I admit it regex has never been my strong side. What I would like to match is the following
Nov 20 21:55:30 zummer sshd[21198]: error: PAM: User not known to the underlying authentication module for root from 59.6.185.37
Nov 20 21:56:30 zummer sshd[21207]: error: PAM: User not known to the underlying authentication module for root from 61.155.105.62
I'v had a lot of these lately and even though the attempt dont constitute any risk (no root login on this box) I think the attacker has demonstrated his intention. So I tried to build a new pattern like this:
"sshd-NotKnown":
r'{LOG_PREFIX{sshd}} User not known to the underlying authentication module for .* from {HOST_IP}',
but to no avail. Blockhost does not detect the attach.
What am I doing wrong?
Travel Travel reports, it is all about food
Montreal: Schwartz's, Le Petit Alep
Albums: Pictures and some notes
ITRANS Song Book Hindi, Urdu, Marathi song lyrics
Online ITRANS Web Interface
BlockHosts block hosts
BlockHosts FAQ
BlockHosts Forum
CD Inserts & Envelopes Web Interface
Nisha Ganatra's Films
Cake: starring Heather Graham
Email: avinash@aczoom.com
Copyright © 1995-2016 Avinash Chopde, avinash@aczoom.com
Initial string needed
Probably this will work - need to include text after the prefix, and also good to have a $ at end:
"sshd-NotKnown": r'{LOG_PREFIX{sshd}} error: PAM: User not known to the underlying authentication module for .* from {HOST_IP}$',thanks - and a related question
Think it works now although it is difficult to check it as i cant simulate that attach. I have the related problem that ssh reverse maps the if possible attacker and plots the result in the log, which gives some like these:
Nov 21 09:18:11 zummer sshd[29262]: error: PAM: User not known to the underlying authentication module for root from mail.nemann.deDo you know if ssh can list the ip without loosing other facilities or can blockhost reverse-reverse the address?
sshd or PAM printing that?
Not sure about sshd, but maybe that message is being composed by PAM? So will have to look into both PAM and sshd configs if they have a way to turn off IP to hostname conversion. Usually, the default is to print numeric IP address only, and there are configs to print names instead.
blockhosts only works with numeric IPv4 addresses.