blockhosts with Solaris 10

Has anyone else had experience with blockhosts on Solaris 10? I tried it last October and, with the help of Avinash Chopde, I was able to get blockhosts to work with ssh logins. At first it only worked (blocked) with invalid usernames but didn't work with a valid user and a bad password. I used the same instructions from Avinash for the SSHD-Fail rule and got that one to work too. It seems the problem is that the Solaris log looks like this:
sshd[1110]: [ID 800047 auth.info]
which has this extra [ID 800047 auth.info], so Avinash showed me how to add .*? after the colon.

Now I would like to get this working for ftpd too, but I see that the Solaris logfile may be significantly different from any of the sample ftp items included in blockhosts.cfg. Unfortunately I know very little about regexps and don't know how to create my own. For a good user/bad password and for a bad user, my logfile looks like this:

Mar 23 15:31:53 ultra20.comcast.net sshd[1069]: [ID 800047 auth.notice] Failed none for foobar from 192.168.102.34 port 49437 ssh2
Mar 23 15:31:54 ultra20.comcast.net sshd[1069]: [ID 800047 auth.info] Keyboard-interactive (PAM) userauth failed[9] while authenticating: Authentication failed
Mar 23 15:31:54 ultra20.comcast.net sshd[1069]: [ID 800047 auth.notice] Failed keyboard-interactive for foobar from 192.168.102.34 port 49437 ssh2

Mar 23 15:33:05 ultra20.comcast.net sshd[1079]: [ID 800047 auth.info] Illegal user foobarbad from 192.168.102.34
Mar 23 15:33:05 ultra20.comcast.net sshd[1079]: [ID 800047 auth.info] input_userauth_request: illegal user foobarbad
Mar 23 15:33:05 ultra20.comcast.net sshd[1079]: [ID 800047 auth.info] Failed none for from 192.168.102.34 port 49446 ssh2
Mar 23 15:33:07 ultra20.comcast.net sshd[1079]: [ID 219349 auth.debug] pam_unix_auth: user foobarbad not found
Mar 23 15:33:07 ultra20.comcast.net sshd[1079]: [ID 800047 auth.info] Keyboard-interactive (PAM) userauth failed[13] while authenticating: No account present for user
Mar 23 15:33:07 ultra20.comcast.net sshd[1079]: [ID 800047 auth.info] Failed keyboard-interactive for from 192.168.102.34 port 49446 ssh2

I was hoping that maybe my log would be similar enough that I could tamper with one of the examples but it seems beyond me. Has anyone done this for Solaris 10 (or any other Solaris)?

where are the ftpd lines?

All the log lines in the post above are sshd - don't see any for ftpd, so can't help with regexp.

As for the sshd lines, the latest version of blockhosts - 2.0.1 - includes the changes to help catch Solaris sshd failures also (SSHD-Invalid rule updated).

Blockhosts with Solaris 10

That's embarrassing. I cut and pasted the wrong lines. Here are the ftpd lines. This first one is with an invalid user
Mar 23 16:52:51 ultra20.comcast.net ftpd[1322]: [ID 122736 daemon.info] failed login from 192.168.102.34 [192.168.102.34], [unknown]
and this one is with a valid user but bad password
Mar 23 16:53:04 ultra20.comcast.net ftpd[1323]: [ID 122736 daemon.info] failed login from 192.168.102.34 [192.168.102.34], foobar

rule for solaris ftpd failures

Based on above log lines, here's a pattern that might work - not tested yet!

    "Solaris-ftpd": r"""ftpd\[(?P<pid>\d+)\].*? failed login from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})""",

Blockhosts with Solaris 10

Thanks but now it seems I have even bigger problems. In your previous message you mentioned the latest version 2.0.1. I thought I already had that until I checked and found I had 1.4.0. I see from the version history that the very next one was the one with that extra .*? that you had helped me with last October. Anyway, I downloaded and installed the latest 2.0.1 version. I edited the blockhosts.cfg file and found that blockhosts is not happy. I went back to the default blockhosts.cfg that came with this 2.0.1 and tried running blockhosts.py --verbose --dry-run and that was ok. I started editing one item at a time in the cfg file and running the command again. When I added LOCKFILE = "/tmp/blockhosts.lock" I got an error about an invalid/unneeded definition. Most of the other items were ok until I uncommented the SSHD regexs. Then blockhosts was unhappy with AGE_THRESHOLD, COUNT_THRESHOLD, LOGFILES. Even just blockhosts.py --help gave this:
bash-3.00# blockhosts.py --help
Traceback (most recent call last):
File "/usr/sfw/bin/blockhosts.py", line 302, in _load_configfile
filedata.read(configfile)
File "/usr/sfw/lib/python2.5/ConfigParser.py", line 267, in read
self._read(fp, filename)
File "/usr/sfw/lib/python2.5/ConfigParser.py", line 490, in _read
raise e
ParsingError: File contains parsing errors: /etc/blockhosts.cfg
[line 119]: ' "SSHD-Invalid": r"""sshd\\[(?P\\d+)\\]:.*?(Invalid|Illegal) user (?P.*?) from (::ffff:)?(?P\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})""",\n'
[line 121]: ' "SSHD-NotAllowed": r"""sshd\\[(?P\\d+)\\]: User (?P.*?) from (::ffff:)?(?P\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}) not allowed""",\n'
[line 123]: ' "SSHD-Fail": r"""sshd\\[(?P\\d+)\\]:.*?Failed (?P.*?) for (?Pinvalid user |illegal user )?(?P.*?) from (::ffff:)?(?P\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})""",\n'
ERROR: exiting: Error reading config file: File contains parsing errors: /etc/blockhosts.cfg
[line 119]: ' "SSHD-Invalid": r"""sshd\\[(?P\\d+)\\]:.*?(Invalid|Illegal) user (?P.*?) from (::ffff:)?(?P\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})""",\n'
[line 121]: ' "SSHD-NotAllowed": r"""sshd\\[(?P\\d+)\\]: User (?P.*?) from (::ffff:)?(?P\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}) not allowed""",\n'
[line 123]: ' "SSHD-Fail": r"""sshd\\[(?P\\d+)\\]:.*?Failed (?P.*?) for (?Pinvalid user |illegal user )?(?P.*?) from (::ffff:)?(?P\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})""",\n'
bash-3.00#

In the installation requirements I see that Python has to be 2.3 or higher and I have 2.5.

one bug...

1) LOCKFILE not being recognized in config file is a bug, will be fixed in the next release. If you do need to use it, move that line into the [blockhosts] section, instead of the [common] section, it will work then in the config file. Or, use the --lockfile command line option.

2) The regexs do work - here are the minimum three lines that need to be uncommented:
line 117:

ALL_REGEXS_STR = {

then one or more of the lines containing the pattern
and finally line 139:

    }

Blockhosts with Solaris 10

Now I feel silly. I see I forgot to uncomment the ALL_REGEXS_STR = { line. I fixed that and now blockhosts seems to work. I even added that solaris-ftpd line you provided and it actually works. blockhosts picked up my bogus ftp test from the logfile. The only problem is that it appears that the Solaris ftpd doesn't go through tcp_wrappers. Even though the deny address is in hosts.deny, ftp is still allowed from the blocked ip but ssh is blocked. I guess I am going to have to talk to a Solaris guru at work about this one.

Thanks for your help. At this point I guess this item is finished. Your blockhosts works great. I just have to find out what mechanism controls ftp in Solaris.

another option - use TCP/IP level blocking

If you have time to experiment, try the --iproute or --iptables option - those block all network communication, so would not need ftpd to run under TCPWRAPPERs.

But - this has not been tested on Solaris, so don't know if the ip route command or the iptables command is supported, or works the way it is called by BlockHosts.

Blockhosts with Solaris 10

I was thinking about that but am not sure that it would work. Solaris uses ipfilter instead of iptables which leaves me only --iproute? Please correct me if I am wrong but aren't there two important steps in the operation of BlockHosts?
1. hosts.deny has to spawn the blockhosts.py
2. deny is put in hosts.deny or the --iproute is used
Even if the --iproute option is used to block all traffic, wouldn't step 1 still be required to trigger the process? Because in Solaris the ftpd seems not to be part of TCPWRAPPERs, step 1 is never done and BlockHosts would never have the chance to block anything. I didn't try the --iproute experiment, but I did try a bunch of bogus ftp login attempts followed by an ssh login. None of the ftp attempts triggered BlockHosts and the blockhosts.log was empty. With the ssh login, BlockHosts was run and it picked up all those bogus ftp attempts. So, even if the --iproute option could block all net traffic from the enemy address, it would only work if that enemy also happened to try an ssh login too?

Blockhosts with Solaris 10

With a little Googling, the problem is solved. I learned that by default, TCP WRAPPERS is not enabled for inetd based services like ftp. I enabled TCP WRAPPERS on my system and got BlockHosts to work with one little change. In hosts.deny I had to change to in.ftpd so the BlockHosts line looks like this
sshd, in.ftpd: ALL: spawn /usr/sfw/bin/blockhosts.py --verbose --echo "%c-%s" >> /var/log/blockhosts.log 2>&1 & : allow
Now BlockHosts was able to catch and block my test bogus ftp login. Thanks for all your help.

Blockhosts with Solaris 10

Blockhosts has been working nicely with Solaris 10. After looking at the log files I see that hosts are getting blocked but I also see a new problem. The first hack attempts I saw looked like this with numeric addresses

Apr 16 13:04:45 ultra20.comcast.net in.ftpd[10396]: [ID 927837 daemon.info] connect from 62.141.33.181
Apr 16 13:04:45 ultra20.comcast.net ftpd[10396]: [ID 122736 daemon.info] failed login from 62.141.33.181 [62.141.33.181], [unknown]

This blockhosts.cfg line was the one you provided and which worked

"Solaris-ftpd": r"""ftpd\[(?P<pid>\d+)\].*? failed login from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})""",

There are some attempts that show a text address like this

Apr 16 17:01:19 ultra20.comcast.net in.ftpd[18088]: [ID 927837 daemon.info] connect from aa2003050453007.userreverse.dion.ne.jp
Apr 16 17:01:19 ultra20.comcast.net ftpd[18088]: [ID 122736 daemon.info] failed login from aa2003050453007.userreverse.dion.ne.jp [211.5.66.54], [unknown]

These don't get picked up by blockhosts so they continue to hammer.

Is it just a matter of using different expression in blockhosts.cfg or is it more complicated than that?

updated pattern

Given that the square brackets contain the numeric IP address, the regular expression needs to skip the first part that can be a hostname. Here's the updated pattern:

    "Solaris-ftpd": r"""ftpd\[\d+\].*? failed login from .*? \[(::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\],"""

BlockHosts can only deal with numeric IP addresses.

In this pattern, I also removed the (?P<pid>...) group since it is not necessary in this case (and in most cases).
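
To make the two regex points in this thread concrete (the `.*?` that skips the Solaris `[ID nnnnnn facility.level]` tag after `sshd[pid]:`, and the ftpd rule that takes the address from the square brackets rather than from the first field), here is an added example. It is my own code, not part of blockhosts or of any post above. The sample lines are copied from this thread; the group names `pid`, `method` and `user` are my own choice; and `tally_failures`/`offenders` are a simplified stand-in for blockhosts' own counting against COUNT_THRESHOLD, not the project's implementation.

```python
import re
from collections import Counter

# Constructed sample input: lines copied from the Solaris 10 logs quoted in this
# thread (a valid user with a bad ssh password, an illegal ssh user, an ftpd
# failure with a numeric peer, and an ftpd failure whose first field is a
# reverse-resolved hostname).
SAMPLE_LOG = [
    "Mar 23 15:31:54 ultra20.comcast.net sshd[1069]: [ID 800047 auth.notice] "
    "Failed keyboard-interactive for foobar from 192.168.102.34 port 49437 ssh2",
    "Mar 23 15:33:05 ultra20.comcast.net sshd[1079]: [ID 800047 auth.info] "
    "Illegal user foobarbad from 192.168.102.34",
    "Apr 16 13:04:45 ultra20.comcast.net in.ftpd[10396]: [ID 927837 daemon.info] "
    "connect from 62.141.33.181",
    "Apr 16 13:04:45 ultra20.comcast.net ftpd[10396]: [ID 122736 daemon.info] "
    "failed login from 62.141.33.181 [62.141.33.181], [unknown]",
    "Apr 16 17:01:19 ultra20.comcast.net ftpd[18088]: [ID 122736 daemon.info] "
    "failed login from aa2003050453007.userreverse.dion.ne.jp [211.5.66.54], [unknown]",
]

# Dotted-quad capture shared by every rule; "::ffff:" covers IPv4-mapped peers.
IPV4 = r"(::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"

# Linux-style rules: nothing is expected between "sshd[pid]:" and the message,
# and the ftpd address is read straight after "failed login from".
PATTERNS_LINUX_STYLE = {
    "SSHD-Fail": r"sshd\[(?P<pid>\d+)\]: Failed (?P<method>.*?) for (?P<user>.*?) from " + IPV4,
    "SSHD-Invalid": r"sshd\[(?P<pid>\d+)\]: (Invalid|Illegal) user (?P<user>.*?) from " + IPV4,
    "Solaris-ftpd": r"ftpd\[\d+\].*? failed login from " + IPV4,
}

# Solaris-aware rules: ".*?" skips the "[ID nnnnnn facility.level]" tag that
# Solaris syslog inserts after the colon, and the ftpd rule takes the address
# from the square brackets, which are numeric even when the first field is a
# hostname (blockhosts only handles numeric addresses).
PATTERNS_SOLARIS = {
    "SSHD-Fail": r"sshd\[(?P<pid>\d+)\]:.*?Failed (?P<method>.*?) for (?P<user>.*?) from " + IPV4,
    "SSHD-Invalid": r"sshd\[(?P<pid>\d+)\]:.*?(Invalid|Illegal) user (?P<user>.*?) from " + IPV4,
    "Solaris-ftpd": r"ftpd\[\d+\].*? failed login from .*? \[" + IPV4 + r"\],",
}


def match_failure(line, patterns):
    """Return (rule_name, host) for the first rule that matches LINE, else None."""
    for name, pattern in patterns.items():
        m = re.search(pattern, line)
        if m:
            return name, m.group("host")
    return None


def tally_failures(lines, patterns):
    """Count matched failures per offending host (what gets compared with COUNT_THRESHOLD)."""
    counts = Counter()
    for line in lines:
        hit = match_failure(line, patterns)
        if hit:
            counts[hit[1]] += 1
    return dict(counts)


def offenders(lines, patterns, count_threshold):
    """Hosts whose failure count reached COUNT_THRESHOLD, sorted for stable output."""
    tally = tally_failures(lines, patterns)
    return sorted(host for host, n in tally.items() if n >= count_threshold)


if __name__ == "__main__":
    for label, patterns in (("linux-style", PATTERNS_LINUX_STYLE), ("solaris", PATTERNS_SOLARIS)):
        print(label, tally_failures(SAMPLE_LOG, patterns))
        for line in SAMPLE_LOG:
            print("  ", match_failure(line, patterns), "<-", line.split("] ", 1)[-1])
```

Run against the five lines, the Linux-style rules see only the single ftpd failure with a numeric first field; the Solaris rules pick up both sshd lines (two strikes against 192.168.102.34), the numeric ftpd failure, and the hostname-form ftpd failure as 211.5.66.54. The `connect from` line from in.ftpd is matched by neither, which is correct: it is a connection, not a failed login.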

blockhosts with Solaris 10

It is a success. I tried it last week and Blockhosts crashed. I discovered that when I had copied your latest pattern, the browser had mangled the text. After copying the pattern in another browser, Blockhosts works. After a few days I have had a chance to watch for both numeric and text addresses and tonight I see that both kinds were blocked.

A summary for Solaris 10
1. use your latest pattern string in blockhosts.cfg
2. enable TCPWRAPPERS which is by default turned off

If anyone is interested, I can write more detail about how to turn on TCPWRAPPERS and how to tamper with the Solaris logging so that the appropriate messages go to /var/adm/authlog allowing for Blockhosts to see the failed login attempts

How to log failed ssh logins to syslog?

Hello Damon,

Could you please explain, how to:

1) Make Solaris 10 log failed ssh logins to syslog (my Solaris 10 on SPARC won't do it)
2) Enable TCPWRAPPERS

Best Regards,
Leon