updated blockhosts.py regex for sshd

Post by jiml8 » Nov 9th, '17, 18:51

I do not know if anyone here except me uses blockhosts (https://www.aczoom.com/archive-2016/blockhosts/), but I have used it for many years now and it is an excellent way to shut up attackers who try to brute-force their way into my web-accessible SSH port.

Well, it broke with Mageia 6 due to a changed format and syntax of the messages reported to /var/log/auth.log by sshd.

So, for anyone who needs it, here is the new regex that is needed to restore its functionality in Mageia 6. This string would go into the /etc/blockhosts.cfg file with the other regex strings.
Code:
"SSHD_noAuth": r"""^[^[]+?sshd\[(?P<pid>\d+)\]: pam_unix\(sshd:auth\): authentication failure; logname=.* rhost=(::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}).+user=.*$""",
jiml8
 
Posts: 1253
Joined: Jul 7th, '13, 18:09
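
An added example, not part of the original post or of blockhosts itself: the pattern from the post run over constructed auth.log lines, to show which failure lines it counts and which it lets through. The hostname, PIDs, documentation-range addresses and the helper names failed_hosts and unmatched_failures are assumptions made for illustration.

```python
import re
import warnings
from collections import Counter

# Pattern copied verbatim from the post above.
SSHD_NOAUTH = r"""^[^[]+?sshd\[(?P<pid>\d+)\]: pam_unix\(sshd:auth\): authentication failure; logname=.* rhost=(::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}).+user=.*$"""

with warnings.catch_warnings():
    # "[^[" may draw a "possible nested set" FutureWarning on Python 3.7+.
    warnings.simplefilter("ignore", FutureWarning)
    PATTERN = re.compile(SSHD_NOAUTH)

# Constructed sample lines (assumed format, documentation addresses).
PAM = "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser="
SAMPLE_LOG = "\n".join([
    f"Nov  9 18:40:01 gw sshd[2101]: {PAM} rhost=203.0.113.7  user=root",
    f"Nov  9 18:40:05 gw sshd[2101]: {PAM} rhost=::ffff:203.0.113.7  user=root",
    f"Nov  9 18:40:09 gw sshd[2113]: {PAM} rhost=198.51.100.23",  # no user= field
    "Nov  9 18:41:12 gw sshd[2120]: Accepted publickey for jim from 192.0.2.10 port 50122 ssh2",
    f"Nov  9 18:41:30 gw sshd[2131]: {PAM} rhost=2001:db8::5  user=admin",  # IPv6 source
])


def failed_hosts(log_text):
    """Count matching failure lines per source IPv4 address."""
    hits = Counter()
    for line in log_text.splitlines():
        m = PATTERN.match(line)
        if m:
            hits[m.group("host")] += 1  # ::ffff: prefix is outside the group
    return hits


def unmatched_failures(log_text):
    """Return authentication-failure lines the pattern does not catch."""
    return [line for line in log_text.splitlines()
            if "authentication failure" in line and not PATTERN.match(line)]


if __name__ == "__main__":
    for host, count in failed_hosts(SAMPLE_LOG).items():
        print(f"{host}: {count} failure line(s) matched")
    for line in unmatched_failures(SAMPLE_LOG):
        print("not matched:", line)
```

With these samples the plain and ::ffff:-mapped forms of the same address are counted together, while the line without a user= field and the line with an IPv6 rhost are not matched by this pattern.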
