Bart Simpson wrote:

> I have tried to set this to add vsftpd:
>
> USERDEF_FAILED_ENTRY_REGEX=.*vsftpd.* authentication failure.*
>
> But denyhosts will not act in case of wrong logins. :(
> Example of the vsftpd log in secure.log:
>
> Dec 28 15:50:01 xxxx44 vsftpd: pam_unix(vsftpd:auth): authentication
> failure; logname= uid=0 euid=0 tty=ftp ruser=dgdgdg
> rhost=p15181508.pureserver.info
The answer is in the list archive (http://sourceforge.net/mailarchive/forum.php?forum_name=denyhosts-user); on 13 Sep 2007, Phil Schwartz wrote:

> I believe your problem is because DenyHosts only evaluates lines that match
> the
>
> SSHD_FORMAT_REGEX
>
> If it does, it then applies each of the FAILED_ENTRY_REGEX and
> USERDEF_FAILED_ENTRY_REGEX regexes against it. That is, if the line doesn't
> match SSHD_FORMAT_REGEX it will be ignored completely by DH.
>
> You need to modify SSHD_FORMAT_REGEX to include VSFTPD. By default:
>
> SSHD_FORMAT_REGEX = re.compile(r""".* (sshd.*:|\[sshd\]) (?P<message>.*)""")
>
> You'll need to modify your denyhosts.cfg file and add:
>
> SSHD_FORMAT_REGEX=.* (sshd.*:|\[sshd\]|vsftpd) (?P<message>.*)
>
> (you may want to test this regex in Kodos against the lines in your log
> file to ensure it matches... tweak it if necessary).
>
> Once that matches, you then need to modify your USERDEF_FAILED_ENTRY_REGEX and
> remove the prefix that contains vsftpd. That is, it should begin with
> "authentication ...".
>
> Regards,
>
> Phil
>
> On Thu, 13 Sep 2007, Dan Denton wrote:
>
>> List,
>>
>> After more testing and not much progress I started with a new installation,
>> just to rule out typos or screwed up files. I've been able to get SSH
>> attempts properly blocked without issue, but figuring out a regex for my
>> messages file that parses VSFTPD failures is still eluding me.
>>
>> I've been using a program called Kodos, which is supposed to be a python
>> regex debugger, and it says the following should work for lines containing
>> the user:
>>
>> .* vsftpd.* authentication failure.* rhost=(?P<host>\S+)
>> \s+user=(?P<user>\S+).*
>>
>> And it says the following should work for lines that don't contain a user:
>>
>> .* vsftpd.* authentication failure.* rhost=(?P<host>\S+)
>>
>> I'm not a genius when it comes to re's, so I'm not sure whether the debugger
>> is correct or not, but the program shows matches for the host and user
>> sections of the test string (from the log). Still, the daemon isn't catching
>> anything out of my messages file. Does anyone have any input on regex
>> debuggers that have been used for this purpose? And what exactly are the
>> necessary parameters that need to be parsed out of the log file? Is simply
>> matching the whole line enough?
>>
>> Thanks again to all who have helped.
>>
>>
>> -----Original Message-----
>> From: [EMAIL PROTECTED]
>> [mailto:[EMAIL PROTECTED] On Behalf Of René Berber
>> Sent: Wednesday, September 12, 2007 4:34 PM
>> To: [email protected]
>> Subject: Re: [Denyhosts-user] Denyhosts for VSFTPD not blocking, again...
>>
>> Dan Denton wrote:
>>
>>> Thanks for the suggestion. I tried using your regex, and unfortunately, no
>>> luck. Correct me if I'm wrong, but shouldn't something be written to the
>>> suspicious-hosts file with all the FTP attempts I'm throwing at this
>>> server?
>>
>> You mean suspicious-logins don't you? (there is no suspicious-hosts) and no,
>> there shouldn't be anything in there -- better look at data/hosts, perhaps
>> the host you used is already flagged as known so it won't be added again
>> (did you delete it from hosts.deny and expect DH to know about that?).
>>
>>> The timestamps on all the files in the data folder are updated when I
>>> restart the daemon, but nothing else after that.
>>>
>>> I've also noticed that user= isn't logged in the messages file unless I
>>> use a valid user. If I use an invalid one, the parameter never shows in
>>> the log.
>>
>> That's simple to handle, just make optional the last part of the regex. But
>> it really is a fault in vsftpd. BTW your first log sample has 2 spaces before
>> the "user=" part, so my regex shouldn't have matched anyway, it needs more
>> tweaking, perhaps:
>>
>> USERDEF_FAILED_ENTRY_REGEX=.* vsftpd.* authentication failure.*
>> rhost=(?P<host>\S+)[\s+user=(?P<user>\S+)].*
>>
>>> I get these entries in the denyhosts log file when the daemon runs its
>>> check. It seems to see new info in the log file, but it's not picking it
>>> up?
>>>
>>> 2007-09-12 14:44:38,494 - denyhosts : DEBUG /var/log/messages has
>>> additional data
>>> 2007-09-12 14:44:38,496 - denyhosts : DEBUG new hosts: []
>>> 2007-09-12 14:44:38,496 - denyhosts : DEBUG no new denied hosts
>>> 2007-09-12 14:44:38,496 - denyhosts : DEBUG no new suspicious logins
>>>
>>> Thanks for your help. Any other suggestions?
>>
>> You have to organize your tests and changes, you are seeing and reporting
>> many different things.
>>
>> 1. Does DenyHosts work with a regex? Well, test it as in:
>>    - Stop DenyHosts as a daemon
>>    - Run DenyHosts on the command line with --ignore and optionally
>>      --debug
>>
>> 2. Does the regex cover all cases? The only way to be sure is to know all
>> the possible variations on the log messages sent by the service daemon. I,
>> like you, use testing but that will never be certain.
>>
>> 3. Are you testing correctly? As I said before, make sure your test host is
>> not white listed (in allowed-hosts) or an already known and blocked host; of
>> course make sure that DenyHosts works (the configuration is usable) -- you
>> can test that by seeing if ssh is blocking (that uses the internal regex,
>> not the one you want to test in this case).
>>
>> 4. Are you checking results correctly?
>> Always check DH's log, take into account
>> your configured cycle time (30 seconds in the configuration you sent).
>>
>> There are other points you showed but those are the important ones.
>
> --
> Regards,
>
> Phil Schwartz - http://www.phil-schwartz.com

--
René Berber

_______________________________________________
Denyhosts-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/denyhosts-user
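To make the two-stage evaluation Phil describes concrete, here is an added Python simulation run over the vsftpd line Bart quoted; it is example code written for this page, not DenyHosts' own source. It assumes both stages use match(), and the `vsftpd.*:` alternative is an adaptation mirroring the existing `sshd.*:` one: on Bart's line a colon, not a space, follows the daemon name, so the bare `vsftpd` alternative does not match at all.

```python
import re

# Constructed sample input: the vsftpd line Bart quoted, and an sshd line of the
# default DenyHosts form (both embedded here so the example runs offline).
VSFTPD_LINE = ("Dec 28 15:50:01 xxxx44 vsftpd: pam_unix(vsftpd:auth): authentication "
               "failure; logname= uid=0 euid=0 tty=ftp ruser=dgdgdg "
               "rhost=p15181508.pureserver.info")
SSHD_LINE = ("Dec 28 15:50:02 xxxx44 sshd[1234]: Failed password for dgdgdg "
             "from 10.0.0.9 port 2222 ssh2")

# Stage 1: the default SSHD_FORMAT_REGEX quoted in the thread, the extension with a
# bare 'vsftpd' alternative, and a hypothetical variant written like the sshd one
# ('vsftpd.*:') so that it also consumes the 'pam_unix(vsftpd:auth):' prefix.
FORMAT_DEFAULT = re.compile(r""".* (sshd.*:|\[sshd\]) (?P<message>.*)""")
FORMAT_BARE = re.compile(r""".* (sshd.*:|\[sshd\]|vsftpd) (?P<message>.*)""")
FORMAT_COLON = re.compile(r""".* (sshd.*:|\[sshd\]|vsftpd.*:) (?P<message>.*)""")

# Stage 2: a user-defined failed-entry regex applied to the message group only, so
# it begins with "authentication" as Phil advises. The 'user=' part is an optional
# group (not a character class) because vsftpd omits it for unknown users.
USERDEF_FAILED = re.compile(
    r"""authentication failure;.*rhost=(?P<host>\S+)(?:\s+user=(?P<user>\S+))?.*""")


def message_of(line, format_regex):
    """Stage 1: return the 'message' group, or None if the line is ignored."""
    m = format_regex.match(line)
    return m.group("message") if m else None


def classify(line, format_regex, failed_regex=USERDEF_FAILED):
    """Return (host, user) for a failed login, or None if nothing is recorded.

    Mirrors the two-stage evaluation described in the thread: a line that fails
    the format regex never reaches the failed-entry regexes. Using match() for
    both stages is an assumption about DenyHosts, not taken from the thread.
    """
    message = message_of(line, format_regex)
    if message is None:
        return None  # stage 1 failed: ignored completely
    f = failed_regex.match(message)
    if f is None:
        return None  # stage 2 failed: matched the daemon, but not a login failure
    return f.group("host"), f.group("user")


if __name__ == "__main__":
    for name, rx in (("default", FORMAT_DEFAULT), ("bare", FORMAT_BARE),
                     ("colon", FORMAT_COLON)):
        print(name, "->", classify(VSFTPD_LINE, rx))
```

Feeding a handful of real lines from secure.log through the same two functions before editing denyhosts.cfg is the offline version of René's "run DenyHosts on the command line" test.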
