Preventing Brute Force Attacks With BlockHosts On Debian Etch

January 28, 2008

In this article I will show how to install and configure BlockHosts on a Debian Etch system. BlockHosts is a Python tool that observes login attempts to various services, e.g. SSH, FTP, etc., and if it finds repeated failed login attempts from the same IP address or host, it stops further login attempts from that IP address/host. By default, BlockHosts supports services that use TCP_WRAPPERS, such as SSH, i.e. services that consult /etc/hosts.allow or /etc/hosts.deny, but it can also block other services using iproute or iptables.

This document comes without warranty of any kind! I do not issue any guarantee that this will work for you!

1 Preliminary Note

I have tested BlockHosts on a Debian Etch system.

I will show you how to use it with a service that uses /etc/hosts.allow or /etc/hosts.deny (sshd) and with a service that doesn’t use TCP_WRAPPERS, e.g. Debian’s ProFTPd package. Services that don’t use /etc/hosts.allow or /etc/hosts.deny can be blocked by iproute or iptables.

I assume that OpenSSH and ProFTPd are both properly installed and working on your system.

2 Installing BlockHosts

As BlockHosts is written in Python, we must install Python now:

apt-get install python

Afterwards, we download and install BlockHosts like this:

cd /tmp
wget http://www.aczoom.com/tools/blockhosts/BlockHosts-2.0.5.tar.gz
tar xvfz BlockHosts-2.0.5.tar.gz
cd BlockHosts-2.0.5

python setup.py install --force

Now we have to edit /etc/blockhosts.cfg. Modify it as follows:

vi /etc/blockhosts.cfg

[...]
HOSTS_BLOCKFILE = "/etc/hosts.allow"
[...]
HOST_BLOCKLINE = ["ALL: ", " : deny"]
[...]
LOGFILES = [ "/var/log/auth.log", "/var/log/proftpd/proftpd.log", ]
[...]
COUNT_THRESHOLD = 3
[...]
AGE_THRESHOLD = 12
[...]
MAIL = True
[...]
NOTIFY_ADDRESS = 'root@localhost.localdomain'
[...]
SMTP_SERVER = "localhost"
SENDER_ADDRESS = 'BlockHosts <blockhosts-do-not-reply@localhost.localdomain>'
[...]
IPBLOCK = "iptables"
[...]

In HOSTS_BLOCKFILE we can specify either /etc/hosts.allow or /etc/hosts.deny. It doesn’t matter which one we choose. I’m using /etc/hosts.allow here. In the LOGFILES line we specify the log files that BlockHosts should look at. OpenSSH logs failed login attempts to /var/log/auth.log, ProFTPd to /var/log/proftpd/proftpd.log. COUNT_THRESHOLD specifies the number of failed login attempts from the same host after which BlockHosts should block that host. AGE_THRESHOLD is the number of hours after which blocked hosts get unblocked. IPBLOCK specifies whether you’d like to block hosts with iptables or iproute in addition to adding these hosts to /etc/hosts.allow (or /etc/hosts.deny).
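As an added illustration of how COUNT_THRESHOLD and the permanent whitelist interact (my own example code, not part of BlockHosts), the following Python counts failed logins per client address over constructed auth.log and proftpd.log lines and lists the hosts that would be blocked. The exact log message wording and the inclusive threshold are assumptions; BlockHosts ships its own log patterns.

```python
import re

# Constructed sample log lines (not from the page) in the format Debian Etch's
# sshd writes to /var/log/auth.log and ProFTPd to /var/log/proftpd/proftpd.log.
# The exact message wording is an assumption.
SAMPLE_AUTH_LOG = """\
Sep  5 16:35:10 server2 sshd[2401]: Failed password for invalid user admin from ::ffff:192.168.0.93 port 43211 ssh2
Sep  5 16:35:20 server2 sshd[2403]: Failed password for invalid user admin from ::ffff:192.168.0.93 port 43212 ssh2
Sep  5 16:35:30 server2 sshd[2405]: Failed password for root from ::ffff:192.168.0.93 port 43213 ssh2
Sep  5 16:35:48 server2 sshd[2407]: Failed password for root from ::ffff:192.168.0.93 port 43214 ssh2
Sep  5 16:36:01 server2 sshd[2409]: Failed password for root from ::ffff:192.168.0.101 port 50001 ssh2
Sep  5 16:36:05 server2 sshd[2411]: Accepted password for root from ::ffff:192.168.0.101 port 50002 ssh2
Sep  5 16:36:20 server2 sshd[2413]: Failed password for root from 127.0.0.1 port 50010 ssh2
Sep  5 16:36:21 server2 sshd[2415]: Failed password for root from 127.0.0.1 port 50011 ssh2
Sep  5 16:36:22 server2 sshd[2417]: Failed password for root from 127.0.0.1 port 50012 ssh2
"""
SAMPLE_PROFTPD_LOG = """\
Sep 05 16:40:01 server2.example.com proftpd[2420] server2.example.com (::ffff:192.168.0.92[::ffff:192.168.0.92]): USER ftp: no such user found from ::ffff:192.168.0.92 [::ffff:192.168.0.92] to ::ffff:192.168.0.100:21
Sep 05 16:40:12 server2.example.com proftpd[2421] server2.example.com (::ffff:192.168.0.92[::ffff:192.168.0.92]): USER falko (Login failed): Incorrect password.
Sep 05 16:40:23 server2.example.com proftpd[2422] server2.example.com (::ffff:192.168.0.92[::ffff:192.168.0.92]): USER falko (Login failed): Incorrect password.
Sep 05 16:41:00 server2.example.com proftpd[2423] server2.example.com (::ffff:192.168.0.101[::ffff:192.168.0.101]): USER falko: Login successful.
"""

# One pattern per service; group 1 captures the client address.
PATTERNS = [
    re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port \d+"),
    re.compile(r"proftpd\[\d+\] \S+ \(\S+\[([^\]]+)\]\): USER \S+.*(?:no such user found|Login failed)"),
]

def normalize(addr):
    """Strip the ::ffff: prefix that sshd prints for IPv4-mapped IPv6 addresses."""
    return addr[7:] if addr.startswith("::ffff:") else addr

def is_whitelisted(ip, whitelist):
    """hosts.allow-style match: an entry ending in '.' is a network prefix (e.g. '192.168.0.')."""
    return any(ip.startswith(e) if e.endswith(".") else ip == e for e in whitelist)

def failed_logins(lines, patterns=PATTERNS):
    """Count failed login attempts per client address across all log lines."""
    counts = {}
    for line in lines:
        for pat in patterns:
            m = pat.search(line)
            if m:
                ip = normalize(m.group(1))
                counts[ip] = counts.get(ip, 0) + 1
                break
    return counts

def hosts_to_block(counts, count_threshold=3, whitelist=("127.0.0.1",)):
    """Hosts at or above COUNT_THRESHOLD failures that are not permanently whitelisted.
    Assumption: the threshold is inclusive (the page's run blocks hosts with counts of 4 and 8)."""
    return sorted(ip for ip, n in counts.items()
                  if n >= count_threshold and not is_whitelisted(ip, whitelist))

def example_counts():
    """Run the counter over the constructed sample logs."""
    return failed_logins(SAMPLE_AUTH_LOG.splitlines() + SAMPLE_PROFTPD_LOG.splitlines())

if __name__ == "__main__":
    counts = example_counts()
    print("failed attempts:", counts)
    print("would block:", hosts_to_block(counts))
```

With the default whitelist only 127.0.0.1 is spared; uncommenting the 192.168.0. line from the hosts.allow above would spare every host in the sample.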

Next we must modify /etc/hosts.allow. First back up your current /etc/hosts.allow:

cp /etc/hosts.allow /etc/hosts.allow_orig

Then empty /etc/hosts.allow and put something like this into it:

cat /dev/null > /etc/hosts.allow
vi /etc/hosts.allow

#
# hosts.allow    This file describes the names of the hosts which are
#        allowed to use the local INET services, as decided
#        by the '/usr/sbin/tcpd' server.
#
# ----
# see "man 5 hosts_access" for details of the format of IP addresses,
#services, allow/deny options. Also see "man hosts_options"
#
# permanent whitelist addresses - this should always be allowed access

ALL: 127.0.0.1 : allow
# ALL: 192.168.0. : allow

# permanent blacklist addresses - this should always be denied access
# ALL: 10. : deny
# ----------------------------------------
# next section is the blockhosts section - it will add/delete entries in
# between the two marker lines (#---- BlockHosts Additions)

#---- BlockHosts Additions
#---- BlockHosts Additions

# ----------------------------------------
# finally, the command to execute the blockhosts script, based on
# connection to particular service or services:

sshd: ALL: spawn /usr/bin/blockhosts.py --verbose --mail --iptables \
     --echo "%c-%s" --check-ip "%h" >> /var/log/blockhosts.log 2>&1 & \
: allow

#---
# add --iproute to enable null-routing, or add --iptables to enable packet
# filtering, which blocks all network communication from blocked hosts
#---
# remove   >> /var/log/blockhosts.log 2>&1     if no logging to blockhosts.log
# is needed - without this, it will still log to syslog (minimally)
#sshd: ALL: spawn /usr/bin/blockhosts.py --verbose --echo "%c-%s" & : allow
#---
# above commands will use default config file - /etc/blockhosts.cfg, edit
# it as needed to specify local configuration options

# See "man hosts.allow" for info on %c and %s identifiers

# for non-verbose, with identification, to syslog only (/var/log/messages),
# triggered on any service (using ALL as first word):
#ALL: ALL: spawn /usr/bin/blockhosts.py --echo "%c-%s" & : allow
#----
# To test hosts.allow, and to find out exact names of SSH/FTP services,
# add this line to the beginning of hosts.allow, use ssh/ftp to connect
# to your server, and then look at the log (/var/log/messages or
# blockhosts.log) to see the name of the invoked service.
# IMPORTANT: after your test is done, remove this line from hosts.allow!
# Otherwise everyone will always have access.
#ALL : ALL: spawn (/usr/bin/blockhosts.py --verbose --echo "%c-%s" >> /var/log/blockhosts.log 2>&1 )& : allow

# -------------------------------------------------------------------------

In the first section you put hosts that you want to whitelist (e.g. 127.0.0.1). If you’d like to whitelist the whole 192.168.0 subnet, uncomment that line.

Then we must add these markers – BlockHosts will add blocked hosts between them:

#---- BlockHosts Additions
#---- BlockHosts Additions

The most important part is this one:

sshd: ALL: spawn /usr/bin/blockhosts.py --verbose --mail --iptables \
     --echo "%c-%s" --check-ip "%h" >> /var/log/blockhosts.log 2>&1 & \
: allow

Now whenever someone tries to log in using SSH, /usr/bin/blockhosts.py is started, checks the log files that we specified in /etc/blockhosts.cfg, and blocks all hosts with more than COUNT_THRESHOLD failed login attempts by adding them to /etc/hosts.allow and by using iptables (which will totally block these hosts from accessing your system). All actions will be logged to /var/log/blockhosts.log.

Now we need to initialize BlockHosts. First, we do this with the --dry-run option to check that there are no errors:

blockhosts.py --dry-run --verbose

The output could look like this:

server2:/var/log# blockhosts.py --dry-run --verbose
blockhosts 2.0.5 started: 2007-09-05 16:31:10 CEST
… load blockfile: /etc/hosts.allow
… found both markers, count of hosts being watched: 0
no logoffsets found, will read from beginning in logfile: /var/log/auth.log
… loading log file, offset: /var/log/auth.log 0
no logoffsets found, will read from beginning in logfile: /var/log/proftpd/proftpd.log
… loading log file, offset: /var/log/proftpd/proftpd.log 0
… will discard all host entries older than 2007-09-05 04:31:10 CEST
… updates: counts: hosts to block: 0; hosts being watched: 0
#---- BlockHosts Additions
#bh: logfile: /var/log/auth.log
#bh: offset: 2643
#bh: first line:Jun 28 20:35:51 server2 login[2087]: (pam_unix) session opened for user root by (uid=0)

#bh: logfile: /var/log/proftpd/proftpd.log
#bh: offset: 1308
#bh: first line:Sep 05 16:04:34 server2.example.com proftpd[2355] server2.example.com: error setting IPV6_V6ONLY: Protocol not available

#---- BlockHosts Additions

# ----------------------------------------
# finally, the command to execute the blockhosts script, based on
# connection to particular service or services:

sshd, proftpd, vsftpd: ALL: spawn /usr/bin/blockhosts.py --verbose --mail \
--echo "%c-%s" --check-ip "%h" >> /var/log/blockhosts.log 2>&1 & \
: allow

#---
# add --iproute to enable null-routing, or add --iptables to enable packet
# filtering, which blocks all network communication from blocked hosts
#---
# remove >> /var/log/blockhosts.log 2>&1 if no logging to blockhosts.log
# is needed - without this, it will still log to syslog (minimally)
#sshd: ALL: spawn /usr/bin/blockhosts.py --verbose --echo "%c-%s" & : allow
#---
# above commands will use default config file - /etc/blockhosts.cfg, edit
# it as needed to specify local configuration options

# See "man hosts.allow" for info on %c and %s identifiers

# for non-verbose, with identification, to syslog only (/var/log/messages),
# triggered on any service (using ALL as first word):
#ALL: ALL: spawn /usr/bin/blockhosts.py --echo "%c-%s" & : allow
#----
# To test hosts.allow, and to find out exact names of SSH/FTP services,
# add this line to the beginning of hosts.allow, use ssh/ftp to connect
# to your server, and then look at the log (/var/log/messages or
# blockhosts.log) to see the name of the invoked service.
# IMPORTANT: after your test is done, remove this line from hosts.allow!
# Otherwise everyone will always have access.
#ALL : ALL: spawn (/usr/bin/blockhosts.py --verbose --echo "%c-%s" >> /var/log/blockhosts.log 2>&1 )& : allow

# -------------------------------------------------------------------------
Commands (tentative) to run for ip null-route blocking:
… no email to send.
server2:/var/log#

Looks ok (apart from the IPv6 error, which you can ignore), so we can run it without the --dry-run option:

blockhosts.py --verbose

This should look like this:

server2:/var/log# blockhosts.py --verbose
blockhosts 2.0.5 started: 2007-09-05 16:33:24 CEST
… load blockfile: /etc/hosts.allow
… found both markers, count of hosts being watched: 0
… loading log file, offset: /var/log/auth.log 2643
… loading log file, offset: /var/log/proftpd/proftpd.log 1308
… will discard all host entries older than 2007-09-05 04:33:24 CEST
… updates: counts: hosts to block: 0; hosts being watched: 0
… created user-defined chain blockhosts
… creating jump from INPUT to blockhosts chain
… no email to send.
server2:/var/log#

BlockHosts is now ready to catch failed SSH logins, but not failed ProFTPd logins, because Debian’s ProFTPd doesn’t consult /etc/hosts.allow and /etc/hosts.deny, so BlockHosts isn’t invoked when someone tries to log in to ProFTPd. (If someone has COUNT_THRESHOLD or more failed login attempts on ProFTPd and then tries to log in over OpenSSH, he will be blocked: OpenSSH uses /etc/hosts.allow, which invokes BlockHosts, which finds the failed ProFTPd login attempts in the log. But if someone tries to log in to ProFTPd only, there’s no way to catch him with the current setup.) To block non-TCP_WRAPPERS services, we will create a cron job that starts BlockHosts every five minutes (for example).

3 Creating A BlockHosts Cron Job For Non-TCP_WRAPPERS Services

To block hosts from non-TCP_WRAPPERS services such as Debian’s ProFTPd, you can run

blockhosts.py --iptables --verbose

on the command line. Of course, you don’t want to do this by hand every few minutes, so we create a cron job for it.

First we create a little wrapper script for /usr/bin/blockhosts.py:

vi /usr/local/sbin/blockhosts

#!/bin/bash
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

/usr/bin/blockhosts.py --iptables --verbose >> /var/log/blockhosts.log 2>&1

The purpose of this wrapper script is to pass the correct PATH to the /usr/bin/blockhosts.py script; if we use /usr/bin/blockhosts.py directly in the cron job, we will get errors saying that iptables could not be found.

Of course, we must make /usr/local/sbin/blockhosts executable:

chmod 700 /usr/local/sbin/blockhosts

Then, we create a cron job like this:

crontab -e

*/5 * * * *  /usr/local/sbin/blockhosts &> /dev/null

4 Testing

Now you can try to log in to your server using SSH and FTP with wrong usernames/passwords. After some time, you shouldn’t be able to connect to your server at all which means you got blocked. Change your client’s IP address and log in to the server’s shell again.

Run

iptables -L

You can see in the output which IP addresses got blocked:

server2:~# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
blockhosts  0    --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain blockhosts (1 references)
target     prot opt source               destination
DROP       0    --  192.168.0.93         anywhere
DROP       0    --  192.168.0.92         anywhere
DROP       0    --  192.168.0.91         anywhere
DROP       0    --  192.168.0.94         anywhere
server2:~#

Take a look at /etc/hosts.allow. The same IP addresses should be listed in the #---- BlockHosts Additions section:

vi /etc/hosts.allow

[...]
#---- BlockHosts Additions
ALL: 192.168.0.94 : deny
ALL: 192.168.0.91 : deny
ALL: 192.168.0.92 : deny
ALL: 192.168.0.93 : deny

#bh: ip:    192.168.0.94 :   4 : 2007-09-05 16:59:47 CEST
#bh: ip:    192.168.0.91 :   4 : 2007-09-05 16:49:50 CEST
#bh: ip:    192.168.0.92 :   8 : 2007-09-05 16:40:23 CEST
#bh: ip:    192.168.0.93 :   4 : 2007-09-05 16:35:48 CEST

#bh: logfile: /var/log/auth.log
#bh: offset: 4563
#bh: first line:Jun 28 20:35:51 server2 login[2087]: (pam_unix) session opened for user root by (uid=0)

#bh: logfile: /var/log/proftpd/proftpd.log
#bh: offset: 15020
#bh: first line:Sep 05 16:04:34 server2.example.com proftpd[2355] server2.example.com: error setting IPV6_V6ONLY: Protocol not available

#---- BlockHosts Additions
[...]
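To check what BlockHosts has written into that section, here is an added example (my own code, not BlockHosts's) that parses the lines between the two markers, flags deny lines that have no matching #bh: ip: record, and works out which entries are older than AGE_THRESHOLD and would be dropped on the next run, which is what the "will discard all host entries older than" line in the run above refers to. The excerpt it parses is constructed; the 192.168.0.90 line stands for a deny line someone added by hand.

```python
import re
from datetime import datetime, timedelta

MARKER = "#---- BlockHosts Additions"
TS_FORMAT = "%Y-%m-%d %H:%M:%S"

# Constructed excerpt of /etc/hosts.allow laid out the way BlockHosts writes it
# (same structure as the listing above; addresses, counts and times are made up).
# The 192.168.0.90 deny line has no "#bh: ip:" record: BlockHosts did not add it.
SAMPLE_HOSTS_ALLOW = """\
ALL: 127.0.0.1 : allow

#---- BlockHosts Additions
ALL: 192.168.0.94 : deny
ALL: 192.168.0.91 : deny
ALL: 192.168.0.90 : deny

#bh: ip:    192.168.0.94 :   4 : 2007-09-05 16:59:47 CEST
#bh: ip:    192.168.0.91 :   4 : 2007-09-05 03:49:50 CEST

#bh: logfile: /var/log/auth.log
#bh: offset: 4563
#bh: first line:Jun 28 20:35:51 server2 login[2087]: (pam_unix) session opened for user root by (uid=0)

#---- BlockHosts Additions

sshd: ALL: spawn /usr/bin/blockhosts.py --verbose --mail --iptables --echo "%c-%s" --check-ip "%h" & : allow
"""

DENY_LINE = re.compile(r"^ALL:\s+(\S+)\s+:\s+deny\s*$")
# The time zone suffix (CEST) is not captured; all stamps are treated as local time.
BH_IP_LINE = re.compile(r"^#bh: ip:\s+(\S+)\s+:\s+(\d+)\s+:\s+(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)")

def blockhosts_section(text):
    """Lines between the two marker lines; BlockHosts needs both to be present."""
    lines = text.splitlines()
    marks = [i for i, line in enumerate(lines) if line.strip() == MARKER]
    if len(marks) != 2:
        raise ValueError("expected exactly 2 marker lines, found %d" % len(marks))
    return lines[marks[0] + 1:marks[1]]

def parse_section(text):
    """Return (deny list in file order, {ip: (failure count, last attempt datetime)})."""
    deny, watched = [], {}
    for line in blockhosts_section(text):
        m = DENY_LINE.match(line)
        if m:
            deny.append(m.group(1))
            continue
        m = BH_IP_LINE.match(line)
        if m:
            watched[m.group(1)] = (int(m.group(2)), datetime.strptime(m.group(3), TS_FORMAT))
    return deny, watched

def check_consistency(deny, watched):
    """Deny lines with no matching #bh: ip: record, i.e. not written by BlockHosts."""
    return sorted(ip for ip in deny if ip not in watched)

def expired(watched, now, age_threshold_hours=12):
    """Hosts whose last failed attempt is older than AGE_THRESHOLD hours; the next run
    unblocks them. 'now' is given in the file's own timestamp format."""
    cutoff = datetime.strptime(now, TS_FORMAT) - timedelta(hours=age_threshold_hours)
    return sorted(ip for ip, (_, last) in watched.items() if last < cutoff)

if __name__ == "__main__":
    deny, watched = parse_section(SAMPLE_HOSTS_ALLOW)
    print("blocked:", deny)
    print("deny lines without a record:", check_consistency(deny, watched))
    print("would be unblocked now:", expired(watched, "2007-09-05 17:00:00"))
```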

Finally, you can also take a look at /var/log/blockhosts.log:

tail /var/log/blockhosts.log

[...]
blockhosts 2.0.5 started: 2007-09-05 16:52:25 CEST
… echo tag: ::ffff:192.168.0.94-sshd@::ffff:192.168.0.101
… load blockfile: /etc/hosts.allow
… found both markers, count of hosts being watched: 3
… loading log file, offset: /var/log/auth.log 4018
… loading log file, offset: /var/log/proftpd/proftpd.log 12305
… will discard all host entries older than 2007-09-05 04:52:25 CEST
… updates: counts: hosts to block: 3; hosts being watched: 3
… no email to send.

How To Set Up VMware Tools On Various Linux Distributions

January 28, 2008

This document explains how to set up the VMware Tools in the following guest operating systems: Ubuntu 7.04, Fedora 7, PCLinuxOS 2007 and Debian Etch. Installing VMware Tools in your guest operating systems will help maximize performance, provide mouse synchronization and copy & paste functionality. This article also shows a way of making VMware Tools start automatically when you start a guest operating system.

I used the VMware Tools v1.0.3-44356 provided by VMware Server v1.03.

This howto is meant as a practical guide; it does not cover the theoretical background, which is treated in a lot of other documents on the web.

This document comes without warranty of any kind! I want to say that this is not the only way of setting up such a system. There are many ways of achieving this goal but this is the way I take. I do not issue any guarantee that this will work for you!

1 Preparation

Set up a virtual machine of your choice. Click on VM in the top menu of the VMware Server console and select Install VMware Tools.


2 Ubuntu 7.04

First copy the VMware Tools from the mounted iso to the temporary folder:

cp /media/cdrom/VMwareTools-1.0.3-44356.tar.gz /tmp/

Afterwards switch to the temporary folder and unpack the VMware Tools:

cd /tmp/
tar xvfz VMwareTools-1.0.3-44356.tar.gz

Next switch to the folder with the unpacked files and execute the installer:

cd vmware-tools-distrib/
sudo ./vmware-install.pl

Now you will be asked a few questions relating to installation paths etc. Choose the default value every time (simply hit enter).

After the installation/configuration finished you have to start the VMware Tools:

vmware-toolbox &

You can automate the start of the VMware Tools – have a look at step 6 of this howto.

Note: If you close the VMware Tools window, the VMware Tools will be disabled immediately.

3 Fedora 7 (Kernel 2.6.22.5-76.fc7)

First become root and install some needed packages:

su -
%yourrootpassword%
yum install kernel-devel gcc gcc-c++

Next copy the VMware Tools from the mounted iso to the temporary folder:

cp /media/VMware\ Tools/VMwareTools-1.0.3-44356.tar.gz /tmp/

Afterwards switch to the temporary folder and unpack the VMware Tools:

cd /tmp/
tar xvfz VMwareTools-1.0.3-44356.tar.gz

Now we have to fix the vmxnet module:

cd vmware-tools-distrib/lib/modules/source
tar xf vmxnet.tar
cp vmxnet-only/vmxnet.c vmxnet-only/vmxnet.c.orig
wget http://www.thoughtpolice.co.uk/vmware/howto/patch2-vmxnet.c.patch
patch -u vmxnet-only/vmxnet.c < patch2-vmxnet.c.patch
tar cf vmxnet.tar vmxnet-only/
cd /tmp/vmware-tools-distrib
./vmware-install.pl

You will be asked a few questions relating to installation paths etc. Choose the default value every time (simply hit enter).

Next step is to fix the xorg.conf:

vi /etc/X11/xorg.conf

Add the following lines:

Section "Monitor"
   Identifier "vmware"
EndSection

After this you have to run the configuration again:

vmware-config-tools.pl

Choose the default value every time (simply hit enter) till you reach the question Do you want to change your guest X resolution? – choose yes and select your desired resolution.

The last step is to fix the integration of the vmxnet module by manually loading it (otherwise you might run into problems with the network):

/etc/init.d/networking stop
rmmod pcnet32
rmmod vmxnet
depmod -a
modprobe vmxnet
/etc/init.d/networking start

Afterwards reboot the vm. After the vm has rebooted, you can start the VMware Tools via:

vmware-toolbox &

You can automate the start of the VMware Tools – have a look at step 6 of this howto.

Note: If you close the VMware Tools window, the VMware Tools will be disabled immediately.

4 PCLinuxOS 2007

Become root, switch to the mounted iso and install the rpm package:

su -
%yourrootpassword%
cd /media/VMware\ Tools/
rpm -ivh VMwareTools-1.0.3-44356.i386.rpm

Afterwards run the configuration:

vmware-config-tools.pl

You will be asked a few questions relating to installation paths etc. Choose the default value every time (simply hit enter).

Afterwards reboot the vm. After the vm has rebooted, you can start the VMware Tools via:

vmware-toolbox &

You can automate the start of the VMware Tools – have a look at step 6 of this howto.

Note: If you close the VMware Tools window, the VMware Tools will be disabled immediately.

5 Debian Etch

First install some needed packages:

apt-get install autoconf automake binutils cpp gcc linux-headers-$(uname -r) make psmisc

Next copy the VMware Tools from the mounted iso to the temporary folder:

cp /media/cdrom/VMwareTools-1.0.3-44356.tar.gz /tmp/

Afterwards switch to the temporary folder and unpack the VMware Tools:

cd /tmp/
tar xvfz VMwareTools-1.0.3-44356.tar.gz

Next switch to the folder with the unpacked files and execute the installer:

cd vmware-tools-distrib/
./vmware-install.pl

Now you will be asked a few questions relating to installation paths etc. Choose the default value every time (simply hit enter).

Afterwards reboot the vm. After the vm has rebooted, you can start the VMware Tools via:

vmware-toolbox &

You can automate the start of the VMware Tools – have a look at step 6 of this howto.

Note: If you close the VMware Tools window, the VMware Tools will be disabled immediately.

6 VMware Toolbox Automatic Hidden Start

We’ll create two scripts (I sometimes had problems when I put everything in one script). These scripts will be executed every time an X session starts – they will switch to the next workspace, start the VMware Tools minimized and switch back to the previous workspace. The switching will be done with xvkbd – a virtual keyboard for the X window system.

6.1 Install Xvkbd

Ubuntu 7.04:

sudo apt-get install xvkbd

Fedora 7:

su -
%yourrootpassword%
rpm -ivh http://dag.wieers.com/rpm/packages/xvkbd/xvkbd-2.8-1.el4.rf.i386.rpm
exit

PCLinuxOS 2007:

Download the rpm-package from http://rpmseek.com/rpm/xvkbd-2.7a-2mdk.i586.html?hl=de&cs=xvkbd:PN:0:0:0:0:2800686.

Afterwards switch to the directory where you downloaded the package and install it:

su -
%yourrootpassword%
rpm -ivh xvkbd-2.7a-2mdk.i586.rpm
exit

Debian Etch:

su -
%yourrootpassword%
apt-get install xvkbd
exit

Now change to your homedir:

cd ~

6.2 Scripts For Gnome

vi switcher1.sh

#! /bin/sh
sleep 2
xvkbd -text "\C\A\[Right]"
sleep 2 
vmware-toolbox --minimize &> /dev/null

vi switcher2.sh

#! /bin/sh
sleep 10
xvkbd -text "\C\A\[Left]"

Make the scripts executable:

chmod +x switcher*

Add the scripts to the session startup programs:


Repeat these steps for switcher2.sh.

6.3 Scripts For KDE

Note: If the panel taskbar is configured to show windows from all desktops, the VMware Toolbox will still be visible in the taskbar.

vi .kde/Autostart/switcher1.sh

#! /bin/sh
sleep 2
xvkbd -text "\C\[F2]"
sleep 2
vmware-toolbox --minimize &> /dev/null

vi .kde/Autostart/switcher2.sh

#! /bin/sh
sleep 10
xvkbd -text "\C\[F1]"

Make the scripts executable:

chmod +x .kde/Autostart/switcher*