Earlier I showed how to use SSHGuard to block the IPs of hosts that keep trying to get into the site. Its default block times, however, are really rather short (420 seconds and 1200 seconds). They can be set with command-line options when starting it, but I find that too much trouble, so I'd rather change the source code directly.
The changes actually have to be made before installing. Go into the SSHGuard port and fetch and build the files first (if it is already installed, uninstall it first):
# cd /usr/ports/security/sshguard
# make
Then edit the source:
# ee work/sshguard-1.3/src/sshguard.h
The values at the end of each #define line are the defaults (they were marked in red in the original post); change them to whatever you want:
/* default: minimum seconds after which unblocking a blocked IP. Max is (min*3/2) */
#define DEFAULT_PARDON_THRESHOLD (7 * 60)
/* default number of hits after which blocking an IP (inclusive) */
#define DEFAULT_ABUSE_THRESHOLD 4
/* default seconds after which forgiving a cracker candidate */
#define DEFAULT_STALE_THRESHOLD (20 * 60)
Then run configure, choosing the firewall you want it to work with, and install:
# work/sshguard-1.3/configure --with-firewall=pf
  (this selects pf; the other choices for --with-firewall are ipfw, iptables, ipfilter, hosts and aix)
# make install
# ee /etc/syslog.conf
  (edit the config file so the log records are fed to SSHGuard)
# /etc/rc.d/syslog restart
  (restart syslog)
That's all there is to it.
You can run it from the command line to check that it worked:
Usage: sshguard [-a num] [-p sec] [-w <whlst>]{0,n} [-s sec] [-l c] [-f srv:pidfile]{0,n}
    -a  Number of hits after which blocking an address (2)
    -p  Seconds after which unblocking a blocked address (420)
    -w  Whitelisting of addr/host/block, or take from file if starts with "/" or "." (repeatable)
    -s  Seconds after which forgetting about a cracker candidate (1200)
    -f  "authenticate" service's logs through its process pid, as in pidfile
    -d  Run in debug mode, log everything to standard error (not syslog)
Basically none of the settings should need changing. The one catch is that when SSHGuard is uninstalled at the start, syslog.conf gets the line "auth.info;authpriv.info |exec /usr/local/sbin/sshguard" automatically commented out for you, so after installing you still need to edit syslog.conf and then restart syslog.
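To make the two manual steps above repeatable (editing the three defaults in sshguard.h, and checking that syslog.conf still pipes auth logs to sshguard after the uninstall has commented the line out), here is an added example in sh. It is not code from the post or from the SSHGuard project, and the new threshold values it writes are illustrations, not recommendations. It works on a constructed copy of the header excerpt and of syslog.conf in a temporary directory, so it can be tried without touching the real ports tree; point the functions at work/sshguard-1.3/src/sshguard.h and /etc/syslog.conf to use them for real.

```sh
#!/bin/sh
# Added example (not from the original post or SSHGuard): rewrite the three
# SSHGuard 1.3 defaults in sshguard.h, read them back as seconds, and check
# that syslog.conf has an uncommented line feeding sshguard.
set -eu

# Replace the value of one "#define NAME value" line.  awk is used instead of
# sed -i because the -i flag differs between FreeBSD and GNU sed.
set_threshold() {   # set_threshold FILE NAME VALUE
    tmp="$1.tmp"
    awk -v name="$2" -v val="$3" '
        $1 == "#define" && $2 == name { print "#define " name " " val; next }
        { print }' "$1" > "$tmp" && mv "$tmp" "$1"
}

# Print the raw value text of a #define, e.g. "(7 * 60)".
get_threshold() {   # get_threshold FILE NAME
    awk -v name="$2" '
        $1 == "#define" && $2 == name {
            sub(/^#define[[:space:]]+[^[:space:]]+[[:space:]]+/, ""); print; exit }' "$1"
}

# Evaluate the define as shell arithmetic so "(7 * 60)" becomes 420.
threshold_seconds() {   # threshold_seconds FILE NAME
    echo $(( $(get_threshold "$1" "$2") ))
}

# Longest block time implied by the header comment "Max is (min*3/2)".
max_block_seconds() {   # max_block_seconds FILE
    echo $(( $(threshold_seconds "$1" DEFAULT_PARDON_THRESHOLD) * 3 / 2 ))
}

# Succeed only if syslog.conf has an uncommented line piping to sshguard.
syslog_feeds_sshguard() {   # syslog_feeds_sshguard SYSLOG_CONF
    grep -q '^[[:space:]]*[^#[:space:]].*|exec /usr/local/sbin/sshguard' "$1"
}

# --- demo on constructed files ---------------------------------------------
work=$(mktemp -d)
hdr="$work/sshguard.h"
conf="$work/syslog.conf"

# Constructed excerpt: the three defines exactly as the post shows them.
cat > "$hdr" <<'EOF'
/* default: minimum seconds after which unblocking a blocked IP. Max is (min*3/2) */
#define DEFAULT_PARDON_THRESHOLD (7 * 60)
/* default number of hits after which blocking an IP (inclusive) */
#define DEFAULT_ABUSE_THRESHOLD 4
/* default seconds after which forgiving a cracker candidate */
#define DEFAULT_STALE_THRESHOLD (20 * 60)
EOF

# Constructed syslog.conf with the feed line commented out, which is the
# state the post says an uninstall leaves behind.
printf '#auth.info;authpriv.info\t|exec /usr/local/sbin/sshguard\n' > "$conf"

echo "before: pardon=$(threshold_seconds "$hdr" DEFAULT_PARDON_THRESHOLD)s" \
     "abuse=$(threshold_seconds "$hdr" DEFAULT_ABUSE_THRESHOLD) hits" \
     "stale=$(threshold_seconds "$hdr" DEFAULT_STALE_THRESHOLD)s"

set_threshold "$hdr" DEFAULT_PARDON_THRESHOLD '(30 * 60)'   # illustrative: 30 min
set_threshold "$hdr" DEFAULT_ABUSE_THRESHOLD  3              # illustrative: 3 hits
set_threshold "$hdr" DEFAULT_STALE_THRESHOLD  '(60 * 60)'   # illustrative: 1 h

echo "after:  pardon=$(threshold_seconds "$hdr" DEFAULT_PARDON_THRESHOLD)s" \
     "(max $(max_block_seconds "$hdr")s)" \
     "abuse=$(threshold_seconds "$hdr" DEFAULT_ABUSE_THRESHOLD) hits" \
     "stale=$(threshold_seconds "$hdr" DEFAULT_STALE_THRESHOLD)s"

if syslog_feeds_sshguard "$conf"; then
    echo "syslog.conf feeds sshguard"
else
    echo "syslog.conf does NOT feed sshguard: uncomment the line and restart syslog"
fi
rm -rf "$work"
```

Running the demo prints the defaults (420 s, 4 hits, 1200 s), the rewritten values with the 3/2 maximum block time, and a warning because the constructed syslog.conf still has the feed line commented out. Run the same check against /etc/syslog.conf after "make install" to catch the case described above before restarting syslog.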