Robert T Wyatt wrote:
> René Berber wrote:
>> Robert T Wyatt wrote:
>> [snip]
>>> The *only* messages sshd is sending to asl.log (with sshd_config using
>>> loglevel=verbose)
>> What is "loglevel=verbose"? that is wrong, the default sshd loglevel is INFO
>> and there is no "verbose" level. I noticed, in your first message, that the log
>> included the level as numeric, which is unusual, and it was logging "[Level 4]"
>> which is "WARNING", 2 levels below "INFO" (level 6)... so that might be the
>> problem: the default log level in OS-X is too low.
>
> from man sshd_config:
>
>     LogLevel
>             Gives the verbosity level that is used when logging messages from
>             sshd. The possible values are: QUIET, FATAL, ERROR, INFO,
>             VERBOSE, DEBUG, DEBUG1, DEBUG2 and DEBUG3. The default is INFO.
>             DEBUG and DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify
>             higher levels of debugging output. Logging with a DEBUG level
>             violates the privacy of users and is not recommended.
>
>
> Yes, INFO is the default. I set it to VERBOSE in the hopes that it would
> yield more data.
>
>
> I think that I have made progress by setting "UsePAM yes" in sshd_config.
>
> Now I can see this in asl.log:
> [Time 2006.11.03 20:40:38 UTC] [Facility auth] [Sender sshd] [PID 400] [Message error: PAM: Authentication failure for illegal user bentones from reg066.reg.utexas.edu] [Level 3] [UID -2] [GID -2] [Host rgrtw-05s-power-mac-g5]
>
> (which I did as a test)
>
> The corresponding REGEX for denyhosts becomes:
> SSHD_FORMAT_REGEX:.* \[Sender sshd\] \[PID \d*\] \[Message .* PAM: (?P<message>.*?)\].*?
>
> Which then matches this portion of the line from asl.log:
>
> [Time 2006.11.03 20:40:38 UTC] [Facility auth] [Sender sshd] [PID 400] [Message error: PAM: Authentication failure for illegal user bentones from reg066.reg.utexas.edu]

Additionally, setting UseDNS no in /etc/sshd_config finishes the process,
yielding this in asl.log:

[Time 2006.11.03 21:46:20 UTC] [Facility auth] [Sender sshd] [PID 284] [Message error: PAM: Authentication failure for illegal user baduser from 128.83.86.67] [Level 3] [UID -2] [GID -2] [Host rgrtw-05s-power-mac-g5]

After the requisite number of attempts, denyhosts gives:

2006-11-03 15:46:31,432 - denyhosts : INFO new denied hosts: ['128.83.86.67']

(I'm 6 hours behind UTC)

I think it is now working as intended!

Thanks,
Robert

_______________________________________________
Denyhosts-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/denyhosts-user
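
The matching described in this message, as an added example that is not part of the original post and not DenyHosts' own code: the SSHD_FORMAT_REGEX from the thread is applied to the two quoted asl.log lines, then a second pattern extracts user and host and reports whether the host is an IP literal, as in the line logged with UseDNS no. FAILED_ENTRY, parse_asl_line and the third sample line are assumptions made for this example.

```python
import ipaddress
import re

# SSHD_FORMAT_REGEX as given in the message above (wrapped line joined).
SSHD_FORMAT_REGEX = re.compile(
    r".* \[Sender sshd\] \[PID \d*\] \[Message .* PAM: (?P<message>.*?)\].*?")

# Assumption: simplified second-stage pattern for this example only, not
# DenyHosts' own failed-entry regexes. Anchored at the end of the message
# so the host is always the final token.
FAILED_ENTRY = re.compile(
    r"Authentication failure for (?:illegal user )?(?P<user>\S+)"
    r" from (?P<host>\S+)$")

# Lines 0 and 1 are the asl.log entries quoted in the thread (UseDNS default,
# then UseDNS no). Line 2 is constructed: a non-PAM message to be ignored.
ASL_LINES = [
    "[Time 2006.11.03 20:40:38 UTC] [Facility auth] [Sender sshd] [PID 400] "
    "[Message error: PAM: Authentication failure for illegal user bentones "
    "from reg066.reg.utexas.edu] [Level 3] [UID -2] [GID -2] "
    "[Host rgrtw-05s-power-mac-g5]",
    "[Time 2006.11.03 21:46:20 UTC] [Facility auth] [Sender sshd] [PID 284] "
    "[Message error: PAM: Authentication failure for illegal user baduser "
    "from 128.83.86.67] [Level 3] [UID -2] [GID -2] "
    "[Host rgrtw-05s-power-mac-g5]",
    "[Time 2006.11.03 21:50:00 UTC] [Facility auth] [Sender sshd] [PID 290] "
    "[Message Accepted publickey for robert from 192.0.2.10 port 50000 ssh2] "
    "[Level 6] [UID -2] [GID -2] [Host example-mac]",
]

def parse_asl_line(line):
    """Return (user, host, host_is_ip) for a PAM auth failure, else None."""
    outer = SSHD_FORMAT_REGEX.match(line)
    if outer is None:
        return None  # not an sshd PAM message in the asl.log layout
    inner = FAILED_ENTRY.match(outer.group("message"))
    if inner is None:
        return None  # PAM message, but not an authentication failure
    host = inner.group("host")
    try:
        ipaddress.ip_address(host)
        host_is_ip = True
    except ValueError:
        host_is_ip = False  # a resolved name, as logged before UseDNS no
    return inner.group("user"), host, host_is_ip

if __name__ == "__main__":
    for sample in ASL_LINES:
        print(parse_asl_line(sample))
```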
