René Berber wrote:
> Robert T Wyatt wrote:
> [snip]
>>> - I would use a shorter and simpler regex:
>>> Authentication failure for illegal user ?P from ?P
>>>
>>> but perhaps that one would match bad telnet/rlogin/and local login failures, you
>>> may need:
>>> .*Sender sshd.*Authentication failure for illegal user ?P from ?P
>>
>> I don't have a problem with matching bad logins from other services. Is
>> there a good reason not to match bad logins from telnet, for instance?
>
> With the current DenyHosts it will not work because it adds entries like "sshd:
> 82.194.71.85" to hosts.deny, it is specific for sshd (unlike fail2ban which adds
> "ALL: 82.194.71.85" -- that one stops all access). But that could be easily
> changed in DenyHosts.
I think it has been changed (from /etc/hosts.deny):

# DenyHosts: Sat Nov 4 17:31:06 2006 | ALL: 218.106.127.116
ALL: 218.106.127.116
# DenyHosts: Sat Nov 4 17:31:06 2006 | ALL: 61.182.247.248
ALL: 61.182.247.248

Due to this setting in denyhosts.cfg:

BLOCK_SERVICE = ALL

(version 2.5)

>
>> I'm thinking:
>>
>> Authentication failure for illegal user (\w+) from ([0-9\.]+)
>>
>> This should store the username and IP by my reading. I'm concerned that
>> I missed something fundamental because I don't know the purpose of ?P in
>> denyhosts. Are these special? Is it something generic that I should
>> already know? Perhaps the internal processing done by denyhosts comes
>> into play here?
>
>
> The notation is python's regex, in particular module re:
>
> http://rgruet.free.fr/PQR2.3.html#reModule
>

I see! Thanks, I'll work on it a little. Meanwhile, it works with this:

SSHD_FORMAT_REGEX=.* \[Sender sshd\] \[PID \d*\] \[Message .* PAM: (?P<message>.*?)\].*?

(not quite sure if that's the default that comes with it or not)

Next, I want to see if I can use denyhosts' regex features to read my snort.org output; things like this:

[Time 2006.11.03 14:53:46 UTC] [Facility authpriv] [Sender snort] [PID -1] [Message Portscan detected from 207.42.85.10 Talker(fixed: 30 sliding: 14) Scanner(fixed: 0 sliding: 0)] [Level 1] [UID -2] [GID -2] [Host robert-wyatts-emac]
[Time 2006.11.03 14:53:49 UTC] [Facility authpriv] [Sender snort] [PID -1] [Message Portscan detected from 207.42.85.10 Talker(fixed: 46 sliding: 30) Scanner(fixed: 0 sliding: 0)] [Level 1] [UID -2] [GID -2] [Host robert-wyatts-emac]

--rtw
_______________________________________________
Denyhosts-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/denyhosts-user
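The two-stage matching discussed in this thread (a per-line format regex that isolates the PAM message with a Python `(?P<name>...)` named group, then a second regex that pulls the username and source address out of that message), worked through as an added example. This is not DenyHosts' own code and not code posted by either participant: the SSHD_FORMAT_REGEX and the "illegal user" pattern are taken from the thread, while the snort portscan regex, the sample log lines and the helper function names are assumptions constructed here to show how the same named-group technique would extend to the snort lines Robert quotes, and how BLOCK_SERVICE controls the hosts.deny entry that results.

```python
import re

# Stage 1, from the thread: the per-line format regex for the OS X syslog
# layout. (?P<message>...) is Python re named-group syntax; it isolates the
# PAM text so the second regex only has to look at that part.
SSHD_FORMAT_REGEX = re.compile(
    r".* \[Sender sshd\] \[PID \d*\] \[Message .* PAM: (?P<message>.*?)\].*?"
)

# Stage 2, from the thread: username and source address, with named groups
# in place of the bare (\w+) and ([0-9\.]+).
FAILED_ENTRY_REGEX = re.compile(
    r"Authentication failure for illegal user (?P<user>\w+) from (?P<host>[0-9.]+)"
)

# Assumed pattern for the snort portscan lines quoted in the thread; the
# thread only asks whether this is possible, this regex is an assumption.
SNORT_FORMAT_REGEX = re.compile(
    r".* \[Sender snort\] \[PID -?\d*\] \[Message Portscan detected from (?P<host>[0-9.]+) "
)

# Constructed sample log lines in the layout quoted in the thread.
SAMPLE_LOG = [
    "[Time 2006.11.04 17:31:06 UTC] [Facility authpriv] [Sender sshd] [PID 4242] "
    "[Message error: PAM: Authentication failure for illegal user admin from 218.106.127.116] "
    "[Level 3] [UID 0] [GID 0] [Host robert-wyatts-emac]",
    # A non-sshd PAM failure: the sshd format regex skips it on purpose,
    # which is the point René raised about the Sender filter.
    "[Time 2006.11.04 17:32:00 UTC] [Facility authpriv] [Sender login] [PID 4300] "
    "[Message error: PAM: Authentication failure for illegal user guest from 10.0.0.5] "
    "[Level 3] [UID 0] [GID 0] [Host robert-wyatts-emac]",
    "[Time 2006.11.03 14:53:46 UTC] [Facility authpriv] [Sender snort] [PID -1] "
    "[Message Portscan detected from 207.42.85.10 Talker(fixed: 30 sliding: 14) "
    "Scanner(fixed: 0 sliding: 0)] [Level 1] [UID -2] [GID -2] [Host robert-wyatts-emac]",
]


def parse_sshd_failure(line):
    """Return (user, host) for an sshd 'illegal user' failure, else None."""
    m = SSHD_FORMAT_REGEX.match(line)
    if not m:
        return None
    entry = FAILED_ENTRY_REGEX.search(m.group("message"))
    if not entry:
        return None
    return entry.group("user"), entry.group("host")


def parse_snort_portscan(line):
    """Return the scanning host for a snort portscan line, else None."""
    m = SNORT_FORMAT_REGEX.match(line)
    return m.group("host") if m else None


def hosts_deny_entry(host, block_service="ALL"):
    """Render a hosts.deny line the way BLOCK_SERVICE does: 'ALL: host'
    blocks every tcp_wrappers service, 'sshd: host' only sshd."""
    return "%s: %s" % (block_service, host)


def collect_offenders(lines):
    """Map offending host -> list of reasons, across both log sources."""
    offenders = {}
    for line in lines:
        hit = parse_sshd_failure(line)
        if hit:
            user, host = hit
            offenders.setdefault(host, []).append("sshd illegal user %s" % user)
            continue
        host = parse_snort_portscan(line)
        if host:
            offenders.setdefault(host, []).append("snort portscan")
    return offenders


if __name__ == "__main__":
    for host, reasons in collect_offenders(SAMPLE_LOG).items():
        print(hosts_deny_entry(host), "#", "; ".join(reasons))
```

Run stand-alone it prints one hosts.deny style line per offending address; the "[Sender login]" line is dropped because the first-stage regex requires "[Sender sshd]", which is exactly the narrowing René suggested for keeping telnet/rlogin/local failures out of an sshd-specific block list.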
