我的 /etc/hosts.deny 文件中有以下内容
#
# hosts.deny This file describes the names of the hosts which are
# *not* allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
#
# The portmap line is redundant, but it is left to remind you that
# the new secure portmap uses hosts.deny and hosts.allow. In particular
# you should know that NFS uses portmap!
ALL:ALL
这在 /etc/hosts.allow 中
#
# hosts.allow This file describes the names of the hosts which are
# allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
#
ALL:xx.xx.xx.xx , xx.xx.xxx.xx , xx.xx.xxx.xxx , xx.x.xxx.xxx , xx.xxx.xxx.xxx
但我仍然收到很多这样的电子邮件:
Time: Thu Feb 10 13:39:55 2011 +0000
IP: 202.119.208.220 (CN/China/-)
Failures: 5 (sshd)
Interval: 300 seconds
Blocked: Permanent Block
Log entries:
Feb 10 13:39:52 ds-103 sshd[12566]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.119.208.220 user=root
Feb 10 13:39:52 ds-103 sshd[12567]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.119.208.220 user=root
Feb 10 13:39:52 ds-103 sshd[12568]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.119.208.220 user=root
Feb 10 13:39:52 ds-103 sshd[12571]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.119.208.220 user=root
Feb 10 13:39:53 ds-103 sshd[12575]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.119.208.220 user=root
更糟糕的是,csf 会在用户尝试进入时自动阻止这些 ip,但尽管它确实将 ip 放入了 csf.deny 文件中,但它们也没有被阻止
因此我尝试使用 /etc/hosts.deny 阻止所有 IP,并使用 /etc/hosts.allow 仅允许我使用的 IP,但到目前为止似乎不起作用。
现在我必须用 iptables 手动阻止每一个,我宁愿它自动阻止黑客,以防我离开电脑或睡着了
答案1
将文件更改为此,现在看来它可以正常工作了。
几个小时后就会知道这是否解决了问题
#
# hosts.deny This file describes the names of the hosts which are
# *not* allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
#
# The portmap line is redundant, but it is left to remind you that
# the new secure portmap uses hosts.deny and hosts.allow. In particular
# you should know that NFS uses portmap!
ALL: ALL
看起来冒号后面需要一个空格。
#
# hosts.allow This file describes the names of the hosts which are
# allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
ALL: xx.xxx.xx.xx , xx.xxx.xxx.xx , xx.xx.xxx.xxx , xx.x.xxx.xxx , xx.xxx.xxx.xxx
答案2
尝试在 /etc/hosts.deny 中明确设置 sshd deamon
sshd: ALL
并在 /etc/hosts.allow
sshd: .example.com xxx.xxx.xxx.xxx
这对于我来说总是有效的。
答案3
您还可以将 AllowUsers 设置为您允许的用户和 IP。
为了让生活更轻松,我还启动了第二个 sshd 进行外部连接,监听不同于 ssh 默认端口 22 的端口。这样,许多尝试甚至都无法到达我的日志。这根本不能提高安全性,一些脚本可能会扫描所有端口并找到真正的端口,但大多数只扫描默认端口 22。这样我的日志文件就不会被这些噪音填满。
我还对 sshd 使用 /etc/hosts.deny 和 /etc/hosts.allow,在这里运行完美。这些文件在您的系统世界中可读吗?