BlockHosts 1.0.4
BlockHosts is a script to record how many times "sshd" or "proftpd" is being attacked, and when a particular IP address exceeds a configured number of failed login attempts, that IP address is added to /etc/hosts.allow (or optionally to any other file).
Requires python version 2.3 at a minimum, and runs on Unix-like machines only.
The BlockHosts script is most suitable for home Linux users, who need to keep ssh/ftp ports open.
Blocks IP addresses based on SSH or FTP incoming login failures, by looking at SSHD and ProFTPD logs, and updating hosts.allow as needed.
If you are a Linux user running an SSH server, it is likely that you have been probed by script kiddies, and your daily LogWatch emails will show 100-150 login attempts in a short interval, before they go away.
There is no option in OpenSSH to slow down repeated login attempts coming from one IP address -- logins occur at a pretty fast clip -- one attempt every few seconds.
For a home or small business Linux user at least, it does not make sense to keep the door open for logins for so long. Use this script, and the daily LogWatch email notifications will show only 7-9 login attempts, while remote hosts start getting "Refused incoming connection" messages.
Then, reading the daily LogWatch emails is not terrifying at all, in fact, it may be fun to see these script kiddies get blocked!
- Be sure to acquaint yourself with material available on the web, related to security, and denial-of-service. In particular, see the discussion in the OpenSSH mailing list related to SSHD blocking and FAIL_DELAY:
- Make your sshd/proftpd configurations as tight as possible. For example, for sshd, turn off root logins (PermitRootLogin) and use the AllowUsers keyword so that only one or a select few usernames are accepted. As far as possible, avoid common usernames; make even the usernames hard to guess. For ProFTPD, use /etc/ftpusers, which contains names of users that will not be allowed to use FTP; root should be in there.
- Last, but not least - always use strong passwords! That is the only real protection.
blockhosts.py scans system logs, and looks for failed login attempts. It keeps a record of the number of times a particular IP address had a failed login. When the count exceeds a configured value, that IP address is added to /etc/hosts.allow with a deny flag, so the next time that IP address attempts to connect to that box, they will get a refused connection message.
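The counting and blocking step described above, as an added Python 3 example that is not BlockHosts' own code. The log pattern, the function names and the threshold of 3 are assumptions, and the sample log lines are constructed.

```python
import ipaddress
import re
from collections import Counter

# Assumed pattern for OpenSSH "Failed password" lines; not taken from blockhosts.cfg.
# It is anchored at the end of the line so that text inside the user name field
# cannot be mistaken for the source address.
FAILED_LOGIN = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?.* "
    r"from (\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2\s*$"
)

# Constructed sample log lines (documentation address ranges only).
SAMPLE_LOG = """\
Jan 10 03:14:01 host sshd[2101]: Failed password for root from 203.0.113.5 port 40112 ssh2
Jan 10 03:14:04 host sshd[2103]: Failed password for invalid user admin from 203.0.113.5 port 40120 ssh2
Jan 10 03:14:07 host sshd[2105]: Failed password for invalid user test from 203.0.113.5 port 40131 ssh2
Jan 10 03:14:10 host sshd[2107]: Failed password for root from 203.0.113.5 port 40140 ssh2
Jan 10 03:20:00 host sshd[2200]: Failed password for invalid user x from 192.0.2.1 from 198.51.100.7 port 51000 ssh2
Jan 10 03:25:00 host sshd[2300]: Accepted password for alice from 192.0.2.1 port 50222 ssh2
"""

def count_failures(log_text):
    """Return a Counter of failed logins per source IPv4 address."""
    counts = Counter()
    for line in log_text.splitlines():
        match = FAILED_LOGIN.search(line)
        if not match:
            continue
        try:
            ip = ipaddress.IPv4Address(match.group(1))
        except ValueError:
            continue  # looks like an address but is not valid IPv4 (e.g. 999.1.1.1)
        counts[str(ip)] += 1
    return counts

def deny_lines(counts, max_failures):
    """Build hosts.allow deny entries for addresses whose count exceeds max_failures."""
    return ["ALL: %s : deny" % ip
            for ip, n in sorted(counts.items()) if n > max_failures]

if __name__ == "__main__":
    for entry in deny_lines(count_failures(SAMPLE_LOG), max_failures=3):
        print(entry)
```

The fifth sample line has address-like text in the user name field; only the real source address, 198.51.100.7, is counted for it.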
Python, version 2.3 or later.
TCP_WRAPPERS should be enabled for all services; this allows use of the /etc/hosts.deny and /etc/hosts.allow files.
IPv4 addresses are supported; IPv6 is not supported at this time.
OpenSSH and proftpd logs can be scanned. Other implementations or services may require adding pattern matching options to the default blockhosts.py configuration; see the appropriate section in the blockhosts.cfg configuration file.
What's New in This Release:
Handling of vsftpd was improved.
The documentation on the shortcomings of using blockhosts for vsftpd was updated.