DenyHosts通常用来抵御针对ssh的字典(暴力破解)攻击。
Denyhosts是采用python写的,需要python环境(现在linux都有python环境)
Denyhosts通过分析/var/log/secure日志文件中的登录失败记录,结合设置的策略,采取对应的防护措施(比如:检测到同一IP在一分钟之内尝试错误连接100次,很明显就应该拒绝该IP继续进行ssh连接;拒绝的方式是将其写入/etc/hosts.deny配置文件中)
安装:
# epel源中
# yum install denyhosts -y
# rpm -ql denyhosts
# /etc/denyhosts.conf //规则配置文件
# /etc/rc.d/init.d/denyhosts //服务脚本
# /var/log/denyhosts //日志文件
# /var/lib/denyhosts //denyhost 工作目录
# denyhosts数据文件,从文件名大致可以看出各自的用途
# /var/lib/denyhosts/allowed-hosts
# /var/lib/denyhosts/allowed-warned-hosts
# /var/lib/denyhosts/hosts
# /var/lib/denyhosts/hosts-restricted
# /var/lib/denyhosts/hosts-root
# /var/lib/denyhosts/hosts-valid
# /var/lib/denyhosts/offset
# /var/lib/denyhosts/suspicious-logins
# /var/lib/denyhosts/sync-hosts
# /var/lib/denyhosts/users-hosts
# /var/lib/denyhosts/users-invalid
# /var/lib/denyhosts/users-valid
配置
# grep -Ev '^#|^$' /etc/denyhosts.conf
############ THESE SETTINGS ARE REQUIRED ############
SECURE_LOG = /var/log/secure
HOSTS_DENY = /etc/hosts.deny
PURGE_DENY = 4w // ip被禁止之后,多久可以释放(w表示周,d表示天,h表示小时,m表示分钟)
BLOCK_SERVICE = sshd // 检测的服务
DENY_THRESHOLD_INVALID = 5 // 无效用户登录失败达到该次数后即被锁定
DENY_THRESHOLD_VALID = 10 // 有效普通用户尝试次数
DENY_THRESHOLD_ROOT = 1 // root用户尝试次数
DENY_THRESHOLD_RESTRICTED = 1 // 设定denyhosts将数据写入到/etc/hosts.deny文件中
WORK_DIR = /var/lib/denyhosts //denyhosts工作数据目录
SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES
HOSTNAME_LOOKUP=YES // 是否对被记录的IP做域名解析
LOCK_FILE = /var/lock/subsys/denyhosts
############ THESE SETTINGS ARE OPTIONAL ############
ADMIN_EMAIL = root
SMTP_HOST = localhost
SMTP_PORT = 25
SMTP_FROM = DenyHosts <nobody@localhost>
SMTP_SUBJECT = DenyHosts Report from $[HOSTNAME]
AGE_RESET_VALID=5d //普通有效用户登陆计数清零时间
AGE_RESET_ROOT=25d //root用户登陆计数清零时间
AGE_RESET_RESTRICTED=25d // /etc/hosts.deny文件清除数据时间
AGE_RESET_INVALID=10d
######### THESE SETTINGS ARE SPECIFIC TO DAEMON MODE ##########
DAEMON_LOG = /var/log/denyhosts
DAEMON_SLEEP = 30s
DAEMON_PURGE = 1h
######### THESE SETTINGS ARE SPECIFIC TO ##########
######### DAEMON SYNCHRONIZATION ##########
启动服务
# service denyhosts start
# chkconfig denyhosts on
测试
开启两个ssh会话,一个用来测试,另一个保留着用于稍后解除限制(避免测试时把自己锁在外面)
多次使用无效用户名尝试登录,被检测到之后就不会再进入输入密码的界面;此时检查数据
# cat /etc/hosts.deny
# DenyHosts: Wed Feb 22 16:15:51 2017 | sshd: 113.102.163.146
sshd: 113.102.163.146
# cat /var/lib/denyhosts/* | grep 113.102.163.146
# 113.102.163.146:7:Wed Feb 22 16:15:51 2017
# 113.102.163.146:0:Wed Feb 22 16:13:51 2017
# 113.102.163.146:0:Wed Feb 22 16:13:51 2017
# 113.102.163.146:0:Wed Feb 22 16:13:51 2017
denyhosts恢复
清除文件中对应该IP的数据,并重启rsyslog服务以重置计数器
# sed -i '/113.102.163.146/d' /etc/hosts.deny
# sed -i '/113.102.163.146/d' /var/lib/denyhosts/*
# service rsyslog restart