Published on A C Zoom (http://www.aczoom.com/cms)
Not picking up failed attempts - "Invalid user ..." lines without "Failed password ..." lines
By ac
Created 2005-08-16 18:33

Jul 19 06:47:35 hostname sshd[1786]: Invalid user russ from 10.23.58.3
Jul 19 06:58:23 hostname sshd[2821]: User root from 10.23.58.3 not allowed because none of user's groups are listed in AllowGroups

For all those who don't see a "Failed password..." log line but only see an "Invalid user ..." line in the sshd logs, here's a working .cfg file that I've tested with the log example given above.

To use, replace your /etc/blockhosts.cfg with this file, merging in any changes you made locally. Then the next run of blockhosts.py will pick up these changes.

[Oct 2005: Link removed - update to the latest blockhosts - version 1.0.2 or later, it includes these rules - see comment below]

This config file contains two new rules in the ALL_REGEXS section.
Note that this may cause double counting of some IP addresses, in some sshd installs. Still, better to double count than to ignore an abusive IP address. Given the double-counting, this change will not be included in the main package, so if anyone knows for sure why some sshd installs do not print the "Failed password..." line, or knows what line to look for, send me email [1]. I am looking for a line that is printed once only for each failed attempt.
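As an added illustration (example code written for this page, not the blockhosts .cfg file the post links to or the project's own ALL_REGEXS entries), the script below matches the two log lines quoted above plus the usual "Failed password" line, tallies matches per source IP, and shows the double counting the post warns about: when one sshd session logs both "Invalid user" and "Failed password", a rule set that counts every matching line charges that attempt twice. The rule names, the expressions, and the sample log (the two quoted lines plus two constructed ones) are this example's own assumptions.

```python
import re
from collections import Counter

# Constructed sample: the two lines quoted in the post, plus a constructed
# "Failed password" line sharing sshd pid 1786 with the first "Invalid user"
# line (one login attempt logged twice), and one more constructed line.
SAMPLE_LOG = """\
Jul 19 06:47:35 hostname sshd[1786]: Invalid user russ from 10.23.58.3
Jul 19 06:47:38 hostname sshd[1786]: Failed password for invalid user russ from 10.23.58.3 port 40312 ssh2
Jul 19 06:58:23 hostname sshd[2821]: User root from 10.23.58.3 not allowed because none of user's groups are listed in AllowGroups
Jul 19 07:02:11 hostname sshd[2900]: Invalid user admin from 192.0.2.44
"""

IPV4 = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
PID = r"sshd\[(?P<pid>\d+)\]: "

# Hypothetical rule set: names and expressions are this example's own,
# not the entries in the blockhosts configuration.
RULES = {
    "failed_password": re.compile(PID + r"Failed password for .+ from " + IPV4),
    "invalid_user": re.compile(PID + r"Invalid user \S+ from " + IPV4),
    "allowgroups_denied": re.compile(
        PID + r"User \S+ from " + IPV4
        + r" not allowed because none of user's groups are listed in AllowGroups"
    ),
}


def match_line(line):
    """Return (rule_name, pid, ip) for the first rule that matches, else None."""
    for name, rx in RULES.items():
        m = rx.search(line)
        if m:
            return name, m.group("pid"), m.group("ip")
    return None


def count_failures(log_text, dedupe_by_pid=False):
    """Count matching lines per source IP.

    With dedupe_by_pid=False every matching line counts, so an attempt that
    sshd logs both as "Invalid user" and "Failed password" is counted twice.
    With dedupe_by_pid=True each (pid, ip) pair counts once, collapsing the
    two lines of one sshd session into a single failed attempt.
    """
    counts = Counter()
    seen = set()
    for line in log_text.splitlines():
        hit = match_line(line)
        if hit is None:
            continue
        _, pid, ip = hit
        if dedupe_by_pid:
            if (pid, ip) in seen:
                continue
            seen.add((pid, ip))
        counts[ip] += 1
    return counts


if __name__ == "__main__":
    print("raw:    ", dict(count_failures(SAMPLE_LOG)))
    print("deduped:", dict(count_failures(SAMPLE_LOG, dedupe_by_pid=True)))
```

On the sample log the raw count charges 10.23.58.3 with three failures although only two attempts occurred; keying on the sshd child pid brings it back to two. The pid key is a rough tool: one sshd child handles several password tries within a single connection, so pid-based deduplication can undercount a client that retries inside one session, and pids are reused over the life of a long log. It is shown here only to make the double-counting visible, not as a recommended counting rule.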

[Oct 2005: Double counting fixed from version 1.0.2 onwards]


Source URL (retrieved on 2008-11-20 16:36): http://www.aczoom.com/cms/forums/blockhosts/not-picking-up-failed-attempts-invalid-user-lines-without-failed-password-lines

Links:
[1] http://www.aczoom.com/email.html
[2] http://www.aczoom.com/cms/cms/forums/blockhosts/whitelisting-ip-ranges-preventing-dos
[3] http://www.aczoom.com/cms/cms/forums/blockhosts/fc4