Some failed SSH Login attempts not being picked up

The following auth.log line wasn't being picked up by the current sshd regexes:

    sshd[5603]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.144.228.80

Here is the regex that seemed to take care of it: (this probably picks up the lines that the other regex does too.. But BlockHosts only adds one count per PID so you don't have to worry about doubles)

    sshd\[(?P<pid>\d+)\]: \(pam_unix\) authentication failure; logname= uid=[0-9]+ euid=[0-9]+ tty=ssh ruser= rhost=(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})

PAM authentication failure not being picked up.

Hi,
I'm running RHEL4 and am authenticating via PAM to LDAP. The following error occurs but BlockHosts is not picking it up:

    Aug 7 13:04:15 www-usr sshd(pam_unix)[26124]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.99.3.99 user=jdoe

Using existing posts I've come up with this, but it still doesn't work:

    "SSHD-PamFailv2": re.compile(r"""sshd\[\d+\]: \(pam_unix\) authentication failure; logname= uid=[0-9]+ euidi=[0-9]+ tty=ssh ruser= rhosts=(::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|.*)"""),

Can anybody help me out and write a new one? Thanks.

Try this

It still seems strange why SSH is not looking the other lines it logs.

But if you can't see anything else in any other log file, here's the pattern that will catch above log lines - add re.compile( ) if using older version of blockhosts, but newer (2.0.5+) can understand this

    "SSHD-PamFail": r"""^[^[]+?sshd\(pam_unix\)\[\d+\]: authentication failure; .* rhost=(::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})""",