Tag Archives: attacks

Preventing Brute Force Attacks With BlockHosts On Debian Etch

cd
wget http://www.aczoom.com/tools/blockhosts/BlockHosts-2.1.0.tar.gz
tar xvfz BlockHosts-2.1.0.tar.gz
cd cd BlockHosts-2.1.0
python setup.py install –force
nano /etc/blockhosts.cfg

修改

[…]
HOSTS_BLOCKFILE = "/etc/hosts.allow"
[…]
HOST_BLOCKLINE = ["ALL: ", " : deny"]
[…]
LOGFILES = [ "/var/log/auth.log", "/var/log/proftpd/proftpd.log", ]
[…]
COUNT_THRESHOLD = 3
[…]
AGE_THRESHOLD = 12
[…]
MAIL = True
[…]
NOTIFY_ADDRESS = [email protected]
[…]
SMTP_SERVER = "localhost"
SENDER_ADDRESS = ‘BlockHosts <blockhosts-do-not-r[email protected]>’
[…]
IPBLOCK = "iptables" […]

In HOSTS_BLOCKFILE we can specify either /etc/hosts.allow or /etc/hosts.deny. It doesn’t matter which one we choose. I’m using /etc/hosts.allow here. In the LOGFILES line we specify the log files that BlockHosts should look at. OpenSSH is logging failed login attempts to /var/log/auth.log, ProFTPd to /var/log/proftpd/proftpd.log. COUNT_THRESHOLD specifies the number of failed login attempts from the same host after which BlockHosts should block that host. AGE_THRESHOLD is the numer of hours after which blocked hosts get unblocked. IPBLOCK specifies if you’d like to block hosts with iptables or iproute in addition to adding these hosts to /etc/hosts.allow (or /etc/hosts.deny).

Next we must modify /etc/hosts.allow. First back up your current /etc/hosts.allow:

cp /etc/hosts.allow /etc/hosts.allow_bak
nano /etc/hosts.allow

Continue reading