Email: avinash@aczoom.com
I have a Gentoo system
Latest version 1.0.3 should work.
What version are you using?
The latest version has checks for "Invalid .." and "Failed password..." lines, so both should match.
Not Matching on Debian
I'm also seeing entries not being caught. I've got a Debian (testing) box with
BlockHosts v1.0.3 and it is not picking up auth.log entries like:
Dec 7 19:15:01 webstore sshd[5608]: Invalid user admin from 69.94.14.67
it should match..
A similar issue was posted to this topic: Failed password on existing user not detected
There is a comment that shows the debug run, which does show that the IP was caught.
Note that there may be a time lag between the time blockhosts gets invoked by hosts.allow setting, and the time when the failed entry is added to auth.log or secure, in which case, that run of blockhosts will not find that last illegal IP entry.
You can always test this by running blockhosts.py by hand on the command line; at that time, it will catch all existing failed attempts in the log files.
proftpd not matching either
There are scores of entries like this not being caught:
Jan 14 19:41:09 mybox proftpd[9902]: mybox.mydomain (85.176.0.77[85.176.0.77]) - USER anonymous: no such user found from 85.176.0.77 [85.176.0.77] to x.x.x.x
I'm running Blockhosts v1.0.3 and the default Proftp lines in blockhosts.cfg are uncommented. It does seem to be catching the ssh lusers. This is on CentOS. What to do?
no idea...
Can't imagine what could be going on - that line will be matched - all I can suggest is to run it:
blockhosts.py --dry-run --logfiles=your_log_file_name --debug
and see if the IP address matched.
If it did, all is fine.
If not, then, send the blockhosts author an email with the log file and your debug output.
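
An independent way to check by hand whether log lines like the ones quoted in this thread are matchable, as an added example that is not BlockHosts code. The regular expressions, function names and the last three sample lines are constructed for illustration and are not the patterns shipped in blockhosts.cfg.

```python
import re
from collections import Counter

IP = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Hypothetical patterns written for this example (assumption: not the BlockHosts ones).
# The user name is text supplied by the remote side, so each pattern reads the
# address from a position the daemon itself writes: the end of the line for sshd,
# the connection prefix in parentheses for proftpd.
PATTERNS = {
    "sshd-invalid": re.compile(r"sshd\[\d+\]: Invalid user .* from " + IP + r"(?: port \d+)?\s*$"),
    "sshd-failed": re.compile(r"sshd\[\d+\]: Failed password for .* from " + IP + r" port \d+(?: \S+)?\s*$"),
    "proftpd-nouser": re.compile(r"proftpd\[\d+\]: \S+ \(\S+\[" + IP + r"\]\) - USER .*: no such user found from "),
}

def scan(lines):
    """Return (failure count per host, list of lines no pattern matched)."""
    hits, unmatched = Counter(), []
    for line in lines:
        for rx in PATTERNS.values():
            m = rx.search(line)
            if m:
                hits[m.group("host")] += 1
                break
        else:
            unmatched.append(line)  # worth reading when an expected host is missing
    return hits, unmatched

def over_limit(hits, limit):
    """Hosts whose failure count has reached the limit, sorted for stable output."""
    return sorted(host for host, n in hits.items() if n >= limit)

SAMPLE = [
    # The two lines quoted in the thread.
    "Dec 7 19:15:01 webstore sshd[5608]: Invalid user admin from 69.94.14.67",
    "Jan 14 19:41:09 mybox proftpd[9902]: mybox.mydomain (85.176.0.77[85.176.0.77]) - USER anonymous: "
    "no such user found from 85.176.0.77 [85.176.0.77] to x.x.x.x",
    # Constructed lines (documentation addresses).
    "Dec 7 19:15:04 webstore sshd[5609]: Failed password for root from 192.0.2.10 port 40022 ssh2",
    "Dec 7 19:15:09 webstore sshd[5611]: Failed password for invalid user test from 192.0.2.10 port 40031 ssh2",
    "Dec 7 19:16:00 webstore sshd[5612]: Accepted password for alice from 192.0.2.20 port 40100 ssh2",
]

if __name__ == "__main__":
    hits, unmatched = scan(SAMPLE)
    for host, n in sorted(hits.items()):
        print(f"{host}: {n} failed attempt(s)")
    print("at or over limit of 2:", over_limit(hits, 2))
    print("unmatched lines:", len(unmatched))
```
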