Administrator Chat-Net wrote:
[snip]
> The auth.log should be in a standard-format (it has timestamps)
> Ex.:
>
> Jul 6 15:43:40 everest sshd[2642]: PAM: Authentication failure for
> root from mail.cars.com.ve
> Jul 6 15:43:43 everest sshd[2642]: PAM: Authentication failure for
> root from mail.cars.com.ve
> Jul 6 15:43:44 everest sshd: (pam_unix) 1 more authentication
> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=mail.cars.com.ve
> user=root

Looks good. Do you also have some lines like:

Jul 10 19:09:30 localhost sshd: PID 3840: refused connect from 211.167.225.107

In other words, is tcpwrappers support working? Or is only PAM stopping the intruder?

> (This is from auth.log.0, in auth.log mail.cars.com.ve doesn't appear)
>
>> - You have a corrupted hosts.deny and somehow denyhosts doesn't see that the
>> entry is already there.
>
> ALL: mail.cars.com.ve
> ALL: mail.cars.com.ve
> ALL: mail.cars.com.ve
> ALL: mail.cars.com.ve
> ALL: mail.cars.com.ve
> ALL: 211.155.225.215
> ALL: mail.cars.com.ve
> ALL: mail.cars.com.ve

Strange, that's not the format that denyhosts uses. Did you edit the normal lines for this message? I see lines like:

# DenyHosts: Mon Jul 10 15:06:54 2006 | sshd: 200.47.215.82
sshd: 200.47.215.82

which is the one that corresponds to mail.cars.com.ve (don't mind about ALL vs sshd, that is configurable).

I'm not sure, but perhaps denyhosts uses the comment as a marker to find its entries. It makes sense: it has to distinguish between lines added by hand or by another program, and it also needs the timestamp to know what to purge. This could be the cause of your problem (i.e. it just ignores entries like the ones above).

>> - You have a corrupted denyhosts (what version are you using?) and it's not
>> working (you don't say if it catches other attempts for instance).
>
> I had v1.4 and then the problem appeared.. Then I changed from 1.4 to
> the actual version 2.5 and the problem appears, too.

Did you check and change the configuration file?

> Has someone changed in saving denied hosts? (e.g. I don't have your
> sync-received..)

No problem if you are not using sync-ing. It's one of the options in the configuration file... And what about purging? In the log below it looks like you don't purge old entries.

> My workdir:
>
> allowed-hosts hosts-root offset users-invalid
> hosts hosts-valid users-hosts users-valid
>
>
>> Do you have anything interesting in the denyhosts log?
>
> Not really (I think):
>
> 2006-07-11 09:17:05,104 - denyhosts : INFO new denied hosts:
> ['mail.cars.com.ve ']

I also have numeric IPs here, not hostnames... perhaps it is only an option I did set or didn't set.

> 2006-07-11 09:18:05,173 - denyhosts : INFO new denied hosts:
> ['mail.cars.com.ve ']
> 2006-07-11 09:19:35,244 - denyhosts : INFO new denied hosts:
> ['mail.cars.com.ve ']
> 2006-07-11 09:20:05,338 - denyhosts : INFO new denied hosts:
> ['mail.cars.com.ve ']
> 2006-07-11 09:21:35,424 - denyhosts : INFO new denied hosts:
> ['mail.cars.com.ve ']
> 2006-07-11 09:22:05,494 - denyhosts : INFO new denied hosts:
> ['mail.cars.com.ve ']
> 2006-07-11 10:29:43,418 - denyhosts : INFO setting debug level to: DEBUG
> 2006-07-11 10:30:13,416 - denyhosts : DEBUG /var/log/auth.log has
> additional data
> 2006-07-11 10:30:13,452 - loginattempt: DEBUG suspicious-logins
> does not exist
> 2006-07-11 10:30:13,494 - denyhosts : DEBUG new hosts: []
> 2006-07-11 10:30:13,494 - denyhosts : DEBUG no new denied hosts
[snip]

It goes on like that? After adding it 6 times it stops adding it?

> After I saw that suspicious-logins doesn't exist, I touched it in the
> workdir..
>
>> Have you run the program in debug mode?
>
> I'm currently in debug mode after you said that ;)

--
René Berber

_______________________________________________
Denyhosts-user mailing list
https://lists.sourceforge.net/lists/listinfo/denyhosts-user
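
An added example, not part of the original message and not DenyHosts code: a small audit of a hosts.deny body for the two symptoms discussed above, repeated entries and entries that lack a preceding `# DenyHosts:` comment line. It assumes one host per line in the shapes quoted in the message; `audit_hosts_deny` and the sample text are constructed for illustration, and nothing here asserts how denyhosts itself reads the file.

```python
import re
from collections import Counter

# Constructed sample in the two shapes quoted in the message: bare entries,
# and an entry preceded by a "# DenyHosts: <timestamp> | <entry>" comment.
SAMPLE = """\
ALL: mail.cars.com.ve
ALL: mail.cars.com.ve
ALL: 211.155.225.215
# DenyHosts: Mon Jul 10 15:06:54 2006 | sshd: 200.47.215.82
sshd: 200.47.215.82
ALL: mail.cars.com.ve
"""

MARKER = re.compile(r"^#\s*DenyHosts:\s*(?P<stamp>.+?)\s*\|\s*(?P<entry>.+?)\s*$")
ENTRY = re.compile(r"^(?P<service>[^#:\s]+)\s*:\s*(?P<host>\S+)\s*$")


def parse_entry(text):
    """Return (service, host) for a 'service: host' line, else None."""
    m = ENTRY.match(text.strip())
    return (m.group("service"), m.group("host")) if m else None


def audit_hosts_deny(text):
    """Return (duplicates, unmarked) for a hosts.deny body.

    duplicates: {(service, host): count} for entries listed more than once.
    unmarked:   sorted hosts with at least one entry that is not directly
                preceded by a marker comment naming the same entry.
    """
    counts = Counter()
    unmarked = set()
    pending = None  # entry announced by the marker comment on the previous line
    for line in text.splitlines():
        marker = MARKER.match(line.strip())
        if marker:
            pending = parse_entry(marker.group("entry"))
            continue
        key = parse_entry(line)
        if key:
            counts[key] += 1
            if pending != key:
                unmarked.add(key[1])
        pending = None  # a marker only covers the line right after it
    duplicates = {k: n for k, n in counts.items() if n > 1}
    return duplicates, sorted(unmarked)


if __name__ == "__main__":
    print(audit_hosts_deny(SAMPLE))
```
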
