not matching

Hi, could you help me with the coding?

It's not matching...

Nov 21 10:30:43 [sshd] Failed password for invalid user root from 62.193.227.26 port 48563 ssh2
Nov 21 10:31:44 [sshd] User root from 62.193.227.26 not allowed because not listed in AllowUsers

Nov 21 15:21:47 [sshd] Invalid user doah from 24.60.14.61
Nov 21 15:21:47 [sshd] Failed none for invalid user doah from 24.60.14.61 port 52242 ssh2

greatly appreciated
thanks

I have a Gentoo system

Latest version 1.0.3 should work.

What version are you using?

The latest version has checks for "Invalid .." and "Failed password..." lines, so both should match.

Not Matching on Debian

I'm also seeing entries not being caught. I've got a Debian (testing) box with
BlockHosts v1.0.3 and it is not picking up auth.log entries like:

Dec 7 19:15:01 webstore sshd[5608]: Invalid user admin from 69.94.14.67

It should match...

A similar issue was posted to this topic: Failed password on existing user not detected

There is a comment that shows the debug run, which does show that the IP was caught.

Note that there may be a time lag between the time blockhosts gets invoked by the hosts.allow setting and the time when the failed entry is added to auth.log or secure, in which case that run of blockhosts will not find that last illegal IP entry.
You can always test this by running blockhosts.py by hand on the command line; at that time, it will catch all existing failed attempts in the log files.

proftpd not matching either

There are scores of entries like this not being caught:

Jan 14 19:41:09 mybox proftpd[9902]: mybox.mydomain (85.176.0.77[85.176.0.77]) - USER anonymous: no such user found from 85.176.0.77 [85.176.0.77] to x.x.x.x

I'm running Blockhosts v1.0.3 and the default Proftp lines in blockhosts.cfg are uncommented. It does seem to be catching the ssh lusers. This is on CentOS. What to do?

no idea...

Can't imagine what could be going on - that line will be matched - all I can suggest is to run it:

blockhosts.py --dry-run --logfiles=your_log_file_name --debug

and see if the IP address matched.
If it did, all is fine.
If not, then send the blockhosts author an email with the log file and your debug output.
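
A stand-alone way to see which log lines a given pattern does and does not catch, using the lines quoted in this thread (added example, not from the thread or the BlockHosts project). The patterns, their names and the `classify` helper are assumptions written for illustration, not the rules shipped in blockhosts.cfg, and they expect the `name[pid]:` syslog prefix.

```python
import re

# Hypothetical patterns for this example only (not the BlockHosts rules).
# Each one exposes the offending address as the named group "ip".
IP = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
PATTERNS = {
    "sshd-invalid": re.compile(r"sshd\[\d+\]: Invalid user \S+ from " + IP + r"$"),
    "sshd-failed": re.compile(
        r"sshd\[\d+\]: Failed \S+ for (?:invalid user )?\S+ from " + IP + r" port \d+"),
    "proftpd-nouser": re.compile(
        r"proftpd\[\d+\]: .* no such user found from " + IP + r" \["),
}

# Log lines quoted in the thread above.
SAMPLE = [
    "Nov 21 10:30:43 [sshd] Failed password for invalid user root "
    "from 62.193.227.26 port 48563 ssh2",
    "Nov 21 15:21:47 [sshd] Invalid user doah from 24.60.14.61",
    "Dec 7 19:15:01 webstore sshd[5608]: Invalid user admin from 69.94.14.67",
    "Jan 14 19:41:09 mybox proftpd[9902]: mybox.mydomain "
    "(85.176.0.77[85.176.0.77]) - USER anonymous: no such user found "
    "from 85.176.0.77 [85.176.0.77] to x.x.x.x",
]


def classify(lines, patterns=PATTERNS):
    """Return (hits, misses): hits maps IP -> rule names, misses lists unmatched lines."""
    hits, misses = {}, []
    for line in lines:
        for name, rx in patterns.items():
            m = rx.search(line)
            if m:
                hits.setdefault(m.group("ip"), []).append(name)
                break
        else:
            # No pattern matched: this is the line to inspect (prefix format, wording).
            misses.append(line)
    return hits, misses


if __name__ == "__main__":
    hits, misses = classify(SAMPLE)
    for ip, rules in hits.items():
        print("MATCH", ip, rules)
    for line in misses:
        print("MISS ", line)
```

Lines reported as MISS are the ones to compare character by character against the pattern, starting with the part before the message text.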