Intelligent DEfence Activation – IDEA
Be prepared to read the whole post… don't SKIP lines or words.
Normally, to secure our machine against hostile hosts, we need to check our log files periodically (for example /var/log/secure) and then add those hostile hosts manually to TCP Wrappers or iptables. This can be a pain in the neck.
This is how we traditionally secure our machines.
STEP #1. Check the log files (/var/log/secure) periodically.
STEP #2. Manually update the firewall or TCP Wrappers for the illegal hosts or IPs.
Problem: This cannot be done in a timely manner and may result in a compromise. The attacker may try to intrude using some other service, or may change IP, in which case your iptables or TCP Wrappers entries will be of no use.
WISH #1. My server should be able to track attacker IP.
WISH #2. My server should be able to block attacker IP, automatically.
WISH #3. My server should secure itself, automatically, from any attack from attacker IP.
All your wishes can come true: you can use a small application named BLOCKHOSTS for this purpose.
Let's first see how BLOCKHOSTS works:
Someone attempts SSH with wrong credentials or from a host that is not allowed –> the event is logged in /var/log/secure –> blockhosts checks the log file for the number of failed events –> if the number of failed events exceeds the limit –> that host's IP is caught by blockhosts –> blockhosts puts an entry for that host in TCP Wrappers and iptables to block any further communication for a period of time.
STEP #1. Download the latest version of blockhosts from:
STEP #2. Install the RPM
STEP #3. Configure the main configuration file /etc/blockhosts.cfg. Here are some common options that need to be set to make blockhosts work for you.
Tell blockhosts which file needs to be updated for TCP Wrappers; normally it will be /etc/hosts.allow.
Under [common] section edit or activate this line:
HOSTS_BLOCKFILE = "/etc/hosts.allow"
Under [filters] section edit or activate these lines:
COUNT_THRESHOLD = 3
This tells blockhosts to block any host once its number of failed attempts exceeds 3.
AGE_THRESHOLD = 1
This tells blockhosts that a denied host will not be allowed to communicate for the next 1 hour.
WHITELIST = [ "x.x.x.x" ]
With this you tell blockhosts that these IPs will never be blocked, irrespective of the number of failed attempts.
BLACKLIST = ["x.x.x.x" ]
With this you tell blockhosts to block these IPs permanently.
Under [blockhosts] section edit or activate these lines:
LOGFILES = [ "/var/log/secure", ]
This line tells blockhosts to keep checking /var/log/secure (which records SSH events) for failed attempts. You can also enable other log files as you wish.
SAVE and EXIT.
You have now configured blockhosts according to your preferences.
Now it's time to activate blockhosts so that it checks for and blocks hostile machines automatically.
STEP #4. Edit the /etc/hosts.allow file for blockhosts. Add these lines to /etc/hosts.allow:
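Added example (not blockhosts' own code): a small Python sketch of the counting logic described above, using the COUNT_THRESHOLD, AGE_THRESHOLD, WHITELIST and BLACKLIST values from this walkthrough over a constructed /var/log/secure excerpt, so you can see which hosts would end up denied and why. The addresses, the reference time NOW and the log lines are all constructed.

```python
import re
from datetime import datetime, timedelta

# Settings mirrored from the /etc/blockhosts.cfg walkthrough above
COUNT_THRESHOLD = 3          # block once failures exceed this number
AGE_THRESHOLD = 1            # hours: older failures no longer count toward a block
WHITELIST = ["10.0.0.5"]     # constructed address that is never blocked
BLACKLIST = ["203.0.113.9"]  # constructed address that is always blocked
NOW = datetime(2024, 3, 3, 10, 6)  # constructed reference time for the sample log

# Constructed /var/log/secure excerpt in sshd's syslog format (timestamps carry no year)
SAMPLE_LOG = """\
Mar  3 07:00:01 host sshd[1900]: Failed password for root from 192.0.2.44 port 33000 ssh2
Mar  3 07:00:04 host sshd[1900]: Failed password for root from 192.0.2.44 port 33000 ssh2
Mar  3 07:00:08 host sshd[1900]: Failed password for root from 192.0.2.44 port 33000 ssh2
Mar  3 07:00:11 host sshd[1901]: Failed password for root from 192.0.2.44 port 33002 ssh2
Mar  3 10:01:12 host sshd[2101]: Failed password for invalid user admin from 198.51.100.7 port 40122 ssh2
Mar  3 10:01:15 host sshd[2101]: Failed password for invalid user admin from 198.51.100.7 port 40122 ssh2
Mar  3 10:01:19 host sshd[2101]: Failed password for root from 198.51.100.7 port 40130 ssh2
Mar  3 10:01:25 host sshd[2104]: Failed password for root from 198.51.100.7 port 40131 ssh2
Mar  3 10:02:01 host sshd[2110]: Failed password for root from 10.0.0.5 port 50001 ssh2
Mar  3 10:02:03 host sshd[2110]: Failed password for root from 10.0.0.5 port 50001 ssh2
Mar  3 10:02:06 host sshd[2110]: Failed password for root from 10.0.0.5 port 50001 ssh2
Mar  3 10:02:09 host sshd[2111]: Failed password for root from 10.0.0.5 port 50003 ssh2
"""

FAILED_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
                       r"(?:invalid user )?\S+ from (\d+\.\d+\.\d+\.\d+) port \d+")

def parse_failures(log_text, year):
    # Return (timestamp, ip) per failed sshd login; syslog omits the year, so the caller supplies it
    matches = (FAILED_RE.match(line) for line in log_text.splitlines())
    return [(datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S"), m.group(2))
            for m in matches if m]

def hosts_to_block(events, now):
    # Count failures newer than AGE_THRESHOLD per IP, honour the lists, return IPs to deny
    cutoff = now - timedelta(hours=AGE_THRESHOLD)
    counts = {}
    for ts, ip in events:
        if ts >= cutoff and ip not in WHITELIST:
            counts[ip] = counts.get(ip, 0) + 1
    blocked = {ip for ip, n in counts.items() if n > COUNT_THRESHOLD}
    blocked.update(ip for ip in BLACKLIST if ip not in WHITELIST)
    return sorted(blocked)

def hosts_allow_lines(blocked):
    # TCP Wrappers deny entries of the kind blockhosts maintains inside /etc/hosts.allow
    return [f"ALL: {ip} : deny" for ip in blocked]
```

In the sample, 192.0.2.44 escapes a block only because its failures are older than AGE_THRESHOLD, and 10.0.0.5 only because it is whitelisted; 198.51.100.7 is denied after its fourth failure and 203.0.113.9 is denied unconditionally.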
sshd, proftpd, vsftpd: ALL: spawn /usr/bin/blockhosts.py \
--echo %c-%s --ipblock=iptables \
PS: please replace 172.24.0.13 with the IP you wish to blacklist as per your network.
STEP #5. Start blockhosts.
This will make blockhosts read your /var/log/secure file and trap hostile IPs automatically. You can put this under cron to make blockhosts check periodically.