All topics related to blockhosts

Show blocked hosts on web

This script uses PHP and MySQL to create a web page that lists all the blocked hosts.

It uses a IP to country mapping table to show country flags.

To see this working visit

That page also includes a link to download the software.

Intrusion source and location mashup

From Kenneth Kline, a script to show intrusion attempts against a site, based on the contents of hosts.deny.

Uses the following:
Deny Hosts
Google Maps

[Sep 2007: links below not accessible for a long time - here's another link to a copy of the archive: hacker2loc.tar.gz ]

[Old links and info: For an example, see
Here is a build of hackers2loc script:
hacker2loc.tar.gz. Additionally, to view the source (PHP) on-line: PHP source ]

It requires a little work to install properly. The README provides all the information that is necessary to get the additional pieces and to get it up and running.

The GeoLiteCity.dat file is updated from time to time, it may be useful to setp a cron script, to download it, untar it, then overwrite the existing DAT file to get updates from GeoIP resulting in more accurate plots.

CGI Reporter

Perl script and the shtml file that create a report of blocked and watched hosts taken from the hosts.allow file, created by Steve Hammond.

Here's a screenshot of the reporter utility

Here are the files that can be used to create the report displayed above, bh-reporter.cgi and bh-reporter.shtml, in a ZIP archive.

This is a version that includes the changes listed in the comment I've made some changes below:

Previous version:

Contributed Utilities

This section contains pointers to tools and utilities developed by others for use with BlockHosts.

For any questions or comments on these utilities, please contact the original author of each of these tools.

Details scans system logs, and looks for failed login attempts. It keeps a record of the number of times a particular IP address had a failed login. When the count exceeds a configured value, that IP address is added to /etc/hosts.allow with a deny flag, so the next time that IP address attempts to connect to that box, they will get a refused connection message. Optionally, null-routing or packet filtering can be used to block all communication from that IP address. Program also offers a way to provide email notification of the list of blocked as well as watched IP addresses, and a way to specify lists of whitelisted and blacklisted IP addresses and IP address patterns.


  1. Python, version 2.3 or later.
  2. If using hosts.allow blocking, TCP_WRAPPERS enabled services can be blocked. Extensions to the access control language as described in the man 5 hosts_options page are required, which allow use of :allow and :deny keywords.
  3. All services can be protected if using null-routing or packet filtering. The requirements for this are that there should be a way to detect failed accesses in some system log file, and a way to run this script each time such an access is made (or if sufficient, this script can be run periodically using cron).
  4. IPv4 addesses supported, IPv6 not supported at this time.
  5. Many patterns are now available, to support detection of failed access to many services. OpenSSH and proftpd logs were the first to be supported, for the current patterns, see the default configuration, in blockhosts.cfg file.

For details on the program arguments and configuration, run the script with the --help option: --help


Blocks IP addresses based on SSH or FTP incoming login failures, by looking at SSHD and ProFTPD logs, and updating hosts.allow as needed.

If you are a Linux user running SSH server, it is likely that you have been probed by script kiddies, and your daily LogWatch emails will show 100-150 login attempts in a short interval, before they go away. There is no option in OpenSSH to make it difficult to slow down repeated login attempts coming from one IP address -- logins occur at a pretty fast clip -- one attempt every few seconds.

For a home or small business linux user at least, it does not make sense to keep the door open for logins for so long. Use this script, and see the daily LogWatch email notifications now showing only 7-9 login attempts, and remote hosts start getting "Refused incoming connection" messages. Then, reading the daily LogWatch emails is not terrifying at all, in fact, it may be fun to see these script kiddies get blocked!

  • Be sure to acquaint yourself with material available on the web, related to security, and denial-of-service. In particular, see the discussion in the OpenSSH mailing list related to SSHD blocking and FAIL_DELAY:
  • Make your sshd/proftpd configurations as tight as possible. For example, for sshd - turn off root logins (PermitRootLogin), use the AllowUsers keyword to only allow one or a select usernames to be accepted. As far as possible, try to avoid common usernames, make even the user names hard to guess. For ProFTPD, use /etc/ftpusers, which contains names of users that will not be allowed to use FTP, root should be in there.
  • Last, but not least - always use strong passwords! That may be the only final protection.


Program Source Code

Update notifications: To get email notifications of new releases, use the facilities available at the BlockHosts project page. Updates are not very frequent, may be weeks or months between releases.


Automatic blocking of remote IP hosts attacking ssh and other services

Script to record how many times system services are being probed, using configurable pattern matching to recognize failed accesses (such as for "sshd" or "proftpd" or any service), and when a particular IP address exceeds a certain number of failed attempts, that IP address is blocked by using multiple techniques: using /etc/hosts.allow for services that support TCP_WRAPPERS, or by executing ip route commands to setup null-routing for that source host address, or by executing iptables commands to setup packet filtering to drop packets from a source host address. Both IPv4 and IPv6 supported.

Requires python version 2.3, and runs on Unix-like machines only.

Script is most suitable for home Linux users, who need to keep ssh/ftp ports or other services open, and need to block the script kiddies. With null-routing or packet filtering, any service can be protected, since those mechanisms block at the IP routing or packet filtering level. In this case, the only requirement is that there should be a way to detect failed accesses in some system log file.

Also available: BlockHosts Forum and BlockHosts FAQ.