Robert T Wyatt wrote:
[snip]
>> from man sshd_config:
>>
>>       LogLevel
>>               Gives the verbosity level that is used when logging messages from
>>               sshd.  The possible values are: QUIET, FATAL, ERROR, INFO, VERBOSE,
>>               DEBUG, DEBUG1, DEBUG2 and DEBUG3.  The default is INFO.
>>               DEBUG and DEBUG1 are equivalent.  DEBUG2 and DEBUG3 each specify
>>               higher levels of debugging output.  Logging with a DEBUG level
>>               violates the privacy of users and is not recommended.

OK, I learned something new... Mac OS-X is non-standard in this respect; no other
operating system that I know has VERBOSE (and I don't see any good reason to
have it).

[snip]
>> I think that I have made progress by setting "UsePAM yes" in sshd_config.

This just solved a little annoying logging I had with Solaris, thanks!

>> Now I can see this in asl.log:
>> [Time 2006.11.03 20:40:38 UTC] [Facility auth] [Sender sshd] [PID 400] [Message error: PAM: Authentication failure for illegal user bentones from reg066.reg.utexas.edu] [Level 3] [UID -2] [GID -2] [Host rgrtw-05s-power-mac-g5]
>>
>> (which I did as a test)
>>
>> The corresponding REGEX for denyhosts becomes:
>> SSHD_FORMAT_REGEX:.* \[Sender sshd\] \[PID \d*\] \[Message .* PAM: (?P<message>.*?)\].*?
>>
[snip]
> additionally setting
> 
> UseDNS no
> 
> in /etc/sshd_config finishes the process yielding this in asl.log:
> 
> [Time 2006.11.03 21:46:20 UTC] [Facility auth] [Sender sshd] [PID 284] [Message error: PAM: Authentication failure for illegal user baduser from 128.83.86.67] [Level 3] [UID -2] [GID -2] [Host rgrtw-05s-power-mac-g5]
> 
> After the requisite number of attempts, denyhosts gives:
> 
> 2006-11-03 15:46:31,432 - denyhosts   : INFO     new denied hosts: ['128.83.86.67']
> 
> (I'm 6 hours behind UTC)
> 
> I think it is now working as intended!

Nice work.

A couple of comments:

- Why is it "Level 3"?  Weird stuff from OS-X, INFO is level 6, ERR is level 3.

- I would use a shorter and simpler regex:
        Authentication failure for illegal user ?P from ?P

but perhaps that one would match bad telnet/rlogin/and local login failures, you
may need:
        .*Sender sshd.*Authentication failure for illegal user ?P from ?P
-- 
René Berber
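The two-stage matching discussed in this thread (an SSHD_FORMAT_REGEX that isolates the PAM message from an asl.log line, then a shorter pattern that pulls the user and source host out of that message), as an added example that is not part of the thread and not denyhosts' own code. The sample log lines are constructed here from the format quoted above; the named groups "user" and "host" are an assumption, since the thread's own group names did not survive extraction. It also shows why the "[Sender sshd]" anchor matters (a failure from another sender is not counted) and why the thread switches to "UseDNS no" (a resolved hostname is not a usable deny entry).

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of Mac OS X asl.log lines.  The first two failure lines
# follow the format quoted in the thread; the repeated attempts, the
# "Sender login" line and the "Accepted publickey" line are made up here.
SAMPLE_ASL_LOG = """\
[Time 2006.11.03 20:40:38 UTC] [Facility auth] [Sender sshd] [PID 400] [Message error: PAM: Authentication failure for illegal user bentones from reg066.reg.utexas.edu] [Level 3] [UID -2] [GID -2] [Host rgrtw-05s-power-mac-g5]
[Time 2006.11.03 21:46:20 UTC] [Facility auth] [Sender sshd] [PID 284] [Message error: PAM: Authentication failure for illegal user baduser from 128.83.86.67] [Level 3] [UID -2] [GID -2] [Host rgrtw-05s-power-mac-g5]
[Time 2006.11.03 21:46:25 UTC] [Facility auth] [Sender sshd] [PID 285] [Message error: PAM: Authentication failure for illegal user baduser from 128.83.86.67] [Level 3] [UID -2] [GID -2] [Host rgrtw-05s-power-mac-g5]
[Time 2006.11.03 21:46:31 UTC] [Facility auth] [Sender sshd] [PID 286] [Message error: PAM: Authentication failure for illegal user baduser from 128.83.86.67] [Level 3] [UID -2] [GID -2] [Host rgrtw-05s-power-mac-g5]
[Time 2006.11.03 21:47:02 UTC] [Facility auth] [Sender login] [PID 290] [Message error: PAM: Authentication failure for illegal user baduser from 10.0.0.5] [Level 3] [UID -2] [GID -2] [Host rgrtw-05s-power-mac-g5]
[Time 2006.11.03 21:47:10 UTC] [Facility auth] [Sender sshd] [PID 291] [Message Accepted publickey for rtw from 192.0.2.10 port 51234 ssh2] [Level 6] [UID -2] [GID -2] [Host rgrtw-05s-power-mac-g5]
"""

# Stage 1: the SSHD_FORMAT_REGEX from the thread.  "[Sender sshd]" drops
# failures logged by other senders (telnet/rlogin/local login).
SSHD_FORMAT_REGEX = re.compile(
    r".* \[Sender sshd\] \[PID \d*\] \[Message .* PAM: (?P<message>.*?)\].*?"
)

# Stage 2: the shorter "Authentication failure for illegal user ... from ..."
# pattern.  Group names "user" and "host" are assumed (not from the thread).
FAILED_ENTRY_REGEX = re.compile(
    r"Authentication failure for illegal user (?P<user>\S+) from (?P<host>\S+)"
)


def parse_failures(log_text):
    """Return (user, host) for every sshd PAM authentication failure in log_text."""
    failures = []
    for line in log_text.splitlines():
        m = SSHD_FORMAT_REGEX.match(line)
        if not m:
            continue  # other sender, or an sshd message that is not a PAM failure
        f = FAILED_ENTRY_REGEX.search(m.group("message"))
        if f:
            failures.append((f.group("user"), f.group("host")))
    return failures


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def denied_hosts(log_text, threshold):
    """IP addresses with at least `threshold` failed illegal-user logins.

    Only addresses are counted: with "UseDNS yes" sshd logs a resolved name
    instead, which is the reason the thread sets "UseDNS no".
    """
    counts = Counter(host for _, host in parse_failures(log_text) if _is_ip(host))
    return sorted(host for host, n in counts.items() if n >= threshold)


def unresolvable_entries(log_text):
    """Failure entries whose source field is a hostname rather than an address."""
    return sorted({host for _, host in parse_failures(log_text) if not _is_ip(host)})


if __name__ == "__main__":
    print("failures:", parse_failures(SAMPLE_ASL_LOG))
    print("new denied hosts:", denied_hosts(SAMPLE_ASL_LOG, threshold=3))
    print("name-only entries:", unresolvable_entries(SAMPLE_ASL_LOG))
```

Run against the constructed sample, the three sshd attempts from 128.83.86.67 reach a threshold of 3 and the host is reported, the "Sender login" failure from 10.0.0.5 is ignored by stage 1, the successful public-key login never reaches stage 2, and the name-only entry from the "UseDNS yes" line is set aside rather than denied.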


_______________________________________________
Denyhosts-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/denyhosts-user
