blockhosts.py

version: 1.0.4

usage: blockhosts.py [options]

Block IP Addresses based on information in system logs related to SSH/FTP
failures.
options:
  --version             show program's version number and exit
  -h, --help            show this help message and exit
  -q, --quiet           Be as quiet as possible - only print out error messages
  -v, --verbose         Be verbose - print errors, warnings, and info messages
  -g, --debug           Be chatty - print out debug level messages also
  --ignore-offset       Ignore last-processed offset, start processing from
                        beginning (False)
  --dry-run             Don't write the block file, just print out the blockhosts
                        section of the output block file to stdout instead
                        (False)

  Configuration Options:
    Hard-coded defaults can be overridden by the values in the config file
    - if it exists at /etc/blockhosts.cfg, and those values can be
    overridden by using the command-line options.  The current values are
    shown in () below. This program uses a section in the block file
    (/etc/hosts.allow) to store blockhosts data. This section is demarcated
    by two identical marker lines, with this text - without the quotes:
    "#---- BlockHosts Additions". Also see the "INSTALL" file in the
    blockhosts.py source package for a detailed example of the hosts.allow
    file
    --blockfile=FILE    Name of hosts-block-file to read/write
                        (/etc/hosts.allow)
    --logfiles=FILE1,FILE2,...
                        The names of log files to parse
                        ("/var/log/secure,/var/log/vsftpd.log")
    --block=BLOCK_SERVICES
                        Block these services - daemon_list in block file, see
                        'man hosts.allow' ("ALL")
    --blockcount=COUNT  Number of invalid tries allowed, before blocking host
                        (7).  Integer values only.
    --discard=AGE       Number of hours after which to discard record - if most
                        recent invalid attempt from IP address is older,
                        discard that host entry (12).  Integer values only.
    --lockfile=FILE     Prevent multiple instances from running - open this
                        file for locking and writing ("/tmp/blockhosts.lock")
    --echo=TAG          Prints TAG on stderr and syslog, may be used to
                        identify a run of blockhosts ()

DETAILS

    Automatic updates to hosts.allow to block IP addresses based on failed
    login accesses for ssh/ftp.
    
    The script records how many times "sshd" or "proftpd" is being attacked,
    and when a particular IP address exceeds a configured number of
    failed login attempts, that IP address is added to /etc/hosts.allow with
    a deny option to prohibit access.
    The script uses /etc/hosts.allow to store (in comments) the count
    of failed attempts, and the date of the last attempt, for each IP address.
    By default, hosts.allow is used, but the program can be configured to use any
    other file, including /etc/hosts.deny, as needed.
    IP addresses whose last attempt date has expired (the age is configurable)
    can be removed, to keep the /etc/hosts.allow size manageable.
    This script can be run as the optional command in /etc/hosts.allow
    itself, so it will kick off only when someone connects to sshd/proftpd;
    there is no need to use cron to run this script.
    
    TCP_WRAPPERS should be enabled for all services, which allows use of the
    hosts.allow file.
    hosts_options should also have been enabled, which requires the compile-time
    PROCESS_OPTIONS to be turned on. This allows extensions to the
    basic hosts.* file line format.  The extensible language supports lines
    of this format in /etc/hosts.allow:
        daemon_list : client_list : option : option ...
    See the man pages for hosts_options and hosts_access(5) for more
    information.
    
    Warnings:
    * Be sure to keep a backup of your initial hosts.allow (or hosts.deny)
      file, in case it gets overwritten due to an error in this script.
    * Do read up on the web topics related to security, denial-of-service,
      and IP-address spoofing.
      Visit the blockhosts home page for references.
    * This script handles IPv4 addresses only.
    
    Usage:
    For more info, run this program with --help option.
    
    The blockfile (hosts.allow, or if needed, hosts.deny) layout needs to
    have a certain format:
      Add following sections, in this order:
      -- permanent whitelist and blacklist of IP addresses
      -- blockhosts marker lines - two lines
      -- execute command to kick off blockhosts.py on connects to services
    
    See "man 5 hosts_access" and "man hosts_options" for more details on
    hosts.* files line formats.
    
    The two HOSTS_MARKER_LINEs define a section; this is the
    region where blockhosts will read/write IP blocking data in the
    hosts.allow file. It will use comments to store the bookkeeping data needed
    by this script in that section, too.
    Lines before and after the two HOSTS_MARKER_LINEs will be left unchanged
    in the hosts.allow file.
    
    See the "INSTALL" file in the blockhosts.py source package for a
    detailed example of the hosts.allow file.
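    As an added example (not the BlockHosts project's own code), here is a
    minimal Python 3 re-implementation of the bookkeeping described above: it
    counts ssh/ftp login failures per IPv4 address from log lines, merges them
    with the records kept as comments between the two marker lines, drops
    records older than the --discard age, writes a deny line once the
    --blockcount threshold is reached, and leaves everything outside the marker
    section untouched. The syslog-style sshd/vsftpd line formats, the "#bh:"
    comment layout, the sample block file (whitelist/blacklist, markers, spawn
    line) and the sample log lines are all assumptions constructed for this
    example; the real script's comment layout and spawn line are documented in
    its INSTALL file.

```python
"""Added example, not the BlockHosts project's code: per-IP failure counting
and rewriting of the "#---- BlockHosts Additions" section of a hosts.allow-style
text.  Log formats, "#bh:" comment layout and sample data are assumptions."""
import re
from datetime import datetime, timedelta

MARKER = "#---- BlockHosts Additions"
DATE_FMT = "%Y-%m-%d %H:%M:%S"

# Assumed syslog-style failure lines for sshd and vsftpd (IPv4 only, as in the
# original script).  Syslog timestamps carry no year, so the caller supplies it.
FAIL_PATTERNS = [
    re.compile(r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: '
               r'Failed password for .* from (?P<ip>\d+\.\d+\.\d+\.\d+)'),
    re.compile(r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ vsftpd\[\d+\]: '
               r'.*FAIL LOGIN: Client "(?P<ip>\d+\.\d+\.\d+\.\d+)"'),
]
# Assumed bookkeeping comment: "#bh: <ip> : <failure count> : <last attempt>"
BOOK_RE = re.compile(r"^#bh: (?P<ip>\S+) : (?P<count>\d+) : (?P<last>.+)$")


def parse_failures(lines, year):
    """Return {ip: (failure_count, last_attempt)} for the given log lines."""
    found = {}
    for line in lines:
        for pat in FAIL_PATTERNS:
            m = pat.match(line)
            if m:
                when = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
                count, last = found.get(m.group("ip"), (0, when))
                found[m.group("ip")] = (count + 1, max(last, when))
                break
    return found


def read_section(text):
    """Split the block file into (lines before, records, lines after) the two markers."""
    lines = text.splitlines()
    marks = [i for i, l in enumerate(lines) if l.strip() == MARKER]
    if len(marks) != 2:
        raise ValueError("expected exactly two marker lines, found %d" % len(marks))
    first, second = marks
    records = {}
    for l in lines[first + 1:second]:
        m = BOOK_RE.match(l)
        if m:
            records[m.group("ip")] = (int(m.group("count")),
                                      datetime.strptime(m.group("last"), DATE_FMT))
    return lines[:first], records, lines[second + 1:]


def update(text, log_lines, now, blockcount=7, discard_hours=12, services="ALL"):
    """Merge new failures into the marker section and return the rewritten text.

    Mirrors --blockcount, --discard and --block: an address gets a deny line once
    its count reaches blockcount; records whose last attempt is older than
    discard_hours are dropped; lines outside the markers are kept verbatim."""
    before, records, after = read_section(text)
    for ip, (n, last) in parse_failures(log_lines, now.year).items():
        old_n, old_last = records.get(ip, (0, last))
        records[ip] = (old_n + n, max(old_last, last))
    cutoff = now - timedelta(hours=discard_hours)
    records = {ip: v for ip, v in records.items() if v[1] >= cutoff}
    section = [MARKER]
    for ip in sorted(records):
        n, last = records[ip]
        section.append("#bh: %s : %d : %s" % (ip, n, last.strftime(DATE_FMT)))
        if n >= blockcount:
            section.append("%s: %s : deny" % (services, ip))
    section.append(MARKER)
    return "\n".join(before + section + after) + "\n"


def denied_ips(text):
    """Every address with a deny line, permanent blacklist included."""
    return sorted(m.group(1) for m in re.finditer(r"^\w+: (\S+) : deny$", text, re.M))


# Constructed block file: whitelist/blacklist, the two marker lines, then the
# spawn line that kicks off the script on each connect (layout as in the text).
SAMPLE_HOSTS = """\
# permanent whitelist and blacklist (never touched by the script)
ALL: 192.0.2.10 : allow
ALL: 198.51.100.7 : deny
#---- BlockHosts Additions
#bh: 203.0.113.5 : 5 : 2005-05-09 09:50:00
#bh: 203.0.113.9 : 2 : 2005-05-08 01:00:00
#---- BlockHosts Additions
sshd, vsftpd: ALL : spawn (/usr/bin/blockhosts.py --verbose >> /var/log/blockhosts.log 2>&1 )& : allow
"""
# Constructed log lines; the accepted login must not count as a failure.
SAMPLE_LOG = """\
May  9 10:15:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2
May  9 10:15:03 host sshd[1202]: Failed password for root from 203.0.113.5 port 40002 ssh2
May  9 10:16:10 host vsftpd[1300]: [ftp] FAIL LOGIN: Client "203.0.113.77"
May  9 10:16:12 host sshd[1203]: Accepted publickey for alice from 192.0.2.10 port 50000 ssh2
"""
NOW = datetime(2005, 5, 9, 10, 30, 0)

if __name__ == "__main__":
    # 203.0.113.5 reaches 7 and is denied; 203.0.113.9 is older than 12h and dropped.
    print(update(SAMPLE_HOSTS, SAMPLE_LOG.splitlines(), NOW), end="")
```

    Running the block rewrites only the region between the markers: the
    whitelist, the permanent blacklist and the spawn line survive unchanged,
    203.0.113.5 goes from 5 to 7 failures and receives an "ALL: ... : deny"
    line, the stale 203.0.113.9 record is discarded, and 203.0.113.77 is
    recorded with one failure but not yet blocked. The real script also tracks
    a last-processed log offset and a lock file against concurrent runs, which
    this example leaves out.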
    
    ====
    This script was inspired by: DenyHosts, which has been developed
    by Phil Schwartz: http://denyhosts.sourceforge.net/
    
    ====
    Requires python 2.3 minimum, many 2.3 modules/constructs used, such as
    datetime, optparse.
    
    ====
    BlockHosts Script License
    This work is hereby released into the Public Domain.
    To view a copy of the public domain dedication, visit
    http://creativecommons.org/licenses/publicdomain/ or send a letter to
    Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.
    
    Author: Avinash Chopde 
    Created: May 2005
    http://www.aczoom.com/cms/blockhosts/
    
    
See file INSTALL for installation instructions.

See file blockhosts.cfg for site configuration parameters.

Visit blockhosts home page and forum for details and discussions.