Preventing Brute Force Attacks On Debian Lenny
In this article I will describe how to install and configure BlockHosts on a Debian Lenny system. BlockHosts is a Python tool that observes login attempts to various services (e.g. SSH, FTP, etc.) and, if it finds failed login attempts again and again from the same IP address or host, stops further login attempts from that IP address/host. By default, BlockHosts supports services that use TCP_WRAPPERS (i.e. /etc/hosts.allow or /etc/hosts.deny), such as SSH, but it can also block other services by using iproute or iptables.
This document comes without warranty of any kind! I do not issue any guarantee that this will work for you!
1 Preliminary Note
I have tested BlockHosts on a Debian Lenny system.
I will show how to use it with services that use /etc/hosts.allow or /etc/hosts.deny (sshd) and with services that do not use TCP_WRAPPERS (e.g. Debian's ProFTPd package). Services that do not use /etc/hosts.allow or /etc/hosts.deny can be blocked with iproute or iptables.
I assume that OpenSSH and ProFTPd are both already installed and working correctly on your system.
2 Installing BlockHosts
As BlockHosts is written in Python, we must install Python first:
aptitude install python
Afterwards we download and install BlockHosts as follows:
cd /tmp
wget http://www.aczoom.com/tools/blockhosts/BlockHosts-2.5.0.tar.gz
tar xvfz BlockHosts-2.5.0.tar.gz
cd BlockHosts-2.5.0
python setup.py install --force
Now we must edit /etc/blockhosts.cfg. Modify it as follows:
vi /etc/blockhosts.cfg
[...]
HOSTS_BLOCKFILE = "/etc/hosts.allow"
[...]
HOST_BLOCKLINE = ["ALL: ", " : deny"]
[...]
COUNT_THRESHOLD = 3
[...]
AGE_THRESHOLD = 12
[...]
LOGFILES = [
    "/var/log/auth.log",
    "/var/log/proftpd/proftpd.log",
    ]
[...]
MAIL = True
[...]
NOTIFY_ADDRESS = 'root@localhost.localdomain'
[...]
SMTP_SERVER = "localhost"
In HOSTS_BLOCKFILE we can specify either /etc/hosts.allow or /etc/hosts.deny. It does not matter which one we choose; I am using /etc/hosts.allow here. In the LOGFILES line we specify the log files that BlockHosts should watch. OpenSSH logs failed login attempts to /var/log/auth.log, and ProFTPd logs to /var/log/proftpd/proftpd.log. COUNT_THRESHOLD specifies the number of failed login attempts from the same host after which BlockHosts should block that host. AGE_THRESHOLD is the number of hours after which a blocked host is unblocked again. IPBLOCK specifies whether you want to block hosts with iptables or iproute in addition to adding them to /etc/hosts.allow (or /etc/hosts.deny).
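To make the three settings above concrete, here is a miniature re-implementation of the counting rules they describe. This is an added example, not BlockHosts' own code: it counts failed logins per source IP inside the AGE_THRESHOLD window, decides which hosts have reached COUNT_THRESHOLD, and rewrites the section between the two "#---- BlockHosts Additions" marker lines (which the hosts.allow template later in this article relies on). The sshd and ProFTPd log-line patterns, the sample log, the sample hosts.allow text and the choice of an inclusive threshold are assumptions made for this example.

```python
"""Added example: a small model of BlockHosts' counting rules (not the tool's
own code).  Log formats and sample data are constructed for illustration."""
import re
from datetime import datetime, timedelta

COUNT_THRESHOLD = 3   # as set in /etc/blockhosts.cfg above
AGE_THRESHOLD = 12    # hours
MARKER = "#---- BlockHosts Additions"

# Assumed line formats (sshd in auth.log, ProFTPd in proftpd.log); the real
# tool ships its own, more complete patterns in its configuration.
SSHD_FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\d+\.\d+\.\d+\.\d+)")
PROFTPD_FAILED = re.compile(
    r"proftpd\[\d+\] \S+ \((\d+\.\d+\.\d+\.\d+)\[[^\]]*\]\): USER \S+ \(Login failed\)")

# Constructed sample log: three failures from .199 (SSH and FTP mixed), one
# from .2, and three from 10.0.0.7 that are older than AGE_THRESHOLD hours.
SAMPLE_LOG = """\
Aug 18 01:00:00 server1 sshd[1000]: Failed password for root from 10.0.0.7 port 1 ssh2
Aug 18 01:00:01 server1 sshd[1001]: Failed password for root from 10.0.0.7 port 2 ssh2
Aug 18 01:00:02 server1 sshd[1002]: Failed password for root from 10.0.0.7 port 3 ssh2
Aug 18 14:10:01 server1 sshd[2201]: Failed password for root from 192.168.0.199 port 51234 ssh2
Aug 18 14:10:05 server1 sshd[2203]: Failed password for invalid user admin from 192.168.0.199 port 51240 ssh2
Aug 18 14:11:30 server1 proftpd[2300] server1.example.com (192.168.0.199[192.168.0.199]): USER root (Login failed): Incorrect password.
Aug 18 14:12:00 server1 sshd[2210]: Failed password for root from 192.168.0.2 port 40000 ssh2
Aug 18 14:12:10 server1 sshd[2211]: Accepted password for falko from 192.168.0.2 port 40001 ssh2
"""
NOW = datetime(2010, 8, 18, 14, 16, 56)   # "current time" for the sample run
# Constructed minimal hosts.allow with the two marker lines already present.
SAMPLE_HOSTS_ALLOW = "ALL: 127.0.0.1 : allow\n" + MARKER + "\n" + MARKER + "\nsshd: ALL: allow\n"

def syslog_time(line, year):
    """syslog timestamps carry no year, so the caller supplies one."""
    return datetime.strptime(line[:15], "%b %d %H:%M:%S").replace(year=year)

def count_failures(lines, now, year):
    """Map source IP -> (failed attempts, last seen), ignoring entries older
    than AGE_THRESHOLD hours relative to `now` (the tool's "discarding all
    host entries older than ..." step)."""
    cutoff = now - timedelta(hours=AGE_THRESHOLD)
    counts = {}
    for line in lines:
        m = SSHD_FAILED.search(line) or PROFTPD_FAILED.search(line)
        if not m:
            continue
        ts = syslog_time(line, year)
        if ts < cutoff:
            continue
        n, _ = counts.get(m.group(1), (0, None))
        counts[m.group(1)] = (n + 1, ts)
    return counts

def blocked_hosts(counts):
    """Hosts that reached COUNT_THRESHOLD (assumed to be an inclusive bound)."""
    return sorted(ip for ip, (n, _) in counts.items() if n >= COUNT_THRESHOLD)

def render_additions(counts, now):
    """The block between the markers: one deny line per blocked host (the
    HOST_BLOCKLINE format from the config), then the #bh: bookkeeping lines."""
    out = [MARKER]
    out += [f"ALL: {ip} : deny" for ip in blocked_hosts(counts)]
    out += [f"#bh: ip: {ip} : {n} : {last:%Y-%m-%d %H:%M:%S}"
            for ip, (n, last) in sorted(counts.items())]
    out.append(MARKER)
    return "\n".join(out)

def update_hosts_allow(text, counts, now):
    """Replace whatever sits between the two markers; refuse to touch a file
    whose markers are missing or duplicated, so nothing outside them is lost."""
    lines = text.split("\n")
    idx = [i for i, l in enumerate(lines) if l.strip() == MARKER]
    if len(idx) != 2:
        raise ValueError("expected exactly two marker lines in hosts.allow")
    block = render_additions(counts, now).split("\n")
    return "\n".join(lines[:idx[0]] + block + lines[idx[1] + 1:])

def demo():
    """Run the sample log through the rules; returns (counts, blocked, new text)."""
    counts = count_failures(SAMPLE_LOG.splitlines(), NOW, year=2010)
    return counts, blocked_hosts(counts), update_hosts_allow(SAMPLE_HOSTS_ALLOW, counts, NOW)

if __name__ == "__main__":
    counts, blocked, text = demo()
    print(f"final counts: blocked {len(blocked)}, watched {len(counts)}")
    print(text)
```

With the sample data, 192.168.0.199 reaches the threshold (two SSH failures plus one FTP failure count together, since both log files feed the same counter), 192.168.0.2 is only watched, and 10.0.0.7 is dropped entirely because its attempts are older than AGE_THRESHOLD hours.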
Next we must modify /etc/hosts.allow. First back up your current /etc/hosts.allow:
cp /etc/hosts.allow /etc/hosts.allow_orig
Then empty /etc/hosts.allow and put something like this into it:
cat /dev/null > /etc/hosts.allow
vi /etc/hosts.allow
#
# hosts.allow   This file describes the names of the hosts which are
#               allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
# ----
# see "man 5 hosts_access" for details of the format of IP addresses,
#services, allow/deny options. Also see "man hosts_options"
#
# permanent whitelist addresses - this should always be allowed access
ALL: 127.0.0.1 : allow
# ALL: 192.168.0. : allow

# permanent blacklist addresses - this should always be denied access
# ALL: 10. : deny

# ----------------------------------------
# next section is the blockhosts section - it will add/delete entries in
# between the two marker lines (#---- BlockHosts Additions)

#---- BlockHosts Additions
#---- BlockHosts Additions

# ----------------------------------------
# finally, the command to execute the blockhosts script, based on
# connection to particular service or services:

sshd: ALL: spawn /usr/bin/blockhosts.py --verbose --mail --iptables \
     --echo "%c-%s" --check-ip "%h" >> /var/log/blockhosts.log 2>&1 & \
     : allow
#---
# add --iproute to enable null-routing, or add --iptables to enable packet
# filtering, which blocks all network communication from blocked hosts
#---
# remove >> /var/log/blockhosts.log 2>&1 if no logging to blockhosts.log
# is needed - without this, it will still log to syslog (minimally)
#sshd: ALL: spawn /usr/bin/blockhosts.py --verbose --echo "%c-%s" & : allow
#---
# above commands will use default config file - /etc/blockhosts.cfg, edit
# it as needed to specify local configuration options
# See "man hosts.allow" for info on %c and %s identifiers

# for non-verbose, with identification, to syslog only (/var/log/messages),
# triggered on any service (using ALL as first word):
#ALL: ALL: spawn /usr/bin/blockhosts.py --echo "%c-%s" & : allow
#----
# To test hosts.allow, and to find out exact names of SSH/FTP services,
# add this line to the beginning of hosts.allow, use ssh/ftp to connect
# to your server, and then look at the log (/var/log/messages or
# blockhosts.log) to see the name of the invoked service.
# IMPORTANT: after your test is done, remove this line from hosts.allow!
# Otherwise everyone will always have access.
#ALL : ALL: spawn (/usr/bin/blockhosts.py --verbose --echo "%c-%s" >> /var/log/blockhosts.log 2>&1 )& : allow
# -------------------------------------------------------------------------
In the first section you list the hosts that you want to whitelist (e.g. 127.0.0.1). If you want to whitelist the whole 192.168.0 subnet, uncomment the 192.168.0. line.
Then we must add these markers; BlockHosts will add blocked hosts between them:
#---- BlockHosts Additions
#---- BlockHosts Additions
The most important part is this one:
sshd: ALL: spawn /usr/bin/blockhosts.py --verbose --mail --iptables \
--echo "%c-%s" --check-ip "%h" >> /var/log/blockhosts.log 2>&1 & \
: allow
Now, whenever someone tries to log in with SSH, /usr/bin/blockhosts.py is started; it checks the log files we specified in /etc/blockhosts.cfg and blocks all hosts with more than COUNT_THRESHOLD failed login attempts by adding them to /etc/hosts.allow and by using iptables (which completely blocks those hosts from accessing your system). All actions are logged to /var/log/blockhosts.log.
Now we must initialize BlockHosts. First we use the --dry-run option to check that there are no errors:
blockhosts.py --dry-run --verbose
The output could look like this:
server1:/tmp/BlockHosts-2.5.0# blockhosts.py --dry-run --verbose
blockhosts 2.5.0 started: 2010-08-18 14:16:56 CEST
... loaded /etc/hosts.allow, starting counts: blocked 0, watched 0
no logoffsets found, will read from beginning in logfile: /var/log/auth.log
... loading log file /var/log/auth.log, offset: 0
no logoffsets found, will read from beginning in logfile: /var/log/proftpd/proftpd.log
... loading log file /var/log/proftpd/proftpd.log, offset: 0
... discarding all host entries older than 2010-08-18 02:16:56 CEST
... final counts: blocked 0, watched 1
#---- BlockHosts Additions
#bh: ip: 192.168.0.2 : 1 : 2010-08-18 14:16:56 CEST
#bh: logfile: /var/log/auth.log
#bh: offset: 6763
#bh: first line:Feb 16 13:22:10 server1 login[1992]: pam_unix(login:session): session opened for user root by (uid=0)
#bh: logfile: /var/log/proftpd/proftpd.log
#bh: offset: 884
#bh: first line:Feb 16 14:59:18 server1.example.com proftpd[13157] server1.example.com: ProFTPD 1.3.1 (stable) (built Fri Feb 6 12:26:25 GMT 2009) standalone mode STARTUP
#---- BlockHosts Additions
# ----------------------------------------
# finally, the command to execute the blockhosts script, based on
# connection to particular service or services:
sshd: ALL: spawn /usr/bin/blockhosts.py --verbose --mail --iptables \
--echo "%c-%s" --check-ip "%h" >> /var/log/blockhosts.log 2>&1 & \
: allow
#---
# add --iproute to enable null-routing, or add --iptables to enable packet
# filtering, which blocks all network communication from blocked hosts
#---
# remove >> /var/log/blockhosts.log 2>&1 if no logging to blockhosts.log
# is needed - without this, it will still log to syslog (minimally)
#sshd: ALL: spawn /usr/bin/blockhosts.py --verbose --echo "%c-%s" & : allow
#---
# above commands will use default config file - /etc/blockhosts.cfg, edit
# it as needed to specify local configuration options
# See "man hosts.allow" for info on %c and %s identifiers
# for non-verbose, with identification, to syslog only (/var/log/messages),
# triggered on any service (using ALL as first word):
#ALL: ALL: spawn /usr/bin/blockhosts.py --echo "%c-%s" & : allow
#----
# To test hosts.allow, and to find out exact names of SSH/FTP services,
# add this line to the beginning of hosts.allow, use ssh/ftp to connect
# to your server, and then look at the log (/var/log/messages or
# blockhosts.log) to see the name of the invoked service.
# IMPORTANT: after your test is done, remove this line from hosts.allow!
# Otherwise everyone will always have access.
#ALL : ALL: spawn (/usr/bin/blockhosts.py --verbose --echo "%c-%s" >> /var/log/blockhosts.log 2>&1 )& : allow
# -------------------------------------------------------------------------
Commands (tentative) to run for IPTables filtering:
... created user-defined chain blockhosts
... creating jump from INPUT to blockhosts chain
... creating jump from FORWARD to blockhosts chain
... no email to send.
server1:/tmp/BlockHosts-2.5.0#
That looks good, so we can run it without the --dry-run option:
blockhosts.py --verbose
The output should look like this:
server1:/tmp/BlockHosts-2.5.0# blockhosts.py --verbose
blockhosts 2.5.0 started: 2010-08-18 14:20:20 CEST
... loaded /etc/hosts.allow, starting counts: blocked 0, watched 0
no logoffsets found, will read from beginning in logfile: /var/log/auth.log
... loading log file /var/log/auth.log, offset: 0
no logoffsets found, will read from beginning in logfile: /var/log/proftpd/proftpd.log
... loading log file /var/log/proftpd/proftpd.log, offset: 0
... discarding all host entries older than 2010-08-18 02:20:20 CEST
... final counts: blocked 0, watched 1
... created user-defined chain blockhosts
... creating jump from INPUT to blockhosts chain
... creating jump from FORWARD to blockhosts chain
... no email to send.
server1:/tmp/BlockHosts-2.5.0#
BlockHosts can now check for failed SSH logins, but not for failed ProFTPd logins, because Debian's ProFTPd does not consult /etc/hosts.allow and /etc/hosts.deny, which means BlockHosts is not invoked when someone tries to log in to ProFTPd. (Of course, if someone has COUNT_THRESHOLD or more failed login attempts on ProFTPd and then tries to log in to OpenSSH, he will be blocked, because OpenSSH uses /etc/hosts.allow and therefore invokes BlockHosts, which then finds the failed ProFTPd login attempts; but if someone only ever tries to log in to ProFTPd, there is no way to catch him with the current setup.) To block non-TCP_WRAPPERS services as well, we will create a cron job that starts BlockHosts every five minutes (for example).
3 Creating A BlockHosts Cron Job For Non-TCP_WRAPPERS Services
To block hosts that attack non-TCP_WRAPPERS services (such as Debian's ProFTPd), you can run
blockhosts.py --ipblock=iptables --verbose
on the command line. Of course, you do not want to do this by hand every few minutes, so we create a cron job for it.
First we create a small wrapper script for /usr/bin/blockhosts.py:
vi /usr/local/sbin/blockhosts
#!/bin/bash
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
/usr/bin/blockhosts.py --ipblock=iptables --verbose >> /var/log/blockhosts.log 2>&1
The purpose of this wrapper script is to pass the correct PATH to the /usr/bin/blockhosts.py script; if we used /usr/bin/blockhosts.py directly in the cron job, we would get errors saying that iptables cannot be found.
Of course, we must make /usr/local/sbin/blockhosts executable:
chmod 700 /usr/local/sbin/blockhosts
Then we create a cron job like this:
crontab -e
*/5 * * * * /usr/local/sbin/blockhosts &> /dev/null
4 Testing
Now you can try to log in to your server with SSH and FTP using wrong usernames/passwords. After a while you should not be able to connect to your server anymore, which means you have been blocked. Change your client's IP address and log in to the server's shell again.
Run
iptables -L
and in the output you can see which IP addresses have been blocked:
server1:~# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
blockhosts all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
blockhosts all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain blockhosts (2 references)
target prot opt source destination
DROP all -- 192.168.0.199 anywhere
server1:~#
Take a look at /etc/hosts.allow. The same IP address should be listed in the #---- BlockHosts Additions section:
vi /etc/hosts.allow
[...]
#---- BlockHosts Additions
ALL: 192.168.0.199 : deny
#bh: ip: 192.168.0.199 : 24 : 2010-08-18 14:37:53 CEST
#bh: ip: 192.168.0.2 : 1 : 2010-08-18 14:20:20 CEST
#bh: logfile: /var/log/auth.log
#bh: offset: 7619
#bh: first line:Feb 16 13:22:10 server1 login[1992]: pam_unix(login:session): session opened for user root by (uid=0)
#bh: logfile: /var/log/proftpd/proftpd.log
#bh: offset: 8588
#bh: first line:Feb 16 14:59:18 server1.example.com proftpd[13157] server1.example.com: ProFTPD 1.3.1 (stable) (built Fri Feb 6 12:26:25 GMT 2009) standalone mode STARTUP
#---- BlockHosts Additions
[...]
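The check just described, that the IP in the blockhosts iptables chain matches the deny line in /etc/hosts.allow, can be automated. The script below is an added example and not part of BlockHosts or of this article's setup: it parses iptables -L output and the section between the two marker lines of hosts.allow and reports any address enforced in one place but not the other. The sample listings are constructed to mirror the output shown above; the second iptables listing models the server after a reboot, when the chain is gone (iptables rules are not persistent by default) while the hosts.allow entries remain. The function and variable names are this example's own.

```python
"""Added example: cross-check the iptables 'blockhosts' chain against the
BlockHosts section of /etc/hosts.allow.  Sample data is constructed."""
import re

IPV4 = r"(\d+\.\d+\.\d+\.\d+)"
MARKER = "#---- BlockHosts Additions"

# Constructed to mirror the `iptables -L` listing shown above.
SAMPLE_IPTABLES = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
blockhosts all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
blockhosts all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain blockhosts (2 references)
target     prot opt source               destination
DROP       all  --  192.168.0.199        anywhere
"""

# Constructed: the same server after a reboot, no blockhosts chain any more.
SAMPLE_IPTABLES_AFTER_REBOOT = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
"""

# Constructed excerpt of /etc/hosts.allow, mirroring the section shown above.
SAMPLE_HOSTS_ALLOW = """\
ALL: 127.0.0.1 : allow
#---- BlockHosts Additions
ALL: 192.168.0.199 : deny
#bh: ip: 192.168.0.199 : 24 : 2010-08-18 14:37:53 CEST
#bh: ip: 192.168.0.2 : 1 : 2010-08-18 14:20:20 CEST
#bh: logfile: /var/log/auth.log
#bh: offset: 7619
#---- BlockHosts Additions
sshd: ALL: spawn /usr/bin/blockhosts.py --verbose --echo "%c-%s" & : allow
"""

def parse_iptables_listing(text):
    """Source IPs DROPped in the 'blockhosts' chain of `iptables -L` output.
    On a real host run `iptables -L -n` so addresses are not resolved to names."""
    dropped, in_chain = set(), False
    for line in text.splitlines():
        if line.startswith("Chain "):
            in_chain = line.split()[1] == "blockhosts"
            continue
        if in_chain:
            m = re.match(r"DROP\s+\S+\s+\S+\s+" + IPV4 + r"\s", line)
            if m:
                dropped.add(m.group(1))
    return dropped

def parse_hosts_allow(text):
    """Return (denied, watched): IPs with an 'ALL: ip : deny' line and IPs
    with a '#bh: ip:' bookkeeping line (with their counts), reading only the
    text between the two marker lines."""
    denied, watched, inside = set(), {}, False
    for line in text.splitlines():
        if line.strip() == MARKER:
            inside = not inside
            continue
        if not inside:
            continue
        m = re.match(r"ALL:\s*" + IPV4 + r"\s*:\s*deny", line)
        if m:
            denied.add(m.group(1))
        m = re.match(r"#bh: ip:\s*" + IPV4 + r"\s*:\s*(\d+)", line)
        if m:
            watched[m.group(1)] = int(m.group(2))
    return denied, watched

def audit(iptables_text, hosts_allow_text):
    """Compare the two enforcement points and list every disagreement."""
    dropped = parse_iptables_listing(iptables_text)
    denied, watched = parse_hosts_allow(hosts_allow_text)
    return {
        "consistent": dropped == denied,
        "only_in_iptables": sorted(dropped - denied),
        "only_in_hosts_allow": sorted(denied - dropped),
        "watched_not_blocked": sorted(set(watched) - denied),
    }

if __name__ == "__main__":
    print(audit(SAMPLE_IPTABLES, SAMPLE_HOSTS_ALLOW))
    print(audit(SAMPLE_IPTABLES_AFTER_REBOOT, SAMPLE_HOSTS_ALLOW))
```

The first call reports a consistent state with 192.168.0.2 merely watched; the second reports 192.168.0.199 as denied in hosts.allow but missing from iptables, which is exactly the situation after a reboot until the cron job has run BlockHosts once more and recreated the chain. Feeding the script the real `iptables -L -n` output and /etc/hosts.allow is a quick way to confirm that both layers agree.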
Finally, you can also take a look at /var/log/blockhosts.log:
tail /var/log/blockhosts.log
server1:~# tail /var/log/blockhosts.log
... discarding all host entries older than 2010-08-18 02:40:02 CEST
... final counts: blocked 1, watched 2
... no email to send.
blockhosts 2.5.0 started: 2010-08-18 14:45:01 CEST
... loaded /etc/hosts.allow, starting counts: blocked 1, watched 2
... loading log file /var/log/auth.log, offset: 7619
... loading log file /var/log/proftpd/proftpd.log, offset: 8588
... discarding all host entries older than 2010-08-18 02:45:01 CEST
... final counts: blocked 1, watched 2
... no email to send.
server1:~#
5 Links
- BlockHosts: http://www.aczoom.com/blockhosts
- Debian: http://www.debian.org/