Preventing Brute Force Attacks With BlockHosts On Debian Etch - Page 2

3 Creating A BlockHosts Cron Job For Non-TCP_WRAPPERS Services

To block hosts from non-TCP_WRAPPERS services such as Debian's ProFTPd, you can run

blockhosts.py --iptables --verbose

on the command line. Of course, you don't want to do this every few minutes, therefore we create a cron job for this.

First we create a little wrapper script for /usr/bin/blockhosts.py:

vi /usr/local/sbin/blockhosts

#!/bin/bash
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

/usr/bin/blockhosts.py --iptables --verbose >> /var/log/blockhosts.log 2>&1

The purpose of this wrapper script is to pass the correct PATH to the /usr/bin/blockhosts.py script; if we use /usr/bin/blockhosts.py directly in the cron job, we will get errors saying that iptables could not be found.

Of course, we must make /usr/local/sbin/blockhosts executable:

chmod 700 /usr/local/sbin/blockhosts

Then, we create a cron job like this:

crontab -e

*/5 * * * *  /usr/local/sbin/blockhosts &> /dev/null

 

4 Testing

Now you can try to log in to your server using SSH and FTP with wrong usernames/passwords. After some time, you shouldn't be able to connect to your server at all which means you got blocked. Change your client's IP address and log in to the server's shell again.

Run

iptables -L

You can see in the output which IP addresses got blocked:

server2:~# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
blockhosts  0    --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain blockhosts (1 references)
target     prot opt source               destination
DROP       0    --  192.168.0.93         anywhere
DROP       0    --  192.168.0.92         anywhere
DROP       0    --  192.168.0.91         anywhere
DROP       0    --  192.168.0.94         anywhere
server2:~#

Take a look at /etc/hosts.allow. The same IP addresses should be listed in the #---- BlockHosts Additions section:

vi /etc/hosts.allow

[...]
#---- BlockHosts Additions
ALL: 192.168.0.94 : deny
ALL: 192.168.0.91 : deny
ALL: 192.168.0.92 : deny
ALL: 192.168.0.93 : deny

#bh: ip:    192.168.0.94 :   4 : 2007-09-05 16:59:47 CEST
#bh: ip:    192.168.0.91 :   4 : 2007-09-05 16:49:50 CEST
#bh: ip:    192.168.0.92 :   8 : 2007-09-05 16:40:23 CEST
#bh: ip:    192.168.0.93 :   4 : 2007-09-05 16:35:48 CEST

#bh: logfile: /var/log/auth.log
#bh: offset: 4563
#bh: first line:Jun 28 20:35:51 server2 login[2087]: (pam_unix) session opened for user root by (uid=0)

#bh: logfile: /var/log/proftpd/proftpd.log
#bh: offset: 15020
#bh: first line:Sep 05 16:04:34 server2.example.com proftpd[2355] server2.example.com: error setting IPV6_V6ONLY: Protocol not available

#---- BlockHosts Additions
[...]

Finally, you can also take a look at /var/log/blockhosts.log:

tail /var/log/blockhosts.log

[...]
blockhosts 2.0.5 started: 2007-09-05 16:52:25 CEST
... echo tag: ::ffff:192.168.0.94-sshd@::ffff:192.168.0.101
... load blockfile: /etc/hosts.allow
... found both markers, count of hosts being watched: 3
... loading log file, offset: /var/log/auth.log 4018
... loading log file, offset: /var/log/proftpd/proftpd.log 12305
... will discard all host entries older than 2007-09-05 04:52:25 CEST
... updates: counts: hosts to block: 3; hosts being watched: 3
... no email to send.

 

5 Links

Share this page:

6 Comment(s)

Add comment

Comments

From: Lindylex at: 2009-04-12 09:33:53

I noticed that even when I set my limits to 3 some people could still try to login hundreds of times with ssh. You need to check all the ssh versions “sshd, sshd1, sshd2”.

In your “/etc/hosts.allow” file use the following, notice how I added sshd, sshd1 and sshd2. This caught all the ssh login attempts.

sshd, sshd1, sshd2: ALL: spawn /usr/bin/blockhosts.py --verbose --mail --ipblock=iptables \

--echo "%c-%s" --check-ip "%h" >> /var/log/blockhosts.log 2>&1 & \

: allow

 

Thanks, Lindylex

From: at: 2007-11-26 22:07:04

Good tutorial and the script works great.

Al 

From: at: 2008-04-14 18:36:43

If you use a newer version of BlockHosts, you will have to change /usr/local/sbin/blockhosts a bit.  Here's the new line:

/usr/bin/blockhosts.py --ipblock=iptables --verbose >> /var/log/blockhosts.log 2>&1

So replace "--iptables" with "--ipblock=iptables".

This worked for me on version 2.3.1.

 

From: lindylex at: 2009-03-25 03:18:40

DizzyBum, thanks for that tip.

From: Anonymous at: 2009-12-19 11:33:40

ubuntu guys watch out!

check your paths carefully they are slightly different :)

From: jonia at: 2009-06-12 17:10:33

I am beginner, and my big error is in "/usr/local/sbin/blockhosts" script.

In FreeBSD script begining "#!/bin/sh........." , and on Debian beginin "#!/bin/bash..."

Finally, I saw where I was wrong, and run the script ...

Sorry, for my bad english...