After instrumenting 'bruteblock' (and accidentally causing auth.log to explode), I discovered that the ssh.conf file that ships with it won't work on FreeBSD 6.1 (or at least my copy of it).
The shipped regexp looks for "illegal" users. But 'sshd' on FreeBSD 6.1 records login attempts of "invalid" users. The patch appended below got it to work on my system. My thanks to everyone who chimed in with suggestions. They were greatly appreciated. Schwab --- ssh.conf.dist Mon Oct 30 21:17:34 2006 +++ ssh.conf Wed Nov 15 00:20:29 2006 @@ -6,16 +6,16 @@ # this regexp for the OpenSSH server matches lines like: # # comment: auth via key only -#sshd[72593]: Illegal user hacker from 1.2.3.4 +#sshd[72593]: Invalid user hacker from 1.2.3.4 # # comment: pwd auth, but no such user -#sshd[72593]: Failed password for illegal user sammmm from 1.2.3.4 +#sshd[72593]: Failed password for invalid user sammmm from 1.2.3.4 # # comment: correct user, but wrong password #sshd[72626]: Failed password for samm from 1.2.3.4 # -regexp = sshd.*Illegal user \S+ from (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) -regexp1 = sshd.*Failed password for (?:illegal user )?\S+ from (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) +regexp = sshd.*Invalid user \S+ from (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) +regexp1 = sshd.*Failed password for (?:invalid user )?\S+ from (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) # Number of failed login attempts within time before we block max_count = 4
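Review bot: Both the regexp and regexp1 lines replace the literal "Illegal"/"illegal" with "Invalid"/"invalid" outright, so the patched ssh.conf no longer matches the sshd wording that ssh.conf.dist was written for, and failed logins logged in that form would go uncounted. Consider an alternation so one file covers both spellings, for example "(?:Illegal|Invalid) user" in regexp and "(?:(?:illegal|invalid) user )?" in regexp1. The sample log lines in the comments above could then show both forms, so it stays clear which sshd messages the patterns are meant to catch.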