Gentoo Wiki Archives

BlockHosts

Protecting sshd (and others) with BlockHosts

What is BlockHosts?

BlockHosts is a Python script that keeps count of how often a system service has been probed. It uses configurable pattern matching to recognise failed accesses in the logs (for sshd, proftpd or any other service that logs them), and once a particular IP address exceeds a configured number of failed attempts that address is blocked. This page uses the TCP_WRAPPERS method, in which the block is written as a deny rule into /etc/hosts.allow.

Advantages

I decided to install BlockHosts rather than one of its equivalents, e.g. denyhosts or fail2ban, because it provided more features.

Installation

Ebuild

Currently there is no BlockHosts package in the Portage tree. I have written an ebuild (thanks again to #gentoo-sunrise for reviewing it) which should work; only ~x86 is keyworded, but nothing in it looks arch-specific. If you do not know how to handle third-party ebuilds, refer to the handbook.

File: blockhosts-2.0.2.ebuild
# Copyright 1999-2007 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Header: $

NEED_PYTHON=2.3

inherit distutils

MY_P="BlockHosts-${PV}"
DESCRIPTION="Blocks abusive IP hosts which probe your services (such as sshd, proftpd)"
HOMEPAGE="http://www.aczoom.com/cms/blockhosts/"
SRC_URI="http://www.aczoom.com/tools/blockhosts/${MY_P}.tar.gz"

LICENSE="public-domain"
SLOT="0"
KEYWORDS="~x86"
IUSE="logrotate"

DEPEND=""
RDEPEND="logrotate? ( app-admin/logrotate )"

DOCS="CHANGES"
S=${WORKDIR}/${MY_P}

src_unpack() {
	unpack ${A}
	cd "${S}"

	# don't let setup.py install bhrss.py to /usr/bin
	sed -i \
		-e "s/,.*bhrss\.py'//" \
		setup.py || die "sed failed"

	# remove logrotate check if not in IUSE
	if ! use logrotate; then
		sed -i \
			-e "/^if/d" \
			-e "/DATA_FILES\./d" \
			setup.py || die "sed failed"
	fi
}

src_install() {
	distutils_src_install

	insinto /usr/share/${PN}
	doins bhrss.py

	dohtml *.html
}

pkg_postinst() {
	echo
	elog "This package still needs to be configured."
	elog "Please refer to the homepage for instructions!"
	echo
	elog "bhrss.py cgi-script is in /usr/share/${PN}."
	elog "If you want to use it, put it in your cgi-bin,"
	elog "emerge dev-python/pyxml and copy blockhosts.py"
	elog "into your python module directory."
	echo
}

Emerge

Warning: I assume that you've set your PORTDIR_OVERLAY to /usr/local/portage.

First, copy the ebuild to /usr/local/portage/app-admin/blockhosts/. Then do this:

# Create blockhosts digest
ebuild /usr/local/portage/app-admin/blockhosts/blockhosts-2.0.2.ebuild digest
# Unmask blockhosts
echo "app-admin/blockhosts ~x86" >> /etc/portage/package.keywords
# Refresh the metadata cache (harmless if it turns out not to be needed)
emerge --metadata
# Emerge it
emerge -va app-admin/blockhosts

That's everything.

Configuration

First, you need to create and edit some files

# Create /etc/hosts.allow if it does not exist (required by BlockHosts)
touch /etc/hosts.allow
# Append the following two marker lines to /etc/hosts.allow.
# BlockHosts rewrites everything between them on each run, so keep your own
# rules outside (above) the markers; each marker must appear exactly once.
echo "#---- BlockHosts Additions" >> /etc/hosts.allow
echo "#---- BlockHosts Additions" >> /etc/hosts.allow
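The scan, count and block loop described under "What is BlockHosts?", together with the marker convention just set up, as an added example in Python. This is my illustration, not BlockHosts's own code: the log lines, host name, PIDs and addresses are constructed, the threshold of 4, the allowlist, the trusted-network allow rule and the write_atomically helper are assumptions, and the two regular expressions are my approximation of sshd and pam_unix failure lines rather than the patterns BlockHosts ships.

```python
"""BlockHosts-style scanner (added example): count failed logins per client IP
in sshd log lines and rewrite the marked section of a hosts.allow file.
Everything here is an assumption for illustration, not BlockHosts's own code."""
import os
import re
from collections import defaultdict

MARKER = "#---- BlockHosts Additions"   # the marker lines appended above

# Constructed sample log (made-up host name, PIDs and addresses); the pam_unix
# line copies the shape of the one in this page's dry-run output.
SAMPLE_LOG = """\
Apr  9 23:49:37 hostname sshd(pam_unix)[29697]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=89.13.50.6 user=root
Apr  9 23:49:39 hostname sshd[29697]: Failed password for root from 89.13.50.6 port 52011 ssh2
Apr  9 23:49:41 hostname sshd[29697]: Failed password for root from 89.13.50.6 port 52011 ssh2
Apr  9 23:49:43 hostname sshd[29697]: Failed password for root from 89.13.50.6 port 52011 ssh2
Apr  9 23:49:52 hostname sshd[29702]: Failed password for invalid user admin from 89.13.50.6 port 52030 ssh2
Apr  9 23:49:55 hostname sshd[29705]: Failed password for alice from 10.0.0.5 port 40022 ssh2
Apr  9 23:50:01 hostname sshd[29705]: Accepted publickey for alice from 10.0.0.5 port 40022 ssh2
Apr  9 23:50:07 hostname sshd[29710]: Failed password for invalid user test from 203.0.113.9 port 3300 ssh2
Apr  9 23:50:09 hostname sshd[29710]: Failed password for invalid user test from 203.0.113.9 port 3300 ssh2
Apr  9 23:50:11 hostname sshd[29710]: Failed password for invalid user test from 203.0.113.9 port 3300 ssh2
Apr  9 23:50:20 hostname sshd[29714]: Failed password for admin from 198.51.100.20 port 5100 ssh2
Apr  9 23:50:22 hostname sshd[29714]: Failed password for admin from 198.51.100.20 port 5100 ssh2
Apr  9 23:50:24 hostname sshd[29714]: Failed password for admin from 198.51.100.20 port 5100 ssh2
Apr  9 23:50:26 hostname sshd[29714]: Failed password for admin from 198.51.100.20 port 5100 ssh2
Apr  9 23:50:28 hostname sshd[29714]: Failed password for admin from 198.51.100.20 port 5100 ssh2
"""

IPV4 = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
FAIL_PATTERNS = [
    # sshd's own failure line, with or without "invalid user"
    re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from " + IPV4),
    # pam_unix's line; with UseDNS yes rhost= holds a host name instead and
    # this pattern cannot match, which is why the page sets UseDNS no
    re.compile(r"sshd\(pam_unix\)\[\d+\]: authentication failure;.*\brhost=" + IPV4),
]


def count_failures(log_text, patterns=FAIL_PATTERNS):
    """Map client IP -> number of log lines that look like a failed login.
    A line counts at most once even if several patterns would match it."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        for pat in patterns:
            m = pat.search(line)
            if m:
                counts[m.group("ip")] += 1
                break
    return dict(counts)


def offenders(counts, threshold, allowlist=frozenset()):
    """Addresses at or above the threshold, minus those we refuse to block
    (our own management hosts), sorted so the rewritten file is stable."""
    return sorted(ip for ip, n in counts.items()
                  if n >= threshold and ip not in allowlist)


def render_hosts_allow(text, deny_ips):
    """Replace everything between the two MARKER lines with deny rules in the
    form BlockHosts itself writes, leaving the rest of the file untouched.
    Refuses to run unless exactly two markers exist, so a mangled file is
    never silently rewritten."""
    lines = text.splitlines()
    idx = [i for i, line in enumerate(lines) if line.strip() == MARKER]
    if len(idx) != 2:
        raise ValueError("need exactly two %r lines, found %d" % (MARKER, len(idx)))
    start, end = idx
    block = ["ALL: %s : deny" % ip for ip in deny_ips]
    return "\n".join(lines[:start + 1] + block + lines[end:]) + "\n"


def write_atomically(path, text):
    """Write via a temp file and rename so tcpd, which reads hosts.allow on
    every connection, never sees a half-written file."""
    tmp = path + ".tmp"
    with open(tmp, "w") as fh:
        fh.write(text)
    os.replace(tmp, path)


if __name__ == "__main__":
    # Trusted networks stay above the markers: hosts.allow is first-match,
    # so they can never be locked out by an entry added between the markers.
    current = "sshd : 10.0.0.0/255.0.0.0 : allow\n" + MARKER + "\n" + MARKER + "\n"
    bad = offenders(count_failures(SAMPLE_LOG), threshold=4,
                    allowlist={"198.51.100.20"})
    print(render_hosts_allow(current, bad), end="")
```

Run as is it prints the hosts.allow text that would result: 89.13.50.6 is denied (five matching lines), 203.0.113.9 stays under the threshold, and 198.51.100.20 is spared only because it is allowlisted. Note that a real sshd with PAM logs both its own "Failed password" line and a pam_unix line for the same attempt, so counting both effectively halves the threshold; pick one pattern or raise the count accordingly. Keeping an allow rule for your own address above the markers is what protects you from the self-lockout discussed under Completion.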

Setting up BlockHosts protecting sshd

Setting up openssh:
Check if openssh was merged with the tcpd useflag enabled:

equery uses openssh

If not, enable the flag (sshd must be linked against libwrap for /etc/hosts.allow to have any effect) and rebuild openssh:

echo "net-misc/openssh tcpd" >> /etc/portage/package.use
# Re-emerge to apply use flags
emerge -va net-misc/openssh

Add this to your /etc/ssh/sshd_config and restart sshd. With UseDNS enabled, sshd hands the client's reverse-resolved host name to PAM, so pam_unix log lines show rhost=<name> instead of an IP address and BlockHosts has nothing it can block on:

UseDNS no

Check that your sshd logs to /var/log/messages:

grep sshd /var/log/messages | tail

If there is some recent output, everything is fine; proceed. If not, find out which file your syslog daemon sends auth messages to and use that file name in the next step.

Setting up BlockHosts:
Edit /etc/blockhosts.cfg

nano /etc/blockhosts.cfg

All LOGFILES lines are commented out. Uncomment the first one and replace its file name (the stock line refers to the Red Hat-style /var/log/secure) with the file your sshd actually logs to, /var/log/messages as checked above:

File: /etc/blockhosts.cfg
 ...
 LOGFILES = [ "/var/log/messages", ]
 #LOGFILES = [ "/var/log/auth.log", ]
 #LOGFILES = [ "/var/log/secure", "/var/log/vsftpd.log", ]
 ...

Save and close nano; that is all the configuration BlockHosts needs.

Post-Configuration

You can tune the remaining settings in the config file if you like (the failure-count THRESHOLD, how long a block lasts, and so on), but the defaults are fine to start with.

Testing

Run blockhosts.py in --dry-run mode (simulation):

# This will check your logs (configured in /etc/blockhosts.cfg) for potential attacks
/usr/bin/blockhosts.py --dry-run --verbose

Assuming there have already been some failed login attempts, blockhosts.py should print something like the following. The "logfile:" line names whatever you configured in LOGFILES, so on the setup described here it reads /var/log/messages rather than /var/log/sshd:

 ...
 #---- BlockHosts Additions
 ALL: 89.13.50.6 : deny 

 #bh: ip:      89.13.50.6 :   8 : 2007-04-10 00:52:23 CEST
 
 #bh: logfile: /var/log/sshd
 #bh: offset: 13083
 #bh: first line:Apr  9 23:49:37 hostname sshd(pam_unix)[29697]: authentication$

 #---- BlockHosts Additions
 ...
 

If the output looks right, drop the --dry-run parameter. BlockHosts will now write to /etc/hosts.allow (which is why it has to run as root), and every service that uses TCP_WRAPPERS (sshd built with the tcpd flag, mod_wrap for proftpd) refuses connections from the banned IPs.

/usr/bin/blockhosts.py --verbose

You can confirm the verdict for a listed address without opening a connection: tcpdmatch(8), which ships with tcp-wrappers, takes a daemon name and a client address (tcpdmatch sshd 89.13.50.6 for the entry above) and reports whether access would be granted or denied under the current hosts.allow and hosts.deny.

Completion

Now we want a cron job or similar that runs blockhosts.py periodically so the logs are checked frequently. Alternatively, we can have TCP_WRAPPERS run the script every time someone connects to the watched service by modifying /etc/hosts.allow.

Cronjob

Add a job that runs every five minutes. Use root's crontab, since blockhosts.py has to run as root to write /etc/hosts.allow:

crontab -e

Add the blockhosts.py line:

*/5 * * * * /usr/bin/blockhosts.py --verbose >> /var/log/blockhosts.log 2>&1

If you prefer the system-wide /etc/crontab, remember that with vixie-cron and cronie that file takes a user name after the five time fields:

*/5 * * * * root /usr/bin/blockhosts.py --verbose >> /var/log/blockhosts.log 2>&1

Save and close. BlockHosts should now update hosts.allow every five minutes.

Hosts.allow

Add a couple of lines to the end of /etc/hosts.allow, below the BlockHosts marker section, to have the script called at every connection attempt.

File: /etc/hosts.allow
 ...
 sshd : ALL : spawn (/usr/bin/blockhosts.py )
 sshd : ALL : allow

This calls /usr/bin/blockhosts.py every time someone connects, which is much more likely to stop an attack before it fills your logs. Keep these lines below the marker section: hosts.allow rules are matched in order, first match wins, so the deny entries BlockHosts writes between the markers must be seen before the spawn and allow rules. The spawned command runs with sshd's privileges (root) and with stdin, stdout and stderr on the null device; the spawn example in hosts_options(5) backgrounds the command with a trailing & so the connection is not held up while the logs are scanned, which is worth copying here. A block only affects later connections, so the attempt that triggers it is still passed to sshd. However, if you log in incorrectly too many times and get blocked, you stay blocked until someone from a different IP connects after the timeout (set in /etc/blockhosts.cfg) has expired, because nothing else runs the script. To remove that dependency on another user connecting, have a cron job also run the script, though possibly less often than every five minutes, and keep an allow rule for your own management address above the markers so you cannot lock yourself out.


Retrieved from "http://www.gentoo-wiki.info/BlockHosts"

Last modified: Sat, 06 Sep 2008 23:13:00 +1000
