Sorry for littering the mailing list. I have a correction to the last message. The first USERDEF statement blocks valid usernames. The second one blocks invalid usernames (since user= is absent from log entries for invalid logins).
SSHD_FORMAT_REGEX=.* (sshd.*:|\[sshd\]|vsftpd.*:) (?P<message>.*)
USERDEF_FAILED_ENTRY_REGEX=authentication failure.* rhost=(?P<host>\S+) \s+user=(?P<user>\S+).*
USERDEF_FAILED_ENTRY_REGEX=authentication failure.* rhost=(?P<host>\S+).*

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Denton
Sent: Thursday, September 13, 2007 2:01 PM
To: denyhosts-user@lists.sourceforge.net
Subject: Re: [Denyhosts-user] Denyhosts for VSFTPD not blocking, again...

In case there's anyone else out there who needs to configure denyhosts to block for VSFTPD, here are the directives that needed to be in denyhosts.cfg (credit to Phil...). This assumes you're reading from the correct log...

SSHD_FORMAT_REGEX=.* (sshd.*:|\[sshd\]|vsftpd.*:) (?P<message>.*)
USERDEF_FAILED_ENTRY_REGEX=authentication failure.* rhost=(?P<host>\S+) \s+user=(?P<user>\S+).*

Many thanks to all those who put up with my questions, and thanks to Phil for making such a good product!

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Denton
Sent: Thursday, September 13, 2007 12:30 PM
To: 'René Berber'; denyhosts-user@lists.sourceforge.net
Subject: Re: [Denyhosts-user] Denyhosts for VSFTPD not blocking, again...

List,

After more testing and not much progress I started with a new installation, just to rule out typos or screwed-up files. I've been able to get SSH attempts properly blocked without issue, but figuring out a regex for my messages file that parses VSFTPD failures is still eluding me.
I've been using a program called Kodos, which is supposed to be a Python regex debugger, and it says the following should work for lines containing the user:

.* vsftpd.* authentication failure.* rhost=(?P<host>\S+) \s+user=(?P<user>\S+).*

And it says the following should work for lines that don't contain a user:

.* vsftpd.* authentication failure.* rhost=(?P<host>\S+)

I'm not a genius when it comes to re's, so I'm not sure whether the debugger is correct or not, but the program shows matches for the host and user sections of the test string (from the log). Still, the daemon isn't catching anything out of my messages file.

Does anyone have any input on regex debuggers that have been used for this purpose? And what exactly are the necessary parameters that need to be parsed out of the log file? Is simply matching the whole line enough?

Thanks again to all who have helped.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of René Berber
Sent: Wednesday, September 12, 2007 4:34 PM
To: denyhosts-user@lists.sourceforge.net
Subject: Re: [Denyhosts-user] Denyhosts for VSFTPD not blocking, again...

Dan Denton wrote:

> Thanks for the suggestion. I tried using your regex, and unfortunately, no
> luck. Correct me if I'm wrong, but shouldn't something be written to the
> suspicious-hosts file with all the FTP attempts I'm throwing at this server?

You mean suspicious-logins, don't you? (There is no suspicious-hosts.) And no, there shouldn't be anything in there -- better look at data/hosts; perhaps the host you used is already flagged as known, so it won't be added again (did you delete it from hosts.deny and expect DH to know about that?).

> The timestamps on all the files in the data folder are updated when I
> restart the daemon, but nothing else after that.
>
> I've also noticed that user= isn't logged in the messages file unless I use
> a valid user. If I use an invalid one, the parameter never shows in the log.
That's simple to handle, just make the last part of the regex optional. But it really is a fault in vsftpd. BTW, your first log sample has 2 spaces before the "user=" part, so my regex shouldn't have matched anyway; it needs more tweaking, perhaps:

USERDEF_FAILED_ENTRY_REGEX=.* vsftpd.* authentication failure.* rhost=(?P<host>\S+)(?:\s+user=(?P<user>\S+))?.*

> I get these entries in the denyhosts log file when the daemon runs its
> check. It seems to see new info in the log file, but it's not picking it up?
>
> 2007-09-12 14:44:38,494 - denyhosts : DEBUG /var/log/messages has additional data
> 2007-09-12 14:44:38,496 - denyhosts : DEBUG new hosts: []
> 2007-09-12 14:44:38,496 - denyhosts : DEBUG no new denied hosts
> 2007-09-12 14:44:38,496 - denyhosts : DEBUG no new suspicious logins
>
> Thanks for your help. Any other suggestions?

You have to organize your tests and changes; you are seeing and reporting many different things.

1. Does DenyHosts work with a regex? Well, test it as in:
   - Stop DenyHosts as a daemon
   - Run DenyHosts on the command line with --ignore and optionally --debug

2. Does the regex cover all cases? The only way to be sure is to know all the possible variations on the log messages sent by the service daemon. I, like you, use testing, but that will never be certain.

3. Are you testing correctly? As I said before, make sure your test host is not whitelisted (in allowed-hosts) or an already known and blocked host; of course, make sure that DenyHosts works (the configuration is usable) -- you can test that by seeing if ssh is blocking (that uses the internal regex, not the one you want to test in this case).

4. Are you checking results correctly? Always check DH's log, and take into account your configured cycle time (30 seconds in the configuration you sent).

There are other points you showed, but those are the important ones.
--
René Berber

-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2005.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
_______________________________________________
Denyhosts-user mailing list
Denyhosts-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/denyhosts-user
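The following is an added example, not code from the thread or from the DenyHosts project. It takes the SSHD_FORMAT_REGEX and USERDEF_FAILED_ENTRY_REGEX values posted above and runs them over constructed pam_unix-style syslog lines, mimicking the two-stage matching DenyHosts is understood to do (format regex isolates the `message` group, then each failed-entry regex is tried on that message; whether DenyHosts uses match or search and in which order is an assumption here). It shows that the two-statement form and a single optional-group form both yield the same host/user pairs, that the "with user" regex alone misses invalid-username lines, and, for contrast, a common pitfall when trying to make the user= part optional: wrapping it in square brackets creates a character class that matches one arbitrary character, so the `user` group never exists and the regex can capture a truncated address. The log lines, hostnames and addresses are constructed for the example.

```python
import re

# Regexes as posted in the thread, unchanged (denyhosts.cfg values).
SSHD_FORMAT_REGEX = r".* (sshd.*:|\[sshd\]|vsftpd.*:) (?P<message>.*)"
# First USERDEF statement: lines that carry "user=" (valid usernames).
USERDEF_WITH_USER = r"authentication failure.* rhost=(?P<host>\S+) \s+user=(?P<user>\S+).*"
# Second USERDEF statement: lines without "user=" (invalid usernames).
USERDEF_NO_USER = r"authentication failure.* rhost=(?P<host>\S+).*"

# Single-regex alternative: the user= part in an optional non-capturing group.
USERDEF_OPTIONAL_USER = (
    r"authentication failure.* rhost=(?P<host>\S+)(?:\s+user=(?P<user>\S+))?.*"
)

# Pitfall for contrast (hypothetical, not a recommended setting): square
# brackets do NOT make the trailing part optional.  They define a character
# class matching exactly one character, so no "user" group exists, and on a
# line ending in the address the engine gives back one digit to satisfy it.
PITFALL_BRACKETS = (
    r".* vsftpd.* authentication failure.* rhost=(?P<host>\S+)[\s+user=(?P<user>\S+)].*"
)

# Constructed sample lines in pam_unix syslog format (not from the thread).
# Note the two spaces before "user=", which is what the thread observed.
SAMPLE_LOG = """\
Sep 13 13:55:02 ftp1 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=alice rhost=192.0.2.10  user=alice
Sep 13 13:55:09 ftp1 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=nosuchuser rhost=192.0.2.11
Sep 13 13:56:00 ftp1 sshd[2043]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.5  user=root
Sep 13 13:56:30 ftp1 vsftpd: OK LOGIN: Client "192.0.2.12"
Sep 13 13:57:00 ftp1 cron[999]: (root) CMD (run-parts /etc/cron.hourly)
"""


def extract_failures(log_text, entry_regexes, format_regex=SSHD_FORMAT_REGEX):
    """Two-stage match modelled on the DenyHosts approach (assumption: the
    format regex isolates the 'message' group, then each failed-entry regex
    is tried against that message in order).  Returns [(host, user_or_None)]."""
    fmt = re.compile(format_regex)
    entries = [re.compile(rx) for rx in entry_regexes]
    failures = []
    for line in log_text.splitlines():
        m = fmt.match(line)
        if not m:
            continue                      # not an sshd/vsftpd line at all
        message = m.group("message")
        for rx in entries:
            e = rx.search(message)
            if e:
                failures.append((e.group("host"), e.groupdict().get("user")))
                break                     # first matching USERDEF regex wins
    return failures


def match_whole_line(pattern, line):
    """Apply a pattern that includes the syslog prefix to one complete line;
    returns (host, user_or_None) or None when the pattern does not match."""
    m = re.match(pattern, line)
    if not m:
        return None
    gd = m.groupdict()
    return (gd.get("host"), gd.get("user"))


if __name__ == "__main__":
    print("two USERDEF statements:",
          extract_failures(SAMPLE_LOG, [USERDEF_WITH_USER, USERDEF_NO_USER]))
    print("one optional-group regex:",
          extract_failures(SAMPLE_LOG, [USERDEF_OPTIONAL_USER]))
    print("'with user' regex alone:",
          extract_failures(SAMPLE_LOG, [USERDEF_WITH_USER]))
    invalid_user_line = SAMPLE_LOG.splitlines()[1]
    print("bracket pitfall on the invalid-user line:",
          match_whole_line(PITFALL_BRACKETS, invalid_user_line))
```

Running it prints three hosts for the two-statement and optional-group forms (192.0.2.10/alice, 192.0.2.11/no user, 203.0.113.5/root), only two for the "with user" regex alone, and the truncated host 192.0.2.1 for the bracket form, which is the kind of wrong value that would end up in hosts.deny if such a regex were deployed. The ordering matters when using two statements: the stricter "with user" regex goes first, otherwise the "no user" regex would match every line and the username would never be captured.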