sshd log and blockhosts.cfg

I'm running sourcemage linux and my sshd logs are spit out a little differently than the stock ones in blockhosts.cfg. I was wondering if I could get some help getting the correct blockhosts.cfg line down so it blocks sshd logins?

my log shows:

Dec 17 11:57:08 [sshd] Failed password for invalid user administrator from 127.0.0.1 port 25132 ssh2

I've tried editing the stock blockhosts.cfg to no avail. When I run blockhosts -v, it looks at the log fine, but none of the failed attempts are making it to watching or blocking status.

Thanks,
-baggar11

which sshd? here's the pattern

Since there is no existing pattern for the log line you posted, a new pattern has to be added; here's one that will work:

    "sshd-SourceMage-Fail": r"""^[^[]+?\[sshd\] Failed password for (?P<invalid>invalid user |illegal user )?.* from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"""

Add the above line, with correct indentation, to the blockhosts.cfg file in the appropriate place, ALL_REGEXS_STR = { ....

Also, can you post what version of sshd is running at your site? Probably some configuration is making syslog appear without pid, not sure if that is the sshd config on Source Mage linux, or some Source Mage config itself.
sshd -? usually prints out the version, like this, on a Fedora FC7 system:

    sshd -?
    sshd: illegal option -- ?
    OpenSSH_4.5p1, OpenSSL 0.9.8b 04 May 2006
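To see why the stock patterns never put the Source Mage lines into watching or blocking status, here is an added Python example (not part of the original thread or of blockhosts itself) that runs the pattern quoted in the reply above, next to a simplified stand-in for a stock "sshd[pid]:" pattern, over a few constructed log lines and tallies failed logins per host. The stock stand-in, the sample lines and the function names are assumptions made for this example.

```python
import re

# Pattern quoted from the reply above (Source Mage / metalog-style line, no pid after sshd).
SOURCEMAGE_FAIL = (
    r"""^[^[]+?\[sshd\] Failed password for (?P<invalid>invalid user |illegal user )?"""
    r""".* from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"""
)

# Simplified stand-in for a stock syslog pattern ("sshd[pid]:"), written for this
# example only; it is not the pattern shipped in blockhosts.cfg.
STOCK_FAIL = (
    r"""^.*sshd\[\d+\]: Failed password for (?P<invalid>invalid user |illegal user )?"""
    r""".* from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"""
)

ALL_REGEXS = {"sshd-Stock-Fail": STOCK_FAIL, "sshd-SourceMage-Fail": SOURCEMAGE_FAIL}

# Constructed sample log: four Source Mage-style lines plus one stock-style line.
SAMPLE_LOG = """\
Dec 17 11:57:08 [sshd] Failed password for invalid user administrator from 127.0.0.1 port 25132 ssh2
Dec 17 11:57:12 [sshd] Failed password for invalid user admin from 127.0.0.1 port 25140 ssh2
Dec 17 11:58:01 [sshd] Failed password for root from ::ffff:192.0.2.10 port 40001 ssh2
Dec 17 11:58:30 [sshd] Accepted password for baggar11 from 192.0.2.20 port 40010 ssh2
Dec 17 11:59:00 host1 sshd[1234]: Failed password for invalid user test from 198.51.100.7 port 5000 ssh2
"""


def match_failure(line, regexs=ALL_REGEXS):
    """Return (pattern name, host, invalid-user flag) for the first pattern that
    matches the line, or None if no pattern recognises it."""
    for name, rx in regexs.items():
        m = re.match(rx, line)
        if m:
            return name, m.group("host"), m.group("invalid") is not None
    return None


def count_failures(log_text, regexs=ALL_REGEXS):
    """Failed logins per source host, the tally a blocker keeps before a host
    reaches watching or blocking status. Lines no pattern matches are ignored,
    which is exactly why an unrecognised log format never blocks anything."""
    counts = {}
    for line in log_text.splitlines():
        hit = match_failure(line, regexs)
        if hit:
            counts[hit[1]] = counts.get(hit[1], 0) + 1
    return counts
```

With only the stock stand-in, the four Source Mage lines are invisible and a single host is counted; with the added pattern all three failing hosts are tallied, while the "Accepted password" line is correctly ignored.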

Thanks! Worked like a

Thanks! Worked like a charm.

Here's my sshd version printout:
OpenSSH_4.7p1, OpenSSL 0.9.8g 19 Oct 2007

-baggar11

Source Mage logs now supported

All patterns can now handle the log format of Source Mage Linux - it is probably metalog format? Download blockhosts version 2.3.0 or newer.