Hey all, so I built a new server the other day and I'm trying to get a custom regex to pick up on ProFTP login failures. Here's the line I added to my denyhosts.cfg:

USERDEF_FAILED_ENTRY_REGEX=.*proftpd.*USER (?P<user>\S+): no such user found from.*\[(?P<host>.*)\].*:21

When I restart denyhosts, I see this in my log file:

2007-10-24 22:47:59,149 - prefs : INFO USERDEF_FAILED_ENTRY_REGEX: [.*proftpd.*USER (?P<user>\S+): no such user found from.*\[(?P<host>.*)\].*:21]

So I assume that it's loading and using the regex pattern properly. I have lots of log entries in my /var/log/secure that look like this:

Oct 24 22:33:15 example proftpd[21250]: example.com (99.99.99.99[99.99.99.99]) - USER Administrator: no such user found from 99.99.99.99 [99.99.99.99] to 123.123.123.123:21

Using Kodos, I get a valid match, with user=Administrator and host=99.99.99.99.

I have restarted denyhosts multiple times and it's never added 99.99.99.99 to my deny file. It is adding sshd login attempts, so I know that it's working for SSH. I've tried using the --ignore flag to force it to skip the offset. I've even tried wiping the data directory, yet it fails to use my regex to find a bad ftp login attempt.

Any ideas?

Thanks!
Ray

_______________________________________________
Denyhosts-user mailing list
https://lists.sourceforge.net/lists/listinfo/denyhosts-user
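
A way to check the pattern outside the daemon, added here as an example (it is not part of the original post and is not DenyHosts code). It applies the posted regex to the posted log line directly, then again behind an sshd-only line prefilter. The prefilter pattern and the two-stage order are assumptions about how a log watcher might preselect lines, so compare them with the SSHD_FORMAT_REGEX setting of the installed version before drawing conclusions.

```python
import re

# Pattern and proftpd log line copied from the post above.
USERDEF = re.compile(
    r".*proftpd.*USER (?P<user>\S+): no such user found from"
    r".*\[(?P<host>.*)\].*:21"
)
PROFTPD_LINE = (
    "Oct 24 22:33:15 example proftpd[21250]: example.com "
    "(99.99.99.99[99.99.99.99]) - USER Administrator: no such user found "
    "from 99.99.99.99 [99.99.99.99] to 123.123.123.123:21"
)
# Constructed sshd line, used only for contrast.
SSHD_LINE = "Oct 24 22:30:01 example sshd[21100]: Invalid user test from 99.99.99.99"

# ASSUMPTION: an sshd-only prefilter that hands just the message part
# of each accepted line to the failure patterns.
PREFILTER = re.compile(r".* (sshd.*:|\[sshd\]) (?P<message>.*)")


def direct_match(line):
    """Apply the user-defined pattern to the raw line, as Kodos does."""
    m = USERDEF.search(line)
    return m.groupdict() if m else None


def prefilter_accepts(line):
    """True if the assumed prefilter lets the line through at all."""
    return PREFILTER.match(line) is not None


def staged_match(line):
    """Apply the pattern only to lines that pass the assumed prefilter."""
    pre = PREFILTER.match(line)
    if pre is None:
        return None  # line dropped before the user pattern is tried
    m = USERDEF.search(pre.group("message"))
    return m.groupdict() if m else None


if __name__ == "__main__":
    print("direct :", direct_match(PROFTPD_LINE))
    print("staged :", staged_match(PROFTPD_LINE))
    print("sshd line passes prefilter:", prefilter_accepts(SSHD_LINE))
```

If the direct match succeeds while the staged match returns nothing, the pattern itself is sound and the line is being discarded before the pattern is ever tried.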
