Hi,
the following logs are not detected by the script:
Dec 4 20:15:46 bs sshd[10058]: Failed password for root from 195.140.143.60 port 53581 ssh2
Dec 4 20:15:49 bs sshd[10060]: Failed password for root from 195.140.143.60 port 54049 ssh2
Dec 4 20:15:51 bs sshd[10062]: Failed password for root from 195.140.143.60 port 54909 ssh2
Dec 4 20:15:53 bs sshd[10064]: Failed password for root from 195.140.143.60 port 55280 ssh2
Dec 4 20:15:56 bs sshd[10066]: Failed password for root from 195.140.143.60 port 56104 ssh2
Dec 4 20:15:58 bs sshd[10068]: Failed password for root from 195.140.143.60 port 56472 ssh2
Dec 4 20:16:01 bs sshd[10070]: Failed password for root from 195.140.143.60 port 57305 ssh2
Dec 4 20:16:03 bs sshd[10082]: Failed password for root from 195.140.143.60 port 58088 ssh2
It will be great if such situation could be managed...
ie : detecting a brute-force attack (exemple, 5-6 password tryed withint 4 minutes ...) and deny ip address....
Using ubuntu 5.10
Regards,
Jaycee.
Does catch those lines...
This should be caught - the regex line is meant to catch above lines, for example, I fed the first three lines from your log, and ran blockhosts in debug mode, here's the output I got:
found failed access for SSHD-Fail , IP-pid: 195.140.143.60-10058
found failed access for SSHD-Fail , IP-pid: 195.140.143.60-10060
found failed access for SSHD-Fail , IP-pid: 195.140.143.60-10062
So, it got the host, and added the count to the hosts.allow file:
#bh: ip: 195.140.143.60 : 3 : 2005-12-05-09-58
I am using the latest version 1.0.3 - but this regex pattern has always existed, so should work in previous versions also.