Hello Ray,

You shouldn't be editing the regex.py file directly anyway-- since your changes will get blown away w/ each new version of DH. Rather, you should place the overridden regexes in your denyhosts.cfg file instead. There are examples in the FAQ, for instance:

http://www.denyhosts.net/faq.html#custom_regex

I've never added proftpd support to DH because everybody that emails me (or the list) appears to have a different log format. I'm not sure if your log snippet is standard or not. I can't easily view it due to wrapping; if you'd like me to provide a regex, please re-send it to me (not the list) as an attachment.

Regards,

Phil

On Wed, 25 Oct 2006, Ray Collett wrote:

> I'm wanting to add a regex line for catching log entries for proftpd. I saw several requests for this functionality, but I didn't see any solutions so I have tried editing the DenyHosts/regex.py file with the following changes:
>
> # I added proftpd to SSHD_FORMAT_REGEX
> SSHD_FORMAT_REGEX = re.compile(r""".* (sshd.*:|\[sshd\]|proftpd.*:) (?P<message>.*)""")
>
> # then I commented-out the existing regex statement FAILED_ENTRY_REGEX7 and added this in its place
> FAILED_ENTRY_REGEX7 = re.compile(r""".*\[(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}).* USER (?P<user>.*?): (?P<invalid>no such user found).*""")
>
> and then I set the FAILED_ENTRY_REGEX_NUM = 7
>
> After reinstalling DenyHosts (with 'python setup.py install'), it runs without error, but does not appear to find any of the proftpd error messages. I am deleting /usr/share/denyhosts/data/offset so that DenyHosts rescans the log file. Do I have a typo in my regex, or is there another problem with what I'm trying to do? I have DenyHosts configured to set the deny to ALL, so if I can get this to pick up on proftpd log entries and successfully find the IP, I think that this should work, but I'm currently stumped. Any help would be appreciated.
>
> -Ray
>
> P.S., Here's a snippet of some proftpd messages:
>
> Sep 28 18:22:10 example proftpd[29042]: example.com (60.12.138.17[60.12.138.17]) - USER Administrator: no such user found from 60.12.138.17 [60.12.138.17] to xx.xx.xx.xx:21
> Sep 28 18:22:11 example proftpd[29044]: example.com (60.12.138.17[60.12.138.17]) - USER admin: no such user found from 60.12.138.17 [60.12.138.17] to xx.xx.xx.xx:21
> Sep 28 18:22:12 example proftpd[29042]: example.com (60.12.138.17[60.12.138.17]) - USER steve: no such user found from 60.12.138.17 [60.12.138.17] to xx.xx.xx.xx:21
> Sep 28 18:22:13 example proftpd[29044]: example.com (60.12.138.17[60.12.138.17]) - USER Administrator: no such user found from 60.12.138.17 [60.12.138.17] to xx.xx.xx.xx:21
> Sep 28 18:22:14 example proftpd[29042]: example.com (60.12.138.17[60.12.138.17]) - USER steve: no such user found from 60.12.138.17 [60.12.138.17] to xx.xx.xx.xx:21
>
> P.P.S., the reason I'm currently replacing rule number 7 instead of using slot 8, is that I get an error when I try to use slot 7. The regex.py file (in the currently latest version 2.5) had the max rule number set to 6 even though rule 7 exists. I don't know what's wrong with rule 7, but here's the rule:
>
> FAILED_ENTRY_REGEX7 = re.compile(r"""User (?P<user>.*) not allowed because not listed in AllowUsers""")
>
> and here's the error message I get:
>
> # >service denyhosts start
> starting DenyHosts: /usr/bin/env python /usr/bin/denyhosts.py --daemon --config=/usr/share/denyhosts/denyhosts.cfg
> Traceback (most recent call last):
>   File "/usr/bin/denyhosts.py", line 164, in ?
>     first_time, noemail, daemon)
>   File "/usr/lib/python2.3/site-packages/DenyHosts/deny_hosts.py", line 60, in __init__
>     self.init_regex()
>   File "/usr/lib/python2.3/site-packages/DenyHosts/deny_hosts.py", line 500, in init_regex
>     FAILED_ENTRY_REGEX_MAP[i])
>   File "/usr/lib/python2.3/site-packages/DenyHosts/deny_hosts.py", line 482, in get_regex
>     val = self.__prefs.get(name)
>   File "/usr/lib/python2.3/site-packages/DenyHosts/prefs.py", line 204, in get
>     return self.__data[name]
> KeyError: 'FAILED_ENTRY_REGEX7'
>
> DenyHosts exited abnormally
> #>
>
> _______________________________________________
> Denyhosts-user mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/denyhosts-user

--
Regards,

Phil Schwartz - http://www.phil-schwartz.com
Open Source Projects:
- DenyHosts: http://www.denyhosts.net
- Kodos: http://kodos.sourceforge.net
- ReleaseForge: http://releaseforge.sourceforge.net
- Scratchy: http://scratchy.sourceforge.net
- FAQtor: http://faqtor.sourceforge.net
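
The two regexes posted in the thread can be checked offline against the quoted proftpd lines. This is an added example, not code from the thread or from DenyHosts; it assumes a two-stage flow in which the format regex is matched against the whole line and the failed-entry regex is then searched within the captured `message` group, and `NARROWED_FORMAT`, `two_stage` and `failed_logins` are hypothetical names.

```python
import re

# Constructed from the proftpd lines quoted in the thread (e-mail wrapping rejoined).
_TMPL = ("Sep 28 18:22:1{n} example proftpd[{pid}]: example.com "
         "(60.12.138.17[60.12.138.17]) - USER {user}: no such user found "
         "from 60.12.138.17 [60.12.138.17] to xx.xx.xx.xx:21")
LINES = [_TMPL.format(n=n, pid=pid, user=user) for n, pid, user in
         [(0, 29042, "Administrator"), (1, 29044, "admin"), (2, 29042, "steve")]]

# Both patterns as posted in the thread (the second is split only for line length).
POSTED_FORMAT = re.compile(r""".* (sshd.*:|\[sshd\]|proftpd.*:) (?P<message>.*)""")
POSTED_FAILED = re.compile(
    r""".*\[(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}).* USER """
    r"""(?P<user>.*?): (?P<invalid>no such user found).*""")

# Hypothetical variant: end the service prefix at "proftpd[pid]:" so the greedy
# ".*" cannot run on to the colon after the user name.
NARROWED_FORMAT = re.compile(
    r""".* (sshd.*:|\[sshd\]|proftpd\[\d+\]:) (?P<message>.*)""")


def two_stage(line, format_rx, failed_rx):
    """Assumed flow: format_rx selects the message, failed_rx searches it."""
    m = format_rx.match(line)
    if m is None:
        return None, None
    message = m.group("message")
    hit = failed_rx.search(message)
    return message, (hit.groupdict() if hit else None)


def failed_logins(lines, format_rx, failed_rx):
    """Return (host, user) for every line that both stages accept."""
    results = []
    for line in lines:
        _, fields = two_stage(line, format_rx, failed_rx)
        if fields:
            results.append((fields["host"], fields["user"]))
    return results


if __name__ == "__main__":
    # Posted pair: the message starts at "no such user found", so USER is gone.
    print(two_stage(LINES[0], POSTED_FORMAT, POSTED_FAILED))
    print(failed_logins(LINES, POSTED_FORMAT, POSTED_FAILED))
    # Narrowed prefix with the posted failed-entry regex unchanged.
    print(failed_logins(LINES, NARROWED_FORMAT, POSTED_FAILED))
```

Under that assumption, the posted failed-entry regex needs no change; only the greedy `proftpd.*:` prefix keeps it from seeing the host and `USER` fields.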
