ubuntu 取消 DenyHosts 限制的IP

DenyHosts 把我自己的固定ip限制了,从另外ip登录后,修改/etc/hosts.deny可以暂时生效,几分钟后/etc/hosts.deny中又生出了限制记录…..闷…….

根据网上方法,使用以下命令,把很多文件改名后重启denyhosts,测试…….依然不行…

命令

/etc/init.d/denyhosts stop
mv /var/log/secure /var/log/secure.20121127
mv /etc/hosts.deny /etc/hosts.deny.20121127
mv /usr/share/denyhosts/data/hosts /usr/share/denyhosts/data/hosts.20121127
mv /usr/share/denyhosts/data/hosts-restricted /usr/share/denyhosts/data/hosts-restricted.20121127
mv /usr/share/denyhosts/data/hosts-root /usr/share/denyhosts/data/hosts-root.20121127
mv /usr/share/denyhosts/data/hosts-valid /usr/share/denyhosts/data/hosts-valid.20121127
mv /usr/share/denyhosts/data/offset /usr/share/denyhosts/data/offset.20121127
mv /usr/share/denyhosts/data/suspicious-logins /usr/share/denyhosts/data/suspicious-logins.20121127
mv /usr/share/denyhosts/data/users-hosts /usr/share/denyhosts/data/users-hosts.20121127
mv /usr/share/denyhosts/data/users-invalid /usr/share/denyhosts/data/users-invalid.20121127
mv /usr/share/denyhosts/data/users-valid /usr/share/denyhosts/data/users-valid.20121127

cat /dev/null > /var/log/secure
cat /dev/null > /etc/hosts.deny
cat /dev/null > /usr/share/denyhosts/data/hosts
cat /dev/null > /usr/share/denyhosts/data/hosts-restricted
cat /dev/null > /usr/share/denyhosts/data/hosts-root
cat /dev/null > /usr/share/denyhosts/data/hosts-valid
cat /dev/null > /usr/share/denyhosts/data/offset
cat /dev/null > /usr/share/denyhosts/data/suspicious-logins
cat /dev/null > /usr/share/denyhosts/data/users-hosts
cat /dev/null > /usr/share/denyhosts/data/users-invalid
cat /dev/null > /usr/share/denyhosts/data/users-valid

/etc/init.d/denyhosts start

 

以上办法都无效….

最后解决问题的是:
1:创建一个脚本文件:

nano ~/denyhosts_unban.sh

2:写入脚本:

# All the files that contain the blocked IP address and hostname
DENYHOSTS_FILES=(\
'/etc/hosts.deny' \
"{DENYHOSTS_WORK_DIR}/hosts" \
"{DENYHOSTS_WORK_DIR}/hosts-restricted" \
"{DENYHOSTS_WORK_DIR}/hosts-root" \
"{DENYHOSTS_WORK_DIR}/hosts-valid" \
"{DENYHOSTS_WORK_DIR}/users-hosts" \
)
# The file containing the IP addresses and hostnames that can't be blocked
DENYHOSTS_ALLOWED_FILE="{DENYHOSTS_WORK_DIR}/allowed-hosts"
# The command needed to start denyhosts after the IP and/or hostname is unbanned
START_COMMAND='/etc/init.d/denyhosts start'
# The command needed to stop denyhosts before the IP and/or hostname is unbanned
STOP_COMMAND='/etc/init.d/denyhosts stop'

#############################################
# ACTUAL SCRIPT do not edit below this line #
#############################################
# set some default values to a few vars used in the script
# Don't remove an IP address (N=remove, Y=don't remove)
NO_IP='N'
# Don't remove an hostname (N=remove, Y=don't remove)
NO_HOST='N'
# Add the IP address and/or hostname to the allowed list
ADD_ALLOW='N'
# The IP address that has to be removed
IP=''
# The hostname that has to be removed
HOST=''

function show_help()
{
echo 0
echo "a small script to unblock an IP address and/or hostname from denyhosts.
-h | --host | --hostname : Specify the hostname to unblock (required, unless -nh is added).
-i | --ip | --ipaddress : Specify the IP address to unblock (required, unless -ni is added).
-nh | --no-host | --no-hostname : Don't require a hostname to start unblocking things.
-ni | --no-ip | --no-ipaddress : Don't require an IP address to start unblocking things.
-a | --add | --add-allow : Add the specified IP address and/or hostname to the unblock file, thus preventing that the specified IP address and/or hostname get blocked again.
-H | --help : show this help."
}

# Handle the commandline options
while [ -n "(echo 1 | grep -- '-')" -a# -gt 0 ]; do
case 1 in
-h | --host | --hostname) HOST=2; shift 2;;
-i | --ip | --ipaddress) IP=2; shift 2;;
-nh | --no-host | --no-hostname) NO_HOST='Y'; shift;;
-ni | --no-ip | --no-ipaddress) NO_IP='Y'; shift;;
-a | --add | --add-allow) ADD_ALLOW='Y'; shift;;
*)
echo "Unknown argument1" 1>&2
echo ''
show_help 0
exit 1
;;
esac
done

# Checks to see if the required IP address and/or hostname are given
if [ "{NO_IP}" == 'N' -a "{IP}" == '' ]; then
echo 'No IP address given, exiting now' 1>&2
exit 1
fi
if [ "{NO_HOST}" == 'N' -a "{HOST}" == '' ]; then
echo 'No hostname given, exiting now' 1>&2
exit 2
fi

# Show warnings if removing of an IP address and/or hostname is disabled
if [ "{NO_IP}" == 'Y' ]; then
echo 'WARNING: You disabled removing an IP address. Most bans consist of both an IP address and a hostname. Please double check if you want this. Continuing now.' 1>&2
fi
if [ "{NO_HOST}" == 'Y' ]; then
echo 'WARNING: You disabled removing a hostname. Most bans consist of both an IP address and a hostname. Please double check if you want this. Continuing now.' 1>&2
fi

# Stopping denyhosts{STOP_COMMAND}

# Loop through all the denyhost files, to remove the IP address and/or hostname
for FILE in {DENYHOSTS_FILES[@]}; do
# Check to see if the current denyhosts file exists, is a normal file, is
# readable and is writable
if [ -f "{FILE}" -a -r "{FILE}" -a -w "{FILE}" ] ; then
# Check to see if there is an IP address to remove
if [ "{NO_IP}" = 'N' ] ; then
# Check that the IP address exists in the current denyhosts file
if grep -q "{IP}" "{FILE}" ; then
# Remove the IP address from the current denyhosts file
sed -i "/{IP}/d" "{FILE}"
echo "Removed ip address{IP} from {FILE}"
else
# The IP address doesn't exists in the current denyhosts file,
# notify user
echo "The ip address{IP} wasn't in {FILE}"
fi
fi

# Check to see if there is a hostname to remove
if [ "{NO_HOST}" = 'N' ] ; then
# Check that the hostname exists in the current denyhosts file
if grep -q "{HOST}" "{FILE}" ; then
# Remove the hostname from the current denyhosts file
sed -i "/{HOST}/d" "{FILE}"
echo "Removed hostname {HOST} from{FILE}"
else
# The hostname doesn't exists in the current denyhosts file,
# notify user
echo "The hostname {HOST} wasn't in{FILE}"
fi
fi
fi
done

# Check to see if the IP address and/or hostname needs to be added to the
# allowed-hosts file
if [ {ADD_ALLOW} = 'Y' ] ; then
# Check to see if there is an IP address to add
if [ "{NO_IP}" = 'N' ] ; then
echo "{IP}" >> "{DENYHOSTS_ALLOWED_FILE}"
fi

# Check to see if there is a hostname to add
if [ "{NO_HOST}" = 'Y' ] ; then
echo "{HOST}" >> "{DENYHOSTS_ALLOWED_FILE}"
fi
fi

# Start denyhosts again{START_COMMAND}

3:赋予脚本运行权限:

chmod 700 ~/denyhosts_unban.sh

4:执行脚本:

denyhosts_unban.sh --ipaddress (IP_ADDRESS) -nh

测试OK!!!!
这个脚本的作者是:Guido Kroon,感谢他!

2022/01/28 更新:

1: ${DENYHOSTS_WORK_DIR} 更新为 var/lib/denyhosts/

2: 需手工删除iptables的drop项