Tony's ramblings on Open Source Software, Life and Photography

Using BlockHosts To Stop Brute Force Attacks

Yesterday I posted about implementing rate limiting on new connections. Today I'm going to cover how to take it a step further and watch failed login attempts and automatically block an IP address for a day.

First, you'll want to download BlockHosts from A C Zoom. It's a Python script, run each time someone connects, that scans your log files and dynamically updates your /etc/hosts.allow file to keep out the nasties.

So, in traditional step-by-step fashion, here's what to do:

sudo su -
wget http://www.aczoom.com/tools/blockhosts/BlockHosts-2.4.0.tar.gz
tar -zxvf BlockHosts*
cd BlockHosts*
python setup.py install

Now you'll want to configure the /etc/blockhosts.cfg file, so open it with your favorite editor and make the following changes:

Look for "WHITELIST = ". You might want to add your own local network to this so that your own hosts can never be blocked.

Look for "LOGFILES" and uncomment the one that says:

LOGFILES = [ "/var/log/auth.log", ]

Look for "[mail]" and plug in your setup if you want it to send you an email periodically telling you what action has been taken.

Save and close that.

Now, edit your /etc/hosts.allow file and add the following to the end of it:

#---- BlockHosts Additions
#---- BlockHosts Additions
sshd, proftpd, in.proftpd, vsftpd: ALL: spawn (/usr/bin/blockhosts.py \
--verbose --echo "%c-%s" >> /var/log/blockhosts.log 2>&1 )& : allow

The two "BlockHosts Additions" marker lines are used by BlockHosts to wedge its deny entries into the file each time it runs; don't remove them.

NOTE: If you want to protect ProFTPD, the easiest way to make this work is to run ProFTPD from xinetd. Getting ProFTPD to honour /etc/hosts.allow in standalone mode is beyond the scope of this tutorial. See below for more information.

Finally enter the following to initialize your blocks from what's already in your logs:

blockhosts.py --verbose

By default BlockHosts will block an address for 12 hours after 7 failed login attempts. If you want to change that, look for "COUNT_THRESHOLD" and "AGE_THRESHOLD" in the /etc/blockhosts.cfg file, uncomment them and change the values to suit your needs.
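To make the two mechanisms above concrete (the marker lines that BlockHosts wedges its entries between, and the COUNT_THRESHOLD / AGE_THRESHOLD logic), here is a small added example that mimics what the script does. It is not BlockHosts' own code: it counts sshd "Failed password" lines per source address within the age window, drops whitelisted local networks, and rewrites the section between the two marker lines of a hosts.allow file. The log lines, the hosts.allow contents, the year used for the syslog timestamps and the whitelist prefixes are all constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Thresholds mirroring the blockhosts.cfg defaults quoted in the post.
COUNT_THRESHOLD = 7
AGE_THRESHOLD = timedelta(hours=12)
# Hypothetical WHITELIST: local networks that must never be blocked.
WHITELIST_PREFIXES = ("10.", "192.168.", "127.")
MARKER = "#---- BlockHosts Additions"
YEAR = 2024  # syslog timestamps carry no year; fixed here so the example is deterministic

# Matches the sshd failure lines found in /var/log/auth.log (both "Mar  9" and "Mar 09" day forms).
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def count_recent_failures(lines, now):
    """Count failed sshd logins per source IP, ignoring entries older than AGE_THRESHOLD."""
    counts = {}
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue
        when = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        if now - when > AGE_THRESHOLD:
            continue  # aged out: no longer counts toward the threshold
        counts[m["ip"]] = counts.get(m["ip"], 0) + 1
    return counts


def hosts_to_block(counts):
    """Addresses at or over COUNT_THRESHOLD that are not whitelisted, sorted for stable output."""
    return sorted(
        ip for ip, n in counts.items()
        if n >= COUNT_THRESHOLD and not ip.startswith(WHITELIST_PREFIXES)
    )


def render_hosts_allow(text, blocked):
    """Replace everything between the two marker lines with one deny rule per blocked host."""
    lines = text.splitlines()
    idx = [i for i, l in enumerate(lines) if l.strip() == MARKER]
    if len(idx) != 2:
        raise ValueError("hosts.allow must contain exactly two BlockHosts marker lines")
    deny = [f"ALL: {ip} : deny" for ip in blocked]
    new = lines[: idx[0] + 1] + deny + lines[idx[1]:]
    return "\n".join(new) + "\n"


def _failed(ts, ip, n):
    """Constructed sshd failure lines: n attempts from ip, one second apart starting at ts."""
    base = datetime.strptime(f"{YEAR} {ts}", "%Y %b %d %H:%M:%S")
    return [
        f"{(base + timedelta(seconds=i)).strftime('%b %d %H:%M:%S')} bastion sshd[{2100 + i}]: "
        f"Failed password for invalid user admin from {ip} port {40000 + i} ssh2"
        for i in range(n)
    ]


NOW = datetime(YEAR, 3, 10, 9, 0, 0)
# Constructed sample of /var/log/auth.log, not taken from a real host.
SAMPLE_AUTH_LOG = (
    _failed("Mar 10 08:00:01", "203.0.113.5", 7)      # reaches the threshold -> blocked
    + _failed("Mar 10 08:10:00", "198.51.100.23", 3)  # under the threshold
    + _failed("Mar 10 08:20:00", "10.0.0.7", 8)       # whitelisted local network
    + _failed("Mar 09 15:00:00", "192.0.2.44", 7)     # 18 hours old -> aged out
    + ["Mar 10 08:30:00 bastion sshd[2200]: Accepted publickey for tony from 198.51.100.2 port 5000 ssh2"]
)

# Constructed /etc/hosts.allow with a stale entry between the markers from an earlier run.
SAMPLE_HOSTS_ALLOW = f"""\
# constructed hosts.allow for the example
{MARKER}
ALL: 198.51.100.9 : deny
{MARKER}
sshd, proftpd, in.proftpd, vsftpd: ALL: spawn (/usr/bin/blockhosts.py \\
--verbose --echo "%c-%s" >> /var/log/blockhosts.log 2>&1 )& : allow
"""


def main():
    counts = count_recent_failures(SAMPLE_AUTH_LOG, NOW)
    print(render_hosts_allow(SAMPLE_HOSTS_ALLOW, hosts_to_block(counts)), end="")


if __name__ == "__main__":
    main()
```

Running it prints the hosts.allow with the stale 198.51.100.9 entry gone and a single "ALL: 203.0.113.5 : deny" line between the markers: the three-attempt host, the whitelisted host and the 18-hour-old attempts are all left alone, which is exactly the behaviour the two thresholds and the whitelist are meant to give you.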

This will thwart the average attacker trying to brute-force their way into your system. As a side note, SSH shouldn't be accepting username/password logins at all: it's easy to set up SSH key pairs and disable password authentication, so that nobody can brute-force their way into the SSH server. I'll cover that another time.

Also, please be aware this only protects the one machine you install it on. Unlike iptables firewall rules, which watch all traffic passing through the firewall, BlockHosts only protects services running on the host where it is installed. So, if you're using DNAT to forward FTP into your network to another machine, you'll want to install BlockHosts on the machine actually running the FTP service, not on the firewall.

Getting ProFTPD working with BlockHosts

By default, ProFTPD ignores the /etc/hosts.allow file. There's a wrapper module for it that is supposed to make it work, but after wasting 30 minutes trying to get it to work I decided it wasn't worth the trouble. The best option for me was to install xinetd and run ProFTPD from within its wrappers, so the hosts.allow rules are applied by xinetd. Here's how (assuming you've already installed ProFTPD in daemon mode):

sudo /etc/init.d/proftpd stop
sudo apt-get install xinetd
sudo dpkg-reconfigure proftpd

When the dialog asks, tell it you want to run ProFTPD from inside inetd.
Next, create a file called /etc/xinetd.d/proftpd and place the following within it:

service ftp
{
    disable         = no
    socket_type     = stream
    wait            = no
    user            = root
    server          = /usr/sbin/proftpd
    log_on_success  += DURATION USERID
    log_on_failure  += USERID
    nice            = 10
}

Finally, restart xinetd:

sudo /etc/init.d/xinetd restart
