AGE_THRESHOLD

I have set up AGE_THRESHOLD=1. Does it mean that after 1 hour the IP can access the server again?

However, I found that the IP is still being blocked. Any ideas?

Actual time is greater

That is the minimum time a host will be blocked. It will be unblocked the next time blockhosts.py runs. So, if a host is blocked and blockhosts.py does not run for the next 6 hours, the host won't be removed from the block list for 6 hours.

Thanks! Do I need a cron job

Thanks!

Do I need a cron job to run blockhosts.py? Or will it automatically run when a user accesses ftp or ssh, because I have put
in.proftpd: ALL : spawn /usr/bin/blockhosts.py --verbose --echo "%c-%s" --check-ip "%h" >> /var/log/blockhosts.log 2>&1 &: ALLOW

On the other hand, do I need to run logrotate on /var/log/secure, because the blocked IP still exists in the existing /var/log/secure file?

Look at log output

> Or will it automatically run when a user accesses ftp or ssh, because I have put ..
> in.proftpd: ALL : ...
Yes, it will automatically run when a user accesses in.proftpd, based on that line. I'm assuming you have another line for ssh? Otherwise only FTP will trigger blockhosts.
The example blockhosts.cfg uses:
sshd, proftpd, vsftpd: ALL: ....
which certainly will run when sshd, or proftpd, or vsftpd is invoked.

You can take a look at the /var/log/blockhosts.log to see when blockhosts was actually run - if you don't see it running when needed, that means either the hosts.allow config is not correct, or no one tried to connect to the server.
It can sometimes be difficult to figure out what names to put in hosts.allow. If the above does not work, then try running the command in cron also - but that will only help in cleanup of stale IPs.

As for /var/log/secure - that is a system file; there is usually no need to change any logrotate operations on it.

Blocked IP can't release

Sorry, I have re-tested and found that the IP is blocked after several unsuccessful attempts, but it is not released after the "AGE_THRESHOLD" period.

I have monitored /var/log/blockhosts.log and found that there is no logging of the IP after the IP is blocked. I guess the IP is already marked as DENY and it won't execute "spawn /usr/bin/blockhosts.py" under in.proftpd.

Any configuration wrong? Thanks for help!

Below is my hosts.allow config:

sshd: ALL : ALLOW
in.proftpd: 11.11.11.11 127.0.0.1 : ALLOW
#---- BlockHosts Additions
ALL: 203.218.211.161 : deny

#bh: ip: 203.218.211.161 : 23 : 2010-04-25 17:47:35 HKT

#bh: logfile: /var/log/secure
#bh: offset: 7156

#---- BlockHosts Additions
in.proftpd: ALL : spawn /usr/bin/blockhosts.py \
--verbose \
--echo "%c-%s" --check-ip "%h" >> /var/log/blockhosts.log 2>&1 &: ALLOW
ALL : ALL : DENY

My /etc/blockhosts.cfg
COUNT_THRESHOLD = 7
AGE_THRESHOLD = 1

FTP should be released...

Config looks ok - assuming only FTP needs to be blocked (the config allows all SSH connections through - they will never be blocked).

Since it did block the FTP from the .161 address, it should unblock it. It will unblock only if someone connects to FTP again after 1 hour, and from some address that is not 11.11.11.11 or 127.0.0.1 or 203.218.211.161 - if only one of these addresses is trying FTP, it will never be unblocked.

If that is the case, then the option of running cron every hour, just for cleanup, will work.

ssh connections will never run blockhosts, given above config.
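The two answers above (the "minimum time" explanation and the "it only unblocks when blockhosts runs" explanation) both come down to tcp_wrappers' first-match rule order plus the fact that blockhosts.py only does its cleanup when it is actually invoked. The following is an added example, not code from the BlockHosts project or from this thread: a small Python model of the poster's hosts.allow and of the AGE_THRESHOLD expiry rule. The rule list, the timestamps, the client address 198.51.100.7 and the "cron" pseudo-events are constructed for illustration; the matching logic is a simplification of tcp_wrappers (exact tokens and ALL only, no netmasks or hostnames, time zone ignored).

```python
"""Added example (not part of BlockHosts or the thread above): model why a
host on the BlockHosts deny line never reaches the 'spawn blockhosts.py'
rule, and why an hourly cron run is what actually releases it after
AGE_THRESHOLD. All inputs below are constructed."""
from datetime import datetime, timedelta

AGE_THRESHOLD_HOURS = 1  # from the poster's /etc/blockhosts.cfg


def rules(blocked):
    """Rebuild the poster's hosts.allow in evaluation order, with one
    'ALL: <ip> : DENY' line per currently blocked address (the lines
    BlockHosts writes between its '#---- BlockHosts Additions' markers)."""
    return ([("sshd", "ALL", "ALLOW"),
             ("in.proftpd", "11.11.11.11 127.0.0.1", "ALLOW")]
            + [("ALL", ip, "DENY") for ip in sorted(blocked)]
            + [("in.proftpd", "ALL", "ALLOW+SPAWN"),  # spawns blockhosts.py
               ("ALL", "ALL", "DENY")])


def matches(pattern, value):
    """Simplified tcp_wrappers list match: 'ALL' or an exact token."""
    return pattern == "ALL" or value in pattern.split()


def evaluate(daemon, client, blocked):
    """First matching rule wins; nothing after it is consulted."""
    for daemons, clients, action in rules(blocked):
        if matches(daemons, daemon) and matches(clients, client):
            return action
    return "DENY"


def expire(blocked, now):
    """What a blockhosts.py run does: drop entries older than AGE_THRESHOLD.
    Entries younger than the threshold survive, so it is a minimum block time."""
    cutoff = now - timedelta(hours=AGE_THRESHOLD_HOURS)
    return {ip: at for ip, at in blocked.items() if at > cutoff}


def replay(blocked, events):
    """Replay (time, daemon, client) events in order. daemon == 'cron' stands
    for a scheduled blockhosts.py run. Returns a list of
    (client, action, blocked_addresses_after_event) tuples."""
    blocked = dict(blocked)
    out = []
    for when, daemon, client in events:
        if daemon == "cron":
            blocked = expire(blocked, when)
            out.append(("cron", "RUN", tuple(sorted(blocked))))
            continue
        action = evaluate(daemon, client, blocked)
        if action == "ALLOW+SPAWN":      # only here does blockhosts.py run
            blocked = expire(blocked, when)
        out.append((client, action, tuple(sorted(blocked))))
    return out


# Constructed state: the '#bh: ip:' line from the poster's hosts.allow.
BLOCKED = {"203.218.211.161": datetime(2010, 4, 25, 17, 47, 35)}


def t(hour, minute):
    return datetime(2010, 4, 25, hour, minute)


# Without cron: the blocked host retries after more than an hour, then the
# whitelisted admin host and an ssh client connect; none of them reach the
# spawn line, so the block stays until an unrelated FTP client triggers it.
EVENTS_NO_CRON = [
    (t(19, 0), "in.proftpd", "203.218.211.161"),
    (t(19, 5), "in.proftpd", "11.11.11.11"),
    (t(19, 10), "sshd", "198.51.100.7"),
    (t(19, 15), "in.proftpd", "198.51.100.7"),
]

# With an hourly cron run: 18:00 is only 12 minutes after the block, so the
# entry survives; 19:00 is past AGE_THRESHOLD, so it is released.
EVENTS_CRON = [
    (t(18, 0), "cron", ""),
    (t(19, 0), "cron", ""),
    (t(19, 0), "in.proftpd", "203.218.211.161"),
]

if __name__ == "__main__":
    for label, events in (("no cron", EVENTS_NO_CRON), ("hourly cron", EVENTS_CRON)):
        print(label)
        for client, action, still_blocked in replay(BLOCKED, events):
            print(f"  {client:16} {action:12} blocked={list(still_blocked)}")
```

The model reproduces the maintainer's point: with the poster's rules, a connection from 203.218.211.161, from 11.11.11.11, from 127.0.0.1, or to sshd never executes the spawn line, so blockhosts.py never gets a chance to expire the entry. A scheduled run removes that dependency; the thread suggests cron for exactly this cleanup, using the same blockhosts.py invocation as the spawn line (consult the BlockHosts documentation for the options appropriate to a non-spawned run).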