blockhosts doesn't work on suse 10.2

Hello,

I want to set up blockhosts on my desktop running on suse 10.2. I installed the latest rpm version (2.01) of blockhosts. I have the following /etc/blockhosts.cfg file:
HOSTS_BLOCKFILE = "/etc/hosts.allow"
LOGFILES = [ "/var/log/secure", ]
COUNT_THRESHOLD = 3
AGE_THRESHOLD = 7200
ALL_REGEXS_STR = {

"SSHD-Invalid": r"""sshd\[(?P<pid>\d+)\]:.*?(Invalid|Illegal) user (?P<user>.*?) from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})""",

"SSHD-NotAllowed": r"""sshd\[(?P<pid>\d+)\]: User (?P<user>.*?) from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) not allowed""",

"SSHD-Fail": r"""sshd\[(?P<pid>\d+)\]: Failed (?P<method>.*?) for (?P<invalid>invalid user |illegal user )?(?P<user>.*?) from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})""",

"ProFTPD-NoPassword": r"""proftpd\[(?P<pid>\d+)\]: [^[]+\[(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}).+Login failed""",

"ProFTPD-NoUser": r"""proftpd\[(?P<pid>\d+)\]: [^[]+\[(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}).+no such user""",

"ProFTPD-SecurityViolation": r"""proftpd\[(?P<pid>\d+)\]: [^[]+\[(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}).+SECURITY VIOLATION""",

# "VSFTPD-Fail": r"""\[pid \d+\] \[(?P<user>.*?)\] FAIL LOGIN: Client "(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})""",

"PureFTPD-Fail": r"""pure-ftpd: \(\?\@(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\) \[WARNING\] Authentication failed""",

"POP-Fail": r"""ipop3d\[(?P<pid>\d+)\]: Login failed.* \[(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\]""",

"Dovecot-Fail": r"""pop3-login: Aborted login \[(::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\]""",
}

My hosts.allow file is:

#---- BlockHosts Additions
#bh: logfile: /var/log/secure
#bh: offset: 0
#bh: first line:

#---- BlockHosts Additions

# ----------------------------------------
# finally, the command to execute the blockhosts script, based on
# connection to particular service or services, for example, for
# sshd and proftpd - if using vsftpd, pure-ftpd, be sure to use those
# words instead:

sshd, proftpd, in.proftpd: ALL: spawn (/usr/bin/blockhosts.py --verbose --echo "%c-%s" >> /var/log/blockhosts/blockhosts.log 2>&1 )& : allow

I log in to another computer and try to log in on my desktop using an invalid username/password. Then I looked at what was written in the blockhosts.log file:
blockhosts 2.0.1 started: 2007-03-23 09:27:12 CDT
... echo tag: xxx.xxx.xx.xxx-sshd@xxx.xxx.xxx.xx (!!! for security reasons I replaced my address with XXX).
... load blockfile: /etc/hosts.allow
... found both markers, count of hosts being watched: 0
... securelog, loading file, offset: /var/log/secure 0
... will discard all host entries older than 2006-05-27 09:27:12 CDT
... updates: counts: hosts to block: 0; hosts being watched: 0

and nothing happened in the /etc/hosts.allow file. Did I miss something?

Thanks,
Peter

try second invalid login

Since the execution of blockhosts is in parallel with the sshd connection, it is most likely true that the log entry for the failed connection is not made until the next run of blockhosts.

So, try another invalid login attempt; you should see all lines in the log file scanned to that point, and if there are any failed entries, they should be added to the watch list.

Thank you for the help. I

Thank you for the help. I logged in on another computer and tried to connect again using an invalid username/password:

ssh ddsfhwe@XXX
Password:
Password:
Password:
Received disconnect from XXX.XXX.XXX.XX: 2: Too many authentication failures for ddsfhwe

However, nothing appears in my /etc/hosts.allow or /var/log/blockhosts/blockhosts.log

By the way, what is the purpose of the /var/log/secure file?

log lines not present?

The next thing to look at is to make sure the securelog file mentioned in the blockhosts.log output does have the lines BlockHosts looks for, based on the patterns in your blockhosts.cfg.
/var/log/secure is the file with the log lines - maybe it has a different name on your box?

cat /var/log/secure : #----

cat /var/log/secure :

#---- BlockHosts Additions
#---- BlockHosts Additions

By mistake, I removed the blockhosts.log file from /var/log/blockhosts/. I ran blockhosts --verbose several times, after that logged in to another computer and tried to log in on that desktop. After several attempts, I went back and looked at /var/log/secure, /var/log/blockhosts/blockhosts.log and /etc/hosts.allow, and there was nothing there. I think I was doing something wrong.

so, all ok now?

Not sure if there is still a question left - I would recommend starting all over again - note the names of the files and keep hosts.allow and log files separate, follow the INSTALL doc instructions, and it should all work.

Hi, It seems to work, but

Hi,

It seems to work, but nothing is blocked. My files are as follows:

cat /etc/blockhosts.cfg
#-----------------------------------------------------------------------
# Sample file: rename to /etc/blockhosts.cfg for blockhosts.py use

HOSTS_BLOCKFILE = "/etc/hosts.allow"
HOST_BLOCKLINE = ["ALL: ", " : deny"]
VERBOSE = 2
LOGFILES = [ "/var/log/secure", ]
COUNT_THRESHOLD = 3
AGE_THRESHOLD = 720
ALL_REGEXS_STR = {

"SSHD-Invalid": r"""sshd\[(?P<pid>\d+)\]:.*?(Invalid|Illegal) user (?P<user>.*?) from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})""",

"SSHD-NotAllowed": r"""sshd\[(?P<pid>\d+)\]: User (?P<user>.*?) from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) not allowed""",

"SSHD-Fail": r"""sshd\[(?P<pid>\d+)\]: Failed (?P<method>.*?) for (?P<invalid>invalid user |illegal user )?(?P<user>.*?) from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})""",

"ProFTPD-NoPassword": r"""proftpd\[(?P<pid>\d+)\]: [^[]+\[(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}).+Login failed""",

"ProFTPD-NoUser": r"""proftpd\[(?P<pid>\d+)\]: [^[]+\[(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}).+no such user""",

"ProFTPD-SecurityViolation": r"""proftpd\[(?P<pid>\d+)\]: [^[]+\[(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}).+SECURITY VIOLATION""",

"VSFTPD-Fail": r"""\[pid \d+\] \[(?P<user>.*?)\] FAIL LOGIN: Client "(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})""",

"PureFTPD-Fail": r"""pure-ftpd: \(\?\@(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\) \[WARNING\] Authentication failed""",

"POP-Fail": r"""ipop3d\[(?P<pid>\d+)\]: Login failed.* \[(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\]""",

"Dovecot-Fail": r"""pop3-login: Aborted login \[(::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\]""",

}

cat /etc/hosts.allow
# /etc/hosts.allow

ALL: 127.0.0.2 : allow

# permanent blacklist addresses - these should always be denied access

ALL: 10. : deny
ALL: 192. : deny
ALL: 76.164.24.162 : deny

#---- BlockHosts Additions
#bh: logfile: /var/log/secure
#bh: offset: 54
#bh: first line:#---- BlockHosts Additions

#---- BlockHosts Additions

sshd, proftpd, in.proftpd: ALL: spawn (/usr/bin/blockhosts.py --verbose --echo "%c-%s" >> /var/log/blockhosts/blockhosts.log 2>&1 )& : allow

cat /var/log/secure
#---- BlockHosts Additions
#---- BlockHosts Additions

and there are many messages in the blockhosts.log file like this:
...
blockhosts 2.0.1 started: 2007-03-25 17:48:11 CDT
... echo tag: 125.133.62.5-sshd@130.184.143.33
... load blockfile: /etc/hosts.allow
... found both markers, count of hosts being watched: 0
... securelog, loading file, offset: /var/log/secure 54
... will discard all host entries older than 2007-02-23 16:48:11 CST
... updates: counts: hosts to block: 0; hosts being watched: 0
blockhosts 2.0.1 started: 2007-03-25 17:48:14 CDT
... echo tag: 125.133.62.5-sshd@130.184.143.33
... load blockfile: /etc/hosts.allow
... found both markers, count of hosts being watched: 0
... securelog, loading file, offset: /var/log/secure 54
... will discard all host entries older than 2007-02-23 16:48:14 CST
... updates: counts: hosts to block: 0; hosts being watched: 0

In /var/log/messages I see a lot of messages like this:
Mar 25 17:45:44 jaguar blockhosts: final counts: blocking 0, watching 0
Mar 25 17:45:46 jaguar sshd[2390]: Invalid user megan from 125.133.62.5
Mar 25 17:45:47 jaguar blockhosts: echo tag: 125.133.62.5-sshd@130.184.143.33
Mar 25 17:45:47 jaguar blockhosts: final counts: blocking 0, watching 0
Mar 25 17:45:49 jaguar sshd[2396]: Invalid user mel from 125.133.62.5
Mar 25 17:45:50 jaguar blockhosts: echo tag: 125.133.62.5-sshd@130.184.143.33
Mar 25 17:45:50 jaguar blockhosts: final counts: blocking 0, watching 0
Mar 25 17:45:52 jaguar sshd[2402]: Invalid user melanie from 125.133.62.5
Mar 25 17:45:53 jaguar blockhosts: echo tag: 125.133.62.5-sshd@130.184.143.33
Mar 25 17:45:53 jaguar blockhosts: final counts: blocking 0, watching 0
Mar 25 17:45:55 jaguar sshd[2408]: Invalid user melisa from 125.133.62.5
Mar 25 17:45:56 jaguar blockhosts: echo tag: 125.133.62.5-sshd@130.184.143.33
...

Why is nothing blocked? What is wrong with my settings?

wrong file being watched?

Your logfile name seems to be:
"In /var/log/messages I see a lot of messages like that:..."

But your settings are watching a different file:
"... securelog, loading file, offset: /var/log/secure 54"

Honestly, I don't know what

Honestly, I don't know what '54' means. It appears in the /etc/hosts.allow file between the "#Blockhosts additions" markers after executing blockhosts. If I remove it, it appears again.

no, that is fine

No, the hosts.allow file is fine.

It is the invocation of blockhosts or the blockhosts.cfg file that is not correct at your site - if you need /var/log/messages to be watched, that is the file that should be listed in the --logfiles option or the LOGFILES value in blockhosts.cfg.

(The 54 is an internal accounting, keeping track of how much of that file blockhosts.py has seen in the last run)
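To make the last two answers concrete, here is an added illustration (not code from BlockHosts or from anyone in this thread) that re-implements the scan in simplified form: it reads a log from the remembered byte offset, applies the posted SSHD-Invalid pattern, and builds hosts.allow lines from the posted COUNT_THRESHOLD and HOST_BLOCKLINE. Run over constructed copies of the poster's two files, it shows where the 54 comes from and why only /var/log/messages could ever produce a block.

```python
import re

# Settings copied from the blockhosts.cfg posted in the thread
COUNT_THRESHOLD = 3
HOST_BLOCKLINE = ["ALL: ", " : deny"]
IPV4 = r"\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"
# The posted SSHD-Invalid pattern; the 'host' group is what gets counted
SSHD_INVALID = re.compile(
    r"sshd\[(?P<pid>\d+)\]:.*?(Invalid|Illegal) user (?P<user>.*?) from (::ffff:)?"
    r"(?P<host>" + IPV4 + ")"
)


def scan(log_text, offset=0):
    """Simplified stand-in for the securelog scan: read the watched file from
    the byte offset remembered in '#bh: offset:', tally matches per host and
    return (new_offset, {host: count}). Only SSHD-Invalid is applied here."""
    data = log_text.encode("utf-8")
    counts = {}
    for line in data[offset:].decode("utf-8").splitlines():
        m = SSHD_INVALID.search(line)
        if m:
            host = m.group("host")
            counts[host] = counts.get(host, 0) + 1
    return len(data), counts


def block_lines(counts):
    """hosts.allow lines for every host at or above COUNT_THRESHOLD."""
    return [HOST_BLOCKLINE[0] + host + HOST_BLOCKLINE[1]
            for host, n in sorted(counts.items()) if n >= COUNT_THRESHOLD]


# Constructed: the poster's /var/log/secure held only the two marker lines,
# 2 x 27 bytes, which is exactly the '#bh: offset: 54' seen in hosts.allow
SECURE_LOG = "#---- BlockHosts Additions\n#---- BlockHosts Additions\n"

# Constructed from the /var/log/messages excerpt quoted in the thread
MESSAGES_LOG = """\
Mar 25 17:45:44 jaguar blockhosts: final counts: blocking 0, watching 0
Mar 25 17:45:46 jaguar sshd[2390]: Invalid user megan from 125.133.62.5
Mar 25 17:45:47 jaguar blockhosts: echo tag: 125.133.62.5-sshd@130.184.143.33
Mar 25 17:45:49 jaguar sshd[2396]: Invalid user mel from 125.133.62.5
Mar 25 17:45:52 jaguar sshd[2402]: Invalid user melanie from 125.133.62.5
Mar 25 17:45:55 jaguar sshd[2408]: Invalid user melisa from 125.133.62.5
"""

if __name__ == "__main__":
    for name, text in (("secure", SECURE_LOG), ("messages", MESSAGES_LOG)):
        off, counts = scan(text)
        print(name, off, counts, block_lines(counts))
```

Watching /var/log/secure yields offset 54 and no matches every run, while the same scan over /var/log/messages counts four invalid-user lines from 125.133.62.5 and produces "ALL: 125.133.62.5 : deny".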