Here's the pertinent lines from my conf file. Hope this helps.

SSHD_FORMAT_REGEX=.* (sshd.*:|\[sshd\]|vsftpd.*:) (?P<message>.*)
USERDEF_FAILED_ENTRY_REGEX=authentication failure.* rhost=(?P<host>\S+) \s+user=(?P<user>\S+).*
USERDEF_FAILED_ENTRY_REGEX=authentication failure.* rhost=(?P<host>\S+).*
I think I came to the conclusion that I needed more than one regex after I traded emails with Phil. The two catch the entries that do have a username, and those that don't. Thanks again for putting this out Phil. I've lost count of how many brute force FTP attempts this has blocked.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of René Berber
Sent: Friday, December 28, 2007 3:36 PM
To: [email protected]
Subject: Re: [Denyhosts-user] filter for vsftp will not work

Bart Simpson wrote:

> I have tried to set this to add vsftp:
> USERDEF_FAILED_ENTRY_REGEX=.*vsftpd.* authentication failure.*
> But denyhost will not act in case of wrong logins.:(
> example of the vsftpd log in secure.log
> Dec 28 15:50:01 xxxx44 vsftpd: pam_unix(vsftpd:auth): authentication
> failure; logname= uid=0 euid=0 tty=ftp ruser=dgdgdg
> rhost=p15181508.pureserver.info

The answer is in the list archive
http://sourceforge.net/mailarchive/forum.php?forum_name=denyhosts-user,
on 13 Sep 2007, Phil Schwartz wrote:

> I believe your problem is because DenyHosts only evaluates lines that match the
>
> SSHD_FORMAT_REGEX
>
> If it does, it then applies each of the FAILED_ENTRY_REGEX and USERDEF_FAILED_ENTRY_REGEX regex'es against it. That is, if the line doesn't match SSHD_FORMAT_REGEX it will be ignored completely by DH.
>
> You need to modify SSHD_FORMAT_REGEX to include VSFTPD. By default:
>
> SSHD_FORMAT_REGEX = re.compile(r""".* (sshd.*:|\[sshd\]) (?P<message>.*)""")
>
> You'll need to modify your denyhosts.cfg file and add:
>
> SSHD_FORMAT_REGEX=.* (sshd.*:|\[sshd\]|vsftpd) (?P<message>.*)
>
> (you may want to test this regex in Kodos against the lines in your log file to ensure it matches... tweak it if necessary).
>
> Once that matches, you then need to modify your USERDEF_FAILED_ENTRY_REGEX and remove the prefix that contains vsftpd. That is, it should begin with "authentication ...".
>
> Regards,
>
> Phil
>
> On Thu, 13 Sep 2007, Dan Denton wrote:
>
>> List,
>>
>> After more testing and not much progress I started with a new installation,
>> just to rule out typos or screwed up files. I've been able to get SSH
>> attempts properly blocked without issue, but figuring out a regex for my
>> messages file that parses VSFTPD failures is still eluding me.
>>
>> I've been using a program called Kodos, which is supposed to be a python
>> regex debugger, and it says the following should work for lines containing
>> the user:
>>
>> .* vsftpd.* authentication failure.* rhost=(?P<host>\S+) \s+user=(?P<user>\S+).*
>>
>> And it says the following should work for lines that don't contain a user:
>>
>> .* vsftpd.* authentication failure.* rhost=(?P<host>\S+)
>>
>> I'm not a genius when it comes to re's, so I'm not sure whether the debugger
>> is correct or not, but the program shows matches for the host and user
>> sections of the test string (from the log). Still, the daemon isn't catching
>> anything out of my messages file. Does anyone have any input on regex
>> debuggers that have been used for this purpose? And what exactly are the
>> necessary parameters that need to be parsed out of the log file? Is simply
>> matching the whole line enough?
>>
>> Thanks again to all who have helped.
>>
>> -----Original Message-----
>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of René Berber
>> Sent: Wednesday, September 12, 2007 4:34 PM
>> To: [email protected]
>> Subject: Re: [Denyhosts-user] Denyhosts for VSFTPD not blocking, again...
>>
>> Dan Denton wrote:
>>
>>> Thanks for the suggestion. I tried using your regex, and unfortunately, no
>>> luck. Correct me if I'm wrong, but shouldn't something be written to the
>>> suspicious-hosts file with all the FTP attempts I'm throwing at this server?
>>
>> You mean suspicious-logins don't you? (there is no suspicious-hosts) and no,
>> there shouldn't be anything in there -- better look at data/hosts, perhaps the
>> host you used is already flagged as known so it won't be added again (did you
>> delete it from hosts.deny and expect DH to know about that?).
>>
>>> The timestamps on all the files in the data folder are updated when I
>>> restart the daemon, but nothing else after that.
>>>
>>> I've also noticed that user= isn't logged in the messages file unless I use
>>> a valid user. If I use an invalid one, the parameter never shows in the log.
>>
>> That's simple to handle, just make optional the last part of the regex. But it
>> really is a fault in vsftpd. BTW your first log sample has 2 spaces before the
>> "user=" part, so my regex shouldn't have matched anyway, it needs more tweaking,
>> perhaps:
>>
>> USERDEF_FAILED_ENTRY_REGEX=.* vsftpd.* authentication failure.* rhost=(?P<host>\S+)[\s+user=(?P<user>\S+)].*
>>
>>> I get these entries in the denyhosts log file when the daemon runs its
>>> check. It seems to see new info in the log file, but it's not picking it up?
>>>
>>> 2007-09-12 14:44:38,494 - denyhosts : DEBUG /var/log/messages has additional data
>>> 2007-09-12 14:44:38,496 - denyhosts : DEBUG new hosts: []
>>> 2007-09-12 14:44:38,496 - denyhosts : DEBUG no new denied hosts
>>> 2007-09-12 14:44:38,496 - denyhosts : DEBUG no new suspicious logins
>>>
>>> Thanks for your help. Any other suggestions?
>>
>> You have to organize your tests and changes, you are seeing and reporting many
>> different things.
>>
>> 1. Does DenyHosts work with a regex? Well, test it as in:
>>    - Stop DenyHosts as a daemon
>>    - Run DenyHosts on the command line with --ignore and optionally --debug
>>
>> 2. Does the regex cover all cases? The only way to be sure is to know all the
>> possible variations on the log messages sent by the service daemon, I, like you,
>> use testing but that will never be certain.
>>
>> 3. Are you testing correctly? As I said before, make sure your test host is not
>> white listed (in allowed-hosts) or an already known and blocked host; of course
>> make sure that DenyHosts works (the configuration is usable) -- you can test
>> that by seeing if ssh is blocking (that uses the internal regex, not the one you
>> want to test in this case).
>>
>> 4. Are you checking results correctly? Always check DH's log, take into account
>> your configured cycle time (30 seconds in the configuration you sent).
>>
>> There are other points you showed but those are the important ones.
>>
>
> --
> Regards,
>
> Phil Schwartz - http://www.phil-schwartz.com

--
René Berber

-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2005.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
_______________________________________________
Denyhosts-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/denyhosts-user
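An added example (not code from the thread or from DenyHosts itself) that reproduces the two-stage matching Phil describes, using the three regexes from Dan's working configuration at the top of the thread against constructed log lines. It assumes DenyHosts applies the expressions with re.match, and it models only the USERDEF regexes, not the built-in FAILED_ENTRY_REGEX set that handles sshd lines.

```python
import re

# The three lines from Dan's working denyhosts.cfg, compiled as Python
# regexes the way DenyHosts (a Python daemon) would.
SSHD_FORMAT_REGEX = re.compile(r".* (sshd.*:|\[sshd\]|vsftpd.*:) (?P<message>.*)")
USERDEF_FAILED_ENTRY_REGEXES = [
    # entries that carry a username (two or more spaces before user=)
    re.compile(r"authentication failure.* rhost=(?P<host>\S+) \s+user=(?P<user>\S+).*"),
    # entries without a username (invalid logins, as René observed)
    re.compile(r"authentication failure.* rhost=(?P<host>\S+).*"),
]
# Bart's original attempt, kept only to show why it cannot match once the
# "vsftpd" prefix has already been consumed by SSHD_FORMAT_REGEX.
BART_REGEX = re.compile(r".*vsftpd.* authentication failure.*")


def parse_failed_login(line):
    """Stage 1: SSHD_FORMAT_REGEX on the whole line; lines that fail are
    ignored entirely. Stage 2: each USERDEF regex on the extracted message
    only. Returns {'host': ..., 'user': ...} (user may be None) or None."""
    m = SSHD_FORMAT_REGEX.match(line)
    if not m:
        return None
    message = m.group("message")
    for regex in USERDEF_FAILED_ENTRY_REGEXES:
        f = regex.match(message)
        if f:
            return {"host": f.group("host"), "user": f.groupdict().get("user")}
    return None


def prefixed_regex_matches_message(line):
    """Apply Bart's prefixed regex to the message group, as DenyHosts would,
    instead of to the raw line, as a regex debugger like Kodos would."""
    m = SSHD_FORMAT_REGEX.match(line)
    return bool(m and BART_REGEX.match(m.group("message")))


# Constructed sample lines in the pam_unix format quoted in the thread;
# 203.0.113.x is documentation address space, not a real client.
VALID_USER_LINE = ("Dec 28 15:50:01 ftp1 vsftpd: pam_unix(vsftpd:auth): authentication "
                   "failure; logname= uid=0 euid=0 tty=ftp ruser=alice "
                   "rhost=203.0.113.7  user=alice")
INVALID_USER_LINE = ("Dec 28 15:50:02 ftp1 vsftpd: pam_unix(vsftpd:auth): authentication "
                     "failure; logname= uid=0 euid=0 tty=ftp ruser=dgdgdg rhost=203.0.113.9")
CRON_LINE = "Dec 28 15:50:04 ftp1 CRON[999]: pam_unix(cron:session): session opened for user root by (uid=0)"

if __name__ == "__main__":
    for line in (VALID_USER_LINE, INVALID_USER_LINE, CRON_LINE):
        print(parse_failed_login(line))
    print(prefixed_regex_matches_message(VALID_USER_LINE))
```

Bart's regex matches the raw line (which is what Kodos tests) but never the message group, which is exactly the mismatch Phil points at.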
