Email: avinash@aczoom.com
here it is
For use with the latest blockhosts, which uses the LOG_PREFIX and HOST_IP patterns, the following will work:
Put this in the place where other similar rules are present in blockhosts.cfg
Test if it is working by looking at output from blockhosts.py --debug and look for lines that say "found failed access" and see if it is for the rule courierpop3-Fail.
great! i will test it now!
great! i will test it now! :)
does "courierpop3" use the
does "courierpop3" use the hosts.allow (like proftpd and sshd)?
blockhosts uses blockfile
Blockhosts uses /etc/hosts.allow as the blockfile, --help explains this.
courierpop3login service may log to the same log file (/var/log/secure, for example) as sshd, or it may use a different log file. Finally, courierpop3login may or may not be built with TCP_WRAPPER support, so direct use of /hosts.allow may not be possible. In which case, look at the --ipblock option of blockhosts.
thank you very much for your
thank you very much for your patience! i gave you a wrong entry for failed logins! the right one is:
---
Mar 24 12:08:38 server courierpop3login: LOGIN FAILED, ip=[::ffff:91.67.10.125]
---
for this i need a regex! the other one above is for correct disconnect and should be not banned!
the failed-entry above is in
the failed-entry above is in "/var/log/mail.err" (i use ubuntu) and there is a second entry in "/var/etc/auth.log":
---
Mar 24 12:08:42 server authdaemond.plain: (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=XXX
---
which one is better to use for a regex?
my english isn't so good.
my english isn't so good. what exactly do you mean with:
"Finally, courierpop3login may or may not be built with TCP_WRAPPER support, so direct use of /hosts.allow may not be possible. In which case, look at the --ipblock option of blockhosts."?
what is the easiest way to find out, if courierpop3 can blocked via hosts.allow (like sshd and proftpd)?
use mail.err, and --ipblock=iptables
"/var/log/mail.err" is better to use, make sure to add this to the LOGFILES line in blockhosts.cfg, or with the --logfiles= option on command line.
As for whether courierpop3 supports TCP_WRAPPERS, you'll have to look at their source code or ask on their support mail/board.
But if you can't find out, just use the --ipblock=iptables option which will block all network packets from blocked hosts, so it does not require TCP_WRAPPERS support from courierpop3.
i use "--ipblock=iptables"!
i use "--ipblock=iptables"! it means, that the problem with tcp-wrapper is not important?
can you help me with the new regex, please? :)
yes
yes, if iptables is used, no need to look for TCP_WRAPPERS support.
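A pattern for the `LOGIN FAILED` line quoted in this thread, shown as an added example that is not part of the original posts and is not BlockHosts' own code. `LOG_PREFIX` and `HOST_IP` here are local stand-ins for the building blocks of the same name (their real definitions are not shown on this page), and every sample line except the first is constructed.

```python
import re
from collections import Counter

# Local stand-ins (assumptions), not the definitions shipped in blockhosts.cfg.
# The prefix pins the syslog timestamp, hostname and daemon name so that only
# lines written by courierpop3login itself can match.
LOG_PREFIX = r"^\w{3}\s+\d{1,2} \d\d:\d\d:\d\d \S+ courierpop3login(?:\[\d+\])?:"
# Optional "::ffff:" covers IPv4-mapped IPv6 addresses; only the IPv4 part is captured.
HOST_IP = r"(?:::ffff:)?(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Requires the literal "LOGIN FAILED", so normal disconnects are never counted.
COURIERPOP3_FAIL = re.compile(
    LOG_PREFIX + r" LOGIN FAILED, ip=\[" + HOST_IP + r"\]\s*$")

# Sample input: line 1 is the entry quoted in the thread, the rest are constructed.
SAMPLE_LOG = """\
Mar 24 12:08:38 server courierpop3login: LOGIN FAILED, ip=[::ffff:91.67.10.125]
Mar 24 12:08:41 server courierpop3login: LOGIN FAILED, ip=[::ffff:91.67.10.125]
Mar 24 12:09:02 server courierpop3login: DISCONNECTED, ip=[::ffff:192.0.2.7]
Mar 24 12:09:10 server courierpop3login: LOGIN FAILED, ip=[192.0.2.44]
Mar 24 12:09:11 server sshd[811]: LOGIN FAILED, ip=[::ffff:192.0.2.99]
Mar 24 12:09:12 server courierpop3login: LOGIN FAILED, ip=[::ffff:999.1.1.1]
"""

def valid_ipv4(host):
    """Reject captures such as 999.1.1.1 that the digit pattern lets through."""
    return all(0 <= int(octet) <= 255 for octet in host.split("."))

def count_failures(log_text):
    """Return a Counter of failed POP3 logins per source address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = COURIERPOP3_FAIL.match(line)
        if m and valid_ipv4(m.group("host")):
            counts[m.group("host")] += 1
    return counts

def hosts_over(counts, threshold):
    """Addresses whose failure count has reached the blocking threshold."""
    return sorted(h for h, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    failures = count_failures(SAMPLE_LOG)
    for host, n in sorted(failures.items()):
        print(host, n)
    print("would block at threshold 2:", hosts_over(failures, 2))
```

The `(?P<host>...)` group name and the threshold of 2 are choices made for this example; when porting the pattern into blockhosts.cfg, use the group name and count settings that the installed version expects.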
thanx for your great
thanx for your great support!
today the same: i ip is blocked AND under watch. the problem is, that watched ips not to be banned :(
this is the message from my mail-alert(s):
---
Blocking hosts:
79.209.106.127
Watching hosts:
79.209.106.127 count: 55 updated at: 2008-03-29 14:05:01 CET
Log messages:
blockhosts 2.3.1 started: 2008-03-29 14:05:01 CET ... loaded /etc/hosts.allow, starting counts: blocked 1, watched 1 ... loading log file /var/log/auth.log, offset: 848868 ... loading log file /var/log/mail.err, offset: 39734 ... discarding all host entries older than 2008-03-29 02:05:01 CET
Notice: count=55, blocking host: 79.209.106.127 ... final counts: blocked 1, watched 1
---