Preventing Brute Force Attacks With BlockHosts On Debian Etch - Page 2

3 Creating A BlockHosts Cron Job For Non-TCP_WRAPPERS Services

To block hosts from non-TCP_WRAPPERS services such as Debian's ProFTPd, you can run --iptables --verbose

on the command line. Of course, you don't want to do this every few minutes, therefore we create a cron job for this.

First we create a little wrapper script for /usr/bin/

vi /usr/local/sbin/blockhosts


/usr/bin/ --iptables --verbose >> /var/log/blockhosts.log 2>&1

The purpose of this wrapper script is to pass the correct PATH to the /usr/bin/ script; if we use /usr/bin/ directly in the cron job, we will get errors saying that iptables could not be found.

Of course, we must make /usr/local/sbin/blockhosts executable:

chmod 700 /usr/local/sbin/blockhosts

Then, we create a cron job like this:

crontab -e

*/5 * * * *  /usr/local/sbin/blockhosts &> /dev/null


4 Testing

Now you can try to log in to your server using SSH and FTP with wrong usernames/passwords. After some time, you shouldn't be able to connect to your server at all which means you got blocked. Change your client's IP address and log in to the server's shell again.


iptables -L

You can see in the output which IP addresses got blocked:

server2:~# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
blockhosts  0    --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain blockhosts (1 references)
target     prot opt source               destination
DROP       0    --         anywhere
DROP       0    --         anywhere
DROP       0    --         anywhere
DROP       0    --         anywhere

Take a look at /etc/hosts.allow. The same IP addresses should be listed in the #---- BlockHosts Additions section:

vi /etc/hosts.allow

#---- BlockHosts Additions
ALL: : deny
ALL: : deny
ALL: : deny
ALL: : deny

#bh: ip: :   4 : 2007-09-05 16:59:47 CEST
#bh: ip: :   4 : 2007-09-05 16:49:50 CEST
#bh: ip: :   8 : 2007-09-05 16:40:23 CEST
#bh: ip: :   4 : 2007-09-05 16:35:48 CEST

#bh: logfile: /var/log/auth.log
#bh: offset: 4563
#bh: first line:Jun 28 20:35:51 server2 login[2087]: (pam_unix) session opened for user root by (uid=0)

#bh: logfile: /var/log/proftpd/proftpd.log
#bh: offset: 15020
#bh: first line:Sep 05 16:04:34 proftpd[2355] error setting IPV6_V6ONLY: Protocol not available

#---- BlockHosts Additions

Finally, you can also take a look at /var/log/blockhosts.log:

tail /var/log/blockhosts.log

blockhosts 2.0.5 started: 2007-09-05 16:52:25 CEST
... echo tag: ::ffff:
... load blockfile: /etc/hosts.allow
... found both markers, count of hosts being watched: 3
... loading log file, offset: /var/log/auth.log 4018
... loading log file, offset: /var/log/proftpd/proftpd.log 12305
... will discard all host entries older than 2007-09-05 04:52:25 CEST
... updates: counts: hosts to block: 3; hosts being watched: 3
... no email to send.


Share this page:

6 Comment(s)

Add comment


From: Lindylex

I noticed that even when I set my limits to 3 some people could still try to login hundreds of times with ssh. You need to check all the ssh versions “sshd, sshd1, sshd2”.

In your “/etc/hosts.allow” file use the following, notice how I added sshd, sshd1 and sshd2. This caught all the ssh login attempts.

sshd, sshd1, sshd2: ALL: spawn /usr/bin/ --verbose --mail --ipblock=iptables \

--echo "%c-%s" --check-ip "%h" >> /var/log/blockhosts.log 2>&1 & \

: allow


Thanks, Lindylex


Good tutorial and the script works great.



If you use a newer version of BlockHosts, you will have to change /usr/local/sbin/blockhosts a bit.  Here's the new line:

/usr/bin/ --ipblock=iptables --verbose >> /var/log/blockhosts.log 2>&1

So replace "--iptables" with "--ipblock=iptables".

This worked for me on version 2.3.1.


From: lindylex

DizzyBum, thanks for that tip.

From: Anonymous

ubuntu guys watch out!

check your paths carefully they are slightly different :)

From: jonia

I am beginner, and my big error is in "/usr/local/sbin/blockhosts" script.

In FreeBSD script begining "#!/bin/sh........." , and on Debian beginin "#!/bin/bash..."

Finally, I saw where I was wrong, and run the script ...

Sorry, for my bad english...