Security :: Add blacklist to deny.hosts


Security is always a concern for all system administrators who have a server which is online and directly connected to internet like our webservers/dbservers.

fail2ban and other systems thwart the threat to some extent, but then these work on banning the IP those are already making a connection and are more helpfull in preventing a brute force attack. It is always better to ban IPs that are known to be bad. One such list that is free and can be easily used is the blacklist.

This lists abuse IP known around the world. So, if the users from this IP are denied access then the server also is not going to process the requests from these clients thus saving precious CPU on the server. maintains couple of lists that can be used to add entries to

hosts.deny. This file /etc/hosts.deny lists all the IPs that are completely blocked from having access to your server. This will ensure that the bad IPs are already in the deny list permanently and thus the chances of your server at risk is reduced. This file hosts.deny can be used to block access to any of the services that we would like to. Since we would like to protect ssh service we will use that here.

Before you BEGIN

1. This guide is intended to be used with root user as you need to create a script and add it in cron as root user.

2. Update your system.

 sudo apt-get update && sudo apt-get upgrade

This guide is written for a root user.

Getting Started

The lists can be manually downloaded from the blacklist. There are lots of lists to choose from. You can download any of these lists and add an entry in /etc/hosts.deny file. The entry looks like :

sshd: <IP Address>

This will block ssh access from that IP to your server.

Automating to download the list and populating hosts.deny

The next step is to make sure that the list is up-to date. For this we would need to download the list again. Remove the older entries and then adding the new ones.

This being a repetitive task calls for a script that can be run from the

cron job. So, here is a script, that does exactly that. The steps for the script are

1. Download the openbl list for hosts.deny, using wget. We will use -c option to ensure that if the list is not updated on remote server, we dont download it again. (We are selecting the hosts.deny file because that is already formatted for our use and lists only sshd).

2. Check if the rules from openbl exists in our current hosts.deny file. Script adds these with special comments in top and bottom to remove them easily. This will also help us identify if the rules are already present in the file.

3. If the rules exist, remove them from the file.

4. Add the new rules to the file.

5. Mail the results to specified mail address.

Note that before we do some actual work, we will set some parameters for the email so that we can directly send the output of this script to sendmail command. And while we are at it, we will set the *TO* address as well and hence for sending the mail we will use sendmail -t command.

Create the script to download the openbl list and add to hosts.deny file

Copy the below script to some location. Lets say, /root/

Make the script executable with

chmod +x /root/

and finally the script itself.



export MAILTO="<Your mail ID>"
echo "To: $MAILTO"
echo "Subject: <Subject here>"
echo "MIME-Version: 1.0"
echo "Content-Type: text/html"
echo "Content-Disposition: inline"

echo "<html><pre>"

# First we download the hosts.deny file
echo "Downloading OpenBL"
wget -c \
-O /tmp/hosts.deny.gz >/dev/null 2>$CONTENT

#Check if the rules are present in file.
if [[ $(grep -c openbladded $FILE) > 0 ]]
#Remove the currently present rules.
echo "Removing older openbl rules... "
sed -i '/openbladded/,/openbldeleted/ d' $FILE

echo "##############openbladded $(date)###################" >>$FILE
zcat /tmp/hosts.deny.gz >> $FILE
echo "##############openbldeleted $(date)#################" >>$FILE

echo "Errors :: "

You need to change the email address in `MAILTO` and subject in the `Subject` line above.

Now, add this to cron. You will need to add this to root users cron as other users will not have permission to modify /etc/hosts.deny file. In this example we are setting this to be run at 5 AM in the morning. For this, you need to run :

crontab -e

and then add the following line in file

05 00 * * * /root/ | sendmail -t

Looking for team training?