BlockHosts also provides an email notification facility and an RSS feed that exports the current list of blocked addresses. Contributed extensions include web scripts that geolocate the intrusion sources and plot the blocked IP addresses on a geographic map.
The patterns used to scan system logs are extendable; out of the box it ships with patterns that recognize failed accesses to OpenSSH, ProFTPd, vsftpd, Pure-FTPd, and a few other services. All of these are TCP wrappers-aware services, so the offending addresses can be denied through TCP wrappers. blockhosts can also be extended with patterns for services that do not use TCP wrappers, such as the Apache HTTP Server; in that case the IP addresses are blocked by null routing or packet filtering instead.
When executed, blockhosts.py scans a configured list of system log files looking for lines that match the patterns for undesirable access to the services running on the computer. It keeps a per-source-IP count of such accesses, and when the count for an address exceeds a configured threshold, that address is blocked and recorded in the blockfile. blockhosts.py can be run automatically either through TCP wrappers (invoked on each incoming connection, for example via a spawn entry in hosts.allow) or from scheduled cron table entries.
Services that do not use TCP wrappers can be protected by blocking with an ip route null route or with iptables packet filtering rules. Just as the blockfile is kept bounded by expiring old blocked IP addresses, the corresponding routing table entries and packet filtering rules are pruned when a blocked address expires. Reboots are also handled automatically: although the routing table and packet filtering rules are lost on a reboot, the blockfile is not, and on the first invocation of blockhosts.py after a reboot all of the still-valid blocked entries are re-inserted, so no special handling of reboots is required.
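The scan-count-block-expire cycle described above, as an added Python example that is not blockhosts.py's own code: it matches constructed sshd and vsftpd failure lines with two regexes written for this example (blockhosts ships its own pattern set, which is not reproduced here), counts failures per source address, blocks an address once the count reaches the threshold, expires stale entries, and emits the null-route and iptables commands to apply or undo a block. The `blackhole` route and `iptables ... -j DROP` invocations are standard iproute2/iptables commands, not blockhosts' configurable command templates, and the `ALL: ip : deny` hosts.allow line format is an assumption for illustration. The threshold, expiry age, and sample log lines are all constructed.

```python
"""Log-driven IP blocking in the style of blockhosts.py (illustrative, not the project's code)."""
import re
from datetime import datetime, timedelta

# Assumed patterns modelled on typical sshd and vsftpd failure lines;
# the real blockhosts pattern set is not reproduced here.
IP = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
PATTERNS = [
    re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from " + IP),
    re.compile(r'vsftpd.*FAIL LOGIN: Client "(?:::ffff:)?' + IP + '"'),
]

# Constructed sample log lines (not real log data).
SAMPLE_LOG = """\
Jan  5 10:00:01 host sshd[2001]: Failed password for invalid user admin from 203.0.113.7 port 40000 ssh2
Jan  5 10:00:03 host sshd[2002]: Failed password for root from 203.0.113.7 port 40001 ssh2
Jan  5 10:00:05 host sshd[2003]: Accepted publickey for alice from 198.51.100.4 port 50000 ssh2
Jan  5 10:00:07 host sshd[2004]: Failed password for invalid user test from 203.0.113.7 port 40002 ssh2
Jan  5 10:00:09 host vsftpd[2100]: FAIL LOGIN: Client "::ffff:192.0.2.9"
Jan  5 10:00:11 host sshd[2005]: Failed password for root from 198.51.100.4 port 50001 ssh2
"""


def count_failures(lines):
    """Return {ip: number of lines matching any failed-access pattern}."""
    counts = {}
    for line in lines:
        for pat in PATTERNS:
            m = pat.search(line)
            if m:
                counts[m.group("ip")] = counts.get(m.group("ip"), 0) + 1
                break  # one pattern per line is enough
    return counts


def update_blocklist(blocked, counts, now, threshold=3, age=timedelta(hours=12)):
    """Expire stale entries, then block addresses at or over the threshold.
    `blocked` maps ip -> time it was blocked (the in-memory blockfile).
    Returns (newly_blocked, expired) so the caller can emit rule changes."""
    expired = [ip for ip, t in blocked.items() if now - t > age]
    for ip in expired:
        del blocked[ip]
    newly = []
    for ip, n in counts.items():
        if n >= threshold and ip not in blocked:
            blocked[ip] = now
            newly.append(ip)
    return newly, expired


def block_commands(ip, add=True):
    """Commands to null-route and drop an address, or to undo both on expiry.
    Standard iproute2/iptables syntax; blockhosts' own templates are configurable."""
    verb = "add" if add else "del"
    flag = "-I" if add else "-D"
    return [f"ip route {verb} blackhole {ip}",
            f"iptables {flag} INPUT -s {ip} -j DROP"]


def reinsert_after_reboot(blocked):
    """Kernel routing/filter state is gone after a reboot; rebuild every rule
    from the surviving blockfile so nothing needs to be done by hand."""
    cmds = []
    for ip in sorted(blocked):
        cmds.extend(block_commands(ip, add=True))
    return cmds


def hosts_allow_section(blocked):
    """TCP wrappers deny lines for the blocked set (line format is an assumption)."""
    return "\n".join(f"ALL: {ip} : deny" for ip in sorted(blocked))


def run_demo():
    """One blockhosts-style pass over the constructed log at a fixed time."""
    now = datetime(2010, 1, 5, 10, 1)
    # Blockfile state from an earlier run: one entry old enough to expire.
    blocked = {"192.0.2.200": now - timedelta(hours=13)}
    counts = count_failures(SAMPLE_LOG.splitlines())
    newly, expired = update_blocklist(blocked, counts, now)
    return {"counts": counts, "newly": newly, "expired": expired,
            "blocked": sorted(blocked), "reboot": reinsert_after_reboot(blocked)}


if __name__ == "__main__":
    result = run_demo()
    for ip in result["expired"]:
        print("\n".join(block_commands(ip, add=False)))
    for ip in result["newly"]:
        print("\n".join(block_commands(ip, add=True)))
    print(hosts_allow_section(dict.fromkeys(result["blocked"])))
```

Running the block prints the undo commands for the expired address 192.0.2.200, the block commands for 203.0.113.7 (three failures in the sample, meeting the threshold), and the hosts.allow deny line; 198.51.100.4 and 192.0.2.9 stay below the threshold and are left alone. In a real deployment the expiry age and threshold are the knobs that trade how long a brute-forcer is kept out against how long a legitimate user who mistyped a password stays locked out.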