attack numbers doubled?

Every time Blockhosts is executed the attack numbers are doubled. Does anyone know what could cause this?

Thanks

Details?

Can you add more information? The problem is not clear from your message.

Blockhosts itself can't generate any "attacks", so not sure how it can increase attack counts.

And if you are running LogWatch on your system, it provides daily counts of people attacking your system, and the failure counts it mentions should be just 1 or 2 higher than the count BlockHosts is set to start blocking at.
For example, I never see any sshd "Authentication Failure" count higher than 9; it used to be at least 100 before running BlockHosts.

I'm having the same problem.

I'm having the same problem. Every time blockhosts is run it reads the whole secure log and adds everything again. Example: user tom has made 4 failed attempts. At the first run it adds those 4 to "hosts being watched". At the next run it adds those 4 attempts again... and again and again. Same failures! So eventually everyone who has made >= 1 failed attempt will get blocked.

what does hosts.allow say?

What are the first-line and offset entries in hosts.allow? For example, lines like these should be seen:

#bh: logfile: /var/log/secure
#bh: offset: 780306
#bh: first line:Sep 5 05:10:02 hostname sshd[4667]: Did not receive identification string from 10.10.149.250

The offset should increase (or be at least as large as the size of the logfile) on each invocation.

First run:

Second run:

#---- BlockHosts Additions
ALL: 200.25.183.58 : deny
ALL: 211.144.45.5 : deny

#bh: ip: 85.76.13.99 : 2 : 2006-01-15-18-08
#bh: ip: 85.76.12.31 : 4 : 2006-01-15-18-08
#bh: ip: 84.230.250.54 : 2 : 2006-01-15-18-08
#bh: ip: 82.181.201.210 : 2 : 2006-01-15-18-08
#bh: ip: 69.72.153.114 : 14 : 2006-01-15-18-08
#bh: ip: 217.160.243.198 : 14 : 2006-01-15-18-08
#bh: ip: 211.144.45.5 : 32 : 2006-01-15-18-08
#bh: ip: 200.25.183.58 : 22 : 2006-01-15-18-08
#bh: ip: 194.240.150.6 : 6 : 2006-01-15-18-08

#bh: logfile: /var/log/secure.1
#bh: offset: 30944
#bh: first line:Jan 8 08:35:43 router i802_1x:supplicant 00:0d:0b:0c:3a:e2 authorized

#---- BlockHosts Additions

Third run:

#---- BlockHosts Additions
ALL: 69.72.153.114 : deny
ALL: 200.25.183.58 : deny
ALL: 217.160.243.198 : deny
ALL: 211.144.45.5 : deny

#bh: ip: 85.76.13.99 : 3 : 2006-01-15-18-08
#bh: ip: 85.76.12.31 : 6 : 2006-01-15-18-08
#bh: ip: 84.230.250.54 : 3 : 2006-01-15-18-08
#bh: ip: 82.181.201.210 : 3 : 2006-01-15-18-08
#bh: ip: 69.72.153.114 : 21 : 2006-01-15-18-08
#bh: ip: 217.160.243.198 : 21 : 2006-01-15-18-08
#bh: ip: 211.144.45.5 : 48 : 2006-01-15-18-08
#bh: ip: 200.25.183.58 : 33 : 2006-01-15-18-08
#bh: ip: 194.240.150.6 : 9 : 2006-01-15-18-08

#bh: logfile: /var/log/secure.1
#bh: offset: 30944
#bh: first line:Jan 8 08:35:43 router i802_1x:supplicant 00:0d:0b:0c:3a:e2 authorized

#---- BlockHosts Additions

Hmm. It seems to be working if the logfile does not contain any wireless authentications... I noticed this because my secure log just rotated and no wireless connections were logged yet. How is this possible... a bug? Shouldn't the logfile be able to contain anything, since BlockHosts should only be interested in ssh failures?

second/third run doesn't make sense...

The only explanation I can see is if --ignore-offset is being passed to the program; check with the --debug option.

blockhosts.py --dry-run --logfiles=your_log_file_name --debug

If you run this on a file that is not changing, the second, third, etc, run should all have the same output. You can leave out the --dry-run to just get the debug output for the 1st/2nd/3rd runs.

The second run shows two IP addresses with a count of 14, but neither is in the blocked list... is your COUNT_THRESHOLD not the default 7? It looks like it is above 14 but less than 21.

And yes, the logfile can contain any lines; only the sshd/proftpd lines are matched, others are ignored.

If the debug output above does not explain the problem, send the debug output (and maybe the logfile if necessary) to the author of blockhosts.
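To make the offset/first-line bookkeeping discussed above concrete (the "#bh: offset" and "#bh: first line" markers, and why ignoring the offset makes counts grow on every run), here is an added example. It is not BlockHosts' own code: the marker format mimics the hosts.allow lines shown in the thread, the sshd regex is a simplified stand-in for the real patterns, the log lines are constructed, and the counts are kept in characters of an ASCII sample rather than bytes of a real file.

```python
"""Offset-tracked incremental log scan (illustrative, not BlockHosts' code)."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample log (ASCII only, so character offsets equal byte offsets).
# The non-sshd "router" line is there to show that unrelated lines are ignored.
SAMPLE_LOG = (
    "Jan 15 18:00:00 host sshd[4660]: Did not receive identification string from 10.0.0.9\n"
    "Jan 15 18:01:01 host sshd[4661]: Failed password for invalid user tom from 10.0.0.5 port 4000 ssh2\n"
    "Jan 15 18:01:03 host sshd[4661]: Failed password for invalid user tom from 10.0.0.5 port 4000 ssh2\n"
    "Jan 15 18:01:05 host sshd[4661]: Failed password for invalid user tom from 10.0.0.5 port 4000 ssh2\n"
    "Jan 15 18:01:07 host sshd[4661]: Failed password for invalid user tom from 10.0.0.5 port 4000 ssh2\n"
    "Jan 15 18:02:00 router i802_1x:supplicant 00:0d:0b:0c:3a:e2 authorized\n"
    "Jan 15 18:03:10 host sshd[4670]: Failed password for root from 10.0.0.6 port 4100 ssh2\n"
    "Jan 15 18:03:12 host sshd[4670]: Failed password for root from 10.0.0.6 port 4100 ssh2\n"
)

# Simplified stand-in for the real sshd failure patterns (assumption).
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for .* from (\d{1,3}(?:\.\d{1,3}){3})")

# Parses the marker lines in the same shape as the thread's hosts.allow excerpt.
MARKER_RE = re.compile(r"^#bh: (logfile|offset|first line):\s?(.*)$", re.M)


@dataclass
class ScanState:
    """What gets persisted between runs: which file, how far we read, and its first line."""
    logfile: str = ""
    offset: int = 0
    first_line: str = ""


def render_markers(state):
    """Emit the '#bh:' bookkeeping lines for the state file."""
    return (f"#bh: logfile: {state.logfile}\n"
            f"#bh: offset: {state.offset}\n"
            f"#bh: first line:{state.first_line}\n")


def parse_markers(text):
    """Read the bookkeeping lines back; missing markers fall back to 'start from scratch'."""
    state = ScanState()
    for key, value in MARKER_RE.findall(text):
        if key == "logfile":
            state.logfile = value
        elif key == "offset":
            state.offset = int(value)
        else:
            state.first_line = value
    return state


def scan(log_text, state, ignore_offset=False):
    """Count sshd failures per IP in the part of the log not yet seen.

    The saved first line detects rotation: if it changed (or the file shrank),
    the file is a different one and is read from the start. With ignore_offset
    the whole file is re-read every time, which is exactly the doubling effect.
    Returns (new_counts, new_state).
    """
    first_line = log_text.split("\n", 1)[0]
    start = state.offset
    rotated = first_line != state.first_line or start > len(log_text)
    if ignore_offset or rotated:
        start = 0
    counts = Counter()
    for line in log_text[start:].splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts, ScanState(state.logfile, len(log_text), first_line)


def repeated_runs(log_text, runs, ignore_offset=False, logfile="/var/log/secure"):
    """Run the scan `runs` times over an unchanged log.

    Returns the cumulative per-IP counts (what the '#bh: ip: X : N' lines hold)
    and the final marker block.
    """
    state = ScanState(logfile=logfile)
    cumulative = Counter()
    for _ in range(runs):
        new, state = scan(log_text, state, ignore_offset)
        cumulative.update(new)
    return dict(cumulative), render_markers(state)


if __name__ == "__main__":
    for flag in (False, True):
        counts, markers = repeated_runs(SAMPLE_LOG, 3, ignore_offset=flag)
        print(f"ignore_offset={flag}: {counts}")
        print(markers)
```

With the offset honoured, three runs over the same file leave the counts at 4 and 2 and the offset equal to the file size; with it ignored, the same three runs report 12 and 6, which is the growth pattern the thread describes. Appending a line and rescanning counts only the new line, while a file whose first line no longer matches is treated as rotated and read from the beginning.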