Protecting a Linux server against SSH brute-force attacks with iptables and DenyHosts

  • 2020-05-10 23:18:37
  • OfStack

Use iptables to limit the number of new SSH connections per minute

# allow traffic on the local loopback interface


iptables -A INPUT -i lo -j ACCEPT

Accept all connections that have already been established


iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT

Allow only two new connections to SSH per minute; connections that are already established are not limited. Note that the limit match counts new SSH connections from all source addresses together, so while a brute-force attempt is running it also slows down legitimate logins.


iptables -A INPUT -p tcp --dport 22 -m limit --limit 2/minute --limit-burst 2 -m state --state NEW -j ACCEPT

Set the default INPUT policy to drop everything that no rule above has accepted


iptables -P INPUT DROP

Use DenyHosts to block IP addresses that fail SSH password authentication

Download DenyHosts from http://sourceforge.net/projects/denyhosts/files/

Install DenyHosts


tar -zxvf DenyHosts-2.6.tar.gz
cd DenyHosts-2.6
python setup.py install             # install DenyHosts
cd /usr/share/denyhosts/            # default installation path
cp denyhosts.cfg-dist denyhosts.cfg        # denyhosts.cfg is the configuration file
cp daemon-control-dist daemon-control      # daemon-control is the start-up script
chown root daemon-control           # make root the owner
chmod 700 daemon-control           # make it executable by root only
ln -s /usr/share/denyhosts/daemon-control /etc/init.d  # symlink daemon-control into /etc/init.d for easier management
/etc/init.d/daemon-control start   # start DenyHosts
chkconfig daemon-control on    # start DenyHosts at boot

Configure DenyHosts


vim /usr/share/denyhosts/denyhosts.cfg
HOSTS_DENY = /etc/hosts.deny     # file that controls which hosts may log in
PURGE_DENY = 30m         # remove a banned host from hosts.deny after this long; set here to 30 minutes
BLOCK_SERVICE = sshd       # name of the service to block; DenyHosts is not limited to the SSH service
DENY_THRESHOLD_INVALID = 1    # number of failed logins allowed for invalid (non-existent) users
DENY_THRESHOLD_VALID = 5     # number of failed logins allowed for normal users
DENY_THRESHOLD_ROOT = 5     # number of failed logins allowed for root
DAEMON_LOG = /var/log/denyhosts  # location of the DenyHosts log file (default)

After changing the default configuration of DenyHosts, restart the DenyHosts service for the changes to take effect:


/etc/init.d/daemon-control restart   # restart denyhosts
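To make the three thresholds above concrete, here is an added example (not DenyHosts' own code) that applies them the way the configuration describes: it counts failed SSH logins per source address and per user category in a set of constructed sshd log lines and emits the hosts.deny entries for every address that reaches its threshold. The log patterns are simplified assumptions; DenyHosts recognises many more message variants.

```python
import re
from collections import defaultdict

# Thresholds taken from the denyhosts.cfg shown above.
DENY_THRESHOLD_INVALID = 1
DENY_THRESHOLD_VALID = 5
DENY_THRESHOLD_ROOT = 5

# Simplified OpenSSH auth-log patterns (assumption: real DenyHosts handles more variants).
# The "invalid user" pattern must be tried first, otherwise the generic pattern
# would treat the literal word "invalid" as the user name.
INVALID_RE = re.compile(r"Failed password for invalid user (\S+) from (\S+)")
FAILED_RE = re.compile(r"Failed password for (\S+) from (\S+)")


def classify(line):
    """Return (category, source_ip) for a failed-login line, or None for anything else."""
    m = INVALID_RE.search(line)
    if m:
        return "invalid", m.group(2)
    m = FAILED_RE.search(line)
    if m:
        user, ip = m.groups()
        return ("root" if user == "root" else "valid"), ip
    return None


def hosts_to_deny(lines, service="sshd", thresholds=None):
    """Count failures per (category, ip) and return sorted hosts.deny entries
    ("<service>: <ip>") for every address that reaches its category threshold."""
    thresholds = thresholds or {
        "invalid": DENY_THRESHOLD_INVALID,
        "valid": DENY_THRESHOLD_VALID,
        "root": DENY_THRESHOLD_ROOT,
    }
    counts = defaultdict(int)
    for line in lines:
        hit = classify(line)
        if hit:
            counts[hit] += 1
    denied = {ip for (category, ip), n in counts.items() if n >= thresholds[category]}
    return sorted(f"{service}: {ip}" for ip in denied)


# Constructed sample log lines (not from a real system); addresses are documentation ranges.
SAMPLE_LOG = [
    "May 10 23:10:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2",
    "May 10 23:10:05 host sshd[1202]: Failed password for root from 198.51.100.9 port 51235 ssh2",
    "May 10 23:10:09 host sshd[1203]: Failed password for root from 198.51.100.9 port 51236 ssh2",
    "May 10 23:10:12 host sshd[1204]: Failed password for alice from 192.0.2.44 port 51237 ssh2",
    "May 10 23:10:15 host sshd[1205]: Accepted password for alice from 192.0.2.44 port 51238 ssh2",
]
```

With the thresholds above, only the address that tried a non-existent user is denied after a single failure; the root and alice failures stay below their threshold of 5.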

From: http://www.zhengdazhi.com/?p=563
