BlockHosts

BlockHosts is a Python system tool for Linux that blocks IP addresses based on information gleaned from scanning system logs. It updates a hosts blockfile (such as hosts.deny) automatically to block IP addresses. It will also expire previously blocked addresses based on the age of the last failed login attempt; this keeps the blockfile size manageable. In addition to hosts.allow TCP wrappers blocking, it can also execute iptables or ip route commands to block all TCP/IP network traffic from an address, so all services, even those that do not run under TCP wrappers, can be protected.
Also available: an email notification facility, as well as an RSS feed exporting the list of blocked addresses. Contributed extensions include web scripts for intrusion source and location mashup displaying a geographic map of the blocked IP addresses.
The patterns used to scan system logs are extensible; out of the box it comes with patterns to recognize OpenSSH, ProFTPd, vsftpd, Pure-FTPd, and a few other services. All of these use TCP wrappers, but BlockHosts can also be extended to match patterns in non-TCP-wrappers services such as the Apache HTTP Server, blocking IP addresses using null routing or packet filtering techniques.
Operation
When executed, blockhosts.py scans a configured list of system log files looking for patterns that match undesirable access to the services running on the computer. A count is kept of the number of times a source IP address has made such accesses, and when the count exceeds a threshold, that IP address is blocked.
blockhosts.py can be executed automatically by using TCP wrappers mechanisms or by using scheduled cron table entries.
Non-TCP-wrappers services can be protected by using ip route null-route or iptables packet filtering based blocking. Just as the blockfile size is managed by expiring old blocked IP addresses, the routing table and packet filtering rules are pruned when a blocked IP address expires. Reboots are also handled automatically: even though a reboot may discard the routing table or packet filtering rules, the first invocation of blockhosts.py after a reboot re-inserts all the blocked IP entries, so nothing special has to be done to handle reboots.
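The scan, count, threshold and expiry steps described above, as an added illustration that is not BlockHosts' own code: the log lines, the fixed clock (NOW), the assumed year for the year-less syslog timestamps and the single OpenSSH pattern are all constructed for this example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in OpenSSH/syslog style (not taken from a real host).
SAMPLE_LOG = """\
Mar 10 08:01:02 host sshd[1201]: Failed password for invalid user admin from 192.0.2.10 port 50211 ssh2
Mar 10 08:01:05 host sshd[1203]: Failed password for root from 192.0.2.10 port 50212 ssh2
Mar 10 08:01:09 host sshd[1205]: Failed password for invalid user test from 192.0.2.10 port 50213 ssh2
Mar 10 08:02:00 host sshd[1210]: Accepted publickey for alice from 198.51.100.7 port 41000 ssh2
Mar 10 08:03:30 host sshd[1222]: Failed password for invalid user guest from 198.51.100.7 port 41010 ssh2
"""
# Assumed fixed clock for the example; a real run would use datetime.now().
NOW = datetime(2024, 3, 10, 9, 0, 0)

# One failure pattern (OpenSSH); a real deployment carries one pattern per service.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for .* from (?P<ip>\d+\.\d+\.\d+\.\d+) "
)

def scan(log_text, year=NOW.year):
    """Return {ip: (failure_count, last_failure)} from the log text.
    Syslog timestamps carry no year, so the year is supplied (assumed)."""
    seen = {}
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:                      # successful logins and other noise are ignored
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        count, last = seen.get(m["ip"], (0, ts))
        seen[m["ip"]] = (count + 1, max(last, ts))
    return seen

def select_blocked(seen, threshold, now=NOW, max_age_days=1):
    """Addresses whose count exceeds the threshold and whose last failure is
    younger than max_age_days; older entries are expired (dropped) instead."""
    limit = timedelta(days=max_age_days)
    return sorted(ip for ip, (count, last) in seen.items()
                  if count > threshold and now - last <= limit)

def blockfile_lines(ips):
    """TCP-wrappers style deny lines, the form written into hosts.deny."""
    return [f"ALL: {ip}" for ip in ips]

if __name__ == "__main__":
    blocked = select_blocked(scan(SAMPLE_LOG), threshold=2)
    print("\n".join(blockfile_lines(blocked)))
```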