HomeForumsBlockHosts

Cannot block new string

Thu, 2007–Sep–20

Hi

Ive been randomly getting this msg below. from same ip any idea on how to setup my script in blockhosts.cfg ? to detect after 5 times to block this ip?

Sep 21 09:27:59 server sshd[2812]: Received disconnect from 203.146.249.191: 11: Bye Bye

‹ iptables and whitelist postfix/smtpd protection ›
Fri, 2007-09-21 06:59 — ac

other messages also seen?

At least in all the examples I've seen, the Bye Bye line is always preceeded by a Failed password line, for example:
Failed password for invalid user sales from 203.146.249.191 port 57590 ssh2

Therefore, it is not necessary to block hosts based on the bye bye line, they will be caught by some other more appropriate line that clearly indicates a failure.

If you do wish to block based on the Bye line, then a new pattern should be added to /etc/blockhosts.cfg

Fri, 2007-09-21 19:47 — Anonymous (not verified)

Cannot block new string

Any idea how to write this bye bye pattern?

Sun, 2007-09-30 16:30 — ac

pattern

    "SSHD-ByeBye":"""^[^[]+?sshd\[\d+\]: Received disconnect from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}): \d+: Bye Bye$"""

But it really should not be necessary to use the above rule - since the Bye Bye line is always preceeded by a Failed password line - which is already matched by blockhosts.cfg.