I'm running FreeBSD 6.0 production and I've been using blockhosts.py for quite a while now and it's worked great, but I have a new problem that I'm not sure how to add the correct regex line to the .cfg in order to block.
What's happening is I've created a Group that is allowed to access this machine which stores all the valid users which can ssh or sftp into this box. The problem is I now have new messages being triggered in my /var/log/auth.log file that didn't exist prior to adding this group and so these intruders are not getting blocked as they should.
Can someone provide me a proper regexp for the following line so that they can be blocked?
Here is the line that is now being generated that I need to block:
Jan 2 11:58:17 mach sshd[35028]: User root from 67.77.243.134 not allowed because none of user's groups are listed in AllowGroups
Jan 2 11:58:18 mach sshd[35030]: reverse mapping checking getaddrinfo for nj-67-77-243-134.dyn.sprint-hsd.net failed - POSSIBLE BREAKIN ATTEMPT!
What is the proper format for a regexp that will block the first line?
I've seen similar posts for linux and the AllowUser lines but none for FreeBSD.
Any and all help would be greatly appreciated.
Xeon
Works fine - use latest version
This works fine with the version released in November - version 1.0.3, probably worked fine in older versions too.
Running with the debug flag on, the above line was recognized as seen here:
found failed access for SSHD-NotAllowed , IP-pid: 67.77.243.134-35028
The rule matched is "SSHD-NotAllowed" - you can see the regex in the code or in the sample blockhosts.cfg file.
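As an added illustration (not code from BlockHosts or from either poster), here is how a rule with named host/pid groups recognizes the AllowGroups line quoted in the question and turns it into the "IP-pid" pair shown in the debug output, then counts hits per source address. The rule name and regex are assumptions in the style of a blockhosts.cfg entry, not the project's actual SSHD-NotAllowed pattern; the sample log lines are constructed, and the "reverse mapping" line deliberately matches nothing because it carries only a hostname, not an address that could be blocked.

```python
import re

# Assumed rule in the style of a blockhosts.cfg entry: named groups "host" and
# "pid" are what the scanner needs to report an IP-pid pair. Not the project's own regex.
RULES = {
    "SSHD-NotAllowed": re.compile(
        r"sshd\[(?P<pid>\d+)\]: User \S+ from (?P<host>\d{1,3}(?:\.\d{1,3}){3}) "
        r"not allowed because none of user's groups are listed in AllowGroups"
    ),
}

# Constructed auth.log sample; the first two lines are the ones quoted in the question.
SAMPLE_AUTH_LOG = """\
Jan 2 11:58:17 mach sshd[35028]: User root from 67.77.243.134 not allowed because none of user's groups are listed in AllowGroups
Jan 2 11:58:18 mach sshd[35030]: reverse mapping checking getaddrinfo for nj-67-77-243-134.dyn.sprint-hsd.net failed - POSSIBLE BREAKIN ATTEMPT!
Jan 2 11:59:02 mach sshd[35041]: User admin from 67.77.243.134 not allowed because none of user's groups are listed in AllowGroups
Jan 2 12:00:10 mach sshd[35050]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2
"""


def scan_log(text, rules=RULES):
    """Return a list of (rule_name, host, pid) for every line that matches a rule."""
    hits = []
    for line in text.splitlines():
        for name, rx in rules.items():
            m = rx.search(line)
            if m:
                hits.append((name, m.group("host"), m.group("pid")))
                break  # first matching rule wins for this line
    return hits


def hosts_over_threshold(hits, threshold=2):
    """Count failed accesses per source address; return those at or above the threshold."""
    counts = {}
    for _, host, _ in hits:
        counts[host] = counts.get(host, 0) + 1
    return {host for host, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = scan_log(SAMPLE_AUTH_LOG)
    for name, host, pid in found:
        print(f"found failed access for {name} , IP-pid: {host}-{pid}")
    print("candidates for blocking:", sorted(hosts_over_threshold(found)))
```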