#-----------------------------------------------------------------------
# comments must begin in column 1, like this line.
# /etc/blockhosts.cfg : make it writeable only when you need to update
# this file, otherwise it should be read-only for everyone, for security.
# -- customized config file, copy this to /etc/blockhosts.cfg and change
# as needed. See comments for SSHD-Invalid in ALL_REGEXS below
# ----------------------------------------------------------------------
# BE CAREFUL UNCOMMENTING - if done incorrectly, blockhosts.py will not
# start up.
# The best way to uncomment is to just remove the single character #
# from the appropriate lines, and then edit the line as needed
# ----------------------------------------------------------------------
# This file is shipped with all assignments commented out, the default
# values are shown in the comments. To make changes, copy the assignment
# line you need to change, remove the # character from column 1, and
# provide the new value as needed. Follow python string/list/dict
# constant expression syntax, as shown in the commented lines. All strings
# should be enclosed with python-style quotes.
# python experts: note that the script uses eval() to parse all the
# values specified here. This is only acceptable because this file must
# not be editable by non-root users: blockhosts.py has to run with enough
# privilege to rewrite /etc/hosts.allow or /etc/hosts.deny (normally
# root), so anyone who can write this file can run arbitrary code with
# that privilege. Keep the file owned by root, mode 0644 (or 0600), and
# re-check ownership/permissions after every edit, e.g.:
#     chown root:root /etc/blockhosts.cfg ; chmod 0644 /etc/blockhosts.cfg
# If you still don't like eval(), feel free to remove this file; you can
# always provide most of the values listed below using command-line
# arguments.
[constants]
#HOSTS_BLOCKFILE = "/etc/hosts.allow"
#HOSTS_BLOCKFILE = "/etc/hosts.deny"
# the name of the block-file on your computer - usually hosts.allow or
# hosts.deny, see "man 5 hosts_access" for details on these files.
# Note that hosts_access(5) rules are only enforced by daemons that
# consult them (linked with libwrap, or started through tcpd); verify
# that the sshd/ftpd you are protecting actually honors them, otherwise
# an entry in this file blocks nothing.
# default is hosts.allow
#LOGFILES = [ "/var/log/secure", ]
#LOGFILES = [ "/var/log/auth.log", ]
#LOGFILES = [ "/var/log/secure", "/var/log/vsftpd.log", ]
# default list of logs to process, comma separated, can follow Python
# syntax, should be a sequence (list or tuple) of strings representing
# filenames: 1 or more files, default is single file: /var/log/secure
#COUNT_THRESHOLD = 7
# number of invalid attempts after which host is blocked
# note that actual denial may take one or more additional attempts - it
# depends on the timing of when LOGFILES are updated by the system, and
# when this script gets to run
#BLOCK_SERVICES = "ALL"
# this string is used as the "daemon_list" in hosts.deny for each blocked
# IP address
#AGE_THRESHOLD = 12
# number of hours after which a host entry is discarded from hosts.deny
# 24 -> one day, 168 -> one week, 720 -> 30 days, integer values only
# most attackers go away after they are blocked, so to keep the hosts.deny
# file size small, there is no reason to make this any more than, say,
# half-a-day
#LOCKFILE = "/tmp/blockhosts.lock"
# need create/write access to this file, used to make sure only one
# instance of this script runs at one time.
# SECURITY NOTE: /tmp is world-writable, so with the default path any
# local user can create /tmp/blockhosts.lock ahead of time, or make it a
# symlink. Depending on how blockhosts.py treats an existing lock, that
# can keep it from running at all (quietly disabling blocking) or make a
# privileged process follow the symlink. Prefer a directory only root
# can write to, for example:
#LOCKFILE = "/var/run/blockhosts.lock"
# ALL_REGEXS should not be changed, unless you test this thoroughly!
# Use this if you need to match some other lines in your system logfiles,
# other than for OpenSSH sshd, proftpd, and vsftpd, which are built-in.
# Each regexp must contain a named group (?P<host>...) that captures the
# IP address to block; no other named group is required.
# Use this if you need to match additional lines or services to block
# IP addresses based on lines in the system logs.
# The value for this is a python dictionary, key is a string to label the
# regular expression, choose any unique string, and value is the regular
# expression.
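# In the defaults below, the given keys match the following example lines:
# SSHD:
#Apr 20 12:34:30 hostname sshd[9701]: Failed password for invalid user patrick from 10.21.45.30 port 35993 ssh2
# no example for SSHD-Illegal, not seen with OpenSSH on Fedora FC3
# ProFTPD:
# May 29 22:38:10 hostname proftpd[28865]: hostname (10.0.0.1[10.0.0.1]) - USER validuser (Login failed): Incorrect password.
# May 29 22:40:20 hostname proftpd[28879]: hostname (10.0.0.1[10.0.0.1]) - USER aaa: no such user found from 10.0.0.1 [10.0.0.1] to 10.0.0.1:21
# May 30 07:31:55 hostname proftpd[1450]: hostname (10.0.0.1[10.0.0.1]) - SECURITY VIOLATION: root login attempted.
# VSFTPD:
# Fri Jan 21 15:56:57 2005 [pid 6726] [test] FAIL LOGIN: Client "10.204.30.15"
# BE CAREFUL UNCOMMENTING - if done incorrectly, blockhosts.py will not
# start up.
# The best way to uncomment is to just remove the single character #
# from the appropriate lines, and then edit the line as needed
# - make sure to uncomment the line:
#ALL_REGEXS = {
# - make sure each uncommented rule is in a single line (no line breaks)
# - if you add a rule, add an id for the rule - any string, like
#   "ProFTPD-NoUser" as key, and then the re.compile(...) as value.
#   This is a "dict" data structure from python.
# - each rule line should be indented identically - four spaces, then the
#   rule, for example, deleting the single # character below in all
#   example ALL_REGEXS lines will result in syntactically correct lines
# - make sure the ending brace is uncommented, remove # character:
# }
#
# Every rule MUST capture the client address in a named group called
# "host", written (?P<host>...). A bare "(?P...)" is not valid regexp
# syntax and re.compile() will refuse it, so blockhosts.py will not start.
# "host" is the only group name blockhosts.py needs; the other names used
# below (method, invalid, user) are descriptive labels only.
#
# Things to keep in mind when writing or trusting these rules:
# - the sshd rules take the address from the first " from N.N.N.N" that
#   follows a non-greedy match on the user name. The user name comes from
#   the remote client and is logged as sent, so a name crafted to contain
#   " from <ip>" could in principle cause a different address to be
#   blocked (possibly one of your own). If your sshd always logs
#   " port <n>" right after the address, extending the rules to require
#   it (e.g. "...\d{1,3}) port \d+") closes that off - test against your
#   own logs first.
# - only dotted-quad IPv4 addresses are matched (plus the ::ffff: IPv4-
#   mapped form). Clients connecting over native IPv6 are never counted
#   or blocked by these rules.
# - the ProFTPD rules take the address from the server-side
#   "hostname (host[addr])" field, not from client-supplied text.
ALL_REGEXS = {
    "SSHD-Fail": re.compile(r"""sshd\[\d+\]: Failed (?P<method>.*) for (?P<invalid>invalid user |illegal user )?(?P<user>.*?) from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"""),
    "SSHD-Illegal": re.compile(r"""sshd\[\d+\]: Illegal user (?P<user>.*?) from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"""),
# SSHD-Invalid and NotAllowed added based on comments from some users
# that they only see these messages in their logs, and don't see the
# SSHD-Fail message. This may cause double counting of some IP
# addresses, not sure about this though. Still, better to double
# count than to ignore an abusive IP address!
    "SSHD-Invalid": re.compile(r"""sshd\[\d+\]: Invalid user (?P<user>.*?) from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"""),
    "SSHD-NotAllowed": re.compile(r"""sshd\[\d+\]: User (?P<user>.*?) from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) not allowed"""),
    "ProFTPD-NoPassword": re.compile(r"""proftpd\[\d+\]: [^[]+\[(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}).+Login failed"""),
    "ProFTPD-NoUser": re.compile(r"""proftpd\[\d+\]: [^[]+\[(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}).+no such user"""),
    "ProFTPD-SecurityViolation": re.compile(r"""proftpd\[\d+\]: [^[]+\[(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}).+SECURITY VIOLATION"""),
    "VSFTPD-Fail": re.compile(r"""\[pid \d+\] \[(?P<user>.*)\] FAIL LOGIN: Client "(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"""),
}
#-----------------------------------------------------------------------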