There appears to be an error parsing some syslog output.
Given the following log entry:
Dec 19 08:44:24 newnorcal sshd[16804]: Failed password for illegal user root from ::ffff:85.10.201.133 port 38973 ssh2
Things seem to work properly... a line gets appended to hosts.deny:
ALL: 85.10.201.133 # Added by rwsecure on Jan 03 2007 02:57:07
But on a system where the syslog output looks like this (notice the absence of "::ffff:"):
Dec 31 09:46:22 gateway sshd[24900]: Failed password for illegal user staff from 65.69.106.26 port 8084 ssh2
Results seem erratic, but are either nothing, or something like the following where the date field is used:
ALL: Dec # Added by rwsecure on Jan 03 2007 02:57:07
Yep... You're right... Sorry I haven't looked at this for a while. They changed the logging in the newer versions. I made a change that appears to fix the problem and will upload it shortly.
Okay, this version *did* fix my hosts that would not work before.
Eg.:
--auth.log--
Mar 18 13:58:25 gateway sshd[7175]: Illegal user test from 219.151.8.118
--hosts.deny--
ALL: 219.151.8.118 # Added by rwsecure on Mar 20 2007 11:52:08
However, now on a host that used to work, I am now getting the following with v0.3:
--auth.log--
Mar 19 13:06:49 stockton sshd[22417]: Illegal user test from ::ffff:222.255.236.12
--hosts.deny--
ALL: ::ffff:222.255.236.12 # Added by rwsecure on Mar 20 2007 11:44:29
Is that what you intended to happen? Will this work (i.e. actually block the host)?
"I made some small changes in v0.4 that should catch this and deal with it properly. Thanks for the input and let me know if you find any other problems."
I have just confirmed that this syntax does *NOT* block the host:
ALL: ::ffff:222.255.236.12 # Added by rwsecure on Mar 20 2007 11:44:29
Copy from my other post :-)
"I made some small changes in v0.4 that should catch this and deal with it properly. Thanks for the input and let me know if you find any other problems."
Seems to be fixed in v.04, thanks!
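The two failures reported in this thread (the date field "Dec" written to hosts.deny, and an unblocked "::ffff:" entry) both come from trusting a field position instead of validating the extracted value. The following Python sketch is an added example, not rwsecure's code; the names FAILURE_RE, source_address and deny_entries are hypothetical, and the sample log is constructed from the lines quoted above.

```python
import ipaddress
import re

# Constructed sample: the four formats quoted in the thread plus one
# successful login that must be ignored.
SAMPLE_LOG = """\
Dec 19 08:44:24 newnorcal sshd[16804]: Failed password for illegal user root from ::ffff:85.10.201.133 port 38973 ssh2
Dec 31 09:46:22 gateway sshd[24900]: Failed password for illegal user staff from 65.69.106.26 port 8084 ssh2
Mar 18 13:58:25 gateway sshd[7175]: Illegal user test from 219.151.8.118
Mar 19 13:06:49 stockton sshd[22417]: Illegal user test from ::ffff:222.255.236.12
Mar 19 13:07:01 stockton sshd[22418]: Accepted password for alice from 192.0.2.10 port 4022 ssh2
"""

# Anchor on the sshd tag, the keyword "from" and the end of the line rather
# than on field positions, so a layout change cannot shift the capture onto
# the date column and text in the user-name field is not read as the address.
# "invalid user" is the wording newer OpenSSH releases log.
FAILURE_RE = re.compile(
    r"sshd\[\d+\]: (?:Failed password for (?:(?:illegal|invalid) user )?\S+"
    r"|Illegal user \S+) from (?P<addr>\S+)(?: port \d+ ssh2)?$"
)


def source_address(line):
    """Return the client as a plain IPv4 string, or None if not usable."""
    match = FAILURE_RE.search(line)
    if match is None:
        return None
    try:
        ip = ipaddress.ip_address(match.group("addr"))
    except ValueError:
        return None  # e.g. "Dec": never write a non-address to hosts.deny
    if ip.version == 6:
        # ::ffff:a.b.c.d is an IPv4-mapped address; unwrap it. Native IPv6
        # clients are outside this example and are skipped.
        ip = ip.ipv4_mapped
    return str(ip) if ip is not None else None


def deny_entries(log_text):
    """Build de-duplicated hosts.deny lines in the thread's 'ALL: ip' form."""
    addresses = []
    for line in log_text.splitlines():
        addr = source_address(line)
        if addr is not None and addr not in addresses:
            addresses.append(addr)
    return ["ALL: " + addr for addr in addresses]


if __name__ == "__main__":
    print("\n".join(deny_entries(SAMPLE_LOG)))
```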