Robert T Wyatt wrote:
> René Berber wrote:
>> Robert T Wyatt wrote:
>>
>>> 2006-11-01 18:27:21,244 - prefs : INFO SSHD_FORMAT_REGEX:
>>> [.* \[Sender sshd\] \[PID \d*\] \[Message .* (?P<message>.*?)\].*?]
>>> 2006-11-01 18:27:21,245 - prefs : INFO
>>> SUCCESSFUL_ENTRY_REGEX: [None]
>> This is the regex you defined? Where in the configuration was this defined?
>
> It is defined in SSHD_FORMAT_REGEX: per the instructions at:
> FAQ 1.16 at
[oops!] http://denyhosts.sourceforge.net/mac_os_10_4.txt
>
> except that I removed "PAM:"
>
> With my modifications, it will match denials of attacks from already
> known hosts, such as:
>
> [Time 2006.10.30 18:53:09 UTC] [Facility auth] [Sender sshd] [PID 876]
> [Message refused connect from 62.254.183.162] [Level 4] [UID -2] [GID
> -2] [Host robert-wyatts-emac]
>
> As you have noted, these are attacks from already known hosts that are
> caught due to my sync downloads.
>
>
> I believe these are the lines we are looking for:
>
> [Time 2006.11.02 06:00:28 UTC] [Facility authpriv] [Sender
> com.apple.SecurityServer] [PID -1] [Message authinternal failed to
> authenticate user eduardo.] [Level 3] [UID -2] [GID -2] [Host
> robert-wyatts-emac]
> [Time 2006.11.02 06:00:28 UTC] [Facility authpriv] [Sender
> com.apple.SecurityServer] [PID -1] [Message Failed to authorize right
> system.login.tty by process /usr/sbin/sshd for authorization created by
> /usr/sbin/sshd.] [Level 5] [UID -2] [GID -2] [Host robert-wyatts-emac]
>
>
> It is the first of these that contains the false user name. I don't know
> why I don't get the IP address of the attacking script. I'm working on
> the appropriate REGEX to get the user name, but I'm not sure if this can
> help until I also get the IP address into the log....

This regex matches these lines:

SSHD_FORMAT_REGEX=.* \[Sender com\.apple\.SecurityServer\] \[PID -?\d*\] \[Message .* (?P<message>.*?)\].*?

But will it help without the IP address? I'll let you know....
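Added example, not part of the original message and not DenyHosts code: it runs the two patterns quoted in the thread against the log lines quoted in the thread and shows what the `message` group actually holds, then checks each line for a source address. It assumes the patterns are applied with Python's `re.match`; `FIELD_BOUND`, `captured` and `source_ip` are hypothetical names introduced here.

```python
import re

# Log lines quoted in the message above (ASL format, re-joined onto one line each).
SSHD_LINE = ("[Time 2006.10.30 18:53:09 UTC] [Facility auth] [Sender sshd] [PID 876] "
             "[Message refused connect from 62.254.183.162] [Level 4] [UID -2] [GID -2] "
             "[Host robert-wyatts-emac]")
SECSRV_LINE = ("[Time 2006.11.02 06:00:28 UTC] [Facility authpriv] "
               "[Sender com.apple.SecurityServer] [PID -1] "
               "[Message authinternal failed to authenticate user eduardo.] "
               "[Level 3] [UID -2] [GID -2] [Host robert-wyatts-emac]")

# Patterns exactly as they appear in the thread.
POSTED_SSHD = re.compile(
    r".* \[Sender sshd\] \[PID \d*\] \[Message .* (?P<message>.*?)\].*?")
POSTED_SECSRV = re.compile(
    r".* \[Sender com\.apple\.SecurityServer\] \[PID -?\d*\] \[Message .* (?P<message>.*?)\].*?")

# Hypothetical alternative (not from the thread): [^\]]* cannot cross a ']',
# so the group is the full text of the Message field and nothing else.
FIELD_BOUND = re.compile(
    r".* \[Sender (?P<sender>[^\]]+)\] \[PID -?\d*\] \[Message (?P<message>[^\]]*)\]")

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def captured(pattern, line):
    """Return the 'message' group, or None when the line does not match."""
    m = pattern.match(line)
    return m.group("message") if m else None

def source_ip(line):
    """Return the IPv4 address inside the Message field, or None if absent."""
    msg = captured(FIELD_BOUND, line)
    found = IPV4.search(msg) if msg else None
    return found.group(0) if found else None

if __name__ == "__main__":
    for name, pat, line in (("sshd", POSTED_SSHD, SSHD_LINE),
                            ("SecurityServer", POSTED_SECSRV, SECSRV_LINE)):
        # The greedy ".* " after "Message" runs to the last space on the line,
        # so the posted patterns capture the Host value, not the message text.
        print(name, "posted pattern ->", repr(captured(pat, line)))
        print(name, "field-bound    ->", repr(captured(FIELD_BOUND, line)))
        print(name, "source address ->", source_ip(line))
```

On these lines both posted patterns match but capture the trailing `Host` value, and the `com.apple.SecurityServer` line contains no address in its `Message` field at all.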
