Dan Denton wrote:
> Thanks for the suggestion. I tried using your regex, and unfortunately, no
> luck. Correct me if I'm wrong, but shouldn't something be written to the
> suspicious-hosts file with all the FTP attempts I'm throwing at this server?
You mean suspicious-logins don't you? (there is no suspicious-hosts) and no,
there shouldn't be anything in there -- better look at data/hosts, perhaps the
host you used is already flagged as known so it won't be added again (did you
deleted it from hosts.deny and expect DH to know about that?).
> The timestamps on all the files in the data folder are updated when I
> restart the daemon, but nothing else after that.
>
> I've also noticed that user= isn't logged in the messages file unless I use
> a valid user. If I use an invalid one, the parameter never shows in the log.
That's simple to handle, just make optional the last part of the regex. But it
really is a fault in vsftpd. BTW your first log sample has 2 spaces before the
"user=" part, so my regex shouldn't have matched anyway, it needs more tweaking,
perhaps:
USERDEF_FAILED_ENTRY_REGEX=.* vsftpd.* authentication failure.*
rhost=(?P<host>\S+)[\s+user=(?P<user>\S+)].*
> I get these entries in the denyhosts log file when the daemon runs its
> check. It seems to see new info in the log file, but it's not picking it up?
>
> 2007-09-12 14:44:38,494 - denyhosts : DEBUG /var/log/messages has
> additional data
> 2007-09-12 14:44:38,496 - denyhosts : DEBUG new hosts: []
> 2007-09-12 14:44:38,496 - denyhosts : DEBUG no new denied hosts
> 2007-09-12 14:44:38,496 - denyhosts : DEBUG no new suspicious logins
>
> Thanks for your help. Any other suggestions?
You have to organize your tests and changes, you are seeing and reporting many
different things.
1. Does DenyHosts work with a regex? Well, test it as in:
- Stop DenyHosts as a daemon
- Run DenyHosts on the command line with --ignore and optionally --debug
2. Does the regex cover all cases? The only way to be sure is to know all the
possible variations on the log messages sent by the service daemon, I, like you,
use testing but that will never be certain.
3. Are you testing correctly? As I said before, make sure your test host is not
white listed (in allowd-hosts) or an already known and blocked host; of course
make sure that DenyHosts works (the configuration is usable) -- you can test
that by seeing if ssh is blocking (that uses the internal regex, not the one you
want to test in this case).
4. Are you checking results correctly? Always check DH's log, take into account
your configured cycle time (30 seconds in the configuration you sent).
There are other points you showed but those are the important ones.
--
René Berber
-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2005.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
_______________________________________________
Denyhosts-user mailing list
Denyhosts-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/denyhosts-user
