ACZoom  ·  Archive-2016

this is the output of "blockhosts.py --debug"! i can't see any problems. i think, there is everything ok! but there is no blocking of ip's! how can i test it and what is todo?

---

blockhosts 2.3.1 started: 2008-03-17 23:06:11 CET
Debug mode enabled.
Got config and options: Configuration: {'AGE_THRESHOLD': 12, 'NOTIFY_ADDRESS': 'xyz@xyz.de', 'SENDER_ADDRESS': 'BlockHosts ', 'VERBOSE': 1, 'HOSTS_BLOCKFILE': '/etc/hosts.allow', 'LOAD_ONLY': False, 'SMTP_USER': '', 'ALL_REGEXS': {'proftpd-NoPassword': '{LOG_PREFIX{proftpd}} [^[]+\\[{HOST_IP}.+Login failed', 'vsftpd-FailSyslog': '{LOG_PREFIX{vsftpd}} .* FAIL LOGIN: Client "{HOST_IP}"$', 'sshd-Invalid': '{LOG_PREFIX{sshd}} (Invalid|Illegal) user .* from {HOST_IP}', 'proftpd-SecurityViolation': '{LOG_PREFIX{proftpd}} [^[]+\\[{HOST_IP}.+SECURITY VIOLATION', 'dovecot-LoginFail': '{LOG_PREFIX{pop3-login}} Aborted login \\[{HOST_IP}]', 'proftpd-NoUser': '{LOG_PREFIX{proftpd}} [^[]+\\[{HOST_IP}.+no such user', 'ipop3d-Fail': '{LOG_PREFIX{ipop3d}} Login failed .* \\[{HOST_IP}]', 'postfix-smtpd550': '{LOG_PREFIX{postfix/smtpd}} NOQUEUE: reject: RCPT from .*?\\[{HOST_IP}]: 550 5.1.1 : Recipient address rejected: User unknown in virtual alias table;', 'sshd-Fail': '{LOG_PREFIX{sshd}} Failed .*? for (invalid user |illegal user )?.* from {HOST_IP}', 'postfix-smtpdInvalidId': '{LOG_PREFIX{postfix/smtpd}} warning: unknown\\[{HOST_IP}]: SASL (LOGIN) authentication failed: authentication failure$', 'pure-ftpd-Fail': '{LOG_PREFIX{pure-ftpd}} \\(\\?@{HOST_IP}\\) \\[WARNING] Authentication failed', 'sshd-NotAllowed': "{LOG_PREFIX{sshd}} User .* from {HOST_IP} not allowed because none of user\\'s groups are listed in AllowGroups$", 'ftpd-Solaris': '{LOG_PREFIX{ftpd}} failed login from .* \\[{HOST_IP}],', 'qpopper-Fail': '{LOG_PREFIX{qpopper}} .* \\({HOST_IP}\\): -ERR \\[AUTH] Password supplied ', 'postfix-smtpdInvalidHostname': '{LOG_PREFIX{postfix/smtpd}} warning: {HOST_IP}: address not listed for hostname ', 'vsftpd-FailVsftpd': '... ... .?\\d \\d\\d:\\d\\d:\\d\\d \\d{4} .* FAIL LOGIN: Client "{HOST_IP}"$', 'postfix-smtpdServiceUnknown': '{LOG_PREFIX{postfix/smtpd}} warning: {HOST_IP}: hostname .* verification failed: Name or service not known$', 'postfix-smtpdNonSMTPCommand': '{LOG_PREFIX{postfix/smtpd}} warning: non-SMTP command from .*\\[{HOST_IP}]: Subject:'}, 'SMTP_SERVER': 'localhost', 'COUNT_THRESHOLD': 3, 'LOGFILES': ['/var/log/auth.log'], 'BLACKLIST': (), 'ENABLE_RULES': '(sshd|.*ftpd).*', 'CONFIGFILE': '/etc/blockhosts.cfg', 'SMTP_PASSWD': '', 'HOST_BLOCKLINE': ['ALL: ', ' : deny'], 'MAIL': True, 'LOCKFILE': '/tmp/blockhosts.lock', 'WHITELIST': ('127.0.0.1',), 'IPBLOCK': 'iptables'}
Options: {'notify_address': 'xyz@xyz.de', 'blockline': ['ALL: ', ' : deny'], 'blockcount': 3, 'verbose': 4, 'dry_run': False, 'load_only': False, 'whitelist': '127.0.0.1', 'logfiles': '/var/log/auth.log', 'mail': True, 'echo': '', 'blacklist': '', 'enable_rules': '(sshd|.*ftpd).*', 'configfile': '/etc/blockhosts.cfg', 'blockfile': '/etc/hosts.allow', 'ignore_offset': False, 'discard': 12, 'lockfile': '/tmp/blockhosts.lock', 'check_ip': '', 'ipblock': 'iptables'}
File lock obtained '/tmp/blockhosts.lock' for excluding other instances
{HOST_IP} matched using this re: (::ffff:)?(?P(25[0-5]|2[0-4]\d|[01]?\d\d?)(\.(25[0-5]|2[0-4]\d|[01]?\d\d?)){3})
pattern to search for blocked ip: ALL: \s*(::ffff:)?(?P(25[0-5]|2[0-4]\d|[01]?\d\d?)(\.(25[0-5]|2[0-4]\d|[01]?\d\d?)){3})\s* : deny
... load blockfile: /etc/hosts.allow
... seen all state 1 lines, now inside blockhosts markers at offset 704
2: found logfile name line: /var/log/auth.log
... loaded /etc/hosts.allow, starting counts: blocked 0, watched 0
block-file: Got initial watched hosts data:
{}
-------------------
block-file: Got remaining lines:
['\n', '# ----------------------------------------\n', '# finally, the command to execute the blockhosts script, based on\n', '# connection to particular service or services: \n', '\n', 'sshd: ALL: spawn (/usr/bin/blockhosts.py --verbose --mail --ipblock=iptables --echo "%c-%s" --check-ip "%h" >> /var/log/blockhosts.log 2>&1 )& : allow\n', '#sshd: ALL: spawn (/usr/bin/blockhosts.py --verbose --echo "%c-%s" >> /var/log/blockhosts.log 2>&1 )& : allow\n', '\n', '#---\n', '# add --iproute to enable null-routing, or add --iptables to enable packet\n', '# filtering, which blocks all network communication from blocked hosts\n', '#---\n', '# remove >> /var/log/blockhosts.log 2>&1 if no logging to blockhosts.log\n', '# is needed - without this, it will still log to syslog (minimally)\n', '#sshd: ALL: spawn /usr/bin/blockhosts.py --verbose --echo "%c-%s" & : allow\n', '#---\n', '# above commands will use default config file - /etc/blockhosts.cfg, edit\n', '# it as needed to specify local configuration options \n', ' \n', '# See "man hosts.allow" for info on %c and %s identifiers \n', ' \n', '# for non-verbose, with identification, to syslog only (/var/log/messages),\n', '# triggered on any service (using ALL as first word):\n', '#ALL: ALL: spawn /usr/bin/blockhosts.py --echo "%c-%s" & : allow\n', '#----\n', '# To test hosts.allow, and to find out exact names of SSH/FTP services,\n', '# add this line to the beginning of hosts.allow, use ssh/ftp to connect\n', '# to your server, and then look at the log (/var/log/messages or\n', '# blockhosts.log) to see the name of the invoked service.\n', '# IMPORTANT: after your test is done, remove this line from hosts.allow!\n', '# Otherwise everyone will always have access.\n', '#ALL : ALL: spawn (/usr/bin/blockhosts.py --verbose --echo "%c-%s" >> /var/log/blockhosts.log 2>&1 )& : allow \n', ' \n', '# -------------------------------------------------------------------------\n']
-------------------
... enabled (+) and disabled (-) patterns:
+ proftpd-NoPassword ^((\w\w\w .?\d \d\d:\d\d:\d\d (([^[:\]]+ )|(\[))proftpd((\[(?P\d+)]:?)|(])|:)( \[ID [^[:\]]+])?)|(@[\d\w]+)) [^[]+\[(::ffff:)?(?P(25[0-5]|2[0-4]\d|[01]?\d\d?)(\.(25[0-5]|2[0-4]\d|[01]?\d\d?)){3}).+Login failed
+ vsftpd-FailSyslog ^((\w\w\w .?\d \d\d:\d\d:\d\d (([^[:\]]+ )|(\[))vsftpd((\[(?P\d+)]:?)|(])|:)( \[ID [^[:\]]+])?)|(@[\d\w]+)) .* FAIL LOGIN: Client "(::ffff:)?(?P(25[0-5]|2[0-4]\d|[01]?\d\d?)(\.(25[0-5]|2[0-4]\d|[01]?\d\d?)){3})"$
+ sshd-Invalid ^((\w\w\w .?\d \d\d:\d\d:\d\d (([^[:\]]+ )|(\[))sshd((\[(?P\d+)]:?)|(])|:)( \[ID [^[:\]]+])?)|(@[\d\w]+)) (Invalid|Illegal) user .* from (::ffff:)?(?P(25[0-5]|2[0-4]\d|[01]?\d\d?)(\.(25[0-5]|2[0-4]\d|[01]?\d\d?)){3})
+ proftpd-SecurityViolation ^((\w\w\w .?\d \d\d:\d\d:\d\d (([^[:\]]+ )|(\[))proftpd((\[(?P\d+)]:?)|(])|:)( \[ID [^[:\]]+])?)|(@[\d\w]+)) [^[]+\[(::ffff:)?(?P(25[0-5]|2[0-4]\d|[01]?\d\d?)(\.(25[0-5]|2[0-4]\d|[01]?\d\d?)){3}).+SECURITY VIOLATION
- dovecot-LoginFail
+ proftpd-NoUser ^((\w\w\w .?\d \d\d:\d\d:\d\d (([^[:\]]+ )|(\[))proftpd((\[(?P\d+)]:?)|(])|:)( \[ID [^[:\]]+])?)|(@[\d\w]+)) [^[]+\[(::ffff:)?(?P(25[0-5]|2[0-4]\d|[01]?\d\d?)(\.(25[0-5]|2[0-4]\d|[01]?\d\d?)){3}).+no such user
- ipop3d-Fail
- postfix-smtpd550
+ sshd-Fail ^((\w\w\w .?\d \d\d:\d\d:\d\d (([^[:\]]+ )|(\[))sshd((\[(?P\d+)]:?)|(])|:)( \[ID [^[:\]]+])?)|(@[\d\w]+)) Failed .*? for (invalid user |illegal user )?.* from (::ffff:)?(?P(25[0-5]|2[0-4]\d|[01]?\d\d?)(\.(25[0-5]|2[0-4]\d|[01]?\d\d?)){3})
- postfix-smtpdInvalidId
+ pure-ftpd-Fail ^((\w\w\w .?\d \d\d:\d\d:\d\d (([^[:\]]+ )|(\[))pure\-ftpd((\[(?P\d+)]:?)|(])|:)( \[ID [^[:\]]+])?)|(@[\d\w]+)) \(\?@(::ffff:)?(?P(25[0-5]|2[0-4]\d|[01]?\d\d?)(\.(25[0-5]|2[0-4]\d|[01]?\d\d?)){3})\) \[WARNING] Authentication failed
+ sshd-NotAllowed ^((\w\w\w .?\d \d\d:\d\d:\d\d (([^[:\]]+ )|(\[))sshd((\[(?P\d+)]:?)|(])|:)( \[ID [^[:\]]+])?)|(@[\d\w]+)) User .* from (::ffff:)?(?P(25[0-5]|2[0-4]\d|[01]?\d\d?)(\.(25[0-5]|2[0-4]\d|[01]?\d\d?)){3}) not allowed because none of user\'s groups are listed in AllowGroups$
+ ftpd-Solaris ^((\w\w\w .?\d \d\d:\d\d:\d\d (([^[:\]]+ )|(\[))ftpd((\[(?P\d+)]:?)|(])|:)( \[ID [^[:\]]+])?)|(@[\d\w]+)) failed login from .* \[(::ffff:)?(?P(25[0-5]|2[0-4]\d|[01]?\d\d?)(\.(25[0-5]|2[0-4]\d|[01]?\d\d?)){3})],
- qpopper-Fail
- postfix-smtpdInvalidHostname
+ vsftpd-FailVsftpd ... ... .?\d \d\d:\d\d:\d\d \d{4} .* FAIL LOGIN: Client "(::ffff:)?(?P(25[0-5]|2[0-4]\d|[01]?\d\d?)(\.(25[0-5]|2[0-4]\d|[01]?\d\d?)){3})"$
- postfix-smtpdServiceUnknown
- postfix-smtpdNonSMTPCommand
------- looking into log file: /var/log/auth.log
SystemLog open:
first_line: 'Mar 16 06:47:04 ultrabrain CRON[27489]: (pam_unix) session closed for user root'
file length: 137615
... loading log file /var/log/auth.log, offset: 137535
------- finished looking into log file: /var/log/auth.log
------- collecting block file updates ---
calling hosts filter >
... discarding all host entries older than 2008-03-17 11:06:11 CET
calling hosts filter >
calling hosts filter >
calling hosts filter >
add_blocked_blacklist: testing ip: ''
calling hosts filter >
------- writing final blocked/watched list ---
Collecting watched_hosts counts info for block-file
Collecting log file offset info for block-file
... final counts: blocked 0, watched 0
Running: iptables --new blockhosts
returned waitstatus: 256
output: iptables: Chain already exists
... user-defined chain blockhosts already exists, or error occurred
Running: iptables --list INPUT --numeric
returned waitstatus: 0
output: Chain INPUT (policy DROP)
target prot opt source destination
DROP tcp -- 0.0.0.0/0 127.0.0.0/8
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 224.0.0.0/4 0.0.0.0/0
PUB_IN all -- 0.0.0.0/0 0.0.0.0/0
PUB_IN all -- 0.0.0.0/0 0.0.0.0/0
PUB_IN all -- 0.0.0.0/0 0.0.0.0/0
PUB_IN all -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0/0
blockhosts all -- 0.0.0.0/0 0.0.0.0/0
pattern to search for INPUT chain jump: blockhosts.+?0.0.0.0
jump rule from INPUT to blockhosts chain exists
Running: iptables --list blockhosts --numeric
returned waitstatus: 0
output: Chain blockhosts (1 references)
target prot opt source destination
pattern to search for iptables blocked ip: DROP.+?(::ffff:)?(?P(25[0-5]|2[0-4]\d|[01]?\d\d?)(\.(25[0-5]|2[0-4]\d|[01]?\d\d?)){3})\s+
... no email to send.

---