made blockhost for apache and horde webmail

I changed the script so I can use it for Apache and Horde webmail.
I think a lot of people can benefit from this, but I need some help.

This is what I've done: the script is called by a PHP entry: exec('/usr/bin/blockhosts.py');
This can be placed in an error document or a failed login page; this works fine.
Changes to the script:
In line 678, got rid of the : after the %s
Further changes:
"HOSTS_BLOCKFILE": "/var/www/html/.htaccess"
"BLOCK_SERVICES": "deny from"
HOSTS_DENY_SUFFIX = ""

This results in a .htaccess file:
order deny,allow
#---- BlockHosts Additions
deny from 10.0.0.23

#bh: ip: 10.0.0.23 : 66 : 2007-02-26-18-41

#bh: logfile: /var/log/messages
#bh: offset: 189219
#bh: first line:Feb 25 13:01:26 localhost syslogd 1.4.1: restart.

#---- BlockHosts Additions

and blocks the hacker from the webserver.

The part I can't get, because I don't understand the characters, is the lines to read the logs.
I've got 2 logs: one is the Apache log and one is the Horde log.

[Mon Feb 26 19:06:47 2007] [error] [client 10.0.0.23] user jasper: authentication failure for "/private": Password Mismatch

Feb 26 00:11:05 HORDE [error] [horde] FAILED LOGIN for jasper [127.0.0.1] to Horde [on line 117 of "/var/www/html/horde/login.php"]

If someone could take the trouble of making the appropriate syntax for these lines,
it would be amazing, and a lot of people are waiting for this in the Horde community.

Further, I would need to call the blockhosts script by another script so it's not run by user Apache.

thanks jasper
the netherlands.

got it all working

OK, I needed to concentrate, it isn't so hard. These are my working lines for Horde webmail and Apache.

     "HORDE-Fail": re.compile(r"""FAILED LOGIN.* \[(::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\]"""),

     "APACHE-FAIL": re.compile(r"""\[client (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\].+authentication failure"""),

Further, I renamed the script and cleaned out the rest of the lines not needed here.

Now I have a script apacheblockhost.py with apacheblockhost.conf, and blockhost.py with blockhost.conf,
so I can have both scripts running.

This is super, thanks for the base script.

jasper
the netherlands

[Editor: changed < characters to &lt; to make them display correctly, added pre html tags for regex lines]

interesting...

Pretty interesting use of modified versions of blockhosts....

Just one comment - the regexes being used are very general - they may catch a lot more than just Horde login failures. Here's how to tighten them up, since there may be false positives with the looser matches:

     "HORDE-Fail": re.compile(r"""\[horde\] FAILED LOGIN.* \[(::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\]"""),

for next release?

Maybe in some future release the variables you changed - BLOCK_SERVICES and HOSTS_DENY_SUFFIX and the name of the config file - all should be made configurable, that way a single blockhosts.py script can be used to run your Apache blocking method along with standard hosts.allow TCP_WRAPPERS blocking.

Or, blockhosts.py could use iptables packet filtering commands or routing table changes to reject communication - this would drop or not route packets coming from/going to the remote host IP address, so all services would be automatically covered - even without editing .htaccess or similar files.

The second one sounds interesting for adding to the next version....
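The effect of the tightened Horde rule suggested above, as an added example that is not part of the thread or of blockhosts itself: the three patterns are copied from the posts, the function names are hypothetical, and applying each rule with `search()` is an assumption about how the script uses them. The first two log lines are the samples quoted in the thread; the last two are constructed.

```python
import re
from collections import Counter

# Rules as posted in the thread.
HORDE_LOOSE = re.compile(r"""FAILED LOGIN.* \[(::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\]""")
HORDE_TIGHT = re.compile(r"""\[horde\] FAILED LOGIN.* \[(::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\]""")
APACHE_FAIL = re.compile(r"""\[client (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\].+authentication failure""")

# Lines 1-2 are quoted in the thread; lines 3-4 are constructed for this example.
SAMPLE_LOG = [
    '[Mon Feb 26 19:06:47 2007] [error] [client 10.0.0.23] user jasper: authentication failure for "/private": Password Mismatch',
    'Feb 26 00:11:05 HORDE [error] [horde] FAILED LOGIN for jasper [127.0.0.1] to Horde [on line 117 of "/var/www/html/horde/login.php"]',
    'Feb 26 00:12:40 HORDE [error] [horde] FAILED LOGIN for admin [::ffff:192.0.2.7] to Horde [on line 117 of "/var/www/html/horde/login.php"]',
    'Feb 26 00:13:02 backupd [notice] FAILED LOGIN to mirror, will retry via [192.0.2.99]',
]


def count_hosts(pattern, lines):
    """Count failures per captured host (assumes rules are applied with search())."""
    hits = Counter()
    for line in lines:
        match = pattern.search(line)
        if match:
            hits[match.group("host")] += 1
    return dict(hits)


def only_loose(loose, tight, lines):
    """Lines the loose rule counts as failures but the tightened rule ignores."""
    return [line for line in lines if loose.search(line) and not tight.search(line)]


if __name__ == "__main__":
    print("loose :", count_hosts(HORDE_LOOSE, SAMPLE_LOG))
    print("tight :", count_hosts(HORDE_TIGHT, SAMPLE_LOG))
    print("apache:", count_hosts(APACHE_FAIL, SAMPLE_LOG))
    for line in only_loose(HORDE_LOOSE, HORDE_TIGHT, SAMPLE_LOG):
        print("false positive under loose rule:", line)
```

The constructed `backupd` line is counted against 192.0.2.99 by the loose rule only; the tightened rule still captures both Horde failures, including the `::ffff:` mapped address.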

thinking along

Thanks for the updated regexes.
Next version idea: it would be great to be able to call the conf file like:
blockhosts.py --configfile.conf
and have the conf files placed in the /etc/blockhosts/ dir,
so you can select which config file is used, to reduce the load of using them all at once.

And would it be possible to run the script as a certain user, for example blockhost?
Now I let Apache call the script and .htaccess is writable by Apache.
I now let a shell script call the program, which runs as root.

greets jasper
the netherlands

Try 2.0.0

Version 2.0.0 has multiple enhancements to enable blocking of abusive IP addresses from the Apache Web service (or for that matter, any service):

  • Null-routing (--ipdrop) or packet filtering (--iptables) can be used to completely block all network activity from a specific IP address. Therefore, there is no need to update the .htaccess file for Apache: as soon as a bad IP address is detected, it can be blocked for all services running on that computer.
  • If you want to stick with .htaccess modifications, you can use the new configuration file option HOST_BLOCKLINE to provide the format of the line to use to block IP access for that service.
  • Finally, there is the --config configfilename option available to make blockhosts.py use different setups.