BlockHosts

Protecting sshd (and others) with BlockHosts


Advantages
 * BlockHosts can protect sshd and many other services (such as proftpd, vsftpd) out of the box.
 * It provides multiple ways to block an attacker.
 * It is very easy to set up.


Configuration
First, you need to create and edit some files.

 * 1) Create /etc/hosts.allow if it does not exist (required by BlockHosts)
 * 2) touch /etc/hosts.allow
 * 3) Append the following lines to /etc/hosts.allow (BlockHosts will write its own entries between them):
      echo "# BlockHosts Additions" >> /etc/hosts.allow
      echo "# BlockHosts Additions" >> /etc/hosts.allow

Setting up openssh:
Check if openssh was merged with the tcpd USE flag enabled:
  equery uses openssh

If not, add this USE flag (it is necessary for TCP_WRAPPERS support) to the openssh package:
  echo "net-misc/openssh tcpd" >> /etc/portage/package.use

Re-emerge to apply the USE flags:
  emerge -va net-misc/openssh

Add this to your /etc/ssh/sshd_config (it disables DNS lookups, which may confuse BlockHosts when it scans the logs):
  UseDNS no

Check that your sshd logs to /var/log/messages:
  cat /var/log/messages | grep sshd

If there's some recent output, everything's ok. Proceed.

Setting up BlockHosts:
Edit /etc/blockhosts.cfg:
  nano /etc/blockhosts.cfg

All occurrences of LOGFILES are commented out; uncomment the first occurrence and change "secure" to "messages".

File: /etc/blockhosts.cfg
...
LOGFILES = [ "/var/log/messages", ]
#LOGFILES = [ "/var/log/auth.log", ]
#LOGFILES = [ "/var/log/secure", "/var/log/vsftpd.log", ]
...

Save, close nano again, and this should do it.

Post-Configuration
You can tune some settings in the config file if you like (THRESHOLD and similar), but the defaults are fine.

Testing
Run blockhosts.py in --dry-run mode (simulation):

  /usr/bin/blockhosts.py --dry-run --verbose

This will check your logs (configured in /etc/blockhosts.cfg) for potential attacks.

The blockhosts.py script should output something like this (assuming there were some failed login attempts already):

...
ALL: 89.13.50.6 : deny
# BlockHosts Additions
#bh: ip:     89.13.50.6 :   8 : 2007-04-10 00:52:23 CEST
#bh: logfile: /var/log/sshd
#bh: offset: 13083
#bh: first line:Apr 9 23:49:37 hostname sshd(pam_unix)[29697]: authentication$
...

The lines starting with "#bh: ip:" count how many times a host has failed to log in to any of your services. The lines starting with "ALL:" are the blocked hosts. Now, if everything seems to be ok, drop the --dry-run parameter. BlockHosts will then write to /etc/hosts.allow, and every service that uses TCP_WRAPPERS (mod_wrap for proftpd) refuses connections from banned IPs.

  /usr/bin/blockhosts.py --verbose
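The scan-and-write cycle described above, as an added Python example (not the BlockHosts project's own code): it counts failed sshd logins per source address from constructed log lines in the syslog format shown, and rewrites only the section between the two marker lines of a constructed hosts.allow. The threshold, the sample addresses and the two log patterns are assumptions made for the demo.

```python
import re
from collections import Counter

MARKER = "# BlockHosts Additions"  # marker pair from the setup step above
THRESHOLD = 3                      # constructed demo value; blockhosts.cfg sets its own

# Constructed sshd log lines in the syslog format shown above (documentation IPs).
SAMPLE_LOG = """\
Apr  9 23:49:37 hostname sshd(pam_unix)[29697]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=root
Apr  9 23:49:40 hostname sshd[29697]: Failed password for root from 192.0.2.10 port 4021 ssh2
Apr  9 23:50:01 hostname sshd[29702]: Accepted publickey for alice from 198.51.100.7 port 5000 ssh2
Apr  9 23:50:12 hostname sshd[29710]: Failed password for invalid user admin from 192.0.2.10 port 4030 ssh2
"""
# Constructed hosts.allow holding a stale section between the markers.
SAMPLE_HOSTS_ALLOW = """\
sshd : 10.0.0.0/255.0.0.0 : allow
# BlockHosts Additions
ALL: 203.0.113.9 : deny
# BlockHosts Additions
"""
# Assumed patterns: the pam_unix line and the "Failed password" line each count as one failure.
FAIL_PATTERNS = [
    re.compile(r"sshd\[\d+\]: Failed password for .* from (\d+\.\d+\.\d+\.\d+)"),
    re.compile(r"sshd\(pam_unix\)\[\d+\]: authentication failure;.*rhost=(\d+\.\d+\.\d+\.\d+)"),
]

def count_failures(log_text):
    """Failed sshd logins per source IP, like the '#bh: ip:' counters."""
    counts = Counter()
    for line in log_text.splitlines():
        hits = [m.group(1) for pat in FAIL_PATTERNS if (m := pat.search(line))]
        counts.update(hits[:1])  # at most one failure per log line
    return counts

def render_block(counts, threshold=THRESHOLD):
    """Marker section: a deny rule plus a '#bh:' bookkeeping line per blocked IP."""
    body = []
    for ip, n in sorted(counts.items()):
        if n >= threshold:
            body += [f"ALL: {ip} : deny", f"#bh: ip: {ip} : {n}"]
    return [MARKER] + body + [MARKER]

def update_hosts_allow(text, block):
    """Replace the marker section (markers included) and leave every other rule alone.
    Simplified: the old section is dropped; real blockhosts only expires entries after a timeout."""
    lines = text.splitlines()
    idx = [i for i, l in enumerate(lines) if l.strip() == MARKER]
    if len(idx) < 2:  # the setup step creates the pair; never guess where to write
        raise ValueError("marker pair not found in hosts.allow")
    return "\n".join(lines[:idx[0]] + block + lines[idx[-1] + 1:]) + "\n"
```

Refusing to write when the marker pair is missing is what keeps a run from clobbering hand-written rules; the cron and spawn setups below both rely on the rewrite being repeatable.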

Completion
Now we want to have a cronjob or something which will run blockhosts.py again and again, to check the logs frequently. Alternatively, we can have TCP_WRAPPERS run the script every time someone connects to our watched service by modifying /etc/hosts.allow.

Cronjob
Add a cronjob which runs every five minutes:
  nano /etc/crontab

Add the blockhosts.py cron entry:
  */5 * * * * /usr/bin/blockhosts.py --verbose >> /var/log/blockhosts.log 2>&1

If your /etc/crontab has a user column between the schedule and the command (the system-wide crontab usually does), put root there.

Save, close. BlockHosts should now update hosts.allow every five minutes.

Hosts.allow
Add a couple of lines to the end of /etc/hosts.allow to have the script called at every connection attempt.

File: /etc/hosts.allow
...
sshd : ALL : spawn (/usr/bin/blockhosts.py )
sshd : ALL : allow

This will cause /usr/bin/blockhosts.py to be called every time someone connects, which is much more likely to stop an attack before it fills your logs. However, if you log in incorrectly too many times and get blocked, you will stay blocked until someone from a different IP logs in after the timeout has expired (set in /etc/blockhosts.cfg). To remove your dependency on another user attempting to log in, also have a cron job running the script, although possibly less frequently than every five minutes.

See also BlockHosts Homepage

Retrieved from "http://www.gentoo-wiki.info/BlockHosts"