BlockHosts does not work with ipop3d

BlockHosts is working well on my system. For a few days now I have been seeing pop3 attacks, and I'm getting auth.log entries like this:

Aug 18 16:27:36 hostname ipop3d[2540]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=10.3.32.17 user=username
Aug 18 16:27:38 hostname ipop3d[2540]: Login failed user=username auth=username host=badhostname [10.3.32.17]

I inserted the following lines into ALL_REGEXS:

# IPOP3D -----------------------
"POP-Fail": re.compile(r"""ipop3d\[(?P<pid>\d+)\]: Login failed.* \[(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\]"""),

blockhosts.py --debug gives:

Using ALL_REGEXS: {<snip> 'POP-Fail': <_sre.SRE_Pattern object at 0x8198fb8>, <snip>}

So far, so good. My problem is that blockhosts.py does not regard the ipop3d entries in auth.log, and I can't find the mistake.

works fine.

I just tested the above, and it works fine. Running with debug, here's what I got:


....
... In increment host, created host entry 10.3.32.17
found failed access for POP-Fail , IP-pid: 10.3.32.17-2540
...

Use the exact log line you have above, and the exact regexp also.

To test, here's a sample run: create a file called "testlog" with the log lines (with correct lines; watch the end-of-line breaks), then edit blockhosts.py (or the .cfg file, as needed) to add your regexp, and then test it:

./blockhosts.py --dry-run --logfiles=testlog --debug
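
An added example, not part of either post and not BlockHosts code: it runs the POP-Fail pattern from the question over the two quoted auth.log lines, and over a constructed copy in which the second line has been wrapped before the bracketed IP, the end-of-line problem the reply warns about. The helper names are hypothetical, and line-by-line search() is an assumption about how the pattern is applied.

```python
import re

# Pattern copied from the question above.
ALL_REGEXS = {
    "POP-Fail": re.compile(
        r"""ipop3d\[(?P<pid>\d+)\]: Login failed.* \[(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\]"""
    ),
}

# The two auth.log lines quoted in the question, one entry per line.
SAMPLE_LOG = (
    "Aug 18 16:27:36 hostname ipop3d[2540]: (pam_unix) authentication failure; "
    "logname= uid=0 euid=0 tty= ruser= rhost=10.3.32.17 user=username\n"
    "Aug 18 16:27:38 hostname ipop3d[2540]: Login failed user=username "
    "auth=username host=badhostname [10.3.32.17]\n"
)

# Constructed: the same text after copy/paste wrapped the second entry
# just before the bracketed IP address.
WRAPPED_LOG = SAMPLE_LOG.replace("host=badhostname [", "host=badhostname\n[")


def find_failures(text, regexs=ALL_REGEXS):
    """Return (rule, host, pid) for every line that a pattern matches."""
    hits = []
    for line in text.splitlines():
        for name, regex in regexs.items():
            m = regex.search(line)  # assumption: applied per line with search()
            if m:
                hits.append((name, m.group("host"), m.group("pid")))
    return hits


def unmatched_ipop3d_lines(text, regexs=ALL_REGEXS):
    """ipop3d lines that no pattern matched: uncovered or broken entries."""
    return [
        line for line in text.splitlines()
        if "ipop3d[" in line
        and not any(r.search(line) for r in regexs.values())
    ]


if __name__ == "__main__":
    for label, text in (("intact", SAMPLE_LOG), ("wrapped", WRAPPED_LOG)):
        print(label, "hits:", find_failures(text))
        for line in unmatched_ipop3d_lines(text):
            print("  unmatched:", line)
```

On the intact log only the "Login failed" entry matches; the pam_unix entry is not covered by POP-Fail, and the wrapped copy produces no hit at all.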