Thanks for the info Rene. Yes, suspicious-hosts was a typo. I'll try your suggestions.
Quick question though... How should the data/offset file be formatted? I ask because this is what's in mine: Sep 12 16:23:06 TESTBED002 syslogd 1.4.1: restart. 28391 These messages appear in the denyhosts log file: 2007-09-12 16:42:49,848 - filetracker : DEBUG get_offset(): 2007-09-12 16:42:49,848 - filetracker : DEBUG offset: None Thanks again... -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of René Berber Sent: Wednesday, September 12, 2007 4:34 PM To: denyhosts-user@lists.sourceforge.net Subject: Re: [Denyhosts-user] Denyhosts for VSFTPD not blocking, again... Dan Denton wrote: > Thanks for the suggestion. I tried using your regex, and unfortunately, no > luck. Correct me if I'm wrong, but shouldn't something be written to the > suspicious-hosts file with all the FTP attempts I'm throwing at this server? You mean suspicious-logins don't you? (there is no suspicious-hosts) and no, there shouldn't be anything in there -- better look at data/hosts, perhaps the host you used is already flagged as known so it won't be added again (did you deleted it from hosts.deny and expect DH to know about that?). > The timestamps on all the files in the data folder are updated when I > restart the daemon, but nothing else after that. > > I've also noticed that user= isn't logged in the messages file unless I use > a valid user. If I use an invalid one, the parameter never shows in the log. That's simple to handle, just make optional the last part of the regex. But it really is a fault in vsftpd. BTW your first log sample has 2 spaces before the "user=" part, so my regex shouldn't have matched anyway, it needs more tweaking, perhaps: USERDEF_FAILED_ENTRY_REGEX=.* vsftpd.* authentication failure.* rhost=(?P<host>\S+)[\s+user=(?P<user>\S+)].* > I get these entries in the denyhosts log file when the daemon runs its > check. It seems to see new info in the log file, but it's not picking it up? > > 2007-09-12 14:44:38,494 - denyhosts : DEBUG /var/log/messages has > additional data > 2007-09-12 14:44:38,496 - denyhosts : DEBUG new hosts: [] > 2007-09-12 14:44:38,496 - denyhosts : DEBUG no new denied hosts > 2007-09-12 14:44:38,496 - denyhosts : DEBUG no new suspicious logins > > Thanks for your help. Any other suggestions? You have to organize your tests and changes, you are seeing and reporting many different things. 1. Does DenyHosts work with a regex? Well, test it as in: - Stop DenyHosts as a daemon - Run DenyHosts on the command line with --ignore and optionally --debug 2. Does the regex cover all cases? The only way to be sure is to know all the possible variations on the log messages sent by the service daemon, I, like you, use testing but that will never be certain. 3. Are you testing correctly? As I said before, make sure your test host is not white listed (in allowd-hosts) or an already known and blocked host; of course make sure that DenyHosts works (the configuration is usable) -- you can test that by seeing if ssh is blocking (that uses the internal regex, not the one you want to test in this case). 4. Are you checking results correctly? Always check DH's log, take into account your configured cycle time (30 seconds in the configuration you sent). There are other points you showed but those are the important ones. -- René Berber ------------------------------------------------------------------------- This SF.net email is sponsored by: Microsoft Defy all challenges. Microsoft(R) Visual Studio 2005. http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/ _______________________________________________ Denyhosts-user mailing list Denyhosts-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/denyhosts-user ------------------------------------------------------------------------- This SF.net email is sponsored by: Microsoft Defy all challenges. Microsoft(R) Visual Studio 2005. http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/ _______________________________________________ Denyhosts-user mailing list Denyhosts-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/denyhosts-user
