Script to record how many times system services are being probed, using configurable pattern matching to recognize failed accesses (such as for "sshd" or "proftpd" or any service), and when a particular IP address exceeds a certain number of failed attempts, that IP address is blocked by using multiple techniques: using /etc/hosts.allow for services that support TCP_WRAPPERS, or by executing ip route commands to setup null-routing for that source host address, or by executing iptables commands to setup packet filtering to drop packets from a source host address.
Requires python version 2.3, and runs on Unix-like machines only.
Script is most suitable for home Linux users, who need to keep ssh/ftp ports or other services open, and need to block the script kiddies. With null-routing or packet filtering, any service can be protected, since those mechanisms block at the IP routing or packet filtering level. In that case, the only requirement is that failed accesses can be detected in some system log file.
Send comments, suggestions, bug reports by email.
Also available: BlockHosts Forum and BlockHosts FAQ.
Blocks IP addresses based on SSH or FTP incoming login failures, by looking at SSHD and ProFTPD logs, and updating hosts.allow as needed.
If you are a Linux user running an SSH server, it is likely that you have been probed by script kiddies, and your daily LogWatch emails will show 100-150 login attempts in a short interval, before they go away. OpenSSH has no option to slow down repeated login attempts coming from one IP address; logins occur at a pretty fast clip, one attempt every few seconds.
For a home or small business Linux user at least, it does not make sense to keep the door open for logins for so long. Use this script, and see the daily LogWatch email notifications now showing only 7-9 login attempts, with remote hosts starting to get "Refused incoming connection" messages. Then, reading the daily LogWatch emails is not terrifying at all; in fact, it may be fun to see these script kiddies get blocked!
blockhosts.py scans system logs, and looks for failed login attempts. It keeps a record of the number of times a particular IP address had a failed login. When the count exceeds a configured value, that IP address is added to /etc/hosts.allow with a deny flag, so the next time that IP address attempts to connect to that box, it will get a refused connection message. Optionally, null-routing or packet filtering can be used to block all communication from that IP address. The program also offers a way to provide email notification of the list of blocked as well as watched IP addresses, and a way to specify lists of whitelisted and blacklisted IP addresses and IP address patterns.
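As an added illustration of the counting and blocking logic just described (this is not blockhosts.py itself, which targets Python 2.3; it is a modern Python 3 sketch), the following scans constructed sshd/proftpd log lines, counts failures per source IP, exempts whitelisted networks, and produces the hosts.allow deny entries plus the equivalent null-route and iptables commands as strings. The threshold, whitelist and log lines are all made up for the example.

```python
import ipaddress
import re
from collections import Counter

# Failed-access patterns: the sshd one follows OpenSSH's syslog wording,
# the proftpd one is an assumed simplified form (BlockHosts makes these configurable).
FAILED_PATTERNS = [
    re.compile(r"sshd\[\d+\]: Failed password for .*? from (?P<ip>[\d.]+) port"),
    re.compile(r"proftpd\[\d+\]: .*no such user found from (?P<ip>[\d.]+)"),
]

# Constructed sample log; addresses are documentation/private ranges.
SAMPLE_LOG = """\
Mar  3 10:01:02 host sshd[2001]: Failed password for invalid user admin from 203.0.113.7 port 4021 ssh2
Mar  3 10:01:05 host sshd[2002]: Failed password for root from 203.0.113.7 port 4022 ssh2
Mar  3 10:01:09 host proftpd[3001]: USER oracle: no such user found from 203.0.113.7 [203.0.113.7] to 192.0.2.1:21
Mar  3 10:02:30 host sshd[2005]: Failed password for alice from 192.0.2.10 port 5000 ssh2
Mar  3 10:02:40 host sshd[2006]: Accepted password for alice from 192.0.2.10 port 5001 ssh2
Mar  3 10:03:00 host sshd[2007]: Failed password for bob from 10.0.0.5 port 6000 ssh2
Mar  3 10:03:01 host sshd[2008]: Failed password for bob from 10.0.0.5 port 6001 ssh2
Mar  3 10:03:02 host sshd[2009]: Failed password for bob from 10.0.0.5 port 6002 ssh2
"""

def count_failures(log_text):
    """Return a Counter of source IP -> number of failed-access lines matched."""
    counts = Counter()
    for line in log_text.splitlines():
        for pat in FAILED_PATTERNS:
            m = pat.search(line)
            if m:
                counts[m.group("ip")] += 1
                break
    return counts

def classify(counts, threshold, whitelist):
    """Split IPs into (blocked, watched); whitelisted networks are never listed."""
    nets = [ipaddress.ip_network(w) for w in whitelist]
    blocked, watched = [], []
    for ip, n in sorted(counts.items()):
        if any(ipaddress.ip_address(ip) in net for net in nets):
            continue
        (blocked if n >= threshold else watched).append(ip)
    return blocked, watched

def hosts_allow_lines(blocked):
    """TCP_WRAPPERS deny entries in hosts_options syntax, one per blocked IP."""
    return [f"ALL: {ip} : deny" for ip in blocked]

def block_commands(ip):
    """Null-route and packet-filter alternatives, returned as strings, not executed."""
    return {"route": f"ip route add blackhole {ip}",
            "iptables": f"iptables -I INPUT -s {ip} -j DROP"}
```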
Requirements:
For details on the program arguments and configuration, run the script with the --help option:
blockhosts.py --help
Update notifications: To get email notifications of new releases, use the facilities available at the freshmeat.net BlockHosts project page. Updates are not very frequent, may be weeks or months between releases.
Note: Version 1.0.5 did not originally include the noarch.rpm kit, see this forum posting for details: no rpm builds. A workaround was posted, and the kit was built using that workaround; no problems have been reported so far for any of the later releases.
This section contains pointers to tools and utilities developed by others for use with BlockHosts.
For any questions or comments on these utilities, please contact the original author of each of these tools.
From Kenneth Kline, a script to show intrusion attempts against a site, based on the contents of hosts.deny.
Uses the following:
Deny Hosts
Google Maps
GeoIP
[Sep 2007: links below not accessible for a long time - here's another link to a copy of the archive: hacker2loc.tar.gz ]
[Old links and info: For an example, see security.kennethkline.com/mashup/
Here is a build of the hackers2loc script:
hacker2loc.tar.gz. Additionally, to view the source (PHP) on-line: PHP source ]
It requires a little work to install properly. The README provides all the information that is necessary to get the additional pieces and to get it up and running.
The GeoLiteCity.dat file is updated from time to time, so it may be useful to set up a cron script to download it, untar it, and overwrite the existing DAT file, so that the GeoIP updates result in more accurate plots.
Perl script and the shtml file that create a report of blocked and watched hosts taken from the hosts.allow file, created by Steve Hammond.
Here's a screenshot of the reporter utility
Here are the files that can be used to create the report displayed above, bh-reporter.cgi and bh-reporter.shtml, in a ZIP archive.
This is a version that includes the changes listed in the comment "I've made some changes" below:
bh-reporter2.zip
Previous version:
bh-reporter1.zip
This script uses PHP and MySQL to create a web page that lists all the blocked hosts.
It uses an IP-to-country mapping table to show country flags.
To see this working visit tanchaz.hu/blockhosts/
That page also includes a link to download the software.