updated blockhosts.py regex for sshd
Posted: Nov 9th, '17, 18:51
I do not know if anyone here except me uses blockhosts (https://www.aczoom.com/archive-2016/blockhosts/), but I have used it for many years now and it is an excellent way to shut up attackers who try to brute-force their way into my web-accessible SSH port.
Well, it broke with Mageia 6 due to a changed format and syntax of the messages reported to /var/log/auth.log by sshd.
So, for anyone who needs it, here is the new regex that is needed to restore its functionality in Mageia 6. This string would go into the /etc/blockhosts.cfg file with the other regex strings.
"SSHD_noAuth": r"""^[^[]+?sshd\[(?P<pid>\d+)\]: pam_unix\(sshd:auth\): authentication failure; logname=.* rhost=(::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}).+user=.*$""",
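A quick way to check the pattern before putting it into /etc/blockhosts.cfg, as an added example that is not part of the original post and not blockhosts' own code: it runs the regex from the post over constructed log lines, counts failures per host, and lists failure lines the pattern skips (no `user=` after the host, or an IPv6 `rhost`). `SAMPLE_LOG` and `scan` are hypothetical names.

```python
import re
from collections import Counter

# Pattern copied verbatim from the post above.
SSHD_NOAUTH = re.compile(
    r"""^[^[]+?sshd\[(?P<pid>\d+)\]: pam_unix\(sshd:auth\): authentication failure; logname=.* rhost=(::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}).+user=.*$"""
)

# Constructed sample lines (documentation addresses, not taken from a real log).
SAMPLE_LOG = """\
Nov  9 18:40:01 gw sshd[2101]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7  user=root
Nov  9 18:40:05 gw sshd[2103]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=::ffff:203.0.113.7  user=root
Nov  9 18:40:09 gw sshd[2107]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.23
Nov  9 18:40:12 gw sshd[2110]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=2001:db8::5  user=root
Nov  9 18:40:15 gw sshd[2112]: Accepted publickey for admin from 192.0.2.10 port 50522 ssh2
"""


def scan(log_text):
    """Return (failures per host, failure lines the pattern did not match)."""
    hits, missed = Counter(), []
    for line in log_text.splitlines():
        m = SSHD_NOAUTH.match(line)
        if m:
            # The optional ::ffff: prefix sits outside the named group,
            # so mapped and plain IPv4 addresses count as the same host.
            hits[m.group("host")] += 1
        elif "authentication failure" in line:
            # A failure line the pattern skipped: it never reaches the counter.
            missed.append(line)
    return hits, missed


if __name__ == "__main__":
    hits, missed = scan(SAMPLE_LOG)
    for host, n in hits.items():
        print(f"{host}: {n} failure(s)")
    for line in missed:
        print("not matched:", line)
```

Running the same function over a copy of the real /var/log/auth.log shows which failure lines on a given system fall outside the pattern.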