Not picking up failed attempts - "Invalid user ..." lines without "Failed password ..." lines

Jul 19 06:47:35 hostname sshd[1786]: Invalid user russ from 10.23.58.3
Jul 19 06:58:23 hostname sshd[2821]: User root from 10.23.58.3 not allowed because none of user's groups are listed in AllowGroups

For all those who don't see a "Failed password..." log line but only see an "Invalid user ..." line in the sshd logs, here's a working .cfg file that I've tested with the log example given above.

To use, replace your /etc/blockhosts.cfg with this file, merging in any changes you made locally. Then the next run of blockhosts.py will pick up these changes.

[Oct 2005: Link removed - update to the latest blockhosts - version 1.0.2 or later, it includes these rules - see comment below]

This config file contains two new rules in the ALL_REGEXS section.
Note that this may cause double counting of some IP addresses, in some sshd installs. Still, better to double count than to ignore an abusive IP address. Given the double counting, this change will not be included in the main package, so if anyone knows for sure why some sshd installs do not print the "Failed password..." line, or knows what line to look for, send me email. I am looking for a line that is printed once only for each failed attempt.

[Oct 2005: Double counting fixed from version 1.0.2 onwards]

Figured this out.

Thanks to an email from Paul Eden <paul@benchline.org>, I think I have finally resolved this issue.

Also related to the forum posting titled FC4.

The next release of blockhosts (1.0.2) will contain updated rules with SSHD-Invalid and SSHD-NotAllowed as part of the default rules, in addition to the current SSHD-Fail.

Here's what I think the full story is:
sshd will always put out the message "Invalid user..." in case of a failed login attempt from a non-root user.
In addition, if PasswordAuthentication = yes in the sshd_config file, and it was a failed password attempt, the log will have the "Failed password" line in addition to the "Invalid user" line.

Still, it is not always sufficient to look for just the "Invalid user" lines to count failed attempts - in case of failed root attempts, sshd only prints a "Failed password" line, and only if PasswordAuthentication is set to yes.

To handle all this, version 1.0.2 now uses the process-id of the failed sshd attempts to make sure each attempt is counted only once, even if multiple lines are matched for the same process-id. This will prevent double counting, and should fix the issue for both values of PasswordAuthentication.

So, from release 1.0.2 onwards, the SSHD-Invalid and SSHD-NotAllowed rules will be enabled, as well as SSHD-Fail.
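The per-process-id counting described above, as an added example (not blockhosts' own code, and not part of the original post): three rules in the style of the ALL_REGEXS entries (SSHD-Fail, SSHD-Invalid, SSHD-NotAllowed), run over a few constructed auth.log lines, with each sshd process-id counted once no matter how many of its lines match. The SSHD-Invalid rule also accepts the older "Illegal user" wording, which goes slightly beyond the post. The group names pid, user and host, the sample log lines and the threshold value are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed sample auth.log lines (not taken from a real host). The second
# line shows the case the thread discusses: one failed attempt producing both
# an "Invalid user" line and a "Failed password" line for the same sshd pid.
SAMPLE_LOG = """\
Jul 19 06:47:35 hostname sshd[1786]: Invalid user russ from 10.23.58.3
Jul 19 06:47:37 hostname sshd[1786]: Failed password for invalid user russ from 10.23.58.3 port 40122 ssh2
Jul 19 06:58:23 hostname sshd[2821]: User root from 10.23.58.3 not allowed because none of user's groups are listed in AllowGroups
Jul 19 07:01:02 hostname sshd[2900]: Failed password for root from 192.0.2.7 port 51000 ssh2
Jul 19 07:02:10 hostname sshd[2950]: Illegal user admin from 192.0.2.7
Jul 19 07:03:00 hostname sshd[3001]: Accepted password for alice from 198.51.100.4 port 2222 ssh2
"""

# IPv4-mapped IPv6 prefix is optional, as in the blockhosts rules quoted in the thread.
IP = r"(::ffff:)?(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Rules in the ALL_REGEXS style; group names pid/user/host are assumed here.
RULES = {
    "SSHD-Fail": re.compile(
        r"sshd\[(?P<pid>\d+)\]: Failed password for (?P<user>.*?) from " + IP),
    # Accept both "Invalid user" (current sshd) and "Illegal user" (older sshd).
    "SSHD-Invalid": re.compile(
        r"sshd\[(?P<pid>\d+)\]: (?:Invalid|Illegal) user (?P<user>.*?) from " + IP),
    "SSHD-NotAllowed": re.compile(
        r"sshd\[(?P<pid>\d+)\]: User (?P<user>\S+) from " + IP + r" not allowed"),
}


def count_failures(log_text, rules=RULES):
    """Return {host: failed_attempts}, counting each sshd pid at most once.

    Keying on (pid, host) rather than pid alone limits the damage when the
    kernel recycles a pid for a later connection from a different address;
    a long-lived log can still see the same pid twice for the same host,
    so rotate or truncate the log the same way blockhosts does.
    """
    seen = set()
    counts = defaultdict(int)
    for line in log_text.splitlines():
        for rx in rules.values():
            m = rx.search(line)
            if not m:
                continue
            key = (m.group("pid"), m.group("host"))
            if key not in seen:
                seen.add(key)
                counts[m.group("host")] += 1
            break  # one rule match per line is enough
    return dict(counts)


def hosts_over_threshold(counts, threshold=3):
    """Hosts whose failed-attempt count reached the (assumed) block threshold."""
    return sorted(h for h, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    totals = count_failures(SAMPLE_LOG)
    for host, n in sorted(totals.items()):
        print(f"{host}: {n} failed attempt(s)")
    print("would block:", hosts_over_threshold(totals, threshold=2))
```

Running it on the constructed log gives two attempts for 10.23.58.3 (pid 1786 counted once despite two matching lines, plus pid 2821) and two for 192.0.2.7; the accepted login is ignored.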

Debian Sarge Required Config

Add these lines to hosts.deny:

#---- BlockHosts Additions
sshd:ALL:spawn (/usr/bin/blockhosts.py --verbose >> /var/log/blockhosts.log 2>&1 )&:allow
proftpd:ALL: spawn (/usr/bin/blockhosts.py --verbose >> /var/log/blockhosts.log 2>&1 )&:allow

and then edit blockhosts.cfg and uncomment these lines:

HOSTS_BLOCKFILE = "/etc/hosts.deny"
LOGFILES = [ "/var/log/auth.log", ]
ALL_REGEXS = {
} ( this is the next to last line with a character on it )
# group names pid/user/host were lost in extraction and are restored here as the names blockhosts expects
"SSHD-Invalid": re.compile(r"""sshd\[(?P<pid>\d+)\]: Invalid user (?P<user>.*?) from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"""),

and then edit the last line listed above to read ' Illegal user ' instead of ' Invalid user '

I hope this helps.

Fixed in 1.0.3

The Debian installs should now work without any editing, from version 1.0.3 onwards.
Added the option to accept either "Invalid" user or "Illegal" user in the log files.