Preventing Brute Force Attacks With BlockHosts On Debian Etch - Page 2

3 Creating A BlockHosts Cron Job For Non-TCP_WRAPPERS Services

To block hosts from non-TCP_WRAPPERS services such as Debian's ProFTPd, you can run

blockhosts.py --iptables --verbose

on the command line. Of course, you don't want to do this every few minutes, therefore we create a cron job for this.

First we create a little wrapper script for /usr/bin/blockhosts.py:

vi /usr/local/sbin/blockhosts
#!/bin/bash
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

/usr/bin/blockhosts.py --iptables --verbose >> /var/log/blockhosts.log 2>&1

The purpose of this wrapper script is to pass the correct PATH to the /usr/bin/blockhosts.py script; if we use /usr/bin/blockhosts.py directly in the cron job, we will get errors saying that iptables could not be found.

Of course, we must make /usr/local/sbin/blockhosts executable:

chmod 700 /usr/local/sbin/blockhosts

Then, we create a cron job like this:

crontab -e
*/5 * * * *  /usr/local/sbin/blockhosts &> /dev/null

 

4 Testing

Now you can try to log in to your server using SSH and FTP with wrong usernames/passwords. After some time, you shouldn't be able to connect to your server at all which means you got blocked. Change your client's IP address and log in to the server's shell again.

Run

iptables -L

You can see in the output which IP addresses got blocked:

server2:~# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
blockhosts  0    --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain blockhosts (1 references)
target     prot opt source               destination
DROP       0    --  192.168.0.93         anywhere
DROP       0    --  192.168.0.92         anywhere
DROP       0    --  192.168.0.91         anywhere
DROP       0    --  192.168.0.94         anywhere
server2:~#

Take a look at /etc/hosts.allow. The same IP addresses should be listed in the #---- BlockHosts Additions section:

vi /etc/hosts.allow
[...]
#---- BlockHosts Additions
ALL: 192.168.0.94 : deny
ALL: 192.168.0.91 : deny
ALL: 192.168.0.92 : deny
ALL: 192.168.0.93 : deny

#bh: ip:    192.168.0.94 :   4 : 2007-09-05 16:59:47 CEST
#bh: ip:    192.168.0.91 :   4 : 2007-09-05 16:49:50 CEST
#bh: ip:    192.168.0.92 :   8 : 2007-09-05 16:40:23 CEST
#bh: ip:    192.168.0.93 :   4 : 2007-09-05 16:35:48 CEST

#bh: logfile: /var/log/auth.log
#bh: offset: 4563
#bh: first line:Jun 28 20:35:51 server2 login[2087]: (pam_unix) session opened for user root by (uid=0)

#bh: logfile: /var/log/proftpd/proftpd.log
#bh: offset: 15020
#bh: first line:Sep 05 16:04:34 server2.example.com proftpd[2355] server2.example.com: error setting IPV6_V6ONLY: Protocol not available

#---- BlockHosts Additions
[...]

Finally, you can also take a look at /var/log/blockhosts.log:

tail /var/log/blockhosts.log
[...]
blockhosts 2.0.5 started: 2007-09-05 16:52:25 CEST
... echo tag: ::ffff:192.168.0.94-sshd@::ffff:192.168.0.101
... load blockfile: /etc/hosts.allow
... found both markers, count of hosts being watched: 3
... loading log file, offset: /var/log/auth.log 4018
... loading log file, offset: /var/log/proftpd/proftpd.log 12305
... will discard all host entries older than 2007-09-05 04:52:25 CEST
... updates: counts: hosts to block: 3; hosts being watched: 3
... no email to send.

 

Share this page:

6 Comment(s)