I believe your problem is because DenyHosts only evaluates lines that match the SSHD_FORMAT_REGEX.
If it does, it then applies each of the FAILED_ENTRY_REGEX and USERDEF_FAILED_ENTRY_REGEX regexes against it.
That is, if the line doesn't match SSHD_FORMAT_REGEX it will be ignored completely by DH.
You need to modify SSHD_FORMAT_REGEX to include VSFTPD. By default:
SSHD_FORMAT_REGEX = re.compile(r""".* (sshd.*:|\[sshd\]) (?P<message>.*)""")
You'll need to modify your denyhosts.cfg file and add:
SSHD_FORMAT_REGEX=.* (sshd.*:|\[sshd\]|vsftpd) (?P<message>.*)
(you may want to test this regex in Kodos against the lines in your log file to ensure it matches... tweak it if necessary).
Once that matches, you then need to modify your USERDEF_FAILED_ENTRY_REGEX and remove the prefix that contains vsftpd. That is, it should begin with "authentication ...".
Regards,
Phil
On Thu, 13 Sep 2007, Dan Denton wrote:
List,
After more testing and not much progress I started with a new installation,
just to rule out typos or screwed up files. I've been able to get SSH
attempts properly blocked without issue, but figuring out a regex for my
messages file that parses VSFTPD failures is still eluding me.
I've been using a program called Kodos, which is supposed to be a python
regex debugger, and it says the following should work for lines containing
the user:
.* vsftpd.* authentication failure.* rhost=(?P<host>\S+)\s+user=(?P<user>\S+).*
And it says the following should work for lines that don't contain a user:
.* vsftpd.* authentication failure.* rhost=(?P<host>\S+)
I'm not a genius when it comes to re's, so I'm not sure whether the debugger
is correct or not, but the program shows matches for the host and user
sections of the test string (from the log). Still, the daemon isn't catching
anything out of my messages file. Does anyone have any input on regex
debuggers that have been used for this purpose? And what exactly are the
necessary parameters that need to be parsed out of the log file? Is simply
matching the whole line enough?
Thanks again to all who have helped.
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of René Berber
Sent: Wednesday, September 12, 2007 4:34 PM
To: denyhosts-user@lists.sourceforge.net
Subject: Re: [Denyhosts-user] Denyhosts for VSFTPD not blocking, again...
Dan Denton wrote:
Thanks for the suggestion. I tried using your regex, and unfortunately, no
luck. Correct me if I'm wrong, but shouldn't something be written to the
suspicious-hosts file with all the FTP attempts I'm throwing at this
server?
You mean suspicious-logins don't you? (there is no suspicious-hosts) and no, there shouldn't be anything in there -- better look at data/hosts, perhaps the host you used is already flagged as known so it won't be added again (did you delete it from hosts.deny and expect DH to know about that?).
The timestamps on all the files in the data folder are updated when I
restart the daemon, but nothing else after that.
I've also noticed that user= isn't logged in the messages file unless I use a valid user. If I use an invalid one, the parameter never shows in the log.
That's simple to handle, just make optional the last part of the regex. But it really is a fault in vsftpd. BTW your first log sample has 2 spaces before the "user=" part, so my regex shouldn't have matched anyway, it needs more tweaking, perhaps:
USERDEF_FAILED_ENTRY_REGEX=.* vsftpd.* authentication failure.* rhost=(?P<host>\S+)(?:\s+user=(?P<user>\S+))?.*
I get these entries in the denyhosts log file when the daemon runs its check. It seems to see new info in the log file, but it's not picking it up?
2007-09-12 14:44:38,494 - denyhosts : DEBUG /var/log/messages has
additional data
2007-09-12 14:44:38,496 - denyhosts : DEBUG new hosts: []
2007-09-12 14:44:38,496 - denyhosts : DEBUG no new denied hosts
2007-09-12 14:44:38,496 - denyhosts : DEBUG no new suspicious logins
Thanks for your help. Any other suggestions?
You have to organize your tests and changes, you are seeing and reporting many different things.
1. Does DenyHosts work with a regex? Well, test it as in:
- Stop DenyHosts as a daemon
- Run DenyHosts on the command line with --ignore and optionally --debug
2. Does the regex cover all cases? The only way to be sure is to know all the possible variations on the log messages sent by the service daemon, I, like you, use testing but that will never be certain.
3. Are you testing correctly? As I said before, make sure your test host is not white listed (in allowed-hosts) or an already known and blocked host; of course make sure that DenyHosts works (the configuration is usable) -- you can test that by seeing if ssh is blocking (that uses the internal regex, not the one you want to test in this case).
4. Are you checking results correctly? Always check DH's log, take into account your configured cycle time (30 seconds in the configuration you sent).
There are other points you showed but those are the important ones.
--
Regards,
Phil Schwartz
- http://www.phil-schwartz.com
Open Source Projects:
- DenyHosts: http://www.denyhosts.net
- Kodos: http://kodos.sourceforge.net
- ReleaseForge: http://releaseforge.sourceforge.net
- Scratchy: http://scratchy.sourceforge.net
- FAQtor: http://faqtor.sourceforge.net
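An added Python example (not code from this thread or from DenyHosts itself) that replays the two-stage matching Phil describes above: a line must first match SSHD_FORMAT_REGEX, and only the captured message is then tested against USERDEF_FAILED_ENTRY_REGEX, written with the optional user= group René suggests. It assumes constructed log lines with a vsftpd(pam_unix)[pid]: prefix, so the vsftpd alternative is spelled vsftpd.*: by analogy with the sshd one; the helper failed_logins is mine.

```python
import re

# Constructed sample lines in /var/log/messages style (not taken from the thread).
# The second vsftpd line omits "user=", as the thread notes vsftpd does for
# unknown users; the first has two spaces before "user=".
SAMPLE_LOG = """\
Sep 13 10:01:02 ftp1 sshd[1234]: Failed password for invalid user bob from 192.0.2.10 port 4444 ssh2
Sep 13 10:02:03 ftp1 vsftpd(pam_unix)[2345]: authentication failure; logname= uid=0 euid=0 tty=ftp ruser=alice rhost=198.51.100.7  user=alice
Sep 13 10:02:04 ftp1 vsftpd(pam_unix)[2346]: authentication failure; logname= uid=0 euid=0 tty=ftp ruser=nobody rhost=198.51.100.8
Sep 13 10:03:05 ftp1 cron[999]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Stage 1: the default format regex quoted in the thread, and a vsftpd-aware
# variant. A line that fails this stage is never examined further.
DEFAULT_FORMAT = re.compile(r""".* (sshd.*:|\[sshd\]) (?P<message>.*)""")
VSFTPD_FORMAT = re.compile(r""".* (sshd.*:|\[sshd\]|vsftpd.*:) (?P<message>.*)""")

# Stage 2: applied to the captured message only, so it starts at
# "authentication ..." with no vsftpd prefix. The user= part is an optional
# group, and \s+ absorbs the double space before it.
USERDEF_FAILED = re.compile(
    r"""authentication failure.* rhost=(?P<host>\S+)(?:\s+user=(?P<user>\S+))?.*"""
)


def failed_logins(log_text, format_regex):
    """Return (host, user) for each line that passes both stages.

    user is None when the log line carried no user= field.
    """
    hits = []
    for line in log_text.splitlines():
        fmt = format_regex.match(line)
        if not fmt:
            continue  # ignored completely, as Phil describes
        failed = USERDEF_FAILED.match(fmt.group("message"))
        if failed:
            hits.append((failed.group("host"), failed.group("user")))
    return hits


if __name__ == "__main__":
    print("default format regex:", failed_logins(SAMPLE_LOG, DEFAULT_FORMAT))
    print("vsftpd-aware format regex:", failed_logins(SAMPLE_LOG, VSFTPD_FORMAT))
```

With the default format regex the vsftpd lines never reach stage 2, so nothing is reported; with the vsftpd-aware one both failures are picked up, including the one without a user= field. The sshd line passes stage 1 but is not an "authentication failure" message, which is why it is left to the built-in FAILED_ENTRY regexes not reproduced here.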