Preventing Brute Force Attacks With BlockHosts On Debian Etch - Page 2

Submitted by falko on Thu, 2007-09-27 16:48.

3 Creating A BlockHosts Cron Job For Non-TCP_WRAPPERS Services

To block hosts from non-TCP_WRAPPERS services such as Debian's ProFTPd, you can run

blockhosts.py --iptables --verbose

on the command line. Of course, you don't want to run this by hand every few minutes, so we create a cron job for it.

First we create a little wrapper script for /usr/bin/blockhosts.py:

vi /usr/local/sbin/blockhosts

#!/bin/bash
# Explicit PATH: cron starts jobs with a minimal PATH that does not include
# /sbin, so blockhosts.py would not find iptables without it.
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

/usr/bin/blockhosts.py --iptables --verbose >> /var/log/blockhosts.log 2>&1

The purpose of this wrapper script is to pass the correct PATH to the /usr/bin/blockhosts.py script; if we call /usr/bin/blockhosts.py directly from the cron job, cron's minimal default PATH leads to errors saying that iptables could not be found.

Of course, we must make /usr/local/sbin/blockhosts executable:

chmod 700 /usr/local/sbin/blockhosts

Then, we create a cron job like this:

crontab -e

*/5 * * * *  /usr/local/sbin/blockhosts &> /dev/null
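To make the wrapper and cron installation from this section repeatable, here is an added example script (not from the article or the BlockHosts project) that writes the wrapper and adds the crontab entry only if it is not already present. The merge_cron_line function, the WRAPPER and CRON_LINE variables and the install argument are this example's own conventions. It spells the cron line's redirection as >/dev/null 2>&1 because cron runs entries with /bin/sh, where bash's &> is not a redirection; the article's line works anyway only because the wrapper already redirects its own output to the log.

```shell
#!/bin/sh
# Added example, not part of the HowtoForge article: install the wrapper and the
# cron job from section 3 idempotently, so running this script twice never
# leaves two copies of the entry in the crontab. Paths are the article's own;
# the function and variable names are this example's.
set -eu

WRAPPER=/usr/local/sbin/blockhosts
# Same schedule as the article; the redirection is spelled in plain sh syntax
# because cron runs entries with /bin/sh, where bash's "&>" is not a redirection.
CRON_LINE='*/5 * * * *  /usr/local/sbin/blockhosts >/dev/null 2>&1'

# Pure function: $1 = line to ensure, stdin = existing crontab text.
# Prints the crontab with the line appended exactly once, which keeps the
# crontab(1) side effects out of the testable logic.
merge_cron_line() {
    awk -v line="$1" '
        { print; if ($0 == line) found = 1 }
        END { if (!found) print line }
    '
}

# Write the wrapper with the explicit PATH the article explains cron needs,
# and keep it root-only as in the article.
install_wrapper() {
    cat > "$WRAPPER" <<'EOF'
#!/bin/bash
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

/usr/bin/blockhosts.py --iptables --verbose >> /var/log/blockhosts.log 2>&1
EOF
    chmod 700 "$WRAPPER"
}

# "crontab -l" exits non-zero when root has no crontab yet; treat that as empty.
install_cron() {
    ( crontab -l 2>/dev/null || true ) | merge_cron_line "$CRON_LINE" | crontab -
}

# Only touch the system when explicitly asked, so the functions can be
# exercised without root.
if [ "${1:-}" = "install" ]; then
    install_wrapper
    install_cron
fi
```

Run it as root with the install argument; without arguments it only defines the functions, which is how the merge logic can be checked on a copy of an existing crontab before touching the real one.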

 

4 Testing

Now try to log in to your server via SSH and FTP with wrong usernames/passwords. After a while you shouldn't be able to connect to the server at all, which means you have been blocked. Change your client's IP address and log in to the server's shell again.

Run

iptables -L

You can see in the output which IP addresses got blocked:

server2:~# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
blockhosts  0    --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain blockhosts (1 references)
target     prot opt source               destination
DROP       0    --  192.168.0.93         anywhere
DROP       0    --  192.168.0.92         anywhere
DROP       0    --  192.168.0.91         anywhere
DROP       0    --  192.168.0.94         anywhere
server2:~#

Take a look at /etc/hosts.allow. The same IP addresses should be listed in the #---- BlockHosts Additions section:

vi /etc/hosts.allow

[...]
#---- BlockHosts Additions
ALL: 192.168.0.94 : deny
ALL: 192.168.0.91 : deny
ALL: 192.168.0.92 : deny
ALL: 192.168.0.93 : deny

#bh: ip:    192.168.0.94 :   4 : 2007-09-05 16:59:47 CEST
#bh: ip:    192.168.0.91 :   4 : 2007-09-05 16:49:50 CEST
#bh: ip:    192.168.0.92 :   8 : 2007-09-05 16:40:23 CEST
#bh: ip:    192.168.0.93 :   4 : 2007-09-05 16:35:48 CEST

#bh: logfile: /var/log/auth.log
#bh: offset: 4563
#bh: first line:Jun 28 20:35:51 server2 login[2087]: (pam_unix) session opened for user root by (uid=0)

#bh: logfile: /var/log/proftpd/proftpd.log
#bh: offset: 15020
#bh: first line:Sep 05 16:04:34 server2.example.com proftpd[2355] server2.example.com: error setting IPV6_V6ONLY: Protocol not available

#---- BlockHosts Additions
[...]

Finally, you can also take a look at /var/log/blockhosts.log:

tail /var/log/blockhosts.log

[...]
blockhosts 2.0.5 started: 2007-09-05 16:52:25 CEST
... echo tag: ::ffff:192.168.0.94-sshd@::ffff:192.168.0.101
... load blockfile: /etc/hosts.allow
... found both markers, count of hosts being watched: 3
... loading log file, offset: /var/log/auth.log 4018
... loading log file, offset: /var/log/proftpd/proftpd.log 12305
... will discard all host entries older than 2007-09-05 04:52:25 CEST
... updates: counts: hosts to block: 3; hosts being watched: 3
... no email to send.
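Since BlockHosts records its blocks in two places, the hosts.allow section and the iptables chain shown above, a useful check is that the two lists agree. The following is an added example (not from the article or from BlockHosts) that parses both and reports any host present in one but not the other; the function names are this example's own, and the sample hosts.allow and iptables output embedded in it are constructed, modelled on the article's output, with an extra host 192.168.0.95 that only hosts.allow knows about.

```shell
#!/bin/sh
# Added example, not part of the HowtoForge article: cross-check the hosts that
# BlockHosts wrote into /etc/hosts.allow against the DROP rules in the iptables
# "blockhosts" chain, and report any host present in one place but not the other.
# The sample inputs below are constructed (modelled on the article's output);
# "live" mode reads the real files on the box.
set -eu

# Print the IPs listed as "ALL: <ip> : deny" between the two
# "#---- BlockHosts Additions" markers; reads hosts.allow text from stdin.
hosts_from_allow() {
    awk '
        /^#---- BlockHosts Additions/ { inblock = !inblock; next }
        inblock && $1 == "ALL:" && $3 == ":" && $4 == "deny" { print $2 }
    ' | sort -u
}

# Print the source address of every DROP rule; reads the output of
# "iptables -L blockhosts -n" (without -v, which shifts the columns) from stdin.
hosts_from_iptables() {
    awk '$1 == "DROP" { print $4 }' | sort -u
}

# $1 = file with hosts.allow text, $2 = file with iptables output.
# Prints one line per mismatch and returns 1 if there was any, 0 otherwise.
compare_blocks() {
    tmp_a=$(mktemp); tmp_i=$(mktemp)
    hosts_from_allow < "$1" > "$tmp_a"
    hosts_from_iptables < "$2" > "$tmp_i"
    rc=0
    for h in $(comm -23 "$tmp_a" "$tmp_i"); do
        echo "in hosts.allow but not in iptables chain: $h"; rc=1
    done
    for h in $(comm -13 "$tmp_a" "$tmp_i"); do
        echo "in iptables chain but not in hosts.allow: $h"; rc=1
    done
    rm -f "$tmp_a" "$tmp_i"
    return $rc
}

# Constructed sample: the article's four hosts plus 192.168.0.95, which only
# hosts.allow knows about (simulating a rule that never reached iptables).
sample_hosts_allow() {
    cat <<'EOF'
# ... site rules above ...
#---- BlockHosts Additions
ALL: 192.168.0.94 : deny
ALL: 192.168.0.91 : deny
ALL: 192.168.0.92 : deny
ALL: 192.168.0.93 : deny
ALL: 192.168.0.95 : deny

#bh: ip:    192.168.0.94 :   4 : 2007-09-05 16:59:47 CEST
#bh: logfile: /var/log/auth.log
#---- BlockHosts Additions
EOF
}

# Constructed sample of "iptables -L blockhosts -n" output.
sample_iptables() {
    cat <<'EOF'
Chain blockhosts (1 references)
target     prot opt source               destination
DROP       0    --  192.168.0.93         0.0.0.0/0
DROP       0    --  192.168.0.92         0.0.0.0/0
DROP       0    --  192.168.0.91         0.0.0.0/0
DROP       0    --  192.168.0.94         0.0.0.0/0
EOF
}

case "${1:-demo}" in
    live)
        # Snapshot the chain once so both lists describe the same moment.
        snap=$(mktemp); iptables -L blockhosts -n > "$snap"
        rc=0; compare_blocks /etc/hosts.allow "$snap" || rc=$?
        rm -f "$snap"; exit $rc ;;
    demo)
        a=$(mktemp); i=$(mktemp)
        sample_hosts_allow > "$a"; sample_iptables > "$i"
        rc=0; compare_blocks "$a" "$i" || rc=$?
        rm -f "$a" "$i" ;;
esac
```

Without arguments it runs against the constructed samples and reports the one host missing from the chain; with the live argument it reads /etc/hosts.allow and the real blockhosts chain and exits non-zero on any mismatch, which makes it usable from cron or a monitoring job. A host that appears in hosts.allow but not in the chain is the case to look for after the cron job from section 3 has been running for a while: it means the TCP_WRAPPERS block is in place but the non-TCP_WRAPPERS services are not protected.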

 

5 Links


Submitted by jonia (not registered) on Fri, 2009-06-12 18:10.

I am a beginner, and my big error is in the "/usr/local/sbin/blockhosts" script.

In FreeBSD the script begins with "#!/bin/sh.........", and on Debian it begins with "#!/bin/bash..."

Finally, I saw where I was wrong, and run the script ...

Sorry for my bad English...

Submitted by Lindylex (not registered) on Sun, 2009-04-12 10:33.

I noticed that even when I set my limits to 3 some people could still try to login hundreds of times with ssh. You need to check all the ssh versions “sshd, sshd1, sshd2”.

In your “/etc/hosts.allow” file use the following, notice how I added sshd, sshd1 and sshd2. This caught all the ssh login attempts.

sshd, sshd1, sshd2: ALL: spawn /usr/bin/blockhosts.py --verbose --mail --ipblock=iptables \
    --echo "%c-%s" --check-ip "%h" >> /var/log/blockhosts.log 2>&1 & \
    : allow

 

Thanks, Lindylex

Submitted by DizzyBum (registered user) on Mon, 2008-04-14 19:36.

If you use a newer version of BlockHosts, you will have to change /usr/local/sbin/blockhosts a bit.  Here's the new line:

/usr/bin/blockhosts.py --ipblock=iptables --verbose >> /var/log/blockhosts.log 2>&1

So replace "--iptables" with "--ipblock=iptables".

This worked for me on version 2.3.1.

 

Submitted by lindylex (not registered) on Wed, 2009-03-25 04:18.

DizzyBum, thanks for that tip.

Submitted by Anonymous (not registered) on Sat, 2009-12-19 12:33.

Ubuntu guys, watch out!

Check your paths carefully, they are slightly different :)

Submitted by yurtboy1 (registered user) on Mon, 2007-11-26 23:07.

Good tutorial and the script works great.

Al