Warning: ignoring positional arguments - there should be none! ['\xe2\x80\x93iptables', '\xe2\x80\x93verbose']

hello,

I get the warning above with Python 2.4.31! What can be done to fix it? I use Ubuntu 6.06 LTS!

Thanks

hahni

sounds like invalid command line

With the amount of information available, most likely this is due to invalid characters in the command line. Instead of --iptables, it looks like the characters -- have somehow got munged.

Whole command

The full command is (in one line):

---
sshd: ALL: spawn /usr/bin/blockhosts.py --verbose --mail --iptables --echo "%c-%s" --check-ip "%h" >> /var/log/blockhosts.log 2>&1 & : allow
---

I use Python (v2.4.3 and 2.4-dev) and the newest release of blockhosts!

try running command by hand - and make sure file is ASCII

If you run that command from the shell, do you get the same error? Make sure you cut-n-paste the exact text characters from your command.

ERROR: BHOptionParser: no such option: --iptables
is what should be printed if you are using the latest version of blockhosts.py, since that argument has changed; the new format is:
--ipblock=iptables

Still, that is not what is causing the problem above.

I've tested with Python 2.5 right now, and don't see the above problem.

Also: I did a web search for the characters you listed - they show that a likely problem is that your /etc/hosts.allow is not an ASCII file. Maybe you edited it in Microsoft Word and saved it as a Unicode file or other non-ASCII text?
"\xe2\x80\x93" are the codes for a "long dash".

There should be only ASCII dashes, no octal codes above 0x79 in your command line in the /etc/hosts.allow file.
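The check suggested above, as an added example that is not part of this thread or of blockhosts: a Python 3 script (not the Python 2.4 of the thread) that reports every non-ASCII character in a hosts.allow file with its Unicode name, and repairs the one corruption the warning shows, a single EN DASH (UTF-8 bytes \xe2\x80\x93) standing where the two ASCII hyphens of an option prefix should be. The file content is constructed; the dash table and the "token-initial dash followed by a letter means a munged --" heuristic are my assumptions.

```python
import re
import unicodedata

# Code points that word processors and "smart punctuation" commonly substitute for the
# ASCII hyphen-minus.  The warning's bytes \xe2\x80\x93 are UTF-8 for U+2013 EN DASH.
DASH_LOOKALIKES = {"\u2010", "\u2011", "\u2012", "\u2013", "\u2014", "\u2015",
                   "\u2212", "\ufe58", "\uff0d"}

# Heuristic (my assumption, not from the thread): a lone EN or EM DASH that starts a
# whitespace-delimited token and is followed by a word character is a munged "--".
MUNGED_OPTION = re.compile(r"(?<!\S)[\u2013\u2014](?=\w)")


def find_non_ascii(data: bytes):
    """List every non-ASCII character in data as
    (line, column, utf8_bytes, unicode_name, looks_like_dash).
    Decodes as UTF-8 since that is the encoding of the warning's bytes; bytes that
    are not valid UTF-8 surface as U+FFFD and are still reported."""
    findings = []
    for line_no, raw in enumerate(data.split(b"\n"), 1):
        text = raw.decode("utf-8", errors="replace")
        for col, ch in enumerate(text, 1):
            if ord(ch) > 0x7F:
                findings.append((line_no, col, ch.encode("utf-8"),
                                 unicodedata.name(ch, "UNKNOWN"),
                                 ch in DASH_LOOKALIKES))
    return findings


def fix_option_dashes(data: bytes) -> bytes:
    """Rewrite token-initial EN/EM DASH + letter to "--" and leave every other byte as
    it was.  surrogateescape round-trips bytes that are not valid UTF-8 unchanged."""
    text = data.decode("utf-8", errors="surrogateescape")
    return MUNGED_OPTION.sub("--", text).encode("utf-8", errors="surrogateescape")


# Constructed hosts.allow fragment (not the poster's file).  Line 2 carries the exact
# corruption the warning shows: one EN DASH where the two hyphens of "--" should be.
SAMPLE = (
    b"# constructed sample\n"
    b"sshd: ALL: spawn /usr/bin/blockhosts.py \xe2\x80\x93verbose \xe2\x80\x93iptables "
    b'--echo "%c-%s" --check-ip "%h" >> /var/log/blockhosts.log 2>&1 & : allow\n'
)

if __name__ == "__main__":
    for line_no, col, raw, name, dashy in find_non_ascii(SAMPLE):
        print("line %d col %d: %r %s%s" % (line_no, col, raw, name,
                                           " (probably meant to be '-')" if dashy else ""))
    print(fix_option_dashes(SAMPLE).decode("utf-8"))
```

On the server itself the quick version of the first half is `LC_ALL=C grep -n '[^ -~]' /etc/hosts.allow`, which prints every line containing a byte outside printable ASCII (tabs included, so expect some noise). The fixer deliberately leaves a dash that is followed by a space alone, so prose in comments such as "2008 – notes" survives while a munged option prefix is repaired.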

Thanks for your quick and detailed help.

I created the file with mcedit (a Linux tool)! Because of this I don't think that it is an encoding problem!

But I will test it! I will copy the command and execute it in the shell!

The file type is ANSI. I think this could not be the problem :(

The error "ERROR: BHOptionParser: no such option: --iptables" in the logfile is fixed now with the new parameter!

But my problem is that hosts are not blocked after 3 sshd failures. I tested it myself. I switched the sshd port from 22 to another. Do I have to change a setting?

These are the entries in /var/log/blockhosts:

---

blockhosts 2.3.1 started: 2008-03-16 21:40:01 CET
... loaded /etc/hosts.allow, starting counts: blocked 0, watched 1
... loading log file /var/log/auth.log, offset: 55913
... discarding all host entries older than 2008-03-16 09:40:01 CET
... final counts: blocked 0, watched 1
... no email to send.
blockhosts 2.3.1 started: 2008-03-16 21:45:01 CET
... loaded /etc/hosts.allow, starting counts: blocked 0, watched 1
... loading log file /var/log/auth.log, offset: 60025
... discarding all host entries older than 2008-03-16 09:45:01 CET
... final counts: blocked 0, watched 1
... no email to send.
blockhosts 2.3.1 started: 2008-03-16 21:48:30 CET
... echo tag: ::ffff:91.67.11.87-sshd@::ffff:xxx.xxx.xxx.xxx
... loaded /etc/hosts.allow, starting counts: blocked 0, watched 1
... loading log file /var/log/auth.log, offset: 60194
... discarding all host entries older than 2008-03-16 09:48:30 CET
... final counts: blocked 0, watched 1
... no email to send.

---

And this was the tutorial I followed to do the job:
http://www.howtoforge.com/blockhosts_debian_etch

The paths are the same on Ubuntu 6.06 LTS!

what are the counts?

There are many reasons why an IP may not be blocked; you may have to turn on debugging to get more info.

Some pointers:
1) a count of 3 is usually not enough to block an IP, it needs to be 7 or more failed attempts.

2) port number for SSHD is not relevant to the functioning (scanning and blocking) for blockhosts.

You can take a look at /etc/hosts.allow - and see what the count is for the 1 watched address mentioned in the log snippet above.

And then you can run blockhosts.py with the --debug option to see more details on what it is doing - but that may require reading the code also.

This is the output of "blockhosts.py --debug"! I can't see any problems. I think everything is OK! But there is no blocking of IPs! How can I test it and what needs to be done?

---

blockhosts 2.3.1 started: 2008-03-17 23:06:11 CET
Debug mode enabled.
Got config and options: Configuration: {'AGE_THRESHOLD': 12, 'NOTIFY_ADDRESS': 'xyz@xyz.de', 'SENDER_ADDRESS': 'BlockHosts ', 'VERBOSE': 1, 'HOSTS_BLOCKFILE': '/etc/hosts.allow', 'LOAD_ONLY': False, 'SMTP_USER': '', 'ALL_REGEXS': {'proftpd-NoPassword': '{LOG_PREFIX{proftpd}} [^[]+\\[{HOST_IP}.+Login failed', 'vsftpd-FailSyslog': '{LOG_PREFIX{vsftpd}} .* FAIL LOGIN: Client "{HOST_IP}"$', 'sshd-Invalid': '{LOG_PREFIX{sshd}} (Invalid|Illegal) user .* from {HOST_IP}', 'proftpd-SecurityViolation': '{LOG_PREFIX{proftpd}} [^[]+\\[{HOST_IP}.+SECURITY VIOLATION', 'dovecot-LoginFail': '{LOG_PREFIX{pop3-login}} Aborted login \\[{HOST_IP}]', 'proftpd-NoUser': '{LOG_PREFIX{proftpd}} [^[]+\\[{HOST_IP}.+no such user', 'ipop3d-Fail': '{LOG_PREFIX{ipop3d}} Login failed .* \\[{HOST_IP}]', 'postfix-smtpd550': '{LOG_PREFIX{postfix/smtpd}} NOQUEUE: reject: RCPT from .*?\\[{HOST_IP}]: 550 5.1.1 : Recipient address rejected: User unknown in virtual alias table;', 'sshd-Fail': '{LOG_PREFIX{sshd}} Failed .*? for (invalid user |illegal user )?.* from {HOST_IP}', 'postfix-smtpdInvalidId': '{LOG_PREFIX{postfix/smtpd}} warning: unknown\\[{HOST_IP}]: SASL (LOGIN) authentication failed: authentication failure$', 'pure-ftpd-Fail': '{LOG_PREFIX{pure-ftpd}} \\(\\?@{HOST_IP}\\) \\[WARNING] Authentication failed', 'sshd-NotAllowed': "{LOG_PREFIX{sshd}} User .* from {HOST_IP} not allowed because none of user\\'s groups are listed in AllowGroups$", 'ftpd-Solaris': '{LOG_PREFIX{ftpd}} failed login from .* \\[{HOST_IP}],', 'qpopper-Fail': '{LOG_PREFIX{qpopper}} .* \\({HOST_IP}\\): -ERR \\[AUTH] Password supplied ', 'postfix-smtpdInvalidHostname': '{LOG_PREFIX{postfix/smtpd}} warning: {HOST_IP}: address not listed for hostname ', 'vsftpd-FailVsftpd': '... ... 
.?\\d \\d\\d:\\d\\d:\\d\\d \\d{4} .* FAIL LOGIN: Client "{HOST_IP}"$', 'postfix-smtpdServiceUnknown': '{LOG_PREFIX{postfix/smtpd}} warning: {HOST_IP}: hostname .* verification failed: Name or service not known$', 'postfix-smtpdNonSMTPCommand': '{LOG_PREFIX{postfix/smtpd}} warning: non-SMTP command from .*\\[{HOST_IP}]: Subject:'}, 'SMTP_SERVER': 'localhost', 'COUNT_THRESHOLD': 3, 'LOGFILES': ['/var/log/auth.log'], 'BLACKLIST': (), 'ENABLE_RULES': '(sshd|.*ftpd).*', 'CONFIGFILE': '/etc/blockhosts.cfg', 'SMTP_PASSWD': '', 'HOST_BLOCKLINE': ['ALL: ', ' : deny'], 'MAIL': True, 'LOCKFILE': '/tmp/blockhosts.lock', 'WHITELIST': ('127.0.0.1',), 'IPBLOCK': 'iptables'}
Options: {'notify_address': 'xyz@xyz.de', 'blockline': ['ALL: ', ' : deny'], 'blockcount': 3, 'verbose': 4, 'dry_run': False, 'load_only': False, 'whitelist': '127.0.0.1', 'logfiles': '/var/log/auth.log', 'mail': True, 'echo': '', 'blacklist': '', 'enable_rules': '(sshd|.*ftpd).*', 'configfile': '/etc/blockhosts.cfg', 'blockfile': '/etc/hosts.allow', 'ignore_offset': False, 'discard': 12, 'lockfile': '/tmp/blockhosts.lock', 'check_ip': '', 'ipblock': 'iptables'}
File lock obtained '/tmp/blockhosts.lock' for excluding other instances
{HOST_IP} matched using this re: (::ffff:)?(?P(25[0-5]|2[0-4]\d|[01]?\d\d?)(\.(25[0-5]|2[0-4]\d|[01]?\d\d?)){3})
pattern to search for blocked ip: ALL: \s*(::ffff:)?(?P(25[0-5]|2[0-4]\d|[01]?\d\d?)(\.(25[0-5]|2[0-4]\d|[01]?\d\d?)){3})\s* : deny
... load blockfile: /etc/hosts.allow
... seen all state 1 lines, now inside blockhosts markers at offset 704
2: found logfile name line: /var/log/auth.log
... loaded /etc/hosts.allow, starting counts: blocked 0, watched 0
block-file: Got initial watched hosts data:
{}
-------------------
block-file: Got remaining lines:
['\n', '# ----------------------------------------\n', '# finally, the command to execute the blockhosts script, based on\n', '# connection to particular service or services: \n', '\n', 'sshd: ALL: spawn (/usr/bin/blockhosts.py --verbose --mail --ipblock=iptables --echo "%c-%s" --check-ip "%h" >> /var/log/blockhosts.log 2>&1 )& : allow\n', '#sshd: ALL: spawn (/usr/bin/blockhosts.py --verbose --echo "%c-%s" >> /var/log/blockhosts.log 2>&1 )& : allow\n', '\n', '#---\n', '# add --iproute to enable null-routing, or add --iptables to enable packet\n', '# filtering, which blocks all network communication from blocked hosts\n', '#---\n', '# remove >> /var/log/blockhosts.log 2>&1 if no logging to blockhosts.log\n', '# is needed - without this, it will still log to syslog (minimally)\n', '#sshd: ALL: spawn /usr/bin/blockhosts.py --verbose --echo "%c-%s" & : allow\n', '#---\n', '# above commands will use default config file - /etc/blockhosts.cfg, edit\n', '# it as needed to specify local configuration options \n', ' \n', '# See "man hosts.allow" for info on %c and %s identifiers \n', ' \n', '# for non-verbose, with identification, to syslog only (/var/log/messages),\n', '# triggered on any service (using ALL as first word):\n', '#ALL: ALL: spawn /usr/bin/blockhosts.py --echo "%c-%s" & : allow\n', '#----\n', '# To test hosts.allow, and to find out exact names of SSH/FTP services,\n', '# add this line to the beginning of hosts.allow, use ssh/ftp to connect\n', '# to your server, and then look at the log (/var/log/messages or\n', '# blockhosts.log) to see the name of the invoked service.\n', '# IMPORTANT: after your test is done, remove this line from hosts.allow!\n', '# Otherwise everyone will always have access.\n', '#ALL : ALL: spawn (/usr/bin/blockhosts.py --verbose --echo "%c-%s" >> /var/log/blockhosts.log 2>&1 )& : allow \n', ' \n', '# -------------------------------------------------------------------------\n']
-------------------
... enabled (+) and disabled (-) patterns:
+ proftpd-NoPassword ^((\w\w\w .?\d \d\d:\d\d:\d\d (([^[:\]]+ )|(\[))proftpd((\[(?P\d+)]:?)|(])|:)( \[ID [^[:\]]+])?)|(@[\d\w]+)) [^[]+\[(::ffff:)?(?P(25[0-5]|2[0-4]\d|[01]?\d\d?)(\.(25[0-5]|2[0-4]\d|[01]?\d\d?)){3}).+Login failed
+ vsftpd-FailSyslog ^((\w\w\w .?\d \d\d:\d\d:\d\d (([^[:\]]+ )|(\[))vsftpd((\[(?P\d+)]:?)|(])|:)( \[ID [^[:\]]+])?)|(@[\d\w]+)) .* FAIL LOGIN: Client "(::ffff:)?(?P(25[0-5]|2[0-4]\d|[01]?\d\d?)(\.(25[0-5]|2[0-4]\d|[01]?\d\d?)){3})"$
+ sshd-Invalid ^((\w\w\w .?\d \d\d:\d\d:\d\d (([^[:\]]+ )|(\[))sshd((\[(?P\d+)]:?)|(])|:)( \[ID [^[:\]]+])?)|(@[\d\w]+)) (Invalid|Illegal) user .* from (::ffff:)?(?P(25[0-5]|2[0-4]\d|[01]?\d\d?)(\.(25[0-5]|2[0-4]\d|[01]?\d\d?)){3})
+ proftpd-SecurityViolation ^((\w\w\w .?\d \d\d:\d\d:\d\d (([^[:\]]+ )|(\[))proftpd((\[(?P\d+)]:?)|(])|:)( \[ID [^[:\]]+])?)|(@[\d\w]+)) [^[]+\[(::ffff:)?(?P(25[0-5]|2[0-4]\d|[01]?\d\d?)(\.(25[0-5]|2[0-4]\d|[01]?\d\d?)){3}).+SECURITY VIOLATION
- dovecot-LoginFail
+ proftpd-NoUser ^((\w\w\w .?\d \d\d:\d\d:\d\d (([^[:\]]+ )|(\[))proftpd((\[(?P\d+)]:?)|(])|:)( \[ID [^[:\]]+])?)|(@[\d\w]+)) [^[]+\[(::ffff:)?(?P(25[0-5]|2[0-4]\d|[01]?\d\d?)(\.(25[0-5]|2[0-4]\d|[01]?\d\d?)){3}).+no such user
- ipop3d-Fail
- postfix-smtpd550
+ sshd-Fail ^((\w\w\w .?\d \d\d:\d\d:\d\d (([^[:\]]+ )|(\[))sshd((\[(?P\d+)]:?)|(])|:)( \[ID [^[:\]]+])?)|(@[\d\w]+)) Failed .*? for (invalid user |illegal user )?.* from (::ffff:)?(?P(25[0-5]|2[0-4]\d|[01]?\d\d?)(\.(25[0-5]|2[0-4]\d|[01]?\d\d?)){3})
- postfix-smtpdInvalidId
+ pure-ftpd-Fail ^((\w\w\w .?\d \d\d:\d\d:\d\d (([^[:\]]+ )|(\[))pure\-ftpd((\[(?P\d+)]:?)|(])|:)( \[ID [^[:\]]+])?)|(@[\d\w]+)) \(\?@(::ffff:)?(?P(25[0-5]|2[0-4]\d|[01]?\d\d?)(\.(25[0-5]|2[0-4]\d|[01]?\d\d?)){3})\) \[WARNING] Authentication failed
+ sshd-NotAllowed ^((\w\w\w .?\d \d\d:\d\d:\d\d (([^[:\]]+ )|(\[))sshd((\[(?P\d+)]:?)|(])|:)( \[ID [^[:\]]+])?)|(@[\d\w]+)) User .* from (::ffff:)?(?P(25[0-5]|2[0-4]\d|[01]?\d\d?)(\.(25[0-5]|2[0-4]\d|[01]?\d\d?)){3}) not allowed because none of user\'s groups are listed in AllowGroups$
+ ftpd-Solaris ^((\w\w\w .?\d \d\d:\d\d:\d\d (([^[:\]]+ )|(\[))ftpd((\[(?P\d+)]:?)|(])|:)( \[ID [^[:\]]+])?)|(@[\d\w]+)) failed login from .* \[(::ffff:)?(?P(25[0-5]|2[0-4]\d|[01]?\d\d?)(\.(25[0-5]|2[0-4]\d|[01]?\d\d?)){3})],
- qpopper-Fail
- postfix-smtpdInvalidHostname
+ vsftpd-FailVsftpd ... ... .?\d \d\d:\d\d:\d\d \d{4} .* FAIL LOGIN: Client "(::ffff:)?(?P(25[0-5]|2[0-4]\d|[01]?\d\d?)(\.(25[0-5]|2[0-4]\d|[01]?\d\d?)){3})"$
- postfix-smtpdServiceUnknown
- postfix-smtpdNonSMTPCommand
------- looking into log file: /var/log/auth.log
SystemLog open:
first_line: 'Mar 16 06:47:04 ultrabrain CRON[27489]: (pam_unix) session closed for user root'
file length: 137615
... loading log file /var/log/auth.log, offset: 137535
------- finished looking into log file: /var/log/auth.log
------- collecting block file updates ---
calling hosts filter >
... discarding all host entries older than 2008-03-17 11:06:11 CET
calling hosts filter >
calling hosts filter >
calling hosts filter >
add_blocked_blacklist: testing ip: ''
calling hosts filter >
------- writing final blocked/watched list ---
Collecting watched_hosts counts info for block-file
Collecting log file offset info for block-file
... final counts: blocked 0, watched 0
Running: iptables --new blockhosts
returned waitstatus: 256
output: iptables: Chain already exists
... user-defined chain blockhosts already exists, or error occurred
Running: iptables --list INPUT --numeric
returned waitstatus: 0
output: Chain INPUT (policy DROP)
target prot opt source destination
DROP tcp -- 0.0.0.0/0 127.0.0.0/8
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 224.0.0.0/4 0.0.0.0/0
PUB_IN all -- 0.0.0.0/0 0.0.0.0/0
PUB_IN all -- 0.0.0.0/0 0.0.0.0/0
PUB_IN all -- 0.0.0.0/0 0.0.0.0/0
PUB_IN all -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0/0
blockhosts all -- 0.0.0.0/0 0.0.0.0/0
pattern to search for INPUT chain jump: blockhosts.+?0.0.0.0
jump rule from INPUT to blockhosts chain exists
Running: iptables --list blockhosts --numeric
returned waitstatus: 0
output: Chain blockhosts (1 references)
target prot opt source destination
pattern to search for iptables blocked ip: DROP.+?(::ffff:)?(?P(25[0-5]|2[0-4]\d|[01]?\d\d?)(\.(25[0-5]|2[0-4]\d|[01]?\d\d?)){3})\s+
... no email to send.

---

It seems to work! I had a user which was blocked after 16 failed FTP logins! I can't simulate it with SSH and FTP. In my case I can make countless attempts :(

How can I simulate it and how can I reduce the maximum retries? The key-value pair in blockhosts.cfg seems to be ignored!

blocking counts

There is a lot more debugging that would be needed on your system to determine what is going on.

--debug is a good option to run, but you'll have to look at the output and see why it is not working, if it really is not working.
One possibility is:
1) the ssh/ftpd on your system is a different version and the logs that they print are different from the ones that are matched by blockhosts.cfg.
The --debug option will show if the count increased for a failure from an IP, or look at the counts in /etc/hosts.allow - if the count has not increased, then blockhosts has not found the failed login attempt.

--ipblock=iptables should block services after counts get over the threshold.
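To make the counting described above concrete, here is an added example of mine, not blockhosts code, although it reuses the two sshd rules and the {LOG_PREFIX}/{HOST_IP} building blocks quoted from the --debug dump earlier in this thread. It replays those rules over constructed auth.log lines and applies the thresholds discussed here: entries older than AGE_THRESHOLD hours are discarded, whitelisted sources are ignored, and a host is blocked only once its count exceeds COUNT_THRESHOLD. The group names host_ip and pid are assumed (the forum rendering stripped them), the year for the syslog stamps is a parameter, and every log line, IP and timestamp is constructed. One line is deliberately in a format the rules do not cover, which is the "count never increases" case mentioned above.

```python
import re
from datetime import datetime, timedelta

# Building blocks quoted from the blockhosts 2.3.1 --debug dump above.  The forum
# rendering stripped the names out of the (?P<...>) groups; "host_ip" and "pid" are
# names assumed for this example, not taken from the page.
HOST_IP = (r"(::ffff:)?(?P<host_ip>(25[0-5]|2[0-4]\d|[01]?\d\d?)"
           r"(\.(25[0-5]|2[0-4]\d|[01]?\d\d?)){3})")
LOG_PREFIX = (r"^((\w\w\w .?\d \d\d:\d\d:\d\d (([^[:\]]+ )|(\[))SERVICE"
              r"((\[(?P<pid>\d+)]:?)|(])|:)( \[ID [^[:\]]+])?)|(@[\d\w]+))")

# The two sshd rules exactly as they appear in ALL_REGEXS in the dump.
RULES = {
    "sshd-Invalid": r"{LOG_PREFIX{sshd}} (Invalid|Illegal) user .* from {HOST_IP}",
    "sshd-Fail": (r"{LOG_PREFIX{sshd}} Failed .*? for (invalid user |illegal user )?"
                  r".* from {HOST_IP}"),
}
STAMP = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d)")


def expand(rule):
    """Compile a blockhosts.cfg-style rule: {LOG_PREFIX{svc}} becomes the syslog prefix
    for that service, {HOST_IP} the IPv4 (optionally ::ffff:-mapped) capture."""
    rule = re.sub(r"\{LOG_PREFIX\{([^}]+)\}\}",
                  lambda m: LOG_PREFIX.replace("SERVICE", re.escape(m.group(1))), rule)
    return re.compile(rule.replace("{HOST_IP}", HOST_IP))


COMPILED = {name: expand(rx) for name, rx in RULES.items()}


def scan(lines, now, count_threshold=7, age_threshold=12, whitelist=("127.0.0.1",),
         year=2008):
    """Replay the counting the thread describes.  Returns (watched, blocked, unmatched):
    watched maps ip -> (count, last_seen) after dropping entries older than
    age_threshold hours; blocked lists hosts whose count EXCEEDS count_threshold
    (the thread: a count of 3 is not blocked at threshold 3, it takes threshold 2);
    unmatched holds lines no enabled rule recognised, i.e. the count never increases."""
    watched, unmatched = {}, []
    for line in lines:
        for rx in COMPILED.values():
            m = rx.search(line)
            if m:
                break
        else:
            unmatched.append(line)
            continue
        ip = m.group("host_ip")
        if ip in whitelist:
            continue
        # syslog stamps carry no year; it is a parameter here (assumption for the example)
        seen = datetime.strptime("%d %s" % (year, STAMP.match(line).group(1)),
                                 "%Y %b %d %H:%M:%S")
        count, last = watched.get(ip, (0, seen))
        watched[ip] = (count + 1, max(last, seen))
    cutoff = now - timedelta(hours=age_threshold)
    watched = {ip: v for ip, v in watched.items() if v[1] >= cutoff}
    blocked = sorted(ip for ip, (count, _) in watched.items() if count > count_threshold)
    return watched, blocked, unmatched


# Constructed auth.log lines (not from the poster's machine), in the Ubuntu 6.06 syslog
# format shown by the dump's first_line; NOW is the dump's run time.
NOW = datetime(2008, 3, 17, 23, 6, 11)
SAMPLE_LOG = (
    # 8 failures from one host inside the 12-hour window: exceeds the default threshold of 7
    [("Mar 17 22:0%d:10 ultrabrain sshd[2750%d]: Failed password for invalid user admin "
      "from ::ffff:91.67.11.87 port 4711 ssh2") % (i, i) for i in range(8)]
    # 3 failures: watched, but 3 does not exceed a threshold of 3, let alone 7
    + ["Mar 17 22:2%d:01 ultrabrain sshd[27530]: Invalid user test from 91.67.11.56" % i
       for i in range(3)]
    # 9 failures, but about 22 hours before NOW: discarded by AGE_THRESHOLD
    + [("Mar 17 01:15:0%d ultrabrain sshd[27100]: Failed password for root "
        "from 10.0.0.5 port 2222 ssh2") % i for i in range(9)]
    # whitelisted source: matched, never counted
    + ["Mar 17 22:30:00 ultrabrain sshd[27540]: Failed password for root "
       "from 127.0.0.1 port 5000 ssh2"] * 10
    # lines no enabled rule matches: the count for 79.209.125.19 never increases
    + ["Mar 17 22:31:00 ultrabrain sshd[27550]: error: PAM: Authentication failure "
       "for admin from 79.209.125.19",
       "Mar 17 22:32:00 ultrabrain CRON[27560]: (pam_unix) session closed for user root"]
)

if __name__ == "__main__":
    watched, blocked, unmatched = scan(SAMPLE_LOG, NOW)
    for ip, (count, last) in sorted(watched.items()):
        print("%s count: %d updated at: %s" % (ip, count, last))
    print("blocked:", blocked)
    print("unmatched lines (rule/format mismatch):", len(unmatched))
```

Run against a real auth.log, the interesting output is the unmatched list: if the failed logins you just produced land there, the sshd on the box logs in a form the enabled rules do not cover, and no threshold setting will change the outcome. Lowering count_threshold to 2 in the call shows the behaviour asked about later in this thread: the host with a count of 3 is then blocked as well.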

It seems to work, but the values in /etc/blockhosts.cfg (3 attempts) are ignored!

works fine...

I tested changing the value of COUNT_THRESHOLD, made it 6 from the default 7, edited /etc/hosts.allow to set a watched host that was less than 7 to 7, and ran blockhosts.py --debug, and it worked fine: it blocked that host.

Take a look, please:

---

Blocking hosts:
79.209.125.19
91.67.10.9
79.209.116.68

Watching hosts:
79.209.125.19 count: 58 updated at: 2008-03-21 23:15:02 CET
91.67.11.56 count: 3 updated at: 2008-03-21 22:20:01 CET
91.67.10.9 count: 38 updated at: 2008-03-21 22:20:01 CET
79.209.116.68 count: 16 updated at: 2008-03-21 22:20:01 CET

Log messages:
blockhosts 2.3.1 started: 2008-03-21 23:15:02 CET
... loaded /etc/hosts.allow, starting counts: blocked 3, watched 4
... loading log file /var/log/auth.log, offset: 1643728
... discarding all host entries older than 2008-03-21 11:15:02 CET
Notice: count=58, blocking host: 79.209.125.19
... final counts: blocked 3, watched 4

---

Or should I not activate the mail option?

--mail is unrelated

The snippet does not show any problem - for the first run, you'll see very high counts. If you are asking why the IP with count 3 is not blocked - for that to be blocked you'll have to set threshold to less than that - to 2.

And I assume you are using the --ipblock=iptables option? Without it, even if an IP is blocked in /etc/hosts.allow, some services will not honor it, like the older vsftpd version, because it uses a single server connection for multiple failures.

Yes, I use "--ipblock=iptables", and Postfix and ProFTPD too!

Decreasing the "threshold" option to 2 could be a testable option ;)

The log entries are missing since I activated the new rule for "/var/log/mail.err" (another thread in the forum)!