Tools - Sub Categories

Show blocked hosts on web

This script uses PHP and MySQL to create a web page that lists all the blocked hosts.

It uses a IP to country mapping table to show country flags.

To see this working visit

That page also includes a link to download the software.

Video recording, editing, creating DVD

Nothing like fiddling with MPEG packets on a rainy Saturday afternoon!

This post will be periodically updated, until a reasonably easy, scripted list of steps is documented, on how to make a DVD out of video recorded on a Linux system.

TV Receiver and MPEG2 Encoder: Hauppauge WinTV-PVR-150 (MCE Editon)
This is supposed to be for Windows Media Center Edition only, so will not install on any other Windows operating systems, but works fine on a Linux computer! There is something amazing about that sentence - will not work on Windows, works on Linux! How far has Linux come...

Software: dvdauthor, avidemux2, mkisofs, growisofs, ivtv-drivers, xine, etc
And running on a Fedora FC5 Linux system.

The goals of the steps are to use scripts to save MPEG encoded video, and then perform simple editing - cut out portions not needed, and create a simple DVD structure. Avoid transcoding of video - sure, it is technically possible to get lower bit rates from higher bit rate video, but the quality reduction using transcoding is pretty drastic (possibly because it is very complex with many possible ways to do this), so best to capture at rates desired, and make sure no intermediate step involves transcoding.


  1. Record video as needed, using the script shown elsewhere here - copy video for given duration. In the scheduled command, use ivtvctl commands to set bitrate, tune to correct channel. Choose a DVD-compatible bitrate, for example, I use 6Mb/sec CBR for capturing NTSC Standard-Definition video.
  2. Load up the clip in avidemux2, cut out all ads or portions that are not needed. The avidemux2 pages have good tips on how to make cuts that wll allow the video frames to be just copied - place both A and B marker on I-Frames of the MPEG stream, and then cut.

Copy video for given duration

Needed a simple script to copy video data for a fixed amount of time.

A shell script is available on ivtv driver page at Example script to schedule recordings, but wanted to do something without sending kill signals, so here's a script using the alarm signal.

Here's a perl script: timed-copy that uses an alarm signal instead of kill.

To use this, save the contents of the timed-copy link as text file, make it executable, and fix the perl path in line 1 if needed, and it is then ready to run.

I use this for capturing PVR-150 MPEG2 encoded video, by running something like this:
  timed-copy -v -m 30 < /dev/video0 > `date +%b%d-%H%M`.mpg
and scheduling this with the at command, for example:
  at -v 1:30AM Sep 14

which will end up creating a file named Sep14-0130.mpg.

Simple! Beats installing large, complex packages to do simple recordings.

Run as timed-copy -h to get help on all arguments, use -v to get verbose messages, and -v -v to get debug messages also.
Version 1.2 added a --clock option to use elapsed wall clock instead of alarm(), if needed.
Version 1.3 fixed the problem with alarm() - Time::HiRes has issues with alarm times, if the conversion to microseconds is greater than 2^32. Fix is to eliminate use of Time::HiRes, since the higher time resolution is not needed for this script, and a resolution in seconds is fine. Script now uses the default alarm() which works fine. So, the --clock option should no longer be needed.

Tested on a Fedora FC5 Linux system.

Intrusion source and location mashup

From Kenneth Kline, a script to show intrusion attempts against a site, based on the contents of hosts.deny.

Uses the following:
Deny Hosts
Google Maps

[Sep 2007: links below not accessible for a long time - here's another link to a copy of the archive: hacker2loc.tar.gz ]

[Old links and info: For an example, see
Here is a build of hackers2loc script:
hacker2loc.tar.gz. Additionally, to view the source (PHP) on-line: PHP source ]

It requires a little work to install properly. The README provides all the information that is necessary to get the additional pieces and to get it up and running.

The GeoLiteCity.dat file is updated from time to time, it may be useful to setp a cron script, to download it, untar it, then overwrite the existing DAT file to get updates from GeoIP resulting in more accurate plots.

CGI Reporter

Perl script and the shtml file that create a report of blocked and watched hosts taken from the hosts.allow file, created by Steve Hammond.

Here's a screenshot of the reporter utility

Here are the files that can be used to create the report displayed above, bh-reporter.cgi and bh-reporter.shtml, in a ZIP archive.

This is a version that includes the changes listed in the comment I've made some changes below:

Previous version:

Contributed Utilities

This section contains pointers to tools and utilities developed by others for use with BlockHosts.

For any questions or comments on these utilities, please contact the original author of each of these tools.

Details scans system logs, and looks for failed login attempts. It keeps a record of the number of times a particular IP address had a failed login. When the count exceeds a configured value, that IP address is added to /etc/hosts.allow with a deny flag, so the next time that IP address attempts to connect to that box, they will get a refused connection message. Optionally, null-routing or packet filtering can be used to block all communication from that IP address. Program also offers a way to provide email notification of the list of blocked as well as watched IP addresses, and a way to specify lists of whitelisted and blacklisted IP addresses and IP address patterns.


  1. Python, version 2.3 or later.
  2. If using hosts.allow blocking, TCP_WRAPPERS enabled services can be blocked. Extensions to the access control language as described in the man 5 hosts_options page are required, which allow use of :allow and :deny keywords.
  3. All services can be protected if using null-routing or packet filtering. The requirements for this are that there should be a way to detect failed accesses in some system log file, and a way to run this script each time such an access is made (or if sufficient, this script can be run periodically using cron).
  4. IPv4 addesses supported, IPv6 not supported at this time.
  5. Many patterns are now available, to support detection of failed access to many services. OpenSSH and proftpd logs were the first to be supported, for the current patterns, see the default configuration, in blockhosts.cfg file.

For details on the program arguments and configuration, run the script with the --help option: --help


Blocks IP addresses based on SSH or FTP incoming login failures, by looking at SSHD and ProFTPD logs, and updating hosts.allow as needed.

If you are a Linux user running SSH server, it is likely that you have been probed by script kiddies, and your daily LogWatch emails will show 100-150 login attempts in a short interval, before they go away. There is no option in OpenSSH to make it difficult to slow down repeated login attempts coming from one IP address -- logins occur at a pretty fast clip -- one attempt every few seconds.

For a home or small business linux user at least, it does not make sense to keep the door open for logins for so long. Use this script, and see the daily LogWatch email notifications now showing only 7-9 login attempts, and remote hosts start getting "Refused incoming connection" messages. Then, reading the daily LogWatch emails is not terrifying at all, in fact, it may be fun to see these script kiddies get blocked!

  • Be sure to acquaint yourself with material available on the web, related to security, and denial-of-service. In particular, see the discussion in the OpenSSH mailing list related to SSHD blocking and FAIL_DELAY:
  • Make your sshd/proftpd configurations as tight as possible. For example, for sshd - turn off root logins (PermitRootLogin), use the AllowUsers keyword to only allow one or a select usernames to be accepted. As far as possible, try to avoid common usernames, make even the user names hard to guess. For ProFTPD, use /etc/ftpusers, which contains names of users that will not be allowed to use FTP, root should be in there.
  • Last, but not least - always use strong passwords! That may be the only final protection.


Program Source Code

Update notifications: To get email notifications of new releases, use the facilities available at the BlockHosts project page. Updates are not very frequent, may be weeks or months between releases.


Automatic blocking of remote IP hosts attacking ssh and other services

Script to record how many times system services are being probed, using configurable pattern matching to recognize failed accesses (such as for "sshd" or "proftpd" or any service), and when a particular IP address exceeds a certain number of failed attempts, that IP address is blocked by using multiple techniques: using /etc/hosts.allow for services that support TCP_WRAPPERS, or by executing ip route commands to setup null-routing for that source host address, or by executing iptables commands to setup packet filtering to drop packets from a source host address. Both IPv4 and IPv6 supported.

Requires python version 2.3, and runs on Unix-like machines only.

Script is most suitable for home Linux users, who need to keep ssh/ftp ports or other services open, and need to block the script kiddies. With null-routing or packet filtering, any service can be protected, since those mechanisms block at the IP routing or packet filtering level. In this case, the only requirement is that there should be a way to detect failed accesses in some system log file.

Also available: BlockHosts Forum and BlockHosts FAQ.