firsly it seems to be working, i say seems as it is populating the hosts.allow but when i tail auth.log there are loads of attacks that are not being blocked. Lastly i installed the prog while logged in as root in my /home directory it has put the cfg file in
/home/BlockHosts-1.0.3/blockhosts.cfg
Any help apreciated as it seems every script kiddie wants a piece of my poor ubuntu box.
logs are below.
thanks all
/home/BlockHosts-1.0.3/blockhosts.cfg
my hosts.allow
# /etc/hosts.allow: list of hosts that are allowed to access the system.
# See the manual pages hosts_access(5), hosts_options(5)
# and /usr/doc/netbase/portmapper.txt.gz
#
# Example: ALL: LOCAL @some_netgroup
# ALL: .foobar.edu EXCEPT terminalserver.foobar.edu
#
# If you're going to protect the portmapper use the name "portmap" for the
# daemon name. Remember that you can only use the keyword "ALL" and IP
# addresses (NOT host or domain names) for the portmapper, as well as for
# rpc.mountd (the NFS mount daemon). See portmap(8), rpc.mountd(8) and
# /usr/share/doc/portmap/portmapper.txt.gz for further information.
sshd, proftpd, in.proftpd: ALL: spawn (/usr/bin/blockhosts.py --verbose --echo "
%c-%s" >> /var/log/blockhosts.log 2>&1 )& : allow
# permanent whitelist addresses - these should always be allowed access
ALL: 192.168.0.2 : allow
ALL: 83.11.130.249 : allow
# permanent blacklist addresses - these should always be denied access
ALL: 10. : deny
ALL: 192. : deny
ALL: 172. : deny
ALL: 220.194.66.57 : deny
ALL: 212.85.152.18 : deny
#---- BlockHosts Additions
#bh: ip: 72.245.176.62 : 4 : 2007-02-05-20-37
#bh: ip: 83.11.133.94 : 2 : 2007-02-05-20-36
#bh: ip: 192.168.0.2 : 1 : 2007-02-05-14-19
#bh: logfile: /var/log/auth.log
#bh: offset: 2088346
#bh: first line:Feb 4 06:47:03 devel CRON[19132]: (pam_unix) session closed for
user root
#---- BlockHosts Additions
sshd : ALL : spawn (/usr/local/bin/blockhosts.py )
sshd : ALL : allow
some of the attacks listed in /var/log/messages
Feb 4 06:47:04 devel blockhosts.py: final counts: blocking 3, watching 4
Feb 4 06:47:07 devel blockhosts.py: echo tag: ::ffff:65.205.238.12-sshd@::ffff:
192.168.0.15
Feb 4 06:47:07 devel blockhosts.py: final counts: blocking 3, watching 4
Feb 4 06:47:11 devel blockhosts.py: echo tag: ::ffff:65.205.238.12-sshd@::ffff:
192.168.0.15
Feb 4 06:47:11 devel blockhosts.py: final counts: blocking 3, watching 4
Feb 4 06:47:15 devel blockhosts.py: echo tag: ::ffff:65.205.238.12-sshd@::ffff:
192.168.0.15
Feb 4 06:47:15 devel blockhosts.py: final counts: blocking 3, watching 4
Feb 4 06:47:18 devel blockhosts.py: echo tag: ::ffff:65.205.238.12-sshd@::ffff:
192.168.0.15
Feb 4 06:47:18 devel blockhosts.py: final counts: blocking 3, watching 4
Feb 4 06:47:22 devel blockhosts.py: echo tag: ::ffff:65.205.238.12-sshd@::ffff:
192.168.0.15
Feb 4 06:47:22 devel blockhosts.py: final counts: blocking 3, watching 4
Feb 4 06:47:26 devel blockhosts.py: echo tag: ::ffff:65.205.238.12-sshd@::ffff:
192.168.0.15
Feb 4 06:47:26 devel blockhosts.py: final counts: blocking 3, watching 4
Feb 4 06:47:29 devel blockhosts.py: echo tag: ::ffff:65.205.238.12-sshd@::ffff:
192.168.0.15
Feb 4 06:47:29 devel blockhosts.py: final counts: blocking 3, watching 4
Feb 4 06:47:33 devel blockhosts.py: echo tag: ::ffff:65.205.238.12-sshd@::ffff:
192.168.0.15
Feb 4 06:47:33 devel blockhosts.py: final counts: blocking 3, watching 4
Feb 4 06:47:36 devel blockhosts.py: echo tag: ::ffff:65.205.238.12-sshd@::ffff:
192.168.0.15
Feb 4 06:47:36 devel blockhosts.py: final counts: blocking 3, watching 4
Feb 4 06:47:40 devel blockhosts.py: echo tag: ::ffff:65.205.238.12-sshd@::ffff:
192.168.0.15
Feb 4 06:47:40 devel blockhosts.py: final counts: blocking 3, watching 4
Feb 4 06:47:43 devel blockhosts.py: echo tag: ::ffff:65.205.238.12-sshd@::ffff:
192.168.0.15
Feb 4 06:47:43 devel blockhosts.py: final counts: blocking 3, watching 4
Feb 4 06:47:47 devel blockhosts.py: echo tag: ::ffff:65.205.238.12-sshd@::ffff:
192.168.0.15
Feb 4 06:47:47 devel blockhosts.py: final counts: blocking 3, watching 4
Feb 4 06:47:50 devel blockhosts.py: echo tag: ::ffff:65.205.238.12-sshd@::ffff:
192.168.0.15
Feb 4 06:47:50 devel blockhosts.py: final counts: blocking 3, watching 4
Feb 4 06:47:53 devel blockhosts.py: echo tag: ::ffff:65.205.238.12-sshd@::ffff:
192.168.0.15
Feb 4 06:47:53 devel blockhosts.py: final counts: blocking 3, watching 4
Feb 4 06:47:57 devel blockhosts.py: echo tag: ::ffff:65.205.238.12-sshd@::ffff:
192.168.0.15
Feb 4 06:47:57 devel blockhosts.py: final counts: blocking 3, watching 4
Feb 4 06:48:00 devel blockhosts.py: echo tag: ::ffff:65.205.238.12-sshd@::ffff:
192.168.0.15
Feb 4 06:48:00 devel blockhosts.py: final counts: blocking 3, watching 4
Feb 4 06:48:04 devel blockhosts.py: echo tag: ::ffff:65.205.238.12-sshd@::ffff:
192.168.0.15
Feb 4 06:48:04 devel blockhosts.py: final counts: blocking 3, watching 4
Feb 4 06:48:07 devel blockhosts.py: echo tag: ::ffff:65.205.238.12-sshd@::ffff:
192.168.0.15
The same attacks in /var/log/auth.log
Feb 4 06:47:08 devel sshd[19312]: Invalid user chris from 65.205.238.12
Feb 4 06:47:08 devel sshd[19312]: (pam_unix) check pass; user unknown
Feb 4 06:47:08 devel sshd[19312]: (pam_unix) authentication failure; logname= u
id=0 euid=0 tty=ssh ruser= rhost=65.205.238.12
Feb 4 06:47:11 devel sshd[19312]: Failed password for invalid user chris from 6
5.205.238.12 port 59843 ssh2
Feb 4 06:47:12 devel sshd[19316]: Invalid user chris from 65.205.238.12
Feb 4 06:47:12 devel sshd[19316]: (pam_unix) check pass; user unknown
Feb 4 06:47:12 devel sshd[19316]: (pam_unix) authentication failure; logname= u
id=0 euid=0 tty=ssh ruser= rhost=65.205.238.12
Feb 4 06:47:14 devel sshd[19316]: Failed password for invalid user chris from 6
5.205.238.12 port 60115 ssh2
Feb 4 06:47:16 devel sshd[19320]: Invalid user donna from 65.205.238.12
Feb 4 06:47:16 devel sshd[19320]: (pam_unix) check pass; user unknown
Feb 4 06:47:16 devel sshd[19320]: (pam_unix) authentication failure; logname= u
id=0 euid=0 tty=ssh ruser= rhost=65.205.238.12
Feb 4 06:47:18 devel sshd[19320]: Failed password for invalid user donna from 6
5.205.238.12 port 60349 ssh2
Feb 4 06:47:20 devel sshd[19324]: Invalid user donna from 65.205.238.12
Feb 4 06:47:20 devel sshd[19324]: (pam_unix) check pass; user unknown
Feb 4 06:47:20 devel sshd[19324]: (pam_unix) authentication failure; logname= u
id=0 euid=0 tty=ssh ruser= rhost=65.205.238.12
Feb 4 06:47:22 devel sshd[19324]: Failed password for invalid user donna from 6
5.205.238.12 port 60581 ssh2
Feb 4 06:47:23 devel sshd[19328]: Invalid user donna from 65.205.238.12
Feb 4 06:47:23 devel sshd[19328]: (pam_unix) check pass; user unknown
Feb 4 06:47:23 devel sshd[19328]: (pam_unix) authentication failure; logname= u
id=0 euid=0 tty=ssh ruser= rhost=65.205.238.12
Feb 4 06:47:25 devel sshd[19328]: Failed password for invalid user donna from 6
5.205.238.12 port 60838 ssh2
Feb 4 06:47:27 devel sshd[19332]: Invalid user donna from 65.205.238.12
Feb 4 06:47:27 devel sshd[19332]: (pam_unix) check pass; user unknown
Feb 4 06:47:27 devel sshd[19332]: (pam_unix) authentication failure; logname= u
id=0 euid=0 tty=ssh ruser= rhost=65.205.238.12
Feb 4 06:47:29 devel sshd[19332]: Failed password for invalid user donna from 6
5.205.238.12 port 32831 ssh2
Feb 4 06:47:30 devel sshd[19336]: Invalid user donna from 65.205.238.12
Feb 4 06:47:30 devel sshd[19336]: (pam_unix) check pass; user unknown
Feb 4 06:47:30 devel sshd[19336]: (pam_unix) authentication failure; logname= u
id=0 euid=0 tty=ssh ruser= rhost=65.205.238.12
Feb 4 06:47:32 devel sshd[19336]: Failed password for invalid user donna from 6
5.205.238.12 port 33078 ssh2
Feb 4 06:47:34 devel sshd[19340]: Invalid user donna from 65.205.238.12
Feb 4 06:47:34 devel sshd[19340]: (pam_unix) check pass; user unknown
Feb 4 06:47:34 devel sshd[19340]: (pam_unix) authentication failure; logname= u
id=0 euid=0 tty=ssh ruser= rhost=65.205.238.12
Feb 4 06:47:36 devel sshd[19340]: Failed password for invalid user donna from 6
5.205.238.12 port 33300 ssh2
Feb 4 06:47:37 devel sshd[19344]: Invalid user donna from 65.205.238.12
Feb 4 06:47:37 devel sshd[19344]: (pam_unix) check pass; user unknown
Feb 4 06:47:37 devel sshd[19344]: (pam_unix) authentication failure; logname= u
id=0 euid=0 tty=ssh ruser= rhost=65.205.238.12
Feb 4 06:47:39 devel sshd[19344]: Failed password for invalid user donna from 6
5.205.238.12 port 33538 ssh2
Feb 4 06:47:41 devel sshd[19348]: Invalid user helen from 65.205.238.12
Feb 4 06:47:41 devel sshd[19348]: (pam_unix) check pass; user unknown
Feb 4 06:47:41 devel sshd[19348]: (pam_unix) authentication failure; logname= u
id=0 euid=0 tty=ssh ruser= rhost=65.205.238.12
Feb 4 06:47:42 devel sshd[19348]: Failed password for invalid user helen from 6
5.205.238.12 port 33764 ssh2
not blocking because :allow is first line
1) /etc/hosts.allow is not correct - it has a line allowing all sshd connections up near the top - look at the line just after the comments
This is at the top, so it will allow every sshd connection, which is what you are seeing. This should be at the very bottom of the file, see INSTALL documentation file.
2) That still does not explain why the address 65.205.238.12 is not being counted - the pattern to block it is in the auth.log file, but maybe there is some other issue here too, install/config issue.
Look at the contents of the /var/log/blockhosts.log file - there is verbose data from blockhosts.py being written to it.
3) Also don't know why the cfg file got in that folder - by defalt, it installs in /etc normally - another install or config issue?