optics.csufresno.edu


Department of Electrical and Computer Engineering
Assistant Professor Gregory R. Kriehn
FC5 blockhosts
blockhosts is a nifty little program that automatically blocks abusive ssh (and ftp) hosts. It watches the system log for failed logins against sshd or proftpd, counts them per source IP address, and when an address exceeds a configured number of failed attempts it adds a deny entry for that address to /etc/hosts.allow, so that TCP wrappers refuse any further connections from it. Since my server typically gets attacked several times a day (or more, if it's a weekend), I find blockhosts a very easy way of shutting out the script kiddies and stopping more serious crack attempts. It has the added advantage of freeing up bandwidth and sshd cycles that would otherwise be spent on an attacker hammering the system with a quick succession of 200+ login attempts.

blockhosts is not available through yum, so surf over to their website at:

http://www.aczoom.com/cms/blockhosts

Click on the download link, and download the BlockHosts-1.0.4-1.noarch.rpm file. Next, install it using rpm:
~> sudo rpm -vhi BlockHosts-1.0.4-1.noarch.rpm
Hit enter and you should see blockhosts successfully install:
Preparing...                ########################################### [100%]
   1:BlockHosts             ########################################### [100%]
~>
The configuration file is /etc/blockhosts.cfg. Use sudo to edit the file, and make sure that the following options are set:
[constants]

HOSTS_BLOCKFILE = "/etc/hosts.allow"
LOGFILES = [ "/var/log/secure", ]
COUNT_THRESHOLD = 4
BLOCK_SERVICES = "ALL"
AGE_THRESHOLD = 720
LOCKFILE = "/tmp/blockhosts.lock"
These options set the file used to record abusive hosts (/etc/hosts.allow), the log file scanned for failed logins (/var/log/secure), the number of failed login attempts (4) after which the abusive host is locked out of every TCP-wrapped service (ALL), how long the block lasts in hours (720, i.e. 30 days), and the lock file location (/tmp/blockhosts.lock). I personally like to give people 3 attempts to login before locking them out on the 4th attempt, and will do so for a month at a time. The numbers can be easily changed to your taste; just read through the configuration file, as it is nicely documented. Note that /tmp is world-writable, so on a multi-user machine a lock file under /var/lock or /var/run is the safer choice.

Once the configuration options are set, uncomment all lines after (and including) "ALL_REGEXS = {" by removing the leading "#" character, continuing through the closing brace "}" (uncomment that line as well). These regular expressions are the rules blockhosts uses when scanning the log files for failed logins to the various services such as ssh and ftp. Additional rules can be set up for other services, but you will have to look elsewhere for that information. Save and exit.

Next edit your /etc/hosts.allow file so that blockhosts can do the following:

    1.  Add a permanent whitelist and blacklist of IP addresses to the system;
    2.  Provide blockhosts marker lines between which it records the number of failed logins per IP address and the resulting deny rules;
    3.  Set up a spawn command that runs blockhosts.py (a python script) on every new connection, so the log is examined after each login attempt.

This information is found in the INSTALL file on the blockhosts website:

http://www.aczoom.com/tools/blockhosts/INSTALL

To summarize here, add the following information to your /etc/hosts.allow file:

# ----
# see "man 5 hosts_access" for details of the format of IP addresses,
#services, allow/deny options. Also see "man hosts_options"
#order of lines in this file is important, first matched IP address line
#is rule applied by hosts_access
#
# permanent whitelist addresses - these should always be allowed access

ALL: 127.0.0.1  : allow
ALL: 192.168.0. : allow

# permanent blacklist addresses - these should always be denied access

ALL: 10.  : deny
ALL: 192. : deny
ALL: 172. : deny

# ----------------------------------------
# next section is the blockhosts section - it will add/delete entries in
# between the two marker lines (#---- BlockHosts Additions)

#---- BlockHosts Additions
#---- BlockHosts Additions

# ----------------------------------------
# finally, the command to execute the blockhosts script, based on
# connection to particular service or services, for example, for
# sshd and proftpd - if using vsftpd, pure-ftpd, be sure to use those
# words instead:

sshd, proftpd, in.proftpd: ALL: spawn (/usr/bin/blockhosts.py --verbose --echo "%c-%s" >> /var/log/blockhosts/blockhosts.log 2>&1 )& : allow

# --
# See "man hosts.allow" for info on %c and %s identifiers
#----
# for non-verbose, with identification, to syslog only:
#sshd, proftpd, in.proftpd: ALL: spawn /usr/bin/blockhosts.py --echo "%c-%s" & : allow
#----
# minimal logging, to syslog:
#sshd, proftpd, in.proftpd: ALL: spawn /usr/bin/blockhosts.py & : allow
#----
# To test hosts.allow, and to find out exact names of SSH/FTP services,
# add this line to the beginning of hosts.allow, use ssh/ftp to connect
# to your server, and then look at the log (/var/log/messages or
# blockhosts.log) to see the name of the invoked service.
# IMPORTANT: after your test is done, remove this line from hosts.allow!
# Otherwise everyone will always have access.
ALL : ALL: spawn (/usr/bin/blockhosts.py --verbose --echo "%c-%s" >> /var/log/blockhosts/blockhosts.log 2>&1 )& : allow
# -------------------------------------------------------------------------
Please note that each spawn line ("sshd, proftpd, in.proftpd: ALL: spawn (/usr/bin/blockhosts.py --verbose --echo "%c-%s" >> /var/log/blockhosts/blockhosts.log 2>&1 )& : allow", the commented "#sshd, proftpd, in.proftpd: ALL: spawn /usr/bin/blockhosts.py --echo "%c-%s" & : allow", and "ALL : ALL: spawn (/usr/bin/blockhosts.py --verbose --echo "%c-%s" >> /var/log/blockhosts/blockhosts.log 2>&1 )& : allow") must be written on a single line, even if it wraps here. The whitelist and blacklist entries are the INSTALL file's examples: because hosts_access stops at the first matching line, the whitelist has to stay above the blacklist, and a trailing-dot prefix such as "192." denies the whole 192.0.0.0/8 range, not just private 192.168.x.x addresses, so trim those lines to what you actually want blocked before relying on them.
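To make the first-match behaviour of the file above concrete, here is an added example (not part of this page or of BlockHosts) that evaluates a constructed hosts.allow in the same layout: a tiny evaluator for the subset of hosts_access(5) syntax the page uses (ALL or a daemon list, an exact IPv4 address or a trailing-dot prefix, allow/deny; spawn options are ignored). The sample file, the addresses, and the assumption that a missing allow/deny keyword means allow are all mine.

```python
# Added example, not the page's or BlockHosts' own code: a minimal first-match
# evaluator for /etc/hosts.allow rules in the layout shown above.  Only the
# subset of hosts_access(5) used on this page is handled.

# Constructed hosts.allow in the page's layout (RFC 5737 documentation addresses).
SAMPLE_HOSTS_ALLOW = """\
# permanent whitelist addresses - these should always be allowed access
ALL: 127.0.0.1  : allow
ALL: 192.168.0. : allow
# permanent blacklist addresses - these should always be denied access
ALL: 10.  : deny
ALL: 192. : deny
ALL: 172. : deny
#---- BlockHosts Additions
#bh: ip:   198.51.100.23 :   4 : 2006-10-03-05-42
ALL:   198.51.100.23 : deny
#---- BlockHosts Additions
sshd, proftpd, in.proftpd: ALL: spawn (/usr/bin/blockhosts.py --verbose --echo "%c-%s" >> /var/log/blockhosts/blockhosts.log 2>&1 )& : allow
"""

# The catch-all line the listing leaves active; its own comment says it is for testing only.
CATCH_ALL_LINE = 'ALL : ALL: spawn (/usr/bin/blockhosts.py --verbose --echo "%c-%s" >> /var/log/blockhosts/blockhosts.log 2>&1 )& : allow\n'


def parse_rules(text):
    """Return [(daemons, client_pattern, verdict)] in file order.

    Comment lines, including the "#bh:" bookkeeping and marker lines, are
    skipped.  Options other than allow/deny (e.g. spawn) are ignored, and a
    line without an allow/deny keyword grants access, as it does in hosts.allow."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue
        daemons = {d.strip() for d in fields[0].split(",")}
        verdict = "deny" if fields[-1].lower() == "deny" else "allow"
        rules.append((daemons, fields[1], verdict))
    return rules


def client_matches(pattern, ip):
    """Subset of hosts_access(5) client patterns: ALL, exact IPv4, or trailing-dot prefix."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):          # "192.168.0." matches 192.168.0.x
        return ip.startswith(pattern)
    return ip == pattern


def decide(rules, daemon, ip):
    """First match wins: return "allow"/"deny" from the first rule matching both
    daemon and client, or None if nothing in hosts.allow matches (the real
    library then consults /etc/hosts.deny and grants access if that matches
    nothing either)."""
    for daemons, pattern, verdict in rules:
        if ("ALL" in daemons or daemon in daemons) and client_matches(pattern, ip):
            return verdict
    return None


def demo():
    """Decisions for a few constructed clients, with and without the catch-all line."""
    rules = parse_rules(SAMPLE_HOSTS_ALLOW)
    with_catch_all = parse_rules(SAMPLE_HOSTS_ALLOW + CATCH_ALL_LINE)
    return {
        # whitelist wins because it sits above the "192." blacklist line
        "lan host, sshd": decide(rules, "sshd", "192.168.0.7"),
        # a public 192.x.x.x address is caught by the same "192." prefix: too broad
        "public 192.0.2.5, sshd": decide(rules, "sshd", "192.0.2.5"),
        # entry blockhosts added between the marker lines
        "blocked host, sshd": decide(rules, "sshd", "198.51.100.23"),
        # unlisted host reaches the sshd spawn line and is allowed
        "unlisted host, sshd": decide(rules, "sshd", "203.0.113.9"),
        # no sshd/proftpd rule applies to other daemons, so hosts.deny decides
        "unlisted host, in.telnetd": decide(rules, "in.telnetd", "203.0.113.9"),
        # with the ALL : ALL test line left in, hosts.deny is never reached
        "unlisted host, in.telnetd, catch-all": decide(with_catch_all, "in.telnetd", "203.0.113.9"),
    }


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label:40s} -> {verdict}")
```

Running it shows why the order of the whitelist, blacklist and BlockHosts sections matters, and why the "ALL : ALL" line turns every unlisted client on every wrapped service into an allow.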

The last section provides several different ways of launching python to run the blockhosts.py script. I have chosen to use the last option, which is the one that I have uncommented ("ALL : ALL: spawn (/usr/bin/blockhosts.py --verbose --echo "%c-%s" >> /var/log/blockhosts/blockhosts.log 2>&1 )& : allow"). Be aware that the file's own comments mark this catch-all line as a test line: since hosts.allow is first-match and "ALL : ALL" matches every client on every TCP-wrapped service, any host not already listed in a deny line above it is let in, and /etc/hosts.deny is never consulted. Whichever spawn line you keep, it must sit below the two "#---- BlockHosts Additions" marker lines so that the deny entries blockhosts adds are matched first. I have changed the default log location from /var/log/blockhosts.log to /var/log/blockhosts/blockhosts.log, so let's set up the log directory now:
~> sudo mkdir /var/log/blockhosts
Next, create a /etc/logrotate.d/blockhosts file with the following information to setup log rotation:
/var/log/blockhosts/blockhosts.log {
        notifempty
        weekly
        missingok
        rotate 4
}
Save and exit. blockhosts is now set up. To check it, go to another computer and attempt to ssh back into the Linux machine running blockhosts, typing an incorrect login name and/or password. Then check /etc/hosts.allow, and you should see a line similar to:
#bh: ip:    58.20.241.12 :   1 : 2006-10-03-05-42
It will be found between the two "#---- BlockHosts Additions" lines. blockhosts is now keeping track of this IP address, and once further failures bring its count up to COUNT_THRESHOLD (4 with the settings above), a new line will appear that says:
ALL:    58.20.241.12 : deny
The IP address 58.20.241.12 is now denied access to every TCP-wrapped service on your computer for the next month (AGE_THRESHOLD), further login attempts included. This provides a very nice way of hardening your system against attempted break-ins and abusive login attempts with little impact on your system resources.
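The counting and ageing described in the configuration section above, and the marker-line layout just shown, as an added example that is not BlockHosts' own code: it scans a few constructed /var/log/secure lines for failed sshd logins, counts them per source address, drops entries older than AGE_THRESHOLD hours, and renders the "#bh:" bookkeeping and "ALL: <ip> : deny" lines that go between the two marker lines. The log lines, the addresses, the assumed current time (NOW) and the single OpenSSH "Failed password" regex are my assumptions; BlockHosts' real ALL_REGEXS table covers more messages and the ftp daemons.

```python
# Added example, not BlockHosts' own code: the per-IP failure counting,
# age expiry, and marker-section rendering described on this page, run over
# constructed log lines.
import re
from collections import defaultdict
from datetime import datetime, timedelta

COUNT_THRESHOLD = 4   # as in the blockhosts.cfg above: block on the 4th failure
AGE_THRESHOLD = 720   # hours (30 days), as above
NOW = datetime(2006, 10, 3, 6, 0)   # assumed "current time" for the sample

# Constructed sample of /var/log/secure (RFC 5737 documentation addresses).
SAMPLE_SECURE_LOG = """\
Oct  3 05:40:01 optics sshd[2231]: Failed password for invalid user admin from 198.51.100.23 port 40111 ssh2
Oct  3 05:40:03 optics sshd[2231]: Failed password for invalid user admin from 198.51.100.23 port 40111 ssh2
Oct  3 05:40:05 optics sshd[2231]: Failed password for invalid user test from 198.51.100.23 port 40112 ssh2
Oct  3 05:40:08 optics sshd[2233]: Failed password for root from 198.51.100.23 port 40113 ssh2
Oct  3 05:41:00 optics sshd[2240]: Failed password for gkriehn from 203.0.113.9 port 51022 ssh2
Oct  3 05:42:10 optics sshd[2241]: Accepted password for gkriehn from 203.0.113.9 port 51023 ssh2
"""

# Only the OpenSSH "Failed password" message is matched here (an assumption);
# the real ALL_REGEXS table in blockhosts.cfg is much larger.
FAILED_SSHD = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_failures(log_text, year):
    """Yield (timestamp, source ip) for each failed sshd login.
    syslog lines carry no year, so the caller supplies one."""
    for line in log_text.splitlines():
        m = FAILED_SSHD.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
            yield ts, m.group("ip")


def count_recent_failures(log_text, now=NOW, age_hours=AGE_THRESHOLD):
    """Failures per IP within the last age_hours, plus each IP's latest failure.
    Older entries are ignored, which is what lets a block lapse after AGE_THRESHOLD."""
    cutoff = now - timedelta(hours=age_hours)
    counts = defaultdict(int)
    last_seen = {}
    for ts, ip in parse_failures(log_text, now.year):
        if ts < cutoff:
            continue
        counts[ip] += 1
        last_seen[ip] = max(ts, last_seen.get(ip, ts))
    return counts, last_seen


def blockhosts_section(counts, last_seen, threshold=COUNT_THRESHOLD):
    """Render what goes between the two marker lines: a "#bh:" bookkeeping line
    for every counted IP, and an "ALL: <ip> : deny" rule once the count reaches
    the threshold, in the layout shown above."""
    lines = ["#---- BlockHosts Additions"]
    for ip in sorted(counts):
        stamp = last_seen[ip].strftime("%Y-%m-%d-%H-%M")
        lines.append(f"#bh: ip: {ip:>15} : {counts[ip]:>3} : {stamp}")
        if counts[ip] >= threshold:
            lines.append(f"ALL: {ip:>15} : deny")
    lines.append("#---- BlockHosts Additions")
    return lines


if __name__ == "__main__":
    counts, last_seen = count_recent_failures(SAMPLE_SECURE_LOG)
    print("\n".join(blockhosts_section(counts, last_seen)))
```

With the sample log, 198.51.100.23 reaches four failures and gets a deny line while 203.0.113.9 only gets a bookkeeping line; rerunning with a "now" more than 720 hours later counts nothing, which is how the month-long block expires.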