BlockHosts
From Wikipedia, the free encyclopedia
BlockHosts is a Python system tool for Linux that blocks IP addresses based on information gleaned from scanning system logs. It automatically updates a hosts blockfile (such as hosts.allow) to deny access from those addresses, and it expires previously blocked addresses based on the age of the last failed login attempt, which keeps the blockfile size manageable. In addition to blocking through hosts.allow and TCP Wrappers, it can execute iptables or ip route commands to block all TCP/IP network traffic from an address, so that every service, including those that do not run under TCP Wrappers, can be protected.
Also available are an email notification facility and an RSS feed exporting the list of blocked addresses. Contributed extensions include web scripts for an intrusion source and location mashup that displays a geographic map of the blocked IP addresses.
The patterns used to scan system logs are extensible; out of the box it comes with patterns to recognize OpenSSH, ProFTPd, vsftpd, Pure-FTPd, and a few other services. All of these run under TCP Wrappers, but BlockHosts can also be extended to match patterns from services that do not use TCP Wrappers, such as the Apache HTTP Server, and to block the matching IP addresses with null routing or packet filtering instead.
Operation
When executed, blockhosts.py scans a configured list of system log files looking for patterns that match undesirable access to the services running on the computer. It keeps a count of how many times each source IP address has made such accesses, and when the count exceeds a threshold, that IP address is blocked. blockhosts.py can be run automatically through TCP Wrappers (for example, spawned from a hosts.allow entry on each connection) or from scheduled cron table entries.
Services that do not use TCP Wrappers can be protected with ip route null-route or iptables packet-filtering based blocking. Just as the blockfile size is managed by expiring old blocked IP addresses, the routing table entries and packet filtering rules are pruned when a blocked IP address expires. Reboots are also handled automatically: even though the routing table or packet filtering rules may be lost on a reboot, the first invocation of blockhosts.py after the reboot re-inserts all the blocked IP entries, so nothing special has to be done to handle reboots.
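The scan, count, block and expire cycle described above, as an added Python example that is not BlockHosts' own code: it runs two assumed match patterns over constructed log lines, keeps a per-address failure count with a last-seen time, expires old entries, rewrites a marked region of a hosts.allow text, and builds (but does not execute) the iptables or ip route commands used for services outside TCP Wrappers. The threshold, expiry age, marker line, ProFTPD line shape and deny-line format are assumptions for illustration, not the project's actual configuration.

```python
import re

# Constructed sample log lines for this example (not real captures).
SAMPLE_LOG = [
    "Jan 10 10:00:01 host sshd[101]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2",
    "Jan 10 10:00:03 host sshd[102]: Failed password for root from 203.0.113.5 port 40002 ssh2",
    "Jan 10 10:00:05 host sshd[103]: Failed password for root from 203.0.113.5 port 40003 ssh2",
    "Jan 10 10:00:06 host sshd[104]: Accepted publickey for alice from 198.51.100.7 port 50000 ssh2",
    "Jan 10 10:00:09 host sshd[105]: Failed password for invalid user test from 198.51.100.7 port 50001 ssh2",
    "Jan 10 10:00:12 host proftpd[201]: USER bob: no such user found from 192.0.2.9 [192.0.2.9] to 10.0.0.1:21",
    "Jan 10 10:00:15 host proftpd[202]: USER bob: no such user found from 192.0.2.9 [192.0.2.9] to 10.0.0.1:21",
    "Jan 10 10:00:18 host proftpd[203]: USER bob: no such user found from 192.0.2.9 [192.0.2.9] to 10.0.0.1:21",
]

# Per-service match patterns; the ProFTPD line shape is an assumption.
PATTERNS = {
    "sshd": re.compile(r"sshd\[\d+\]: Failed password for .+ from (?P<ip>[\d.]+)"),
    "proftpd": re.compile(r"proftpd\[\d+\]: USER \S+: no such user found from \S+ \[(?P<ip>[\d.]+)\]"),
}
THRESHOLD = 3        # assumed: block once an address reaches 3 matching failures
MAX_AGE = 12 * 3600  # assumed: expire a block 12 hours after its last failure
MARK = "#---- BlockHosts Additions"  # assumed delimiter around the managed region


def scan_log(lines, patterns=PATTERNS):
    """Count pattern hits per source IP over lines not yet processed
    (the real tool remembers a file offset so lines are not recounted)."""
    counts = {}
    for line in lines:
        for pat in patterns.values():
            m = pat.search(line)
            if m:
                counts[m.group("ip")] = counts.get(m.group("ip"), 0) + 1
                break  # one service match per line is enough
    return counts


def update_state(state, counts, now, max_age=MAX_AGE):
    """state maps ip -> (failure_count, last_seen). Drop entries whose last
    failure is older than max_age (this is what keeps the blockfile bounded),
    then merge the new counts, stamping each touched address with now."""
    new_state = {ip: v for ip, v in state.items() if now - v[1] < max_age}
    for ip, n in counts.items():
        old_count = new_state.get(ip, (0, now))[0]
        new_state[ip] = (old_count + n, now)
    return new_state


def blocked_ips(state, threshold=THRESHOLD):
    """Addresses at or above the threshold, sorted for a stable blockfile."""
    return sorted(ip for ip, (n, _) in state.items() if n >= threshold)


def render_hosts_allow(existing, ips, mark=MARK):
    """Rewrite only the marked region of a hosts.allow text with one deny line
    per blocked IP, leaving the administrator's own rules outside it untouched.
    'ALL: <ip> : deny' uses the TCP Wrappers extended-options syntax."""
    lines = existing.splitlines()
    if mark in lines:
        first = lines.index(mark)
        last = len(lines) - 1 - lines[::-1].index(mark)
        head, tail = lines[:first], lines[last + 1:]
    else:
        head, tail = lines, []
    body = [mark] + [f"ALL: {ip} : deny" for ip in ips] + [mark]
    return "\n".join(head + body + tail) + "\n"


def block_commands(ips, method="iptables"):
    """argv lists that block all traffic from each IP (returned, not run).
    Use the inverse (-D / 'ip route del') on expiry; because kernel state is
    lost on reboot, the caller re-emits these for every still-blocked address."""
    if method == "iptables":
        return [["iptables", "-I", "INPUT", "-s", ip, "-j", "DROP"] for ip in ips]
    if method == "iproute":
        return [["ip", "route", "add", "blackhole", ip] for ip in ips]
    raise ValueError(f"unknown method {method!r}")


if __name__ == "__main__":
    state = update_state({}, scan_log(SAMPLE_LOG), now=1_000)
    ips = blocked_ips(state)
    print(render_hosts_allow("sshd: 10.0.0.0/8\n", ips), end="")
    for argv in block_commands(ips, "iproute"):
        print(" ".join(argv))
```

On each run the tool only needs the log lines added since the previous run and the saved state; the rendered hosts.allow region and the regenerated commands are derived entirely from that state, which is why a reboot needs no special handling.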
External links
- BlockHosts website, along with contributed utilities