blockhosts.py
version: 2.0.2
usage: blockhosts.py [options]
Block IP Addresses based on login or access failure information in system
logs. Updates a hosts blockfile (such as hosts.allow) automatically, to block
IP addresses. Will also expire previously blocked addresses based on the age of
the last failed login attempt, which keeps the blockfile size manageable. In
addition to TCP_WRAPPERS, can also execute iptables or ip route commands to
block all TCP/IP network input from an IP address, so all services, even those
that do not run under libwrap TCP_WRAPPERS, can be protected. An email
notification facility is also available.
options:
--version show program's version number and exit
-h, --help show this help message and exit
--configfile=FILE Name of configuration file to read. A configuration
file must be readable. (/etc/blockhosts.cfg)
Common options:
Each option is shown below with its current value in parentheses ().
Nearly all of these options can be specified in the configuration
file, and that is the recommended way.
-q, --quiet Be as quiet as possible - only print out error
messages
-v, --verbose Be verbose - print errors, warnings, and info messages
-g, --debug Be chatty - print out debug level messages also
--dry-run Don't write the block file, send email or block
routes; just print the blockhosts section of the output
block file to stdout instead (False)
--echo=TAG Prints TAG on stderr and syslog, may be used to
identify a run of this script ()
--blockfile=FILE [Deprecated: use the config file to specify this
instead] Name of hosts-block-file to read/write
(/etc/hosts.allow)
BlockHosts blockfile specific options:
These options apply to the process of updating the list of blocked
hosts in the blockfile. Note that many of these options are
deprecated, use the config file to specify them instead of using the
command-line.
--load-only Load the blockfile, the blocked/watched host list, but
do not prune/add or write back the data (False)
--ignore-offset Ignore last-processed offset, start processing from
beginning. This is useful for testing or special uses
only. (False)
--logfiles=FILE1,FILE2,...
[Deprecated: use the config file to specify this
instead] The names of log files to parse
("/var/log/secure")
--blockcount=COUNT [Deprecated: use the config file to specify this
instead] Number of invalid tries allowed, before
blocking host (7). Integer values only.
--discard=AGE [Deprecated: use the config file to specify this
instead] Number of hours after which to discard record
- if most recent invalid attempt from IP address is
older, discard that host entry (12). Integer values
only.
--lockfile=FILE [Deprecated: use the config file to specify this
instead] Prevent multiple instances from writing to
blockfile at once - open this file for locking and
writing (/tmp/blockhosts.lock)
Mail specific options:
These options apply to the process of sending email. Additional
configuration options in the config file: MAIL_LOG_MESSAGES (Whether
to include log messages in emails).
--mail Enable e-mail capability - send a message with the list
of blocked hosts, if any. See --check-ip option also.
Additionally, by default, error messages will also be
mailed out (False)
--check-ip=IPADDRESS
Instead of mailing entire list of blocked address,
just send email if given IP address is being blocked
()
--notify-address=ADDRESS
Address to send notification emails to
(root@localhost.localdomain)
TCP/IP level blocking options:
These options apply to the process of using ip route/iptables commands
to block IP addresses. Root permission for the run of this script is
needed, since only root can change routing tables or install iptables
rules. [This works fine if using hosts.allow/hosts.deny to run this
script.] All communication with the IP address is blocked at the route or
packet level, therefore this method of disabling a host will protect even
non-tcpwrapper services.
--iproute Enable IP address block capability using ip route
commands. Using this, all communication to the IP
address is blocked at routing table level ()
--iptables Enable IP address block capability, using iptables
filtering. Using this, all communication to the IP
address is blocked at packet filtering level ()
DETAILS
Automatic updates to hosts.allow to block IP addresses based on failed
login attempts against ssh/ftp or any such service.
Script to record how many times "sshd" or other service is being attacked,
and when a particular IP address exceeds a configured number of
failed login attempts, that IP address is added to /etc/hosts.allow with
the deny flag to prohibit access.
Script uses /etc/hosts.allow to store (in comments) the count
of failed attempts, and the date of the last attempt, for each IP address.
By default, hosts.allow is used, but the program can be configured to use any
other file, including /etc/hosts.deny, as needed.
IP addresses with expired last attempt dates (configurable)
can be removed, to keep /etc/hosts.allow size manageable.
This script can be run as the optional command in /etc/hosts.allow
itself, so will kick off only when someone connects to a specific service
controlled by tcpwrappers, or use cron to periodically run this script.
TCP_WRAPPERS should be enabled for every service to be protected; that is
what makes the hosts.allow file take effect for the service.
The hosts_options extensions must also be enabled, which requires
tcp_wrappers to have been built with PROCESS_OPTIONS turned on at compile
time. This allows extensions to the basic hosts.* file line format. The
extensible language supports lines of this format in /etc/hosts.allow:
daemon_list : client_list : option : option ...
See the man pages for hosts_options and hosts_access(5) for more
information.
Null Routing and Packet Filtering Blocking
Many services do not use libwrap, so cannot use TCP_WRAPPERS blocking
methods. Those services can be protected by this script, by using
the null routing, or iptables packet filtering to completely block all
network communication from a particular IP address.
Use the --iproute or --iptables options to enable null routing or
packet filtering blocking.
Root permission for the run of blockhosts.py script is needed, since
only root can change routing tables or install iptables rules. This works
fine if using hosts.allow/hosts.deny to run this script.
Null routing/packet filtering could be used, for example, to scan Apache
web server logs and, based on that, block an IP address so that neither
Apache nor any other service on the computer will see any network
communication from that IP address.
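The two blocking backends described above, as an added example that is not part of blockhosts.py: it builds the `ip route` (blackhole route) or `iptables` (INPUT DROP rule) command for one address, refuses anything that is not a plain non-loopback IPv4 address so that a garbled log line can never become a command argument, and checks with `iptables -C` before inserting so that re-running does not stack duplicate rules. The function names, the use of `ip route replace` for idempotency, and the dry-run default are this example's own choices, not the script's.

```python
import ipaddress
import subprocess


def block_command(backend, address, action="add"):
    """Return the argv list that blocks (action="add") or unblocks (action="del")
    one IPv4 address.

    backend: "iproute"  -> blackhole route for the /32
             "iptables" -> DROP rule at the top of the INPUT chain
    Raises ValueError for anything that is not a plain, non-loopback IPv4
    address, so junk from a log line is rejected before it reaches a command.
    """
    ip = ipaddress.ip_address(address)          # ValueError on garbage
    if ip.version != 4:
        raise ValueError(f"IPv4 only: {address!r}")   # the page: IPv4 addresses only
    if ip.is_loopback or ip.is_unspecified:
        raise ValueError(f"refusing to block {address!r}")
    if backend == "iproute":
        # "replace" succeeds whether or not the route already exists.
        verb = {"add": "replace", "del": "del"}[action]
        return ["ip", "route", verb, "blackhole", f"{ip}/32"]
    if backend == "iptables":
        flag = {"add": "-I", "del": "-D"}[action]
        return ["iptables", flag, "INPUT", "-s", str(ip), "-j", "DROP"]
    raise ValueError(f"unknown backend: {backend!r}")


def rule_exists(address):
    """True if an INPUT DROP rule for address is already installed.
    iptables -C exits 0 when the rule matches an existing one."""
    probe = ["iptables", "-C", "INPUT", "-s", address, "-j", "DROP"]
    return subprocess.run(probe, stdout=subprocess.DEVNULL,
                          stderr=subprocess.DEVNULL).returncode == 0


def apply_block(backend, address, action="add", dry_run=True):
    """Build the command and, unless dry_run, execute it (needs root).
    Returns the argv used, or None when an existing rule made the run a no-op."""
    argv = block_command(backend, address, action)
    if dry_run:
        print(" ".join(argv))
        return argv
    if backend == "iptables" and action == "add" and rule_exists(address):
        return None                          # already blocked: do not add a duplicate
    subprocess.run(argv, check=True)
    return argv


if __name__ == "__main__":
    # Dry run against a documentation address; nothing is changed on the host.
    apply_block("iproute", "203.0.113.5")
    apply_block("iptables", "203.0.113.5")
    apply_block("iptables", "203.0.113.5", action="del")
```

A blackhole route discards packets the host would send to the address, so connections from it never complete, but the inbound packets themselves still arrive and are seen by the kernel; an INPUT DROP rule discards them on arrival. The iptables backend is therefore the stricter of the two when the goal is that no service sees any traffic from the address.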
Mail Notification Support
Email notifications can be sent periodically using a cron script, or
email can be sent only when a given IP address is being blocked by
blockhosts. Such email notifications include all currently blocked
IP addresses in the email message. No email is sent if the given IP address
is not yet blocked, or if no address at all is currently blocked. An SMTP
server reachable from the host is required for sending email.
Example hosts.allow script:
Warnings:
* Be sure to keep a backup of your initial hosts.allow (or hosts.deny)
file, in case it gets overwritten due to an error in this script.
* Do read up on the web topics related to security, denial-of-service,
and IP-address spoofing: an attacker who can make failed attempts appear
to come from another address, or who attacks from an address shared by
legitimate users (a NAT gateway, a proxy), can get that address blocked.
Visit the blockhosts home page for references.
* This script handles IPv4 addresses only.
Usage:
For more info, run this program with --help option.
The blockfile (hosts.allow, or if needed, hosts.deny) layout needs to
have a certain format:
Add following sections, in this order:
-- permanent whitelist and blacklist of IP addresses
-- blockhosts marker lines - two lines
-- execute command to kick off blockhosts.py on connects to services
See "man 5 hosts_access" and "man hosts_options" for more details on
hosts.* files line formats.
The two HOSTS_MARKER_LINEs define a section; this is the
region where blockhosts will read/write IP blocking data in the
hosts.allow file. It will use comments to store the bookkeeping data needed
by this script in that section, too.
Lines before and after the two HOSTS_MARKER_LINEs will be left unchanged
in the hosts.allow file.
See the "INSTALL" file in the blockhosts.py source package for a
detailed example of the hosts.allow file.
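The count, expire and rewrite cycle described in DETAILS and the marker-line layout described just above, as an added example that is not blockhosts.py's own code. It assumes a syslog-style sshd "Failed password" line format, the marker text "#---- BlockHosts Additions" and a "#bh:" bookkeeping-comment format (all assumptions; the real marker and comment formats are in the INSTALL file), and it is written for Python 3 rather than the Python 2.3 the script targets. The sample log lines and the sample blockfile are constructed; the spawn trigger line in the sample is also an assumed example of the "execute command" section.

```python
import re
from datetime import datetime, timedelta

# Constructed sample sshd log (syslog format, so the lines carry no year).
SAMPLE_LOG = """\
Mar  2 01:00:00 host sshd[900]: Failed password for root from 192.0.2.9 port 40020 ssh2
Mar  2 01:00:05 host sshd[901]: Failed password for root from 192.0.2.9 port 40021 ssh2
Mar  3 09:00:00 host sshd[910]: Failed password for root from 198.51.100.7 port 40010 ssh2
Mar  3 09:00:02 host sshd[911]: Failed password for invalid user test from 198.51.100.7 port 40011 ssh2
Mar  3 09:00:04 host sshd[912]: Failed password for root from 198.51.100.7 port 40012 ssh2
Mar  3 10:00:01 host sshd[1001]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2
Mar  3 10:00:03 host sshd[1002]: Failed password for root from 203.0.113.5 port 40002 ssh2
Mar  3 10:00:05 host sshd[1003]: Failed password for root from 203.0.113.5 port 40003 ssh2
Mar  3 10:00:07 host sshd[1004]: Failed password for invalid user oracle from 203.0.113.5 port 40004 ssh2
Mar  3 10:00:09 host sshd[1005]: Failed password for root from 203.0.113.5 port 40005 ssh2
Mar  3 10:00:11 host sshd[1006]: Failed password for root from 203.0.113.5 port 40006 ssh2
Mar  3 10:00:13 host sshd[1007]: Failed password for root from 203.0.113.5 port 40007 ssh2
Mar  3 10:05:00 host sshd[1100]: Accepted password for alice from 203.0.113.50 port 40030 ssh2
"""
LOG_YEAR = 2024                                   # syslog lines have no year
NOW = datetime(2024, 3, 3, 12, 0, 0)              # fixed "now" so the run is reproducible

MARKER = "#---- BlockHosts Additions"             # assumed marker text
# Constructed blockfile in the layout the text describes: permanent entries,
# the two marker lines around the managed section, then the trigger line.
SAMPLE_BLOCKFILE = f"""\
ALL: 127.0.0.1 : allow
ALL: 192.0.2.66 : deny
{MARKER}
ALL: 192.0.2.9 : deny
#bh: 192.0.2.9 : 2 : 2024-03-02 01:00:05
{MARKER}
sshd: ALL: spawn (/usr/bin/blockhosts.py --verbose)& : allow
"""

FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>(?:\d{1,3}\.){3}\d{1,3}) "
)


def tally_failures(log_text, year):
    """Map IP -> (failure count, time of most recent failure). Non-matching lines are ignored."""
    tally = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        when = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
        count, last = tally.get(m.group("ip"), (0, when))
        tally[m.group("ip")] = (count + 1, max(last, when))
    return tally


def prune_and_classify(tally, now, blockcount=7, discard_hours=12):
    """Drop hosts whose last failure is older than discard_hours (the --discard rule),
    then split the rest into blocked (count reached blockcount; an assumption about
    the exact threshold) and merely watched."""
    cutoff = now - timedelta(hours=discard_hours)
    blocked, watched = {}, {}
    for ip, (count, last) in tally.items():
        if last < cutoff:
            continue                               # expired: not written back at all
        (blocked if count >= blockcount else watched)[ip] = (count, last)
    return blocked, watched


def render_blockfile(original, blocked, watched):
    """Rewrite only the region between the two marker lines; everything outside it
    is copied through unchanged. Refuses to touch a file without exactly two markers."""
    lines = original.splitlines()
    idx = [i for i, l in enumerate(lines) if l.strip() == MARKER]
    if len(idx) != 2:
        raise ValueError("blockfile must contain exactly two marker lines")
    first, second = idx
    section = [f"ALL: {ip} : deny" for ip in sorted(blocked)]
    # bookkeeping comments for blocked and watched hosts alike
    section += [f"#bh: {ip} : {count} : {last:%Y-%m-%d %H:%M:%S}"
                for ip, (count, last) in sorted({**blocked, **watched}.items())]
    return "\n".join(lines[:first + 1] + section + lines[second:]) + "\n"


def update_blockfile(log_text, blockfile_text, now, year, blockcount=7, discard_hours=12):
    """One full pass: parse, prune, and produce the new blockfile text."""
    blocked, watched = prune_and_classify(tally_failures(log_text, year), now, blockcount, discard_hours)
    return render_blockfile(blockfile_text, blocked, watched), blocked, watched


if __name__ == "__main__":
    new_text, _, _ = update_blockfile(SAMPLE_LOG, SAMPLE_BLOCKFILE, NOW, LOG_YEAR)
    print(new_text)     # the equivalent of what --dry-run would show
```

The example rescans the whole log on every run, the equivalent of --ignore-offset; the script instead remembers a last-processed offset and merges new lines into the counts stored in its bookkeeping comments. When wiring something like this into a spawn line, take the same lock the script takes (--lockfile), since two connections arriving together will otherwise both rewrite the file.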
====
Requirements:
1: Python 2.3 or later (the optparse module is required).
2: Primarily uses the host access control facility and related files
such as hosts.allow. If not using TCP/IP blocking, then the extensions to
the access control language as described in the man 5 hosts_options
page are required, which allow use of the :allow and :deny keywords.
["...extensions are turned on at program build time by
building with -DPROCESS_OPTIONS..."]
3: If not using the host access control facilities (tcpd, hosts.allow, etc.),
then there needs to be some way to trigger the run of blockhosts.py,
or blockhosts.py should be run periodically using cron. Secondly,
there must be some way to update a file that lists the blocked IPs
(for example, the hosts.deny file, or an Apache .htaccess file, etc.).
Alternately, all TCP/IP communication can be blocked by using the
null-routing or packet filtering options of blockhosts.py.
====
BlockHosts Script License
This work is hereby released into the Public Domain.
To view a copy of the public domain dedication, visit
http://creativecommons.org/licenses/publicdomain/ or send a letter to
Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.
Author: Avinash Chopde
Created: May 2005
http://www.aczoom.com/cms/blockhosts/
See file INSTALL for installation instructions.
See file blockhosts.cfg for site configuration parameters.
Visit blockhosts home page and forum for details and discussions.