I compiled and installed blockhosts. After the install finished, I followed the instructions and added the two "#---- BlockHosts Additions" lines to hosts.allow, configured /etc/blockhosts.cfg (removed the # from the relevant lines and changed some of the numbers), and then ran ./blockhosts.py.
But I found that the secure log contains many records of illegal login attempts, yet blockhosts does not add the deny line to hosts.allow in real time; I have to run ./blockhosts.py manually again before the deny entry appears in hosts.allow. What could be causing this?
Thanks!
blockhosts version: 1.0.4
Entries in the secure log:
Sep 7 13:54:39 localhost sshd[3203]: Failed password for root from ::ffff:192.168.101.12 port 1028 ssh2
Sep 7 13:54:56 localhost last message repeated 5 times
Sep 7 13:55:04 localhost sshd[3205]: Failed password for root from ::ffff:192.168.101.12 port 1029 ssh2
Entries in hosts.allow:
#---- BlockHosts Additions
ALL: 192.168.101.12 : deny
#bh: ip: 192.168.101.12 : 3 : 2006-09-07-13-57
#bh: logfile: /var/log/secure
#bh: offset: 7606
#bh: first line:Sep 7 07:13:05 localhost sshd[2095]: Received signal 15; terminating.
#---- BlockHosts Additions
My blockhosts.cfg file:
[constants]
HOSTS_BLOCKFILE = "/etc/hosts.allow"
#HOSTS_BLOCKFILE = "/etc/hosts.deny"
# the name of the block-file on your computer - usually hosts.allow or
# hosts.deny, see "man 5 hosts_access" for details on these files.
# default is hosts.allow
LOGFILES = [ "/var/log/secure", ]
#LOGFILES = [ "/var/log/auth.log", ]
#LOGFILES = [ "/var/log/secure", "/var/log/vsftpd.log", ]
# default list of logs to process, comma separated, can follow Python
# syntax, should be a sequence (list or tuple) of strings representing
# filenames: 1 or more files, default is single file: /var/log/secure
COUNT_THRESHOLD = 2
# number of invalid attempts after which host is blocked
# note that actual denial may take one or more attempts - depends on the
# timing of when LOGFILES are updated by the system, and when this script
# gets to run
BLOCK_SERVICES = "ALL"
# this string used for "daemon_list" in hosts.deny for each blocked
# IP address
AGE_THRESHOLD = 1
# number of hours after which host entry is discarded from hosts.deny
# 24 -> one day, 168 -> one week, 720 -> 30 days, integer values only
# most attackers go away after they are blocked, so to keep hosts.deny
# file size small, no reason to make this any more than, say, half-a-day
LOCKFILE = "/tmp/blockhosts.lock"
# need create/write access to this file, used to make sure only one
# instance of this script runs at one time
# ALL_REGEXS should not be changed, unless you test this thoroughly!
# Use this if you need to match some other lines in your system logfiles,
# other than for OpenSSH sshd, proftpd, and vsftpd, which are built-in.
# The regexps should contain a P<host> to make a named match for the IP
# address, no other P<> is required.
# Use this if you need to match additional lines or services to block
# IP addresses based on lines in the system logs.
# The value for this is a python dictionary, key is a string to label the
# regular expression, choose any unique string, and value is the regular
# expression.
# In the defaults below, the given keys match the following example lines:
# SSHD:
# Jul 19 06:47:27 hostname sshd[1768]: Invalid user xxx from 10.10.58.3
# Nov 15 04:57:19 hostname sshd[1668]: Illegal user yyy from ::ffff:10.6.184.165
# Jul 19 06:58:23 hostname sshd[2821]: User root from 10.10.58.3 not allowed because none of user's groups are listed in AllowGroups
# Apr 20 12:34:30 hostname sshd[9701]: Failed password for invalid user root from 10.21.45.30 port 35993 ssh2
# ProFTPD:
# May 29 22:38:10 hostname proftpd[28865]: hostname (10.0.0.1[10.0.0.1]) - USER validuser (Login failed): Incorrect password.
# May 29 22:40:20 hostname proftpd[28879]: hostname (10.0.0.1[10.0.0.1]) - USER aaa: no such user found from 10.0.0.1 [10.0.0.1] to 10.0.0.1:21
# May 30 07:31:55 hostname proftpd[1450]: hostname (10.0.0.1[10.0.0.1]) - SECURITY VIOLATION: root login attempted.
# VSFTPD:
# Fri Jan 21 15:56:57 2005 [pid 6726] [test] FAIL LOGIN: Client "10.204.30.15"
# Pure-FTPd
# May 17 16:13:29 hostname pure-ftpd: (?@10.10.199.69) [WARNING] Authentication failed for user [username]
# BE CAREFUL UNCOMMENTING - if done incorrectly, blockhosts.py will not
# start up.
# The best way to uncomment is to just remove the single character #
# from the appropriate lines, and then edit the line as needed.
# - make sure to uncomment the line: #ALL_REGEXS = {
# - make sure each uncommented rule is in a single line (no line breaks)
# - if you add a rule, add an id for the rule - any string, like
# "ProFTPD-NoUser" as key, and then the re.compile(...) as value.
# This is a "dict" data structure from python.
# - each rule line should be indented identically - four spaces, then the
# rule, for example, deleting the single # character below in all
# example ALL_REGEXS lines will result in syntactically correct lines.
# - make sure the ending brace is uncommented, remove # character: # }
ALL_REGEXS = {
    "SSHD-Invalid": re.compile(r"""sshd\[(?P<pid>\d+)\]: (Invalid|Illegal) user (?P<user>.*?) from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"""),
    "SSHD-NotAllowed": re.compile(r"""sshd\[(?P<pid>\d+)\]: User (?P<user>.*?) from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) not allowed"""),
    "SSHD-Fail": re.compile(r"""sshd\[(?P<pid>\d+)\]: Failed (?P<method>.*?) for (?P<invalid>invalid user |illegal user )?(?P<user>.*?) from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"""),
#    "ProFTPD-NoPassword": re.compile(r"""proftpd\[(?P<pid>\d+)\]: [^[]+\[(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}).+Login failed"""),
#    "ProFTPD-NoUser": re.compile(r"""proftpd\[(?P<pid>\d+)\]: [^[]+\[(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}).+no such user"""),
#    "ProFTPD-SecurityViolation": re.compile(r"""proftpd\[(?P<pid>\d+)\]: [^[]+\[(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}).+SECURITY VIOLATION"""),
#    "VSFTPD-Fail": re.compile(r"""\[pid (?P<pid>\d+)\] \[(?P<user>.*?)\] FAIL LOGIN: Client "(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"""),
#    "PureFTPD-Fail": re.compile(r"""pure-ftpd: \(\?\@(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\) \[WARNING\] Authentication failed"""),
    }
[ Last edited by 20.20 on 2006-9-6 20:05 ]
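As an added example (not from the original post and not BlockHosts' own code), the script below applies the three SSHD rules from the posted blockhosts.cfg to a constructed log excerpt in the same format as the poster's secure log, counts matched lines per host against COUNT_THRESHOLD, and renders the section that goes between the two marker lines in hosts.allow. The sample log, and the function names count_failures and render_block, are my own; it also shows that a syslog "last message repeated N times" line carries no host, so none of the rules match it and those repeats are not counted.

```python
import re
from collections import Counter

# Constructed sample, same format as the poster's /var/log/secure excerpt (not real data).
SAMPLE_SECURE_LOG = """\
Sep 7 13:54:39 localhost sshd[3203]: Failed password for root from ::ffff:192.168.101.12 port 1028 ssh2
Sep 7 13:54:56 localhost last message repeated 5 times
Sep 7 13:55:04 localhost sshd[3205]: Failed password for root from ::ffff:192.168.101.12 port 1029 ssh2
Sep 7 13:55:30 localhost sshd[3210]: Invalid user admin from 10.0.0.7
"""

# Values taken from the posted blockhosts.cfg.
COUNT_THRESHOLD = 2
BLOCK_SERVICES = "ALL"

# The three built-in SSHD rules from the posted blockhosts.cfg, unchanged.
ALL_REGEXS = {
    "SSHD-Invalid": re.compile(r"""sshd\[(?P<pid>\d+)\]: (Invalid|Illegal) user (?P<user>.*?) from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"""),
    "SSHD-NotAllowed": re.compile(r"""sshd\[(?P<pid>\d+)\]: User (?P<user>.*?) from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) not allowed"""),
    "SSHD-Fail": re.compile(r"""sshd\[(?P<pid>\d+)\]: Failed (?P<method>.*?) for (?P<invalid>invalid user |illegal user )?(?P<user>.*?) from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"""),
}

def count_failures(log_text):
    """Return {host: number of log lines matched by any rule}."""
    # A 'last message repeated N times' line has no host, so no rule
    # matches it and the N repeats are not added to the count.
    counts = Counter()
    for line in log_text.splitlines():
        for rule in ALL_REGEXS.values():
            m = rule.search(line)
            if m:
                counts[m.group("host")] += 1
                break  # one matching rule per line is enough
    return counts

def render_block(counts, threshold=COUNT_THRESHOLD, services=BLOCK_SERVICES):
    """Render the hosts.allow section that sits between the two marker lines."""
    lines = ["#---- BlockHosts Additions"]
    for host, n in sorted(counts.items()):
        if n >= threshold:
            lines.append("%s: %s : deny" % (services, host))
    lines.append("#---- BlockHosts Additions")
    return "\n".join(lines)

if __name__ == "__main__":
    print(render_block(count_failures(SAMPLE_SECURE_LOG)))
```

With the sample above, 192.168.101.12 reaches the threshold after its two distinct "Failed password" lines, while 10.0.0.7 has only one matched line and is not listed.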