Blockhosts doesn't seem to count refusals after Ip blocked

As far as I can tell blockhosts (2.7.0) doesn't count refusals and/or update time based on refusals. That means that if a site gets blocked but continues to attack it could be removed from the block list when it is still active.

The SSHD refused record seems to have the IP address twice, e.g.

Oct 1 17:04:28 server sshd[16670]: refused connect from 202.117.3.104 (202.117.3.104)

Does the Regex have to match the complete line, or can it stop at the end of the first IP address? If matching the complete line, how do you set up the 2nd address and the parentheses?

Thanks

SSHD log lines

It does update the records if a remote site continues to attack, but there are a number of issues here.

1: If you are using iptables to block all traffic, then once blocked, the IP address will never make it to the applications (like SSHD), so there will be no log messages to count.

2: If you do see log messages (when not using iptables mode), then it will cause updates. For example, the /etc/hosts.allow will show updated times for that address:

#bh: ip:      10.66.66.2 :   1 : 1349179994.9 # 2012-10-02 08:13:14 EDT


But this is only if the log message is one of the strings being scanned - see /etc/blockhosts.cfg for all the patterns.

3: The example you posted - "refused connect" is not a pattern in the default /etc/blockhosts.cfg so if you see only that, and none of the other expected messages (Failed password, Invalid user, etc), then it will not cause any updates to the IP address.

4: If you wish to block on that line, you will need to add a new pattern for it. This might work (not tested):

    "sshd-refused":
        r'{LOG_PREFIX{sshd}} refused connect from {HOST_IP}',


Note that adding that to blockhosts.cfg requires careful attention to line indents and spaces - it is a Python file.

It is quite possible that SSHD is printing that "refused connect" based on the hosts.allow blocking - in which case, blockhosts.cfg should contain the above line. Will add it to the next release of blockhosts.

Even without that - if the IP address continues to probe your site after it is removed from the block list, it will be blocked again once its probing count reaches the trigger limit.
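To make the two points above concrete (a prefix match is all the pattern needs, and matching lines update both the per-IP count and the last-attempt time), here is a small added example in Python. It is not BlockHosts' own code: the `{LOG_PREFIX{sshd}}` and `{HOST_IP}` placeholders are expanded by hand into ordinary regexes as an assumption about what they stand for, the log lines are constructed, and the counting logic only imitates what the `#bh:` records in hosts.allow track.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd log lines (not taken from the original thread).
# One IP produces the "refused connect" form with the address repeated in
# parentheses; another produces a standard "Failed password" message; the
# cron line is noise that should match nothing.
SAMPLE_LOG = """\
Oct  1 17:04:28 server sshd[16670]: refused connect from 202.117.3.104 (202.117.3.104)
Oct  1 17:04:31 server sshd[16671]: refused connect from 202.117.3.104 (202.117.3.104)
Oct  1 17:04:35 server sshd[16672]: Failed password for invalid user admin from 10.66.66.2 port 4321 ssh2
Oct  1 17:04:40 server sshd[16673]: refused connect from 202.117.3.104 (202.117.3.104)
Oct  1 17:05:01 server cron[16680]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Hand-expanded stand-ins for the blockhosts.cfg placeholders. Assumption:
# {LOG_PREFIX{sshd}} stands for the syslog timestamp/host/"sshd[pid]:" prefix
# and {HOST_IP} for a dotted-quad address. The real expansions are BlockHosts'
# internals; these regexes are our own approximation.
LOG_PREFIX = r'(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]:'
HOST_IP = r'(?P<ip>\d{1,3}(?:\.\d{1,3}){3})'

PATTERNS = {
    # The pattern suggested in the thread, expanded by hand.
    "sshd-refused": re.compile(LOG_PREFIX + r' refused connect from ' + HOST_IP),
    # A default-style failed-login pattern, for comparison.
    "sshd-failed": re.compile(LOG_PREFIX + r' Failed password for .* from ' + HOST_IP),
}


def search_vs_fullmatch(line, name="sshd-refused"):
    """A prefix match is enough: re.search() hits the line, while
    re.fullmatch() fails because the parenthesised second address is
    not covered by the pattern."""
    pat = PATTERNS[name]
    return (pat.search(line) is not None, pat.fullmatch(line) is not None)


def scan(log_text, year=2012):
    """Count matching lines per source IP and record the last attempt time,
    the way a hosts.allow "#bh:" record tracks count and timestamp."""
    stats = defaultdict(lambda: {"count": 0, "last": None, "patterns": set()})
    for line in log_text.splitlines():
        for name, pat in PATTERNS.items():
            m = pat.search(line)          # search, not fullmatch: the trailer is ignored
            if m is None:
                continue
            # syslog lines carry no year; supply one so the timestamp parses
            when = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
            rec = stats[m.group("ip")]
            rec["count"] += 1
            if rec["last"] is None or when > rec["last"]:
                rec["last"] = when
            rec["patterns"].add(name)
            break                         # one pattern per line is enough
    return dict(stats)


def over_trigger(stats, trigger):
    """IPs whose refusal/failure count has reached the block trigger."""
    return sorted(ip for ip, rec in stats.items() if rec["count"] >= trigger)


if __name__ == "__main__":
    s = scan(SAMPLE_LOG)
    for ip, rec in s.items():
        print(f"{ip:16} count={rec['count']} last={rec['last']} via={sorted(rec['patterns'])}")
    print("would block at trigger 3:", over_trigger(s, 3))
```

Because the pattern is applied with a search rather than a whole-line match, the second, parenthesised copy of the address never has to appear in the pattern at all; the first capture is what gets counted, and each later refusal pushes the recorded last-attempt time forward, which is exactly what keeps an actively probing host from ageing out of the block list.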

Monitor when blocked

The suggested new pattern works fine. Once a host has been blocked (OpenSuse), the refused connect is now used to keep counting and update the last attempt.