René Berber wrote:
> Robert T Wyatt wrote:
>
>> I have the following in my denyhosts-py25 log:
> [snip]
>> 2006-11-01 18:27:21,193 - prefs : INFO FAILED_ENTRY_REGEX: [None]
>
> USERDEF_FAILED_ENTRY_REGEX= is empty, but you say below you defined your own
> regex...
>
> [snip]
>> 2006-11-01 18:27:21,238 - prefs : INFO SECURE_LOG: [/private/var/log/asl.log]
>
> So this is the sshd log.
>
> [snip]
>> 2006-11-01 18:27:21,244 - prefs : INFO SSHD_FORMAT_REGEX:
>> [.* \[Sender sshd\] \[PID \d*\] \[Message .* (?P<message>.*?)\].*?]
>> 2006-11-01 18:27:21,245 - prefs : INFO SUCCESSFUL_ENTRY_REGEX: [None]
>
> This is the regex you defined? Where in the configuration was this defined?

It is defined in SSHD_FORMAT_REGEX, per the instructions at FAQ 1.16, except that I removed "PAM:". With my modifications, it will match denials of attacks from already known hosts, such as:

[Time 2006.10.30 18:53:09 UTC] [Facility auth] [Sender sshd] [PID 876] [Message refused connect from 62.254.183.162] [Level 4] [UID -2] [GID -2] [Host robert-wyatts-emac]

As you have noted, these are attacks from already known hosts that are caught due to my sync downloads.

> http://denyhosts.sf.net/faq.html#userdef_regex
>
>> Even so, these aren't the IPs of the attack at the top of the
>> page; I don't know where to find them....
>
> Same log, just look at the date and time corresponding to the messages in
> secure.log; you didn't show a single break attempt from an unlisted host.
>
> Since your log is not in the usual format, you'll need to collect a real example
> to see what syntax is needed in the regex, you don't need to declare the whole
> line in the regex just the part that makes it recognizable (and sshd usually
> writes 2 lines for each login failure), then put the ?P where the IP is and the
> second ?P where the user name is (this one is optional, but if you want to use
> different limits for important user accounts, like root/admin/etc, then it is
> needed).

Then I believe these are the lines we are looking for:

[Time 2006.11.02 06:00:28 UTC] [Facility authpriv] [Sender com.apple.SecurityServer] [PID -1] [Message authinternal failed to authenticate user eduardo.] [Level 3] [UID -2] [GID -2] [Host robert-wyatts-emac]

[Time 2006.11.02 06:00:28 UTC] [Facility authpriv] [Sender com.apple.SecurityServer] [PID -1] [Message Failed to authorize right system.login.tty by process /usr/sbin/sshd for authorization created by /usr/sbin/sshd.] [Level 5] [UID -2] [GID -2] [Host robert-wyatts-emac]

It is the first of these that contains the false user name. I don't know why I don't get the IP address of the attacking script.

I'm working on the appropriate REGEX to get the user name, but I'm not sure if this can help until I also get the IP address into the log....

Thanks for your pointers René!

_______________________________________________
Denyhosts-user mailing list
https://lists.sourceforge.net/lists/listinfo/denyhosts-user
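As an added example (not code from the DenyHosts project or from this thread), here is the two-stage matching René describes run over the asl.log lines quoted above: a format regex that isolates the [Message ...] field, then failed-entry regexes carrying DenyHosts-style `host` and `user` named groups. The patterns FORMAT_RE and FAILED_RES are assumptions written for this illustration, not the project's own, and the result shows why the SecurityServer line yields a user name but nothing that could be blocked.

```python
import re

# Constructed sample input: the asl.log lines quoted in the thread.
ASL_LINES = [
    "[Time 2006.10.30 18:53:09 UTC] [Facility auth] [Sender sshd] [PID 876] "
    "[Message refused connect from 62.254.183.162] [Level 4] [UID -2] [GID -2] "
    "[Host robert-wyatts-emac]",
    "[Time 2006.11.02 06:00:28 UTC] [Facility authpriv] [Sender com.apple.SecurityServer] "
    "[PID -1] [Message authinternal failed to authenticate user eduardo.] [Level 3] "
    "[UID -2] [GID -2] [Host robert-wyatts-emac]",
    "[Time 2006.11.02 06:00:28 UTC] [Facility authpriv] [Sender com.apple.SecurityServer] "
    "[PID -1] [Message Failed to authorize right system.login.tty by process "
    "/usr/sbin/sshd for authorization created by /usr/sbin/sshd.] [Level 5] "
    "[UID -2] [GID -2] [Host robert-wyatts-emac]",
]

# Stage 1, the role SSHD_FORMAT_REGEX plays (assumed pattern): pull out the
# sender and the text of the [Message ...] field of one asl.log line.
FORMAT_RE = re.compile(
    r"\[Sender (?P<sender>[^\]]+)\] \[PID -?\d+\] \[Message (?P<message>.*?)\] \[Level")

# Stage 2, the role of the failed-entry regexes (assumed patterns): named
# groups 'host' for the attacking IP and optional 'user' for the account.
FAILED_RES = [
    re.compile(r"refused connect from (?P<host>\d{1,3}(?:\.\d{1,3}){3})"),
    re.compile(r"failed to authenticate user (?P<user>[^.\s]+)\."),
]


def parse_line(line):
    """Sender, message, host and user for one line (None when absent)."""
    m = FORMAT_RE.search(line)
    if m is None:
        return None  # not an auth line in the expected format
    rec = {"sender": m.group("sender"), "message": m.group("message"), "host": None, "user": None}
    for pat in FAILED_RES:
        f = pat.search(rec["message"])
        if f:
            rec.update(f.groupdict())  # sets whichever of host/user the pattern captured
            break
    return rec


def classify(lines):
    """Split recognised failures into those a blocker could act on (IP known)
    and those that, as in the thread, name a user but carry no IP."""
    blockable, no_ip = [], []
    for line in lines:
        rec = parse_line(line)
        if rec is None or (rec["host"] is None and rec["user"] is None):
            continue  # not a recognised failure message
        (blockable if rec["host"] else no_ip).append(rec)
    return blockable, no_ip
```

Running `classify(ASL_LINES)` puts only the sshd "refused connect" line in the blockable list; the SecurityServer line lands in the no-IP list, which is exactly the gap the message above describes.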
