List,

After some research and messing around, I'm reasonably sure the problem is
with the regex. Many thanks to Rene for his help, but I think I was
overzealous in assuming that the regex worked, and may have been blocked due
to an entry in the hosts.deny file from previous tests using SSH. I'm using
a regex tester from here:

http://www.roblocher.com/technotes/regexp.aspx

and I can seem to get a match on my message log entries when using " .*
vsftpd.* authentication failure.* rhost=.*", but when I plug that into the
conf file nothing gets blocked, and in fact when watching the denyhosts
daemon log file, the updates (which should happen every 10 seconds) stop
altogether.

Can anyone confirm that the regex below should work for redhat, and that
maybe I'm just a slow kid and am doing something else wrong? If so, please
give me any input. Any help is greatly appreciated.

-----Original Message-----
From: Dan Denton [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, September 12, 2007 9:55 AM
To: 'denyhosts-user@lists.sourceforge.net'
Subject: Denyhosts for VSFTPD not blocking, again...

Yesterday I was having difficulty with the getting denyhosts to properly
block brute force attacks against my VSFTPD server, and Rene was kind enough
to provide me with the following regex:

USERDEF_FAILED_ENTRY_REGEX=.* vsftpd.* authentication failure.* rhost=(?P<host>\S+) user=(?P<user>\S+).*

Since yesterday evening, after trying a few things with the config file, now
the daemon doesn't seem to recognize the entries from my /var/log/messages
file, and nothing gets blocked. I have been able to successfully configure
the daemon to block SSHD brute force attacks, so I know the program works,
but getting it to block VSFTPD attacks like it did yesterday isn't
happening. 

I've attached the config file from my installation. Below is a snippet from
my messages file for one of the failed attempts I've tried for testing.

Sep 12 09:36:38 tb002 vsftpd(pam_unix)[5096]: check pass; user unknown
Sep 12 09:36:38 tb002 vsftpd(pam_unix)[5096]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=192.168.100.236

Can anyone tell me why the regex doesn't seem to be working anymore?

One thing I thought odd, and it may be nothing, but I have multiple names in
my hosts file for this system, and yesterday's message file entries had the
system name as TESTBED002, this morning (after a reboot last night), they're
showing as tb002. Could this be a factor? Thanks in advance...


Dan Denton
Systems Administrator
RemitPro
402-861-0005
[EMAIL PROTECTED]
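Added example (not from the thread and not DenyHosts' own code): a small Python check that runs a USERDEF_FAILED_ENTRY_REGEX against constructed log lines modelled on the /var/log/messages excerpt above, so a pattern can be verified offline before it goes into the denyhosts config. DenyHosts patterns use Python's (?P<name>...) named-group syntax, so Python's re module is the right tester for them. The sample vsftpd line ends at rhost= and carries no " user=" field, which the regex from the thread requires after the host; the second pattern, with the user group made optional, is my own variant and an assumption about the intended behaviour, not something from the thread. The sample lines, including the one with the older TESTBED002 hostname and the sshd line, are constructed for this test.

```python
import re

# Constructed sample log lines, modelled on the /var/log/messages excerpt in
# the thread. A syslog record is one physical line; mail wrapping only made it
# look like two.
SAMPLE_LOG = [
    "Sep 12 09:36:38 tb002 vsftpd(pam_unix)[5096]: check pass; user unknown",
    "Sep 12 09:36:38 tb002 vsftpd(pam_unix)[5096]: authentication failure; "
    "logname= uid=0 euid=0 tty= ruser= rhost=192.168.100.236",
    # Same kind of event with the other hostname from /etc/hosts (constructed):
    # the leading '.* vsftpd' swallows whatever the host field is.
    "Sep 11 17:02:11 TESTBED002 vsftpd(pam_unix)[4711]: authentication failure; "
    "logname= uid=0 euid=0 tty= ruser= rhost=192.168.100.236",
    # An sshd failure (constructed); a vsftpd-specific pattern must not match it.
    "Sep 12 09:40:01 tb002 sshd(pam_unix)[5120]: authentication failure; "
    "logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.100.50 user=root",
]

# The regex from the thread, joined onto one line.
REGEX_FROM_THREAD = (
    r".* vsftpd.* authentication failure.* rhost=(?P<host>\S+) user=(?P<user>\S+).*"
)

# My variant (an assumption, not from the thread): the ' user=' part is made
# optional because pam_unix omits it when the user is unknown.
REGEX_OPTIONAL_USER = (
    r".* vsftpd.* authentication failure.* rhost=(?P<host>\S+)(?: user=(?P<user>\S+))?.*"
)


def match_failed_entry(pattern, line):
    """Return {'host': ..., 'user': ...} if the line matches, else None.

    re.match anchors at the start of the line; patterns that begin with '.* '
    are written with that anchoring in mind. 'user' is None when the pattern
    has no user group or the optional group did not participate.
    """
    m = re.match(pattern, line)
    if m is None:
        return None
    return {"host": m.group("host"), "user": m.groupdict().get("user")}


def extract_hosts(pattern, lines):
    """Apply the pattern to every line and collect the rhost values it yields."""
    hosts = []
    for line in lines:
        result = match_failed_entry(pattern, line)
        if result is not None:
            hosts.append(result["host"])
    return hosts


if __name__ == "__main__":
    for name, pattern in (
        ("regex from the thread", REGEX_FROM_THREAD),
        ("user group optional", REGEX_OPTIONAL_USER),
    ):
        print(f"{name}: {extract_hosts(pattern, SAMPLE_LOG)}")
```

Running it shows the thread's pattern yielding no hosts at all from these lines, while the optional-user variant extracts 192.168.100.236 from both vsftpd failures and still ignores the sshd line; the hostname change from TESTBED002 to tb002 makes no difference to either pattern.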



_______________________________________________
Denyhosts-user mailing list
Denyhosts-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/denyhosts-user