optics.csufresno.edu

F14 Security BlockHosts

Department of Electrical and Computer Engineering
Associate Professor Gregory R. Kriehn
NOTE:
BlockHosts has not seen active development in several years. Although I am maintaining this web page for now, I consider the use of BlockHosts to be deprecated, and strongly suggest the use of Fail2Ban, instead.

blockhosts is a nifty little program that allows for automatic blocking of abusive ssh hosts. It works by counting failed login attempts against sshd or proftpd, and when a particular IP address exceeds a configured number of failed attempts, the IP address is added to /etc/hosts.allow with a deny rule that shuts out any further access. Since my server typically gets attacked several times a day (or more, if it's a weekend), I find blockhosts a very easy way of shutting out the script kiddies and stopping more serious crack attempts. It has the added advantage of freeing up bandwidth that would otherwise be used by an attacker who is hammering the system with a quick succession of 200+ login attempts.

blockhosts is not available through yum, so surf over to their website at:

http://www.aczoom.com/cms/blockhosts

Click on the download link, and download the BlockHosts-2.4.0-1.noarch.rpm file. Next, install it using rpm:
~> sudo rpm -vhi ~/Download/BlockHosts-2.4.0-1.noarch.rpm
Hit enter and you should see blockhosts successfully install:
Preparing...                ########################################### [100%]
   1:BlockHosts             ########################################### [100%]
~>
The configuration file is /etc/blockhosts.cfg. Use sudo to edit the file, and make sure that the following options are set:
[constants]

HOSTS_BLOCKFILE = "/etc/hosts.allow"
HOST_BLOCKLINE = ["ALL: ", " : deny"]
VERBOSE = Log.MESSAGE_LEVEL_WARNING #-> warning  (default)
COUNT_THRESHOLD = 4
AGE_THRESHOLD = 720
LOGFILES = [ "/var/log/secure", ] # default
LOCKFILE = "/tmp/blockhosts.lock"
These configuration options set things like the file being used to keep track of abusive hosts (/etc/hosts.allow), the log file it is checking to look for the abuse (/var/log/secure), the number of failed login attempts (4) before the abusive host is completely locked out of every service (ALL) for a month (AGE_THRESHOLD = 720, measured in hours), and the lockfile location (/tmp/blockhosts.lock). I personally like to give people 3 attempts to login before locking them out on the 4th attempt, and will do so for a month at a time. The numbers can be easily changed to your taste; just read through the configuration file, as it is nicely documented.

Once the configuration options are set, verify that the lines after (and including) "ALL_REGEXS_STR = {" are uncommented (check to make sure the leading "#" character is absent). Do this for every line until reaching the closing brace "}". These provide the rules (regular expressions) that blockhosts uses when checking the logfiles for failed logins to various services such as ssh, ftp, etc. Additional rules can be set up for other services, but you will have to look elsewhere for that information. Save and exit.

Next edit your /etc/hosts.allow file to set up blockhosts to do the following:

    1.  Add a permanent whitelist and blacklist of IP addresses to the system;
    2.  Provide blockhosts marker lines to keep track of the number and IP addresses of abusive logins;
    3.  Set up a command to execute blockhosts.py (a python script) to examine every new login attempt.

This information is found in the INSTALL file on the blockhosts website:

http://www.aczoom.com/tools/blockhosts/INSTALL

To summarize here, add the following information to your /etc/hosts.allow file. Note that the comment lines interleaved within the spawn rule below are there to explain the individual options; when you paste the rule into your own file, keep its backslash-continued option lines contiguous, since a comment line in the middle ends the continuation and the remaining options are then read as a separate (broken) rule:

# ----
# see "man 5 hosts_access" for details of the format of IP addresses,
# services, allow/deny options. Also see "man hosts_options"
# order of lines in this file is important, first matched IP address line
# is rule applied by hosts_access
#
# the following lines show how to use hosts.allow syntax to create
# whitelists and blacklists - this works if invoking blockhosts.py from
# hosts.allow file. If using cron to run blockhosts, look into
# using the blockhosts.cfg for specifying whitelists and blacklists.

# permanent whitelist addresses - these should always be ALLOWED access - edit
# as needed, following is example to show syntax only.
ALL: 127.0.0.1 : allow
ALL: 192.168.0. : allow
# permanent blacklist addresses - these should always be DENIED access - edit
# as needed, following is example to show syntax only.

ALL: 10. : deny
ALL: 192. : deny
ALL: 172. : deny

# ----------------------------------------
# next section is the blockhosts section - it will add/delete entries in
# between the two marker lines (#---- BlockHosts Additions)

#---- BlockHosts Additions
#---- BlockHosts Additions

# ----------------------------------------
# finally, the command to execute the blockhosts script, based on
# connection to particular service or services, for example, for
# sshd, proftpd, etc - if using pure-ftpd, etc, be sure to use those
# words instead - this is spread over multiple lines, so has \ at end of
# line to signal continuation:

sshd, proftpd, vsftpd: ALL: spawn /usr/bin/blockhosts.py \
--echo "%c-%s" --ipblock=iptables \
--whitelist="10\..*,127.0.0.1" --blacklist="192.168.1.1,192.168.1.2" \
#---
# for more help on all the options, run:
# blockhosts.py --help
#---
# use --ipblock="ip route" to enable null-routing,
# or use --ipblock=iptables to enable packet filtering,
# either of which blocks all network communication from blocked hosts
#---
# add for email notification - email sent on newly blocked address,
# expired blocking, or errors/warnings. Optionally add --verbose for
# more info.
--mail --verbose
#---
# add for extra logging to blockhosts.log, if needed for debugging:
--verbose >> /var/log/blockhosts/blockhosts.log 2>&1 &
# or
# --debug >> /var/log/blockhosts.log 2>&1 &
# without this, it will still log to syslog (errors/warnings/notices),
# so logging to another file is not usually necessary.
#---
# above commands will use default config file - /etc/blockhosts.cfg, edit
# it as needed to specify local configuration options

# See "man hosts.allow" for info on %c and %s identifiers

# for non-verbose, with identification, to syslog only (/var/log/messages),
# triggered on any service (using ALL as first word):
#ALL: ALL: spawn /usr/bin/blockhosts.py --echo "%c-%s" & : allow
#----
# To test hosts.allow, and to find out exact names of SSH/FTP services,
# add this line to the beginning of hosts.allow, use ssh/ftp to connect
# to your server, and then look at the log (/var/log/messages or
# blockhosts.log) to see the name of the invoked service.
# IMPORTANT: after your test is done, remove this line from hosts.allow!
# Otherwise everyone will always have access.
#ALL : ALL: spawn (/usr/bin/blockhosts.py --verbose --echo "%c-%s" >> /var/log/blockhosts/blockhosts.log 2>&1 )& : allow

# -------------------------------------------------------------------------
Please note that I have changed the default log location from /var/log/blockhosts.log to /var/log/blockhosts/blockhosts.log. As a result, let's set up the log directory now:
~> sudo mkdir /var/log/blockhosts
Next, edit the /etc/logrotate.d/blockhosts file with the following information to set up log rotation:
/var/log/blockhosts/blockhosts.log {
        notifempty
        missingok
        monthly
        rotate 4
        create
}
Save and exit. blockhosts is now set up. To check it, log in to another computer, and attempt to log back into the Linux computer containing blockhosts. Type in an incorrect login name and/or password. Then check the /etc/hosts.allow file, and you should see a line that looks similar to:
#bh: ip:    58.20.241.12 :   1 : 2006-10-03-05-42
It will be found between the two "#---- BlockHosts Additions" lines.  blockhosts is now keeping track of this IP address, and if 2 more failed login attempts occur, a new line will appear that says:
ALL:    58.20.241.12 : deny
The IP address 58.20.241.12 is now denied access to all services on your computer for the next month (including additional login attempts). This provides a very nice way of hardening your system against attempted break-ins and abusive login attempts with little impact on your system resources.
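To make the bookkeeping described above concrete (the COUNT_THRESHOLD and AGE_THRESHOLD settings, the "#bh: ip:" tracking lines and the deny lines that appear between the two marker lines), here is an added example that models what blockhosts.py does. It is not BlockHosts' own code and not part of the original page: the log lines and hosts.allow contents are constructed, the log timestamps are ignored in favour of a fixed "current time", and each run is assumed to be fed only the log lines written since the previous run (the real tool tracks its position in the log and takes its whitelist as regular expressions rather than prefixes). 58.20.241.12 is the page's own example address; the other addresses are from documentation ranges.

```python
"""Added example (not from BlockHosts or the original page): a small model of
the hosts.allow bookkeeping blockhosts.py performs, using the configuration
values shown earlier on this page.  All sample data is constructed."""
import re
from datetime import datetime, timedelta

COUNT_THRESHOLD = 4        # failed attempts before an IP gets a deny line
AGE_THRESHOLD = 720        # hours an entry is kept; 720 h = 30 days (assumed unit)
MARKER = "#---- BlockHosts Additions"
HOST_BLOCKLINE = ("ALL: ", " : deny")
WHITELIST = ("127.0.0.1", "192.168.0.")   # hosts.allow-style prefixes, never counted
NOW = datetime(2006, 10, 3, 5, 45)       # fixed "current time" so the run is reproducible

# Constructed lines in the style sshd writes to /var/log/secure.
SAMPLE_SECURE_LOG = """\
Oct  3 05:42:01 server sshd[2011]: Failed password for invalid user admin from 58.20.241.12 port 42312 ssh2
Oct  3 05:42:04 server sshd[2013]: Failed password for root from 58.20.241.12 port 42318 ssh2
Oct  3 05:42:09 server sshd[2015]: Failed password for invalid user test from 58.20.241.12 port 42330 ssh2
Oct  3 05:43:11 server sshd[2020]: Accepted publickey for alice from 192.168.0.5 port 51022 ssh2
Oct  3 05:43:40 server sshd[2025]: Failed password for invalid user guest from 192.168.0.5 port 51030 ssh2
Oct  3 05:44:30 server sshd[2031]: Failed password for invalid user oracle from 203.0.113.9 port 33001 ssh2
"""

# Constructed /etc/hosts.allow: one IP already tracked once, one entry well past its age.
SAMPLE_HOSTS_ALLOW = """\
ALL: 127.0.0.1 : allow
ALL: 192.168.0. : allow

#---- BlockHosts Additions
#bh: ip:    58.20.241.12 :   1 : 2006-10-03-05-42
#bh: ip:    198.51.100.7 :   4 : 2006-08-01-12-00
ALL:    198.51.100.7 : deny
#---- BlockHosts Additions

sshd, proftpd, vsftpd: ALL: spawn /usr/bin/blockhosts.py --echo "%c-%s" &
"""

FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\d+\.\d+\.\d+\.\d+) port")
BH_RE = re.compile(r"^#bh: ip:\s+(\S+) :\s+(\d+) : (\d{4}-\d{2}-\d{2}-\d{2}-\d{2})$")
DENY_RE = re.compile(r"^ALL:\s+(\S+) : deny$")
STAMP = "%Y-%m-%d-%H-%M"   # timestamp format used on the #bh: lines


def count_failures(log_text):
    """Count failed sshd logins per source IP; successful logins are ignored."""
    counts = {}
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return counts


def parse_tracked(hosts_allow_text):
    """Split hosts.allow at the two marker lines; return (before, tracked, after)
    where tracked maps ip -> (count, last_seen) read from the #bh: lines."""
    lines = hosts_allow_text.splitlines()
    idx = [i for i, l in enumerate(lines) if l.strip() == MARKER]
    if len(idx) != 2:
        raise ValueError("hosts.allow must contain exactly two marker lines")
    before, inside, after = lines[:idx[0]], lines[idx[0] + 1:idx[1]], lines[idx[1] + 1:]
    tracked = {}
    for l in inside:
        m = BH_RE.match(l)
        if m:
            tracked[m.group(1)] = (int(m.group(2)), datetime.strptime(m.group(3), STAMP))
    return before, tracked, after


def update(hosts_allow_text, log_text, now, whitelist=()):
    """Merge new failures into the tracked counts, drop entries older than
    AGE_THRESHOLD hours, and rebuild the block between the marker lines."""
    before, tracked, after = parse_tracked(hosts_allow_text)
    for ip, n in count_failures(log_text).items():
        if any(ip.startswith(w) for w in whitelist):
            continue                          # whitelisted hosts are never tracked
        tracked[ip] = (tracked.get(ip, (0, now))[0] + n, now)
    cutoff = now - timedelta(hours=AGE_THRESHOLD)
    tracked = {ip: v for ip, v in tracked.items() if v[1] >= cutoff}   # expiry
    block = [MARKER]
    for ip in sorted(tracked):
        count, seen = tracked[ip]
        block.append(f"#bh: ip: {ip:>15} : {count:>3} : {seen.strftime(STAMP)}")
        if count >= COUNT_THRESHOLD:          # threshold reached: add the deny rule
            block.append(f"{HOST_BLOCKLINE[0]}{ip:>15}{HOST_BLOCKLINE[1]}")
    block.append(MARKER)
    return "\n".join(before + block + after) + "\n"


def denied_ips(hosts_allow_text):
    """IPs that currently carry a blockhosts deny line."""
    return sorted(m.group(1) for m in map(DENY_RE.match, hosts_allow_text.splitlines()) if m)


def run_example():
    return update(SAMPLE_HOSTS_ALLOW, SAMPLE_SECURE_LOG, NOW, WHITELIST)


if __name__ == "__main__":
    print(run_example())
```

Running it shows the three new failures from 58.20.241.12 pushing its count from 1 to 4, so it gains a deny line, while 203.0.113.9 is only recorded, the failure from the whitelisted 192.168.0.5 is ignored, and the stale 198.51.100.7 entry (and its deny line) is expired because its last sighting is older than 720 hours. The same split-at-markers logic is also a handy check to run by hand on a real /etc/hosts.allow if you want to confirm which hosts are currently being held out.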