> Here are some examples of asl.log entries that had to be removed before
> DenyHosts could keep running.
>
> [Time 2007.05.14 16:32:17 UTC] [Facility local2] [Sender sudo] [PID -1]
> [Message     turindot : TTY=ttyp1 ; PWD=/Users/turindot ; USER=root ;
> COMMAND=/usr/bin/grep failed to auth /var/log/secure.log] [Level 5] [UID -2]
> [GID -2] [Host fledge]
>
> [Time 2007.05.17 15:35:22 UTC] [Facility daemon] [Sender diskarbitrationd]
> [PID 57] [Message disk1s10   hfs      7291CDB1-85D9-3925-9983-1ED4FCA418B6
> FWB48                   /Volumes/FWB48] [Level 5] [UID -2] [GID -2] [Host
> localhost]
>
> Here's the error encountered.
>
> starting DenyHosts:    /usr/bin/env python
> /System/Library/Frameworks/...denyhosts.py --daemon
> --config=/usr/...denyhosts.cfg
> Traceback (most recent call last):
>   File "/System/Library/Frameworks/...denyhosts.py", line 164, in ?
>     first_time, noemail, daemon)
>   File "/System/Library/Frameworks/...deny_hosts.py", line 82, in __init__
>     offset = self.process_log(logfile, last_offset)
>   File "/System/Library/Frameworks/...deny_hosts.py", line 380, in
> process_log
>     message = sshd_m.group('message')
> IndexError: no such group
>
> DenyHosts exited abnormally
>
> Can the secure.log file be monitored rather than the asl.log file in Mac OS
> X Server? I'm asking partly because of the above problem, and partly because
> the secure.log appears to contain IP addresses of attackers that don't seem
> to appear in the asl.log. Thanks.

Hi,

I observed something similar in my logs.  One of the recent OS X 10.4.x
updates changed the contents and format of the logs.  I now monitor
/var/log/system.log and secure.log for failed logins, in addition to
asl.log.  ipfw.log has a significant amount of data as well.

denyhosts worked nicely for a while, but my hosts.deny file grew to be
gargantuan, so I just decided to deny ALL and allow a few domains
(hosts.allow), and turn off denyhosts to reduce a little load on my
machine.

Fang
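The traceback in the quoted mail shows the failure mode worth guarding against: `sshd_m.group('message')` raises `IndexError: no such group` when the object it is called on is the match of a pattern that has no group by that name, which is what happens once entries from other senders (the sudo line with "failed to auth" in its COMMAND, the diskarbitrationd mount line) start appearing in asl.log. The following is an added example, not DenyHosts' own code or its regexes, of a tolerant scanner for that bracketed asl.log format: it splits each entry into its `[Key value]` fields, consults an sshd pattern only when the Sender field is `sshd`, and reads groups through `groupdict()` so a missing group yields `None` instead of an exception. The sshd failed-login pattern is an assumption based on standard OpenSSH wording, the first two sample entries are the ones quoted above re-joined onto single lines, and the third is a constructed sshd entry using a documentation address.

```python
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Bracketed field format seen in the quoted asl.log entries:
# "[Time ...] [Facility ...] [Sender ...] [PID ...] [Message ...] ... [Host ...]"
# Assumption: a field value does not itself contain "]".
ASL_FIELD_RE = re.compile(r"\[(?P<key>[A-Za-z]+) (?P<value>[^\]]*)\]")

# Assumed pattern for an OpenSSH failed-login message (not DenyHosts' regex).
SSHD_FAILED_RE = re.compile(
    r"Failed (?:password|publickey) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_asl_entry(line: str) -> Optional[Dict[str, str]]:
    """Split one asl.log entry into its bracketed fields.

    Returns a dict such as {"Sender": "sshd", "Message": "..."} or None when
    the line carries no bracketed fields at all (e.g. a wrapped continuation).
    """
    fields = {m.group("key"): m.group("value").strip()
              for m in ASL_FIELD_RE.finditer(line)}
    return fields or None


def extract_failed_login(line: str) -> Optional[Tuple[str, str]]:
    """Return (user, ip) for an sshd failed-login entry, else None.

    Never raises IndexError: the sshd pattern is applied only to entries
    whose Sender is sshd, and groups are read via groupdict(), so an entry
    that matched some other pattern cannot be asked for a group it lacks.
    """
    fields = parse_asl_entry(line)
    if fields is None or fields.get("Sender") != "sshd":
        return None          # sudo, diskarbitrationd, ... are skipped, not fatal
    m = SSHD_FAILED_RE.search(fields.get("Message", ""))
    if m is None:
        return None          # an sshd line that is not a failed login
    groups = m.groupdict()   # missing group -> None rather than IndexError
    user, ip = groups.get("user"), groups.get("ip")
    if user is None or ip is None:
        return None
    return (user, ip)


def scan(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Collect (user, ip) pairs from asl.log lines, continuing past entries
    from other senders instead of aborting the whole run."""
    hits: List[Tuple[str, str]] = []
    for line in lines:
        hit = extract_failed_login(line)
        if hit is not None:
            hits.append(hit)
    return hits


# Sample input. The first two entries are the ones quoted in the mail, re-joined
# onto one line each; the third is a constructed sshd entry in the same format.
SAMPLE_ASL_LINES = [
    "[Time 2007.05.14 16:32:17 UTC] [Facility local2] [Sender sudo] [PID -1] "
    "[Message     turindot : TTY=ttyp1 ; PWD=/Users/turindot ; USER=root ; "
    "COMMAND=/usr/bin/grep failed to auth /var/log/secure.log] [Level 5] [UID -2] "
    "[GID -2] [Host fledge]",
    "[Time 2007.05.17 15:35:22 UTC] [Facility daemon] [Sender diskarbitrationd] "
    "[PID 57] [Message disk1s10   hfs      7291CDB1-85D9-3925-9983-1ED4FCA418B6 "
    "FWB48                   /Volumes/FWB48] [Level 5] [UID -2] [GID -2] [Host "
    "localhost]",
    "[Time 2007.05.18 03:11:09 UTC] [Facility auth] [Sender sshd] [PID 4102] "
    "[Message Failed password for invalid user admin from 203.0.113.7 port 51022 "
    "ssh2] [Level 4] [UID -2] [GID -2] [Host fledge]",
]

if __name__ == "__main__":
    for user, ip in scan(SAMPLE_ASL_LINES):
        print(f"failed login: user={user} ip={ip}")
```

Checking the Sender field before applying the sshd pattern is what keeps the sudo entry harmless: its message contains the word "failed" (inside a grep command line), which is exactly the kind of text a loose pre-filter picks up, but it never reaches the sshd-specific regex here.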



_______________________________________________
Denyhosts-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/denyhosts-user
