D, Thanks for the suggestion. I tried using your regex, and unfortunately, no luck. Correct me if I'm wrong, but shouldn't something be written to the suspicious-hosts file with all the FTP attempts I'm throwing at this server? The timestamps on all the files in the data folder are updated when I restart the daemon, but nothing else after that.
I've also noticed that user= isn't logged in the messages file unless I use a valid user. If I use an invalid one, the parameter never shows in the log. I get these entries in the denyhosts log file when the daemon runs its check. It seems to see new info in the log file, but it's not picking it up? 2007-09-12 14:44:38,494 - denyhosts : DEBUG /var/log/messages has additional data 2007-09-12 14:44:38,496 - denyhosts : DEBUG new hosts: [] 2007-09-12 14:44:38,496 - denyhosts : DEBUG no new denied hosts 2007-09-12 14:44:38,496 - denyhosts : DEBUG no new suspicious logins Thanks for your help. Any other suggestions? -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Romerstein Sent: Wednesday, September 12, 2007 2:32 PM To: denyhosts-user@lists.sourceforge.net Subject: Re: [Denyhosts-user] Denyhosts for VSFTPD not blocking, again... On Wed, 12 Sep 2007, Dan Denton wrote: > After some research and messing around, I'm reasonable sure the problem is > with the regex. Based on the log snippet you included in your mail, I think the regex you want is: .* vsftpd.* authentication failure.* rhost=(?P<host>\S+) Rene's regex is also looking for the ' user=' information, which you don't appear to be logging. -- D ------------------------------------------------------------------------- This SF.net email is sponsored by: Microsoft Defy all challenges. Microsoft(R) Visual Studio 2005. http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/ _______________________________________________ Denyhosts-user mailing list Denyhosts-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/denyhosts-user ------------------------------------------------------------------------- This SF.net email is sponsored by: Microsoft Defy all challenges. Microsoft(R) Visual Studio 2005. http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/ _______________________________________________ Denyhosts-user mailing list Denyhosts-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/denyhosts-user
