not picking up failed logins

I have looked through this forum and have found a few messages related to my problem but still I am not having any success with blockhosts. I am running on Solaris 10. The blockhosts.cfg is edited and in place. The logflle is /var/adm/authlog. I tried first using just hosts.allow and then later tried just hosts.deny. /var/log/blockhosts.log shows several lines for each time I try a bad login from another computer. In hosts.deny there is (comments trimmed)
#---- BlockHosts Additions
#bh: logfile: /var/adm/authlog
#bh: offset: 9700
#bh: first line:Oct 4 12:03:10 ultra20.comcast.net sshd[1089]: [ID 800047 auth.info] Illegal user slime from 192.168.102.101

#---- BlockHosts Additions

sshd:ALL:spawn (/usr/sfw/bin/blockhosts.py --verbose --echo "%c-%s" >> /var/log/blockhosts.log 2>&1 )& : allow

I tried blockhosts ----dry-run --logfiles=/var/adm/authlog --debug as suggested in this forum but I don't really know what to do with what I got.

bash-3.00# blockhosts.py --dry-run --logfiles=/var/adm/authlog --debug
blockhosts 1.0.4 started: 2006-10-04 12:11:20
Got options: {'blockcount': 4, 'lockfile': '/tmp/blockhosts.lock', 'verbose': 3, 'dry_run': True, 'echo': '', 'blockfile': '/etc/hosts.deny', 'ignore_offset': False, 'discard': 12, 'logfiles': '/var/adm/authlog', 'block_services': 'ALL'}
Using ALL_REGEXS: {'SSHD-Invalid': <_sre.SRE_Pattern object at 0x825bbd0>, 'SSHD-NotAllowed': <_sre.SRE_Pattern object at 0x825c060>, 'SSHD-Fail': <_sre.SRE_Pattern object at 0x825ebb8>}
Debug mode enabled.
from config file, got logfiles: ['/var/adm/authlog']
... will discard all host entries older than 2006-10-04 00:11
... load blockfile: /etc/hosts.deny
1: got line: # ----------------------------------------
1: got line: # next section is the blockhosts section - it will add/delete entries in
1: got line: # between the two marker lines (#---- BlockHosts Additions)
1: got line: #---- BlockHosts Additions
... seen all state 1 lines, now inside blockhosts markers at offset 177
2: found logfile name line: /var/adm/authlog
... found both markers, count of hosts being watched: 0
block-file: Got previous abusive hosts data:
{}
-------------------
block-file: Got remaining lines:
['\n', '# ----------------------------------------\n', '# finally, the command to execute the blockhosts script, based on\n', '# connection to particular service or services, for example, for\n', '# sshd and proftpd - if using vsftpd, pure-ftpd, be sure to use those\n', '# words instead:\n', '\n', 'sshd:ALL:spawn (/usr/sfw/bin/blockhosts.py --verbose --echo "%c-%s" >> /var/log/blockhosts.log 2>&1 )& : allow\n', '\n', '#ALL : ALL: spawn (/usr/bin/blockhosts.py --verbose --echo "%c-%s" >> /var/log/blockhosts.log 2>&1 )& : allow\n', '# -------------------------------------------------------------------------\n']
-------------------
------- looking into log file: /var/adm/authlog
SecureLog open:
first_line: Oct 4 12:03:10 ultra20.comcast.net sshd[1089]: [ID 800047 auth.info] Illegal user slime from 192.168.102.101
file length: 9700
... securelog, loading: /var/adm/authlog 9700
------- finished looking into log file: /var/adm/authlog
------- collecting block file updates ---
Collecting abusive_hosts counts info for block-file
Collecting log file offset info for block-file
... updates: counts: hosts to block: 0; hosts being watched: 0
#---- BlockHosts Additions
#bh: logfile: /var/adm/authlog
#bh: offset: 9700
#bh: first line:Oct 4 12:03:10 ultra20.comcast.net sshd[1089]: [ID 800047 auth.info] Illegal user slime from 192.168.102.101

#---- BlockHosts Additions

# ----------------------------------------
# finally, the command to execute the blockhosts script, based on
# connection to particular service or services, for example, for
# sshd and proftpd - if using vsftpd, pure-ftpd, be sure to use those
# words instead:

sshd:ALL:spawn (/usr/sfw/bin/blockhosts.py --verbose --echo "%c-%s" >> /var/log/blockhosts.log 2>&1 )& : allow

#ALL : ALL: spawn (/usr/bin/blockhosts.py --verbose --echo "%c-%s" >> /var/log/blockhosts.log 2>&1 )& : allow
# -------------------------------------------------------------------------
bash-3.00#

Sun OS? Solaris 10? SSHD-Invalid needs change

What SSH server are you using? The log line is different from the one put out by OpenSSH, which is why blockhosts.py fails to catch it - there is an extra [ID...] section in the log line.

Oct 4 12:03:10 ultra20.comcast.net sshd[1089]: [ID 800047 auth.info] Illegal user slime from 192.168.102.101

If Solaris 10 ships with that server, then it would make sense to update the regexp script in the shipping version to catch this, here's a changed line that should work (replace this line in blockhosts.py, and try again):


"SSHD-Invalid": re.compile(r"""sshd\[(?P<pid>\d+)\]:.*?(Invalid|Illegal) user (?P<user>.*?) from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"""),

[Note: this is python, so spacing is important - must have 8 spaces in front of "SSHD-Invalid" above]

8 spaces? The stock .cfg

8 spaces? The stock .cfg file I got only uses 4, and all the filters I uncommented are working fine. I just need something that works with the new vsftpd. The python I have *must* be different than the guy who posted what should work for me. I see no obvious format error. All the spacing seems to be the same as your stock filter, too. But if I use it, blockhosts.py errors out and catches nothing.

Thx, I had the same issue. I

Thx, I had the same issue. I am also running solaris 10.
This one helped me.

Thx again,

Erwin