BlockHosts uses the host control facility and related files such as hosts.access to enable blocking at the service level.
But with the --ipblock="ip route" or --ipblock=iptables options, BlockHosts can be used to protect any service, by allowing the blocking to happen at the network level. This requires no assistance from the TCP_WRAPPER-enabled host control facility.
The requirements are:
- there has to be some way to scan a log file, and there needs to be a way to match the IP address of an abusive host
- there has to be some way to invoke blockhosts.py whenever there is a failed access
As an example, from the forum topic blockhost-for-apache, there is the need to scan the Apache web server log files, detect abusive accesses, and then block the abusive hosts. For this example, this is the pattern to use to scan the Apache log file:
"APACHE-FAIL": r"""\[client (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\].+authentication failure""",
Here are the steps to enable blocking of hosts based on Apache web server log information:
- Add the required pattern to the configuration file /etc/blockhosts.cfg.
- Configure BlockHosts as usual, still using hosts.allow as the block file to maintain the list of currently watched and blocked hosts.
- Find a way to run blockhosts.py for this service. The forum topic blockhost-for-apache uses a PHP script in an Apache ErrorDocument, or in a web page that failed accesses are redirected to; the line to add in PHP is:
exec('/usr/bin/blockhosts.py --ipblock="ip route"');
Use either the --ipblock="ip route" or --ipblock=iptables option with blockhosts.py. This enables blocking at the network level, so blocked hosts will be unable to connect to any service running on your server.
Once a host is blocked this way, no further connections from it will appear in your Apache log files.
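As an added example (not part of BlockHosts or the forum topic), the script below runs the APACHE-FAIL pattern from above over constructed Apache error_log lines, counts authentication failures per client address, and shows, as a dry run, the kind of network-level rule the "ip route" and iptables modes would install. The failure threshold and the exact command strings are assumptions for illustration; BlockHosts' own settings and commands are not shown on this page.

```python
import re
from collections import Counter

# The APACHE-FAIL pattern exactly as given for /etc/blockhosts.cfg above.
# It only captures IPv4 addresses, optionally in ::ffff: IPv4-mapped form.
APACHE_FAIL = re.compile(
    r"""\[client (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\].+authentication failure"""
)

# Constructed sample Apache error_log lines (RFC 5737 documentation addresses,
# not real traffic). Line 3 uses the IPv4-mapped form; line 5 is not a failure.
SAMPLE_LOG = """\
[Sat Jan 01 12:00:01 2011] [error] [client 192.0.2.10] user admin: authentication failure for "/admin/": Password Mismatch
[Sat Jan 01 12:00:02 2011] [error] [client 192.0.2.10] user admin: authentication failure for "/admin/": Password Mismatch
[Sat Jan 01 12:00:03 2011] [error] [client ::ffff:192.0.2.10] user root: authentication failure for "/admin/": Password Mismatch
[Sat Jan 01 12:00:04 2011] [error] [client 198.51.100.7] user bob: authentication failure for "/admin/": Password Mismatch
[Sat Jan 01 12:00:05 2011] [error] [client 203.0.113.5] File does not exist: /var/www/favicon.ico
"""

def failed_hosts(log_text):
    """Count authentication failures per client IP using the APACHE-FAIL pattern."""
    counts = Counter()
    for line in log_text.splitlines():
        m = APACHE_FAIL.search(line)
        if m:
            counts[m.group("host")] += 1
    return counts

def hosts_to_block(log_text, threshold=3):
    """Hosts at or above `threshold` failures (threshold is an assumed value,
    not BlockHosts' own configured count)."""
    return sorted(h for h, n in failed_hosts(log_text).items() if n >= threshold)

def block_commands(hosts, mode="ip route"):
    """Dry run: the kind of network-level rule each --ipblock mode would install.
    These command forms are assumptions for illustration, not BlockHosts' code;
    they are returned as strings and never executed here."""
    if mode == "ip route":
        return ["ip route add blackhole %s" % h for h in hosts]
    if mode == "iptables":
        return ["iptables -I INPUT -s %s -j DROP" % h for h in hosts]
    raise ValueError("unknown mode: %s" % mode)

if __name__ == "__main__":
    for cmd in block_commands(hosts_to_block(SAMPLE_LOG), "iptables"):
        print(cmd)
```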