请教blockhosts的问题

2020

编译安装了bolockhosts，安装完成后，按照提示将两行#---- BlockHosts Additions 加入hosts.allow中，配置/etc/blockhosts.cfg，将其中的＃号去掉，修改了部分数字后，执行./bolosthosts.py
可是发现，secure日志中有多次非法登陆的记录，而bolosthosts却不能实时的在hosts.allow加入deny行，必须要再次手动执行./bolosthosts.py，hosts.allow才被加入了拒绝的命令。请问，可能是什么原因造成的呢？
谢谢！

bolockhosts version: 1.0.4

secure日志中的记录
Sep  7 13:54:39 localhost sshd[3203]: Failed password for root from ::ffff:192.168.101.12 port 1028 ssh2
Sep  7 13:54:56 localhost last message repeated 5 times
Sep  7 13:55:04 localhost sshd[3205]: Failed password for root from ::ffff:192.168.101.12 port 1029 ssh2


hosts.allow 中的记录
#---- BlockHosts Additions
ALL:  192.168.101.12 : deny

#bh: ip:  192.168.101.12 :   3 : 2006-09-07-13-57

#bh: logfile: /var/log/secure
#bh: offset: 7606
#bh: first line:Sep  7 07:13:05 localhost sshd[2095]: Received signal 15; terminating.

#---- BlockHosts Additions


我的blockhosts.cfg文件

1. [constants]
   
2. HOSTS_BLOCKFILE = "/etc/hosts.allow"
   
3. #HOSTS_BLOCKFILE = "/etc/hosts.deny"
   
4. # the name of the block-file on your computer - usually hosts.allow or
   
5. # hosts.deny, see "man 5 hosts_access" for details on these files.
   
6. # default is hosts.allow
   
7. 
   
8. LOGFILES = [ "/var/log/secure", ]
   
9. #LOGFILES = [ "/var/log/auth.log", ]
   
10. #LOGFILES = [ "/var/log/secure", "/var/log/vsftpd.log", ]
    
11. # default list of logs to process, comma separated, can follow Python
    
12. # syntax, should be a sequence (list or tuple) of strings representing
    
13. # filenames: 1 or more files, default is single file: /var/log/secure
    
14. 
    
15. COUNT_THRESHOLD = 2
    
16. # number of invalid attempts after which host is blocked
    
17. # note that actual denial make take one or more attempts - depends on the
    
18. # timing of when LOGFILES are updated by the system, and when this script
    
19. # gets to run
    
20. 
    
21. BLOCK_SERVICES = "ALL"
    
22. # this string used for "daemon_list" in hosts.deny for each blocked
    
23. # IP address
    
24. 
    
25. AGE_THRESHOLD = 1
    
26. # number of hours after which host entry is discarded from hosts.deny
    
27. # 24 -> one day, 168 -> one week, 720 -> 30 days, integer values only
    
28. # most attackers go away after they are blocked, so to keep hosts.deny
    
29. # file size small, no reason to make this any more than, say, half-a-day
    
30. 
    
31. LOCKFILE = "/tmp/blockhosts.lock"
    
32. # need create/write access to this file, used to make sure only one
    
33. # instance of this script runs at one time
    
34. 
    
35. # ALL_REGEXS should not be changed, unless you test this thoroughly!
    
36. # Use this if you need to match some other lines in your system logfiles,
    
37. # other that for OpenSSH sshd, proftpd, and vsftpd, which are built-in.
    
38. # The regexps should contain a P<host> to make a named match for the IP
    
39. # address, no other P<> is required.
    
40. # Use this if you need to match additional lines or services to block
    
41. # IP addresses based on lines in the system logs.
    
42. # The value for this is a python dictionary, key is a string to label the
    
43. # regular expression, choose any unique string, and value is the regular
    
44. # expression.
    
45. 
    
46. # In the defaults below, the given keys match the following example lines:
    
47. 
    
48. # SSHD:
    
49. # Jul 19 06:47:27 hostname sshd[1768]: Invalid user xxx from 10.10.58.3
    
50. # Nov 15 04:57:19 hostname sshd[1668]: Illegal user yyy from ::ffff:10.6.184.165
    
51. # Jul 19 06:58:23 hostname sshd[2821]: User root from 10.10.58.3 not allowed because none of user's groups are listed in AllowGroups
    
52. #Apr 20 12:34:30 hostname sshd[9701]: Failed password for invalid user root from 10.21.45.30 port 35993 ssh2
    
53. 
    
54. # ProFTPD:
    
55. # May 29 22:38:10 hostname proftpd[28865]: hostname (10.0.0.1[10.0.0.1]) - USER validuser (Login failed): Incorrect password.
    
56. # May 29 22:40:20 hostname proftpd[28879]: hostname (10.0.0.1[10.0.0.1]) - USER aaa: no such user found from 10.0.0.1 [10.0.0.1] to 10.0.0.1:21
    
57. # May 30 07:31:55 hostname proftpd[1450]: hostname (10.0.0.1[10.0.0.1]) - SECURITY VIOLATION: root login attempted.
    
58. 
    
59. # VSFTPD:
    
60. # Fri Jan 21 15:56:57 2005 [pid 6726] [test] FAIL LOGIN: Client "10.204.30.15"
    
61. 
    
62. # Pure-FTPd
    
63. # May 17 16:13:29 hostname pure-ftpd: (?@10.10.199.69) [WARNING] Authentication failed for user [username]
    
64. 
    
65. # BE CAREFUL UNCOMMENTING - if done incorrectly, blockhosts.py will not
    
66. # start up.
    
67. # The best way to uncomment is to just remove the single character #
    
68. # from the appropriate lines, and then edit the line as needed
    
69. # - make sure to uncomment the line: #ALL_REGEXS = {
    
70. # - make sure each uncommented rule is in a single line (no line breaks)
    
71. # - if you add a rule, add a id for the rule - any string, like
    
72. #   "ProFTPD-NoUser" as key, and then the re.compile(...) as value.
    
73. #   This is a "dict" data structure from python.
    
74. # - each rule line should be indented identically - four spaces, then the
    
75. #   rule, for example, deleting the single # character below in all
    
76. #   example ALL_REGEXS lines will  result in syntactically correct lines
    
77. # - make sure the ending brace is uncommented, remove # character: #    }
    
78. 
    
79. ALL_REGEXS = {
    
80. 
    
81.     "SSHD-Invalid": re.compile(r"""sshd\[(?P<pid>\d+)\]: (Invalid|Illegal) user (?P<user>.*?) from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"""),
    
82. 
    
83.     "SSHD-NotAllowed": re.compile(r"""sshd\[(?P<pid>\d+)\]: User (?P<user>.*?) from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) not allowed"""),
    
84. 
    
85.     "SSHD-Fail": re.compile(r"""sshd\[(?P<pid>\d+)\]: Failed (?P<method>.*?) for (?P<invalid>invalid user |illegal user )?(?P<user>.*?) from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"""),
    
86. 
    
87. #    "ProFTPD-NoPassword": re.compile(r"""proftpd\[(?P<pid>\d+)\]: [^[]+\[(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}).+Login failed"""),
    
88. 
    
89. #    "ProFTPD-NoUser": re.compile(r"""proftpd\[(?P<pid>\d+)\]: [^[]+\[(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}).+no such user"""),
    
90. 
    
91. #    "ProFTPD-SecurityViolation": re.compile(r"""proftpd\[(?P<pid>\d+)\]: [^[]+\[(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}).+SECURITY VIOLATION"""),
    
92. 
    
93. #    "VSFTPD-Fail": re.compile(r"""\[pid (?P<pid>\d+)\] \[(?P<user>.*?)\] FAIL LOGIN: Client "(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"""),
    
94. 
    
95. #    "PureFTPD-Fail": re.compile(r"""pure-ftpd: \(\?\@(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\) \[WARNING\] Authentication failed"""),
    
96. 
    
97.     }

复制代码

[ 本帖最后由 2020 于 2006-9-6 20:05 编辑 ]