh/ftp to connect
# to your server, and then look at the log (/var/log/messages or
# blockhosts.log) to see the name of the invoked service.
# IMPORTANT: after your test is done, remove this line from hosts.allow!
# Otherwise everyone will always have access.
#ALL : ALL: spawn (/usr/bin/blockhosts.py --verbose --echo "%c-%s" >> /var/log/blockhosts.log 2>&1 )& : allow
# -------------------------------------------------------------------------
Commands (tentative) to run for ip null-route blocking:
... no email to send.
server2:/var/log#

This looks good (apart from the IPv6 error in the ProFTPd log, which can be ignored), so we can run it without the --dry-run option:

blockhosts.py --verbose

The output should look like this:

server2:/var/log# blockhosts.py --verbose
blockhosts 2.0.5 started: 2007-09-05 16:33:24 CEST
... load blockfile: /etc/hosts.allow
... found both markers, count of hosts being watched: 0
... loading log file, offset: /var/log/auth.log 2643
... loading log file, offset: /var/log/proftpd/proftpd.log 1308
... will discard all host entries older than 2007-09-05 04:33:24 CEST
... updates: counts: hosts to block: 0; hosts being watched: 0
... created user-defined chain blockhosts
... creating jump from INPUT to blockhosts chain
... no email to send.
server2:/var/log#

BlockHosts can now catch failed SSH logins, but not failed ProFTPd logins, because Debian's ProFTPd does not consult /etc/hosts.allow and /etc/hosts.deny, which means BlockHosts is not invoked when someone tries to log in to ProFTPd. (If someone accumulates COUNT_THRESHOLD or more failed ProFTPd logins and then tries to log in to OpenSSH, he will of course be blocked, because OpenSSH consults /etc/hosts.allow, which invokes BlockHosts, which then finds the failed ProFTPd attempts in the log. But if someone only ever tries to log in to ProFTPd, there is no way to catch him with the current setup.) To block non-TCP_WRAPPERS services as well, we will therefore create a cron job that starts BlockHosts every five minutes (for example).
