Preventing Brute Force Attacks With BlockHosts

Official site: http://www.aczoom.com/cms/blockhosts
The installation steps are as follows:
1. Install the blockhosts package; either the rpm or the tarball will do.
2. Edit blockhosts.cfg.
3. Edit /etc/hosts.allow.
4. Check whether the machine you are installing on already has iptables rules in use. If it does, modify line 861 of blockhosts.py (see the last section of this post); if not, skip this step.
5. Add a crontab entry that runs it every five minutes (needed for removing expired rules).

Test environment: Fedora 5
vsftpd-2.0.4-1.2
proftpd-1.3.0a-3.fc5
openssh-4.3p2-4.12.fc5
BlockHosts version installed: 2.3.1-1

If you are using rpm, download the rpm file from the following URL:
http://www.aczoom.com/cms/blockhosts/download

rpm -ivh BlockHosts-2.3.1-1.noarch.rpm
vi /etc/blockhosts.cfg
Change it as follows:
[...]
HOSTS_BLOCKFILE = "/etc/hosts.allow"
[...]
HOST_BLOCKLINE = ["ALL: ", " : deny"]
[...]
LOGFILES = [ "/var/log/secure.log", "/var/log/proftpd/proftpd.log", ]
[...]
COUNT_THRESHOLD = 7
[...]
AGE_THRESHOLD = 12
[...]
MAIL = True
[...]
NOTIFY_ADDRESS = 'root@localhost.localdomain'
[...]
SMTP_SERVER = "localhost"
SENDER_ADDRESS = 'BlockHosts '
[...]
IPBLOCK = "iptables"
In HOSTS_BLOCKFILE we can specify either /etc/hosts.allow or /etc/hosts.deny. It doesn't matter which one we choose. I'm using /etc/hosts.allow here. In the LOGFILES line we specify the log files that BlockHosts should look at. OpenSSH is logging failed login attempts to /var/log/auth.log, ProFTPd to /var/log/proftpd/proftpd.log. COUNT_THRESHOLD specifies the number of failed login attempts from the same host after which BlockHosts should block that host. AGE_THRESHOLD is the number of hours after which blocked hosts get unblocked. IPBLOCK specifies whether you'd like to block hosts with iptables or iproute in addition to adding these hosts to /etc/hosts.allow (or /etc/hosts.deny).
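To make the threshold logic concrete, here is an added example (not BlockHosts' own code) that applies COUNT_THRESHOLD, AGE_THRESHOLD and HOST_BLOCKLINE from the config above to a few constructed /var/log/secure lines and renders the section BlockHosts keeps between its two marker lines. The sshd "Failed password" pattern and the year attached to syslog timestamps are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Values taken from the blockhosts.cfg shown above.
COUNT_THRESHOLD = 7                 # failures from one host before it is blocked
AGE_THRESHOLD = 12                  # hours after which old entries are discarded
HOST_BLOCKLINE = ["ALL: ", " : deny"]
MARKER = "#---- BlockHosts Additions"

# Assumed match for OpenSSH failures; syslog lines carry no year, so "now"'s year is used.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port"
)

# Constructed sample: 8 recent failures from one host, 2 from another, one
# successful login, and one failure older than AGE_THRESHOLD that must be ignored.
NOW = datetime(2008, 3, 16, 16, 6, 55)
SAMPLE_LOG = ["Mar 16 02:00:00 videotest sshd[700]: Failed password for root from 10.1.8.232 port 1400 ssh2"]
SAMPLE_LOG += [f"Mar 16 14:{m:02d}:00 videotest sshd[8{m:02d}]: Failed password for "
               f"invalid user admin from 10.1.8.232 port 14{m:02d} ssh2" for m in range(8)]
SAMPLE_LOG += [f"Mar 16 15:0{m}:00 videotest sshd[90{m}]: Failed password for root "
               f"from 10.1.1.135 port 1500 ssh2" for m in range(2)]
SAMPLE_LOG.append("Mar 16 14:39:43 videotest sshd[850]: Accepted password for root from 10.1.1.135 port 1436 ssh2")

def scan(lines, now=NOW):
    """Return {ip: [timestamps]} of failures newer than AGE_THRESHOLD hours."""
    cutoff = now - timedelta(hours=AGE_THRESHOLD)
    hits = defaultdict(list)
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{now.year} {m['ts']}", "%Y %b %d %H:%M:%S")
        if ts >= cutoff:
            hits[m["ip"]].append(ts)
    return dict(hits)

def render_block(hits):
    """Build the section blockhosts rewrites between the two marker lines."""
    out = [MARKER]
    for ip, stamps in sorted(hits.items()):
        if len(stamps) >= COUNT_THRESHOLD:       # blocked: a real hosts_access rule
            out.append(HOST_BLOCKLINE[0] + ip + HOST_BLOCKLINE[1])
        # watched or blocked: the bookkeeping comment blockhosts writes (see dry-run output)
        out.append(f"#bh: ip: {ip} : {len(stamps)} : {max(stamps):%Y-%m-%d %H:%M:%S}")
    out.append(MARKER)
    return out
```

Running render_block(scan(SAMPLE_LOG)) yields one deny rule for 10.1.8.232 and only a watch comment for 10.1.1.135.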

Next we must modify /etc/hosts.allow. First back up your current /etc/hosts.allow:
cp /etc/hosts.allow /etc/hosts.allow.bak
vi /etc/hosts.allow

# hosts.allow This file describes the names of the hosts which are
# allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
#
# ----
# see "man 5 hosts_access" for details of the format of IP addresses,
#services, allow/deny options. Also see "man hosts_options"
#
# permanent whitelist addresses - this should always be allowed access
ALL: 127.0.0.1 : allow
# ALL: 192.168.0. : allow
# permanent blacklist addresses - this should always be denied access
# ALL: 10. : deny
# ----------------------------------------
# next section is the blockhosts section - it will add/delete entries in
# between the two marker lines (#---- BlockHosts Additions)
#---- BlockHosts Additions
#---- BlockHosts Additions

# ----------------------------------------
# finally, the command to execute the blockhosts script, based on
# connection to particular service or services:
sshd: ALL: spawn /usr/bin/blockhosts.py --verbose --mail --iptables \
--echo "%c-%s" --check-ip "%h" >> /var/log/blockhosts.log 2>&1 & \
: allow

#---
# add --iproute to enable null-routing, or add --iptables to enable packet
# filtering, which blocks all network communication from blocked hosts
#---
# remove >> /var/log/blockhosts.log 2>&1 if no logging to blockhosts.log
# is needed - without this, it will still log to syslog (minimally)
#sshd: ALL: spawn /usr/bin/blockhosts.py --verbose --echo "%c-%s" & : allow
#---
# above commands will use default config file - /etc/blockhosts.cfg, edit
# it as needed to specify local configuration options
# See "man hosts.allow" for info on %c and %s identifiers
# for non-verbose, with identification, to syslog only (/var/log/messages),
# triggered on any service (using ALL as first word):
#ALL: ALL: spawn /usr/bin/blockhosts.py --echo "%c-%s" & : allow
#----
# To test hosts.allow, and to find out exact names of SSH/FTP services,
# add this line to the beginning of hosts.allow, use ssh/ftp to connect
# to your server, and then look at the log (/var/log/messages or
# blockhosts.log) to see the name of the invoked service.
# IMPORTANT: after your test is done, remove this line from hosts.allow!
# Otherwise everyone will always have access.
#ALL : ALL: spawn (/usr/bin/blockhosts.py --verbose --echo "%c-%s" >> /var/log/blockhosts.log 2>&1 )& : allow
# -------------------------------------------------------------------------

Now we need to initialize BlockHosts. First, we do this with the --dry-run option to check that there are no errors:
blockhosts.py --dry-run --verbose
The output could look like this:
[root@videotest log]# blockhosts.py --dry-run --verbose
blockhosts 2.3.1 started: 2008-03-16 16:06:55 CST
... loaded /etc/hosts.allow, starting counts: blocked 0, watched 0
... loading log file /var/log/secure, offset: 664
... loading log file /var/log/messages, offset: 406
... discarding all host entries older than 2008-03-16 15:06:55 CST
... final counts: blocked 0, watched 1
#---- BlockHosts Additions
#bh: ip: 10.1.8.232 : 1 : 2008-03-16 16:06:55 CST

#bh: logfile: /var/log/secure
#bh: offset: 2630
#bh: first line:Mar 16 14:39:43 videotest sshd[850]: Accepted password for root from 10.1.1.135 port 1436 ssh2

#bh: logfile: /var/log/messages
#bh: offset: 986
#bh: first line:Mar 16 05:07:23 videotest syslogd 1.4.1: restart.

#---- BlockHosts Additions

# ----------------------------------------
# finally, the command to execute the blockhosts script, based on
# connection to particular service or services:

proftpd, sshd: ALL: spawn /usr/bin/blockhosts.py --verbose --mail --iptables \
--echo "%c-%s" --check-ip "%h" >> /var/log/blockhosts.log 2>&1 & \
: allow
Commands (tentative) to run for IPTables filtering:
... created user-defined chain blockhosts
... creating jump from INPUT to blockhosts chain
... no email to send.

[root@videotest log]#
Looks ok (apart from the IPv6 error which you can ignore), so we can run it without the --dry-run option:
blockhosts.py --verbose
This should look like this:
blockhosts 2.3.1 started: 2008-03-16 16:10:12 CST
... loaded /etc/hosts.allow, starting counts: blocked 0, watched 1
... loading log file /var/log/secure, offset: 2630
... loading log file /var/log/messages, offset: 986
... discarding all host entries older than 2008-03-16 15:10:12 CST
... final counts: blocked 0, watched 1
... no email to send.
Creating A BlockHosts Cron Job For Non-TCP_WRAPPERS Services
To block hosts from non-TCP_WRAPPERS services such as Debian's ProFTPd, you can run
blockhosts.py --iptables --verbose
on the command line. Of course, you don't want to do this every few minutes, therefore we create a cron job for this.
First we create a little wrapper script for /usr/bin/blockhosts.py:
vi /usr/local/sbin/blockhosts

#!/bin/bash
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
/usr/bin/blockhosts.py --iptables --verbose >> /var/log/blockhosts.log 2>&1

The purpose of this wrapper script is to pass the correct PATH to the /usr/bin/blockhosts.py script; if we use /usr/bin/blockhosts.py directly in the cron job, we will get errors saying that iptables could not be found.
Of course, we must make /usr/local/sbin/blockhosts executable:
chmod 700 /usr/local/sbin/blockhosts
Then, we create a cron job like this:
crontab -e
*/5 * * * * /usr/local/sbin/blockhosts &> /dev/null

Reference: http://howtoforge.com/blockhosts_debian_etch

During testing I found that a machine that already has iptables rules set up has the following problem:
Iptables firewall and blockhosts
Hi,
I use an iptables based firewall and now I set up blockhosts. The problem is that when blockhosts creates the rule in the INPUT chain it uses --append. In my case the default policy for INPUT is DROP and there are a number of rules which allow access to the services hosted on the server. Because the blockhosts rule was appended to the INPUT chain as the last rule, it did not fulfill its function.
What I did is that I modified the blockhosts.py file so that it inserts the rule before the first one in INPUT chain.
On version 2.3.1 it is in line 861. It should look like this:
cmd = path + " --insert INPUT -j %s" % chain
Hope this helps to someone!
Daniel
Reference: http://www.aczoom.com/cms/forums/blockhosts/iptables-firewall-and-blockhosts
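The ordering problem above is easy to miss after an upgrade or a firewall reload, so here is an added check (not part of BlockHosts or the forum post) that parses `iptables -S INPUT` output and reports whether the jump to the blockhosts chain precedes every ACCEPT rule. The two rule listings are constructed samples; the chain name blockhosts comes from the dry-run output earlier in this post.

```python
import subprocess

CHAIN = "blockhosts"   # user-defined chain created by blockhosts.py (see dry-run output)

# Constructed sample of `iptables -S INPUT` on a host with a DROP policy and
# existing allow rules, after blockhosts used --append: the jump is last.
APPENDED = """-P INPUT DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 21 -j ACCEPT
-A INPUT -j blockhosts""".splitlines()

# The same chain after the fix from the forum post (--insert instead of --append).
INSERTED = ["-P INPUT DROP", "-A INPUT -j blockhosts"] + APPENDED[1:-1]

def first_accept_index(rules):
    """Index of the first rule in INPUT that accepts traffic, or None."""
    for i, r in enumerate(rules):
        if r.startswith("-A") and "-j ACCEPT" in r:
            return i
    return None

def jump_index(rules, chain=CHAIN):
    """Index of the rule that jumps into the blockhosts chain, or None."""
    for i, r in enumerate(rules):
        if r.startswith("-A") and r.split()[-2:] == ["-j", chain]:
            return i
    return None

def jump_is_effective(rules, chain=CHAIN):
    """True only if the jump precedes every ACCEPT rule; otherwise a blocked
    host still reaches the service because an earlier ACCEPT matches first."""
    j, a = jump_index(rules, chain), first_accept_index(rules)
    return j is not None and (a is None or j < a)

def live_rules():
    """Read the real INPUT chain (needs root); not exercised by the sample data."""
    out = subprocess.run(["iptables", "-S", "INPUT"], capture_output=True, text=True, check=True)
    return out.stdout.splitlines()
```

Run jump_is_effective(live_rules()) from the cron wrapper or a monitoring check to catch the appended-last case before an attacker does.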

So far sshd and proftpd both test fine, but testing vsftpd hits a hang at login; I found that it has to be run via the super daemon before login works. Also, the vsftpd patterns in blockhosts.cfg seem to differ from what appears in the log and need adjusting, otherwise blockhosts does not seem to pick up vsftpd messages. If anyone knows how to fix this, please advise.
