blockhosts not working with DNS names, plus: added one regex for PAM login failures (openSUSE 10.1)

Hi @all,

At least on openSUSE 10.1, I get an entry like this when a failed ssh access is received:

error: PAM: Authentication failure for root from 1.2.3.4

and I wrote this regex for blockhosts.cfg (maybe it could be included as an example?):

"SSHD-wrongpass": re.compile(r"""sshd\[(?P<pid>\d+)\]: error: PAM: Authentication failure for (?P<user>.*?) from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"""),

but then I found that entries like this can also happen:

sshd[2505]: error: PAM: Authentication failure for root from badhost.example.foo

and I wanted to extend the regex:

"SSHD-wrongpass": re.compile(r"""sshd\[(?P<pid>\d+)\]: error: PAM: Authentication failure for (?P<user>.*?) from (::ffff:)?(?P<host>(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|,*\..*))$"""),

but I only get a "watched" status for such a host; it never gets blocked. Any ideas?

Also, I call

/usr/bin/blockhosts.py --ignore-offset -v -g

but it doesn't ignore the offset. Something broken?

thanks,
mfg zmi

[Editor: modified Jan 20, 2007 - changed all less-than and greater-than characters to HTML named-entities, for example < is now &lt;]

PAM may result in multiple counts

Watching PAM lines may result in multiple counts being allotted to a single attacker, since SSH will also print failures, and so failures will be counted multiple times.

As for just getting a "watched" status - are you also saying that the host gets watched, and that count keeps going up, but it never makes it to the blocked state? After the threshold has been reached, it would go blocked, until then, it will stay in the watched state.

As for --ignore-offset, yes, that is a bug. Will be fixed in the next release [now fixed in release 1.0.5]

PAM rules in standard config?

Would be nice to see that in the standard blockhosts.cfg.

Programming-string incorrect

I think your string is wrong. Have a look at ?P<user> and ?P<host>. You only wrote ?P. I hope to solve your and my problem too.
cu Blade


Note: bare less-than and greater-than characters don't display

Note: bare less-than and greater-than characters don't display correctly in HTML text; to make them display you need to use HTML named-entities, for example for < use &lt;

same problem

Hi, I have the same problem here. I have just been put in charge of a SUSE 10.1 machine and trying to configure blockhosts for it seems to be a nightmare. I have tried the line mentioned in the original post but it doesn't work at all for me.

Now I must admit that I am completely ignorant in python regexp syntax, which of course doesn't really help.

I am using blockhosts 2.0.1 so I changed the line to not include the "re.compile" bit as it seems not to be necessary anymore. I guess we need to keep the IP bit (in case some hosts do not resolve) and add a field to get the hostname, or reconfigure PAM/sshd to not resolve the IP for the logs.

Using the --debug flag to blockhosts I get this in the log, which seems to show that the "|,*\..*" is completely ignored:

pattern to search for blocked ip: ALL: \s*(::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s* : deny

I am not quite sure what AC means by the fact that with PAM you will get more than one entry per attempt. On the system I have, only the PAM line appears in the log and nothing else.

Any help would be greatly appreciated.

Cheers

must use numeric ip address

BlockHosts does not handle host names, only numeric IP addresses will be handled, so there is no way the second wrongpass rule will work; this line:
sshd[2505]: error: PAM: Authentication failure for root from badhost.example.foo
cannot be matched by blockhosts because the host is given as a name and not as a numeric IP address.

The only rule that will work:

    "SSHD-wrongpass": r"""sshd\[(?P<pid>\d+)\]: error: PAM: Authentication failure for (?P<user>.*?) from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})""",

And you are correct, don't need the re.compile anymore in 2.0 or newer.

Finally - on most systems I looked at, the PAM lines are in addition to the lines that OpenSSH sshd server prints out - which SSHD server are you using? If OpenSSH, it must be able to print lines such as:
Jul 19 06:47:27 hostname sshd[1768]: Invalid user xxx from 10.10.58.3
Nov 15 04:57:19 hostname sshd[1668]: Illegal user yyy from ::ffff:10.6.184.165
Jul 19 06:58:23 hostname sshd[2821]: User root from 10.10.58.3 not allowed because none of user's groups are listed in AllowGroups
Apr 20 12:34:30 hostname sshd[9701]: Failed password for invalid user root from 10.21.45.30 port 35993 ssh2

all of which are processed by blockhosts. Normally, these lines are seen in /var/log/secure, therefore, there is no need to look at PAM lines.

But there may be some systems where this is not happening, would be good to get at the bottom of this....
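As an added example (not BlockHosts' own code), the numeric-only "SSHD-wrongpass" rule from this reply run beside patterns written to match the OpenSSH lines listed above, over a constructed log. The extra rule names and the non-PAM patterns are assumptions for illustration, not the rules shipped in blockhosts.cfg; re.compile is used only so the block runs as plain Python (the 2.0+ cfg takes the raw string, as the reply says):

```python
import re

# Added example, not BlockHosts' own code: the "SSHD-wrongpass" PAM rule from
# this thread beside patterns written to match the stock OpenSSH lines the
# maintainer lists. The pattern names and the sshd patterns other than
# SSHD-wrongpass are assumptions, not the shipped blockhosts.cfg rules.
# <host> captures a numeric IPv4 address only (optionally prefixed with
# ::ffff:), so a line carrying a DNS name never matches any rule.
IPV4 = r"(::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"

PATTERNS = {
    # openSUSE / Gentoo log "Authentication failure", FreeBSD logs "authentication error"
    "SSHD-wrongpass": re.compile(
        r"sshd\[(?P<pid>\d+)\]: error: PAM: [Aa]uthentication (?:failure|error) "
        r"for (?P<user>.*?) from " + IPV4),
    "SSHD-Invalid": re.compile(
        r"sshd\[(?P<pid>\d+)\]: (?:Invalid|Illegal) user (?P<user>.*?) from " + IPV4),
    "SSHD-AllowGroups": re.compile(
        r"sshd\[(?P<pid>\d+)\]: User (?P<user>.*?) from " + IPV4 + r" not allowed because"),
    "SSHD-Fail": re.compile(
        r"sshd\[(?P<pid>\d+)\]: Failed password for (?:invalid user )?(?P<user>.*?) "
        r"from " + IPV4 + r" port \d+"),
}

# Constructed sample log, modelled on the lines quoted in this thread.
SAMPLE_LOG = """\
Jan 20 10:00:01 host sshd[2505]: error: PAM: Authentication failure for root from 1.2.3.4
Jan 20 10:00:02 host sshd[2506]: error: PAM: Authentication failure for root from badhost.example.foo
Jan 20 10:00:03 host sshd[1668]: Illegal user yyy from ::ffff:10.6.184.165
Jan 20 10:00:04 host sshd[1768]: Invalid user xxx from 10.10.58.3
Jan 20 10:00:05 host sshd[2821]: User root from 10.10.58.3 not allowed because none of user's groups are listed in AllowGroups
Jan 20 10:00:06 host sshd[9701]: Failed password for invalid user root from 10.21.45.30 port 35993 ssh2
Jan 20 10:00:07 host sshd[42700]: error: PAM: authentication error for root from 211.147.17.110
Jan 20 10:00:08 host sshd[4142]: Server listening on 0.0.0.0 port 22.
""".splitlines()


def scan(lines, patterns=PATTERNS):
    """Apply the rules to each line; return ({host: failure count}, [unmatched lines]).

    A line is counted at most once, under the first rule that matches it,
    and only when <host> is a numeric address."""
    counts = {}
    unmatched = []
    for line in lines:
        for rx in patterns.values():
            m = rx.search(line)
            if m:
                host = m.group("host")
                counts[host] = counts.get(host, 0) + 1
                break
        else:
            unmatched.append(line)
    return counts, unmatched


if __name__ == "__main__":
    counts, unmatched = scan(SAMPLE_LOG)
    for host, n in sorted(counts.items()):
        print(f"{host:16} {n}")
    print("not matched by any rule:")
    for line in unmatched:
        print("  " + line)
```

Running it shows the badhost.example.foo line and the "Server listening" line left unmatched while every numeric-address line is counted, including the ::ffff:-prefixed one. Note that `\d{1,3}` only checks the shape of the address, not that each octet is below 256; for matching log lines that is fine, but do not treat the captured string as a validated address.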

only PAM lines

FreeBSD 5.5 and 6.2 with OpenSSH: only PAM lines are in the file /var/log/auth:

Apr 28 11:53:51 host sshd[38198]: Did not receive identification string from 211.147.17.110
Apr 28 11:56:16 host sshd[42700]: error: PAM: authentication error for root from 211.147.17.110
Apr 28 11:56:17 host sshd[42700]: error: PAM: authentication error for root from 211.147.17.110
Apr 28 11:58:53 host sshd[47740]: error: PAM: authentication error for root from 211.147.17.110
Apr 28 11:58:54 host sshd[47740]: error: PAM: authentication error for root from 211.147.17.110
and so on.

blockhosts on Gentoo

That's my output on Gentoo Linux with a (nearly) default sshd_config:
Jun 25 12:59:04 jutta sshd[4142]: Server listening on 0.0.0.0 port 88.
Jun 25 20:11:41 jutta sshd(pam_unix)[16720]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=xx.xx.48.5 user=krf
Jun 25 20:11:43 jutta sshd[16714]: error: PAM: Authentication failure for krf from xx.xx.48.5
Jun 25 20:11:43 jutta sshd(pam_unix)[16721]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=xx.xx.48.5 user=krf
Jun 25 20:11:46 jutta sshd[16714]: error: PAM: Authentication failure for krf from xx.xx.48.5
Jun 25 20:11:47 jutta sshd(pam_unix)[16722]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=xx.xx.48.5 user=krf
Jun 25 20:11:49 jutta sshd[16714]: error: PAM: Authentication failure for krf from xx.xx.48.5

I'm using this solution which is working fine for me:
"SSHD-wrongpass": r"""sshd\[\d+\]: error: PAM: Authentication failure for (?P<user>.*?) from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})""",
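The Gentoo log above shows two lines per failed attempt, the pam_unix "authentication failure; ... rhost=" line and sshd's "error: PAM: Authentication failure" line, which is the double counting the "PAM may result in multiple counts" reply warns about. As an added example (not BlockHosts' own code), a counter over a constructed log in that shape, with a rule for each line kind, shows the tally doubling when both rules are enabled and a host reaching the blocked state on half the real attempts. The rule names, the threshold value and the state names are assumptions modelled on this thread's "watched"/"blocked" wording, not blockhosts.cfg defaults:

```python
import re
from collections import Counter

# Added example, not BlockHosts' own code. Gentoo logs two lines per failed
# attempt, the pam_unix "authentication failure; ... rhost=" line and sshd's
# "error: PAM: Authentication failure" line. Enabling a rule for each gives
# one attacker two counts per attempt. The rule names, the threshold value
# and the state names below are assumptions modelled on this thread's
# "watched" / "blocked" wording, not the blockhosts.cfg defaults.
IPV4 = r"(?:::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"

RULES = {
    "SSHD-wrongpass": re.compile(
        r"sshd\[\d+\]: error: PAM: Authentication failure for (?P<user>.*?) from " + IPV4),
    "PAM-unix": re.compile(
        r"sshd\(pam_unix\)\[\d+\]: authentication failure; .* rhost=" + IPV4 + r" user=(?P<user>\S*)"),
}

# Constructed sample: three failed attempts from one address, in the shape of
# the Gentoo log above, plus one unrelated sshd line.
SAMPLE_LOG = """\
Jun 25 12:59:04 jutta sshd[4142]: Server listening on 0.0.0.0 port 22.
Jun 25 20:11:41 jutta sshd(pam_unix)[16720]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.5 user=krf
Jun 25 20:11:43 jutta sshd[16714]: error: PAM: Authentication failure for krf from 203.0.113.5
Jun 25 20:11:43 jutta sshd(pam_unix)[16721]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.5 user=krf
Jun 25 20:11:46 jutta sshd[16714]: error: PAM: Authentication failure for krf from 203.0.113.5
Jun 25 20:11:47 jutta sshd(pam_unix)[16722]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.5 user=krf
Jun 25 20:11:49 jutta sshd[16714]: error: PAM: Authentication failure for krf from 203.0.113.5
""".splitlines()

THRESHOLD = 5  # assumed: counts at or above this move a host from watched to blocked


def tally(lines, rule_names):
    """Count one failure per line that matches any of the named rules, keyed by host."""
    counts = Counter()
    for line in lines:
        for name in rule_names:
            m = RULES[name].search(line)
            if m:
                counts[m.group("host")] += 1
                break
    return counts


def state(count, threshold=THRESHOLD):
    """Map a per-host count onto the states this thread talks about."""
    if count >= threshold:
        return "blocked"
    if count > 0:
        return "watched"
    return "clear"


def report(lines, rule_names, threshold=THRESHOLD):
    """Return {host: (count, state)} for the given rule set."""
    return {h: (n, state(n, threshold)) for h, n in tally(lines, rule_names).items()}


if __name__ == "__main__":
    print("both rules:     ", report(SAMPLE_LOG, ["SSHD-wrongpass", "PAM-unix"]))
    print("sshd rule only: ", report(SAMPLE_LOG, ["SSHD-wrongpass"]))
```

With both rules the three attempts count as six and the host is already "blocked" at a threshold of five; with only the sshd rule it counts three and stays "watched". This is why the Gentoo poster's single-rule solution is the right shape: pick one of the two lines that every failed attempt produces and watch only that one.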

blockhosts PAM on OpenSuSe

I know this thread is a little old, but I recently noticed that PAM entries in /var/log/messages were not being used, so I added a regex to the cfg file and then found the same problem as in one of the previous messages, i.e. there are host names and not IP addresses present.

Having read this thread I added /var/log/warn to the list of files for blockhosts to analyse and now the PAM entries are being picked up without needing the regex.