Hi @all,
at least on openSUSE 10.1, I get such an entry when a failed ssh access was received:
error: PAM: Authentication failure for root from 1.2.3.4
and I wrote this regex for blockhosts.cfg (maybe it could be included as an example?):
"SSHD-wrongpass": re.compile(r"""sshd\[(?P<pid>\d+)\]: error: PAM: Authentication failure for (?P<user>.*?) from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"""),
but then I found such entries can also happen:
sshd[2505]: error: PAM: Authentication failure for root from badhost.example.foo
and I wanted to extend the regex:
"SSHD-wrongpass": re.compile(r"""sshd\[(?P<pid>\d+)\]: error: PAM: Authentication failure for (?P<user>.*?) from (::ffff:)?(?P<host>(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|,*\..*))$"""),
but I only get a "watched" status for such a host, it never gets blocked. Any ideas?
Also, I call
/usr/bin/blockhosts.py --ignore-offset -v -g
but it doesn't ignore the offset. Something broken?
thanks,
Kind regards, zmi
[Editor: modified Jan 20, 2007 - changed all less-than and greater-than characters to HTML named-entities, for example < is now &lt;]
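A way to check what each pattern in the post captures before it goes into blockhosts.cfg. This is an added example, not part of the original post and not BlockHosts code. It assumes the patterns are applied with search semantics; the sample log lines are constructed, and the names `extract_hosts` and `hostname_variant` are hypothetical.

```python
import re

# Shared prefix and IPv4 fragment, copied from the patterns in the post.
PREFIX = (r"sshd\[(?P<pid>\d+)\]: error: PAM: Authentication failure for "
          r"(?P<user>.*?) from (::ffff:)?")
IPV4 = r"\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"

PATTERNS = {
    # First pattern from the post: IPv4 addresses only.
    "ipv4_only": re.compile(PREFIX + r"(?P<host>" + IPV4 + r")"),
    # Second pattern from the post, unchanged. The alternative `,*\..*` needs
    # zero or more commas and then a literal dot at the start of the host.
    "posted_extension": re.compile(PREFIX + r"(?P<host>(" + IPV4 + r"|,*\..*))$"),
    # Hypothetical variant (assumption): dotted hostname labels, end-anchored.
    "hostname_variant": re.compile(
        PREFIX + r"(?P<host>" + IPV4 + r"|[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)\s*$"),
}

# Constructed sample lines modelled on the entries quoted in the post.
SAMPLE_LINES = [
    "Jan 20 10:00:01 gw sshd[2505]: error: PAM: Authentication failure for root from 1.2.3.4",
    "Jan 20 10:00:07 gw sshd[2505]: error: PAM: Authentication failure for root from badhost.example.foo",
    "Jan 20 10:00:09 gw sshd[2506]: error: PAM: Authentication failure for root from ::ffff:1.2.3.4",
]

def extract_hosts(name, lines=SAMPLE_LINES):
    """Return the captured host per line, or None where the pattern misses."""
    pattern = PATTERNS[name]
    hosts = []
    for line in lines:
        match = pattern.search(line)  # assumption: search, not full-line match
        hosts.append(match.group("host") if match else None)
    return hosts

if __name__ == "__main__":
    for name in PATTERNS:
        print(f"{name:17} {extract_hosts(name)}")
```

Running it prints, per pattern, the host captured from each sample line, with `None` marking a line the pattern does not match.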