Some questions about blockhosts

Hi,

I have a few questions about blockhosts that I can't find in the included docs.

1- What's the difference between blocked hosts and watched ones in this line:

updates: counts: hosts to block: 23; hosts being watched: 27

I mean, blocked is blocked, sure, but what does the watch do exactly? For TCPD they are commented out, so...

2- The watched ones are listed in the hosts.allow file like this:

#bh: ip: 221.134.127.26 : 1 : 2006-05-06-12-12

I understand that there is the IP and the date and time at the end. What's the number in between? In this particular case, that IP address appears 3 times in my /var/log/secure file, so that cannot be the number of lines in that file.

3- Would it be possible to configure the spawn line in the hosts.allow file to send an email to someone when a host is added to the watched or blocked host list?

Thanks

blocked vs watched

1 and 2 -> blocked hosts are those IP addresses that have exceeded the --blockcount value of failed attempts.
By default, each IP address is watched for 12 hours (--discard), and if it exceeds 7 failed attempts, it will be blocked.

The number in the middle here is the number of failed attempts - when this exceeds 7 (or so, it is not exact), then that IP address will be blocked; until then, it will not be blocked.
#bh: ip: 221.134.127.26 : 1 : 2006-05-06-12-12
The date-time in the above line is the last time the IP address made a failed attempt - if this becomes older than the --discard value, then that IP address will be removed from the list.

Note that the count is of actual failed attempts - not all the times an IP address appears in a log file. And actual failed attempts are those lines that match one of the regular-expressions in the blockhosts.py/.cfg configuration files.

3-> Anything can be done in the spawn command; look up "man hosts.allow", it actually has an example of how to send email using TCPD wrappers.

Why was it not blocked?

Hi,

I made some changes to the defaults in blockhosts.cfg.

For instance, I have forced:

COUNT_THRESHOLD = 3
BLOCK_SERVICES = "ALL"
AGE_THRESHOLD = 720

But I saw in the last blockhosts.log file that a few IP addresses have made attacks (more than 3 times) and are not in the blocked list. I do not know if that has to do with the fact that my syslogd has restarted (to rotate logs), or if it is simply a bad configuration I made in my cfg file.

Any help would be gratefully received.

Forgot to mention

Some of the IP addresses that I see in the blockhosts.log file appear much more than 3 times, but they do not even appear in hosts.allow as watched or blocked. That is the problem I can see.

Thanks

More information on my issue

Hi,

Investigating a bit more, I saw this in the blockhosts.log file:

blockhosts 1.0.4 started: 2006-05-07 05:50:59
... echo tag: 217.69.172.28-sshd@192.168.1.5
... will discard all host entries older than 2006-04-07 05:50
... load blockfile: /etc/hosts.allow
... found both markers, count of hosts being watched: 29
... securelog, loading: /var/log/secure 5512
... updates: counts: hosts to block: 24; hosts being watched: 29

This IP appears about 20 times in this log. It does not so far appear in the secure log file or in the hosts.allow file either.

Maybe because it is only a port scan being done, it is not considered an attack, but still, that IP should be blocked because it is doing improper stuff on the server.

Any idea?

Only selected log lines matched

Maybe because it is only a port scan being done, it is not considered an attack, but still, that IP should be blocked because it is doing improper stuff on the server.

But that is not what blockhosts.py does - you may need iptables or other IP filtering tools for very precise filtering.

blockhosts.py will only consider an attack if a line in the log matches the patterns it knows about - see the variable ALL_REGEXS in blockhosts.py or blockhosts.cfg - there are also comments in the code on what lines the regular expressions match.

Port scans cannot be stopped by blockhosts actions - blockhosts only enables TCPD wrapper functionality, and anything beyond what a hosts.allow file can do is beyond what blockhosts can do, too.
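As an added example (it is not blockhosts' own code, and the failed-attempt regex, the assumption that AGE_THRESHOLD is in hours, and the exact deny line written for a blocked host are all assumptions), the following Python script walks through the mechanism the "blocked vs watched" reply and the "Only selected log lines matched" reply describe: the "#bh:" watch lines are parsed out of hosts.allow, only log lines that match a failed-attempt regex are counted, entries whose last attempt is older than AGE_THRESHOLD are discarded, and hosts at or above COUNT_THRESHOLD become deny lines while every tracked host keeps its "#bh:" line. The sample hosts.allow fragment and /var/log/secure lines are constructed for the example; the host that only leaves port-scan-style connection noise never enters the list at all.

```python
import re
from datetime import datetime, timedelta

# Values from the cfg quoted in the thread. AGE_THRESHOLD is assumed to be
# in hours: with 720 the log above discards entries older than one month.
COUNT_THRESHOLD = 3
AGE_THRESHOLD = 720
NOW = datetime(2006, 5, 7, 5, 50)  # assumed time of this run

# Constructed hosts.allow watch lines in the "#bh: ip: IP : COUNT : YYYY-MM-DD-HH-MM"
# format quoted in the thread; the second entry is a month old.
SAMPLE_HOSTS_ALLOW = """\
#bh: ip: 221.134.127.26 : 1 : 2006-05-06-12-12
#bh: ip: 10.9.8.7 : 2 : 2006-04-01-09-00
"""

# Constructed /var/log/secure lines (not real logs). 203.0.113.9 only appears
# in connection-level noise, the kind of lines a port scan leaves behind.
SAMPLE_SECURE_LOG = """\
May  7 05:40:01 gw sshd[1234]: Failed password for invalid user admin from 217.69.172.28 port 4022 ssh2
May  7 05:41:12 gw sshd[1240]: Failed password for root from 221.134.127.26 port 3344 ssh2
May  7 05:42:30 gw sshd[1251]: Did not receive identification string from 203.0.113.9
May  7 05:43:00 gw sshd[1260]: Failed password for invalid user test from 217.69.172.28 port 4030 ssh2
May  7 05:44:05 gw sshd[1270]: Accepted publickey for alice from 192.168.1.20 port 50000 ssh2
May  7 05:44:40 gw sshd[1275]: Connection closed by 203.0.113.9
May  7 05:45:10 gw sshd[1280]: Failed password for invalid user oracle from 217.69.172.28 port 4040 ssh2
May  7 05:46:00 gw sshd[1290]: Did not receive identification string from 203.0.113.9
"""

# Assumed pattern list. blockhosts' real ALL_REGEXS in blockhosts.py/.cfg is
# longer, but the rule is the same: a line that matches nothing here is not
# a failed attempt, however often the IP appears in the log.
FAILED_ATTEMPT_REGEXS = [
    re.compile(r"sshd\[\d+\]: Failed password for .* from (?P<ip>\d+\.\d+\.\d+\.\d+)"),
]
BH_LINE = re.compile(r"^#bh: ip: (?P<ip>\S+) : (?P<count>\d+) : (?P<when>\S+)$")
BH_TIME = "%Y-%m-%d-%H-%M"


def parse_watch_list(hosts_allow_text):
    """Return {ip: (failed_attempts, last_attempt)} from the #bh: comment lines."""
    watch = {}
    for line in hosts_allow_text.splitlines():
        m = BH_LINE.match(line.strip())
        if m:
            watch[m["ip"]] = (int(m["count"]), datetime.strptime(m["when"], BH_TIME))
    return watch


def count_failed_attempts(log_text, year):
    """Count only lines matching a failed-attempt regex; syslog lines carry no year."""
    counts = {}
    for line in log_text.splitlines():
        for rx in FAILED_ATTEMPT_REGEXS:
            m = rx.search(line)
            if m:
                when = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
                n, _ = counts.get(m["ip"], (0, when))
                counts[m["ip"]] = (n + 1, when)
                break  # one attempt per line, even if several patterns match
    return counts


def update_watch_list(watch, new_counts, now, age_threshold_hours):
    """Add new attempts to the existing counts, then drop stale entries (--discard)."""
    merged = dict(watch)
    for ip, (n, when) in new_counts.items():
        old_n, old_when = merged.get(ip, (0, when))
        merged[ip] = (old_n + n, max(old_when, when))
    cutoff = now - timedelta(hours=age_threshold_hours)
    return {ip: v for ip, v in merged.items() if v[1] >= cutoff}


def classify(watch, count_threshold):
    """Split tracked hosts into those at/over the threshold and those still below it."""
    blocked = sorted(ip for ip, (n, _) in watch.items() if n >= count_threshold)
    pending = sorted(ip for ip, (n, _) in watch.items() if n < count_threshold)
    return blocked, pending


def summary(watch, count_threshold=COUNT_THRESHOLD):
    """(hosts to block, hosts being watched), the pair blockhosts.log reports."""
    blocked, _ = classify(watch, count_threshold)
    return len(blocked), len(watch)


def render(watch, count_threshold):
    """Deny lines for blocked hosts, then a #bh: line for every tracked host (assumed layout)."""
    blocked, _ = classify(watch, count_threshold)
    lines = [f"ALL: {ip} : deny" for ip in blocked]
    lines += [f"#bh: ip: {ip} : {n} : {when:{BH_TIME}}" for ip, (n, when) in sorted(watch.items())]
    return lines


def run_example():
    watch = parse_watch_list(SAMPLE_HOSTS_ALLOW)
    new = count_failed_attempts(SAMPLE_SECURE_LOG, NOW.year)
    merged = update_watch_list(watch, new, NOW, AGE_THRESHOLD)
    return render(merged, COUNT_THRESHOLD)


if __name__ == "__main__":
    print("\n".join(run_example()))
```

Running it writes one deny line for 217.69.172.28 (three matching lines, threshold 3), keeps 221.134.127.26 watched with a count of 2 (one stored attempt plus one new one) and a refreshed date, drops 10.9.8.7 because its last attempt is older than 720 hours, and never mentions 203.0.113.9, whose "Did not receive identification string" and "Connection closed" lines match no pattern. Swapping a different regex list into FAILED_ATTEMPT_REGEXS is what decides which log lines count; the real tool also remembers a byte offset into the log so earlier lines are not counted twice, which this example skips by recounting the whole sample.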