Hello,
I configured Blockhosts quite a while ago, almost a year ago, and it has worked like a charm since then; I haven't touched the config file or anything.
This morning at work I started my mail client, which connects to my imapd server through an ssh pipeline.
That was at 8:15 in the morning.
Now I needed to do something on the server and it just refused my connection when I tried to connect. I have a VPN configuration on the work machine, so I started it, connected to the server and checked the logs, which is when I found this, and I can't explain it:
blockhosts 2.0.2 started: 2008-05-09 08:15:39 CEST
... echo tag: ::ffff:193.77.185.4-sshd@::ffff:193.77.54.220
... load blockfile: /etc/hosts.allow
... found both markers, count of hosts being watched: 4
... loading log file, offset: /var/log/secure 0
... loading log file, offset: /var/log/messages 29365213
... loading log file, offset: /var/log/proftpd.log 9414697
... loading log file, offset: /var/log/maillog 29338731
... will discard all host entries older than 2008-05-08 08:15:39 CEST
... updates: counts: hosts to block: 3; hosts being watched: 4
... mail: found check-ip -- blockhosts: Blocked 193.77.185.4
... sending email notification
ERROR: SMTP AUTH extension not supported by server.
... created user-defined chain blockhosts
... creating jump from INPUT to blockhosts chain
... iptables, adding rule to block: 74.208.15.220
... iptables, adding rule to block: 61.132.139.38
... iptables, adding rule to block: 193.77.185.4
The previous connection from this IP was one day before at around the same time, so blockhosts shouldn't be blocking this.
So I then removed it from iptables and /etc/hosts.allow, connected once more, and guess what? It blocked again.
blockhosts 2.0.2 started: 2008-05-09 14:03:34 CEST
... echo tag: ::ffff:193.77.185.4-sshd@::ffff:193.77.54.220
... load blockfile: /etc/hosts.allow
... found both markers, count of hosts being watched: 4
... loading log file, offset: /var/log/secure 0
... loading log file, offset: /var/log/messages 29377426
... loading log file, offset: /var/log/proftpd.log 9414697
... loading log file, offset: /var/log/maillog 29379409
... will discard all host entries older than 2008-05-08 14:03:34 CEST
... updates: counts: hosts to block: 3; hosts being watched: 4
... mail: found check-ip -- blockhosts: Blocked 193.77.185.4
... sending email notification
What could suddenly be wrong with it?
gone mad?
The subject line is pretty cool - "gone mad" :-) Not possible really, just code behaving in a way we need to explain now!
Is the count really one? Check the actual count for the IP address in hosts.allow, in the second section - the lines starting with #bh: ip:
If that count is at the threshold, then the next attempt would block the IP.
The above logs seem to indicate that the --blacklist option is not being used, so that may not be a factor here, but that is another way an IP would be immediately blocked.
The last resort is to retry the test and run with the --debug option - a lot of output, but it may provide a better clue.
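One way to do the check suggested in the reply, as an added example that is not part of this thread or of the BlockHosts code itself: a small Python script that reads the "#bh: ip:" watch lines from hosts.allow and reports, for one address, the stored count, whether the entry is old enough to be discarded, and whether the count is at the threshold so that the next failed attempt would block it. The exact layout of the watch lines, the count threshold of 7 and the 24-hour age window are assumptions (the log above discards entries older than one day, which is where 24 hours comes from); the sample hosts.allow content is constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of the BlockHosts section in /etc/hosts.allow.
# The line layout is an assumption modelled on the reply's description of
# "#bh: ip:" watch lines in the second section; it is not a real file.
SAMPLE_HOSTS_ALLOW = """\
sshd: ALL
#---- BlockHosts Additions
ALL: 74.208.15.220 : deny
ALL: 61.132.139.38 : deny
#bh: ip:          74.208.15.220 :   9 : 2008-05-09 08:15:39 CEST
#bh: ip:          61.132.139.38 :  12 : 2008-05-08 22:10:02 CEST
#bh: ip:           193.77.185.4 :   7 : 2008-05-08 08:20:11 CEST
#bh: ip:               10.0.0.5 :   2 : 2008-05-07 07:00:00 CEST
#---- BlockHosts Additions
"""

# Assumed values for illustration: failed attempts needed before a block, and
# the age after which a watched entry is discarded (one day, as in the log).
COUNT_THRESHOLD = 7
AGE_THRESHOLD = timedelta(hours=24)

# "#bh: ip:  <address> : <count> : <YYYY-MM-DD HH:MM:SS> <zone>"
BH_LINE = re.compile(
    r"^#bh:\s*ip:\s*(\S+)\s*:\s*(\d+)\s*:\s*(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)"
)


def parse_stamp(stamp):
    """Parse the date part of a watch-line timestamp; the zone word is ignored."""
    return datetime.strptime(stamp[:19], "%Y-%m-%d %H:%M:%S")


def parse_watch_lines(text):
    """Return {ip: (count, last_seen)} from every '#bh: ip:' line in text."""
    watched = {}
    for line in text.splitlines():
        m = BH_LINE.match(line)
        if m:
            ip, count, stamp = m.groups()
            watched[ip] = (int(count), parse_stamp(stamp))
    return watched


def explain(text, ip, now_stamp, count_threshold=COUNT_THRESHOLD,
            age_threshold=AGE_THRESHOLD):
    """Report the stored count for ip and whether one more failure blocks it.

    now_stamp is the time of the blockhosts run, e.g. "2008-05-09 08:15:39 CEST".
    An entry older than age_threshold is treated as discarded (count 0).
    """
    now = parse_stamp(now_stamp)
    watched = parse_watch_lines(text)
    if ip not in watched:
        return {"ip": ip, "watched": False, "count": 0, "stale": False,
                "blocks_on_next": False}
    count, last_seen = watched[ip]
    stale = now - last_seen > age_threshold
    effective = 0 if stale else count
    return {"ip": ip, "watched": True, "count": count, "stale": stale,
            "blocks_on_next": effective >= count_threshold}


if __name__ == "__main__":
    # Same run time as the first log in the post; the watch line for this
    # address is under a day old, so its count of 7 is still in force.
    for addr in ("193.77.185.4", "10.0.0.5", "192.0.2.1"):
        print(explain(SAMPLE_HOSTS_ALLOW, addr, "2008-05-09 08:15:39 CEST"))
```

The point the script makes visible is that deleting the "ALL: ... : deny" line and the iptables rule does not reset anything if the "#bh: ip:" watch line for the address is left in place and is younger than the age window: the count is still at the threshold, so the very next entry in the log blocks the host again.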