Blockhost 2.0.6

Hello Mr. Avinash

I have configured blockhost 2.0.6, it's working pretty well, hats off to your work. Can you do a small enhancement

in hosts.allow

1) We would like to know which service the attack is on; can we ask blockhosts.py to write the log per service for each individual IP?

with regards
Chandra shaker
dchandrashaker@gmail.com

not clear if that is possible

Not entirely sure about the question - but if you are asking for blockhosts to log info on what service triggered it, and you are using TCP WRAPPERS, i.e., hosts.allow and not cron runs, you can use the %c and %s hosts.allow tags to print out the service by adding them to the blockhosts.py command line. For example, in hosts.allow, if you have this command:

sshd, proftpd, vsftpd: ALL: spawn /usr/bin/blockhosts.py --verbose \
     --mail --iptables \
     --whitelist="127\..*" \
     --echo "%c-%s" --check-ip "%h" >> /var/log/blockhosts.log 2>&1 & \
: allow

This prints lines like this in blockhosts.log:

 ... echo tag: ::ffff:10.245.140.155-sshd@::ffff:10.0.0.15

But if you are looking for general log scanning utilities, look into the daily reports from Logwatch; it analyses logs and reports, to some extent, on who attacked which service.
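The "echo tag" lines produced by the --echo "%c-%s" form above already carry the client address and the daemon name, so a small script can give the per-service, per-IP view that was asked for. This is an added example, not part of blockhosts; the sample log lines are constructed in the format the reply shows, and the "final counts" line stands in for other blockhosts output that must be ignored.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of blockhosts.log output in the "echo tag" format shown
# above (%c = client, %s = daemon@server); not real traffic.
SAMPLE_LOG = """\
 ... echo tag: ::ffff:10.245.140.155-sshd@::ffff:10.0.0.15
 ... echo tag: ::ffff:10.245.140.155-sshd@::ffff:10.0.0.15
 ... echo tag: ::ffff:10.245.140.155-proftpd@::ffff:10.0.0.15
 ... echo tag: 192.0.2.77-vsftpd@10.0.0.15
 ... final counts: blocking 0, watching 1
"""

# %c may come as an IPv4-mapped IPv6 address (::ffff:a.b.c.d); strip that
# prefix so the same client is counted under one key.  The "-" between the
# client and the service is the separator chosen in the --echo format.
ECHO_TAG = re.compile(
    r"echo tag: (?:::ffff:)?(?P<client>\d{1,3}(?:\.\d{1,3}){3})"
    r"-(?P<service>[\w.-]+)@(?:::ffff:)?(?P<server>\d{1,3}(?:\.\d{1,3}){3})"
)

def tally_by_service(log_text):
    """Return {service: Counter({client_ip: hits})} from echo-tag lines."""
    per_service = defaultdict(Counter)
    for line in log_text.splitlines():
        m = ECHO_TAG.search(line)
        if m is None:
            continue  # other blockhosts output, e.g. "final counts"
        per_service[m.group("service")][m.group("client")] += 1
    return per_service

if __name__ == "__main__":
    for service, hits in sorted(tally_by_service(SAMPLE_LOG).items()):
        for ip, n in hits.most_common():
            print(f"{service:8s} {ip:16s} {n}")
```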

Req for enhancements in blockhost 2.0.6

Hi thanks for reply

Right now blockhost is denying an IP for all services if a login from that IP failed for one service.

Enhancement 1 :-)
But can we deny the IP at service level instead of ALL (sshd: 192.168.1.1 : deny)?

Enhancement 2 :-)

In the #bh: ip: line we are including the IP of the attacker; can we include the service name on which the attack happened?

Here I am just taking an example to make it easier:

#---- BlockHosts Additions
vsftpd: 192.168.1.3, 192.168.1.4, 192.168.1.5 : deny
sshd: 192.168.2.1,192.168.2.2 : deny

#bh: ip: 192.168.2.1 :sshd: 24 : 2007-10-16 12:40:05 EDT
#---- BlockHosts Additions

with regards

Chandra Shaker.D

what if...

What if the same IP address is attacking both FTP and SSHD, so the logs contain failure lines for both? This would require blockhosts to keep track of each failure based on the service - that is a lot of code, but I'm not sure about the value.

Is there a specific reason why this feature would be useful? The presumption is that if some IP address is probing your computer for any service, it is best to just block all service access.

If you need this for just one service, then you can configure blockhosts today to do what you need: edit blockhosts.cfg and change the definition of HOST_BLOCKLINE, which by default uses ALL for blocking services; you can change that to sshd, for example. But only one such service can be handled. Also change the patterns to only look for sshd failures.

need regex to protect sendmail and qmail

Hi Avinash

Can you help me in writing the regex for sendmail and qmail?

Here are the log lines I have for sendmail:

Oct 16 09:58:49 www1 sendmail[2720]: l9GDwVCJ002720: ruleset=check_rcpt, arg1=, relay=[203.169.142.38], reject=550 5.7.1 ... Relaying denied. IP name lookup failed [203.169.142.38]
Oct 16 09:58:49 www1 sendmail[2720]: l9GDwVCJ002720: ruleset=check_rcpt, arg1=, relay=[203.169.142.38], reject=550 5.7.1 ... Relaying denied. IP name lookup failed [203.169.142.38]

Here is the log for qmail:
Oct 18 13:07:00 mail1 qmail: 1192727220.128880 delivery 977: failure: 60.37.40.7 _does_not_like_recipient./Remote_host_said:_554_5.7.1_:_Recipient_address_rejected:_Access_denied/Giving_up_on_60.37.40.7./
Oct 18 13:07:56 mail1 qmail: 1192727276.045348 delivery 976: failure: 60.37.40.6 _does_not_like_recipient./Remote_host_said:_554_5.7.1_:_Recipient_address_rejected:_Access_denied/Giving_up_on_60.37.40.6./

I tried to do some regex, but got defeated hands down... :-)

chandra

use the kodos program to experiment on regex

See the FAQ for some tips on how to generate regular expressions -
How to add new patterns to protect additional services.

Here are the patterns for the above comment:

    "Sendmail-Relay": r"""^[^[]+?sendmail\[\d+\]:.*? Relaying denied. IP name lookup failed \[(ffff:)?(?P<IP>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\]\s*$""",
    "Qmail-Reject": r"""^[^[]+?qmail:.*?:_Recipient_address_rejected:_Access_denied/Giving_up_on_(ffff:)?(?P<IP>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\./\s*$""",
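Before dropping new patterns into blockhosts.cfg it is worth running them against the posted log lines and against a benign line that must not match, since a pattern that matches a normal delivery would block a legitimate peer. This is an added check, not blockhosts' own code; it assumes the named group is called IP, and the last sample line is constructed.

```python
import re

# The two patterns from the comment above; the attacker address is exposed
# through the named group IP (group name assumed).
PATTERNS = {
    "Sendmail-Relay": r"""^[^[]+?sendmail\[\d+\]:.*? Relaying denied. IP name lookup failed \[(ffff:)?(?P<IP>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\]\s*$""",
    "Qmail-Reject": r"""^[^[]+?qmail:.*?:_Recipient_address_rejected:_Access_denied/Giving_up_on_(ffff:)?(?P<IP>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\./\s*$""",
}

# The four lines posted above, plus one constructed benign sendmail delivery
# line that must NOT match.
SAMPLE_LOG = """\
Oct 16 09:58:49 www1 sendmail[2720]: l9GDwVCJ002720: ruleset=check_rcpt, arg1=, relay=[203.169.142.38], reject=550 5.7.1 ... Relaying denied. IP name lookup failed [203.169.142.38]
Oct 16 09:58:49 www1 sendmail[2720]: l9GDwVCJ002720: ruleset=check_rcpt, arg1=, relay=[203.169.142.38], reject=550 5.7.1 ... Relaying denied. IP name lookup failed [203.169.142.38]
Oct 18 13:07:00 mail1 qmail: 1192727220.128880 delivery 977: failure: 60.37.40.7 _does_not_like_recipient./Remote_host_said:_554_5.7.1_:_Recipient_address_rejected:_Access_denied/Giving_up_on_60.37.40.7./
Oct 18 13:07:56 mail1 qmail: 1192727276.045348 delivery 976: failure: 60.37.40.6 _does_not_like_recipient./Remote_host_said:_554_5.7.1_:_Recipient_address_rejected:_Access_denied/Giving_up_on_60.37.40.6./
Oct 16 10:02:11 www1 sendmail[2731]: l9GE2BAB002731: to=<user@example.com>, delay=00:00:01, stat=Sent (constructed benign line)
"""

def scan_log(text, patterns=PATTERNS):
    """Return [(pattern_name, ip)] for each line matched by one pattern."""
    compiled = {name: re.compile(rx) for name, rx in patterns.items()}
    hits = []
    for line in text.splitlines():
        for name, rx in compiled.items():
            m = rx.match(line)
            if m is not None:
                hits.append((name, m.group("IP")))
                break  # one pattern per line is enough
    return hits

def failures_per_ip(text, patterns=PATTERNS):
    """Count matches per IP; this is the number compared against the block threshold."""
    counts = {}
    for _, ip in scan_log(text, patterns):
        counts[ip] = counts.get(ip, 0) + 1
    return counts

if __name__ == "__main__":
    for name, ip in scan_log(SAMPLE_LOG):
        print(f"{name:15s} {ip}")
    print(failures_per_ip(SAMPLE_LOG))
```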

blockhost + timezone change

Hi

When the time zone changed from EDT to EST, blockhost was unable to handle this and gave an error saying the time and date in hosts.allow are not valid, hence it cannot run further.

So I emptied the entries between the two Blockhost****** lines and ran blockhost.py.

Can we add this timezone handling before March 9th 2008? As you know, the timezone changes again on this date.

Thank you
Chandra Shaker.D

blockhosts + timechange - works in test, any more logs?

On the time zone change failure to read the time from the hosts files, can you provide more info - if by chance you have log lines, it would help.

I checked one server that is running blockhosts, and it seems to have run just fine this Sunday through the Daylight Savings to Standard time transition. For example, I see these log lines (run with --verbose):

....
 ... discarding all host entries older than  2007-11-03 19:35:10 EDT
  removed expired host:    10.55.40.75  HostData(8, 1194130885.0)
...
...
 ... discarding all host entries older than  2007-11-04 02:21:11 EST
  removed expired host:   10.34.32.250  HostData(8, 1194149097.0)
  removed expired host:   10.182.206.19  HostData(8, 1194136202.0)
...

Internally, blockhosts uses time/mktime routines. Would need more data to do anything about this, though, since it works fine on the test systems. There may be an issue in %Z handling - if you copy a hosts.allow from a place that uses a different TZNAME, the date parsing may fail - for example, on Fedora FC7 on the East Coast USA, if I change EST or EDT to PST in the blockfile, the Python strptime routine used by blockhosts.py fails to parse it correctly. Is this or a similar situation occurring in your case?

Use blockhosts 2.1.2+

The latest blockhosts - 2.1.2 (or newer) now handles invalid time zone (or invalid time strings) in the blockfile (/etc/hosts.allow). So, for example if "2007-11-03 19:35:10 MST" fails to parse using python's strptime() on a particular machine, blockhosts.py will now reset the clock for that IP address to time of "now", instead of causing a fatal error and exiting.

This is a case that should never happen on a system where the blockfile was filled in by the blockhosts.py running on that system - but it may happen if the blockfile is copied from another system, most likely with a different time zone.

Blockhost + timechange - logs

Hi

Here are my logs. As you can see, blockhost was working fine till Nov 4 01:37:39 and then it went weird until I noticed it in my log alerts; this went on till Nov 4 02:05:37, almost 90 min. Here you see only a 30 min difference, as you know the time went back 1 hr. I am unable to show the exact messages I got in hosts.allow, as I have removed the content between the blockhost lines and saved it.

Nov 4 01:24:54 www1 blockhosts: final counts: blocking 0, watching 1
Nov 4 01:26:25 www1 blockhosts: final counts: blocking 0, watching 1
Nov 4 01:29:48 www1 blockhosts: final counts: blocking 0, watching 1
Nov 4 01:35:27 www1 blockhosts: final counts: blocking 0, watching 1
Nov 4 01:37:39 www1 blockhosts: reading date or count for ip: time data did not match format: data=2007-11-03 22:33:22 EDT fmt=%Y-%m-%d %H:%M:%S %Z
Nov 4 01:37:39 www1 blockhosts: Failed to load blockfile - block-file marker error Expected two marker lines in the file, somewhere in the middle of the file: #---- BlockHosts Additions #---- BlockHosts Additions
Nov 4 01:37:39 www1 blockhosts: reading date or count for ip: time data did not match format: data=2007-11-03 22:33:22 EDT fmt=%Y-%m-%d %H:%M:%S %Z
Nov 4 01:37:39 www1 blockhosts: Failed to load blockfile - block-file marker error Expected two marker lines in the file, somewhere in the middle of the file: #---- BlockHosts Additions #---- BlockHosts Additions
Nov 4 01:37:39 www1 blockhosts: reading date or count for ip: time data did not match format: data=2007-11-03 22:33:22 EDT fmt=%Y-%m-%d %H:%M:%S %Z
Nov 4 01:37:39 www1 blockhosts: Failed to load blockfile - block-file marker error Expected two marker lines in the file, somewhere in the middle of the file: #---- BlockHosts Additions #---- BlockHosts Additions
Nov 4 01:37:56 www1 blockhosts: reading date or count for ip: time data did not match format: data=2007-11-03 22:33:22 EDT fmt=%Y-%m-%d %H:%M:%S %Z
Nov 4 01:37:56 www1 blockhosts: Failed to load blockfile - block-file marker error Expected two marker lines in the file, somewhere in the middle of the file: #---- BlockHosts Additions #---- BlockHosts Additions
Nov 4 01:37:56 www1 blockhosts: reading date or count for ip: time data did not match format: data=2007-11-03 22:33:22 EDT fmt=%Y-%m-%d %H:%M:%S %Z
Nov 4 01:37:56 www1 blockhosts: Failed to load blockfile - block-file marker error Expected two marker lines in the file, somewhere in the middle of the file: #---- BlockHosts Additions #---- BlockHosts Additions
Nov 4 01:37:56 www1 blockhosts: reading date or count for ip: time data did not match format: data=2007-11-03 22:33:22 EDT fmt=%Y-%m-%d %H:%M:%S %Z
Nov 4 01:37:56 www1 blockhosts: Failed to load blockfile - block-file marker error Expected two marker lines in the file, somewhere in the middle of the file: #---- BlockHosts Additions #---- BlockHosts Additions
Nov 4 01:40:00 www1 blockhosts: reading date or count for ip: time data did not match format: data=2007-11-03 22:33:22 EDT fmt=%Y-%m-%d %H:%M:%S %Z
Nov 4 01:40:00 www1 blockhosts: Failed to load blockfile - block-file marker error Expected two marker lines in the file, somewhere in the middle of the file: #---- BlockHosts Additions #---- BlockHosts Additions
Nov 4 01:40:00 www1 blockhosts: reading date or count for ip: time data did not match format: data=2007-11-03 22:33:22 EDT fmt=%Y-%m-%d %H:%M:%S %Z
Nov 4 01:40:00 www1 blockhosts: Failed to load blockfile - block-file marker error Expected two marker lines in the file, somewhere in the middle of the file: #---- BlockHosts Additions #---- BlockHosts Additions
Nov 4 01:40:00 www1 blockhosts: reading date or count for ip: time data did not match format: data=2007-11-03 22:33:22 EDT fmt=%Y-%m-%d %H:%M:%S %Z
Nov 4 01:40:00 www1 blockhosts: Failed to load blockfile - block-file marker error Expected two marker lines in the file, somewhere in the middle of the file: #---- BlockHosts Additions #---- BlockHosts Additions
Nov 4 01:40:49 www1 blockhosts: reading date or count for ip: time data did not match format: data=2007-11-03 22:33:22 EDT fmt=%Y-%m-%d %H:%M:%S %Z
Nov 4 01:40:49 www1 blockhosts: Failed to load blockfile - block-file marker error Expected two marker lines in the file, somewhere in the middle of the file: #---- BlockHosts Additions #---- BlockHosts Additions
Nov 4 01:40:49 www1 blockhosts: reading date or count for ip: time data did not match format: data=2007-11-03 22:33:22 EDT fmt=%Y-%m-%d %H:%M:%S %Z
Nov 4 01:40:49 www1 blockhosts: Failed to load blockfile - block-file marker error Expected two marker lines in the file, somewhere in the middle of the file: #---- BlockHosts Additions #---- BlockHosts Additions
Nov 4 01:40:49 www1 blockhosts: reading date or count for ip: time data did not match format: data=2007-11-03 22:33:22 EDT fmt=%Y-%m-%d %H:%M:%S %Z
Nov 4 01:40:49 www1 blockhosts: Failed to load blockfile - block-file marker error Expected two marker lines in the file, somewhere in the middle of the file: #---- BlockHosts Additions #---- BlockHosts Additions
Nov 4 01:41:21 www1 blockhosts: reading date or count for ip: time data did not match format: data=2007-11-03 22:33:22 EDT fmt=%Y-%m-%d %H:%M:%S %Z
Nov 4 01:41:21 www1 blockhosts: Failed to load blockfile - block-file marker error Expected two marker lines in the file, somewhere in the middle of the file: #---- BlockHosts Additions #---- BlockHosts Additions
Nov 4 01:41:21 www1 blockhosts: reading date or count for ip: time data did not match format: data=2007-11-03 22:33:22 EDT fmt=%Y-%m-%d %H:%M:%S %Z
Nov 4 01:41:21 www1 blockhosts: Failed to load blockfile - block-file marker error Expected two marker lines in the file, somewhere in the middle of the fi
:
.....................................................this went on till

Nov 4 02:01:44 www1 blockhosts: Failed to load blockfile - block-file marker error Expected two marker lines in the file, somewhere in the middle of the file: #---- BlockHosts Additions #---- BlockHosts Additions
Nov 4 02:01:44 www1 blockhosts: reading date or count for ip: time data did not match format: data=2007-11-03 22:33:22 EDT fmt=%Y-%m-%d %H:%M:%S %Z
Nov 4 02:01:44 www1 blockhosts: Failed to load blockfile - block-file marker error Expected two marker lines in the file, somewhere in the middle of the file: #---- BlockHosts Additions #---- BlockHosts Additions
Nov 4 02:01:44 www1 blockhosts: reading date or count for ip: time data did not match format: data=2007-11-03 22:33:22 EDT fmt=%Y-%m-%d %H:%M:%S %Z
Nov 4 02:01:44 www1 blockhosts: Failed to load blockfile - block-file marker error Expected two marker lines in the file, somewhere in the middle of the file: #---- BlockHosts Additions #---- BlockHosts Additions
Nov 4 02:02:24 www1 blockhosts: reading date or count for ip: time data did not match format: data=2007-11-03 22:33:22 EDT fmt=%Y-%m-%d %H:%M:%S %Z
Nov 4 02:02:24 www1 blockhosts: Failed to load blockfile - block-file marker error Expected two marker lines in the file, somewhere in the middle of the file: #---- BlockHosts Additions #---- BlockHosts Additions
Nov 4 02:04:29 www1 blockhosts: reading date or count for ip: time data did not match format: data=2007-11-03 22:33:22 EDT fmt=%Y-%m-%d %H:%M:%S %Z
Nov 4 02:04:29 www1 blockhosts: Failed to load blockfile - block-file marker error Expected two marker lines in the file, somewhere in the middle of the file: #---- BlockHosts Additions #---- BlockHosts Additions
Nov 4 02:05:37 www1 blockhosts: final counts: blocking 0, watching 0
Nov 4 02:06:57 www1 blockhosts: final counts: blocking 0, watching 0
Nov 4 02:08:19 www1 blockhosts: final counts: blocking 0, watching 0
Nov 4 02:10:00 www1 blockhosts: final counts: blocking 0, watching 0
Nov 4 02:11:09 www1 blockhosts: final counts: blocking 0, watching 0
Nov 4 02:15:34 www1 blockhosts: final counts: blocking 0, watching 0
Nov 4 02:20:00 www1 blockhosts: final counts: blocking 0, watching 0

Thank you
Chandra

Thanks - 2.1.2 should handle this

BlockHosts version 2.1.2 should handle the case above - it will not error out if Python's strptime fails, as shown in the log above.

Not sure about the root cause though - all I can think of is that for some reason Python was unable to parse the EDT word when the system switched to EST - but I have seen this work fine on Fedora FC7.

If you have some time to dig more into this, try these two commands in your python interpreter - start the python command, and at the >>> prompt, type these commands - the first two should run without errors, and print out the (2007, ....) lines. If the first one errors out, then it shows a problem in the Python install on your system. The third one uses an invalid time zone XXX, so it will throw an error, as shown.
If both work, then we are back to the mystery - no root cause identified yet.

$ python
>>> import time
>>> time.strptime("2007-11-03 22:33:22 EDT", "%Y-%m-%d %H:%M:%S %Z")
(2007, 11, 3, 22, 33, 22, 5, 307, 1)
>>> time.strptime("2007-11-03 22:33:22 EST", "%Y-%m-%d %H:%M:%S %Z")
(2007, 11, 3, 22, 33, 22, 5, 307, 0)
>>> time.strptime("2007-11-03 22:33:22 XXX", "%Y-%m-%d %H:%M:%S %Z")
Traceback (most recent call last):
  File "", line 1, in 
  File "/usr/lib/python2.5/_strptime.py", line 310, in strptime
    (data_string, format))
ValueError: time data did not match format:  data=2007-11-03 22:33:22 XXX  fmt=%Y-%m-%d %H:%M:%S %Z
>>> exit()
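The strptime behaviour discussed above is that %Z only accepts the zone names the parsing machine itself uses (time.tzname) plus UTC/GMT, which is why a stamp written under one zone name can stop parsing later. The added example below, not blockhosts' own code, lists the names accepted locally and shows the 2.1.2 style recovery described above, resetting an unparseable entry to "now" instead of aborting (assumed as a stand-in for the real implementation).

```python
import time

BLOCK_TIME_FMT = "%Y-%m-%d %H:%M:%S %Z"   # format of the "#bh: ip:" stamps

def accepted_zone_names():
    """Zone names strptime accepts for %Z on this machine (case-insensitive).

    Python builds the %Z matcher from time.tzname plus UTC and GMT, so a stamp
    written as EDT parses only where the local zone actually uses that name.
    """
    return {"UTC", "GMT", *time.tzname}

def parse_block_time(text, now=None):
    """Return (epoch_seconds, parsed_ok) for one blockfile timestamp.

    On ValueError the entry is reset to "now" instead of raising, mirroring
    the 2.1.2 behaviour described above (assumed stand-in, not the real code).
    """
    if now is None:
        now = time.time()
    try:
        return time.mktime(time.strptime(text, BLOCK_TIME_FMT)), True
    except ValueError:
        return now, False

if __name__ == "__main__":
    print("accepted %Z names here:", sorted(accepted_zone_names()))
    for stamp in ("2007-11-03 22:33:22 EDT", "2007-11-03 22:33:22 EST",
                  "2007-11-03 22:33:22 XXX"):
        epoch, ok = parse_block_time(stamp, now=0.0)
        print(f"{stamp}: {'parsed' if ok else 'reset to now'} -> {epoch}")
```

Run it on the affected server: if EDT is missing from the accepted names there, that is the direct cause of the "time data did not match format" lines in the log.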

timezone issue

Hi

Here are my tests on my servers; no command has worked. I have tried on different servers, but the answer is fail.

I have changed the time and date to the time I am working, but the answer is null.
Can you guide me?

python
Python 2.5.1 (r251:54863, Oct 11 2007, 16:13:34)
[GCC 3.2.2 20030222 (Red Hat Linux 3.2.2-5)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import time
>>> time.strptime("2007-11-03 22:33:22 EDT", "%Y-%m-%d %H:%M:%S %Z")(2007, 11, 3, 22, 33, 22, 5, 307, 1)
Traceback (most recent call last):
File "", line 1, in
File "/usr/local/lib/python2.5/_strptime.py", line 331, in strptime
(data_string, format))
ValueError: time data did not match format: data=2007-11-03 22:33:22 EDT fmt=%Y-%m-%d %H:%M:%S %Z
>>> time.strptime("2007-11-03 22:33:22 EST", "%Y-%m-%d %H:%M:%S %Z")(2007, 11, 3, 22, 33, 22, 5, 307, 0)
Traceback (most recent call last):
File "", line 1, in
TypeError: 'time.struct_time' object is not callable
>>> time.strptime("2007-11-13 12:23:22 EST", "%Y-%m-%d %H:%M:%S %Z")(2007, 11, 13, 12, 23, 22, 5, 307, 0)
Traceback (most recent call last):
File "", line 1, in
TypeError: 'time.struct_time' object is not callable
>>>

Thank you