Pavel Kosina wrote:
> So do I understand well, that denyhost can catch anything saved in
> auth.log? Even from dovecot?

In theory yes, but not by default, as you say below you have to add/change a regex if (and only if) the log is useful.

> i.e. this?:
>
> Apr 2 18:31:44 localhost dovecot-auth: (pam_unix) check pass; user unknown
> Apr 2 18:31:44 localhost dovecot-auth: (pam_unix) authentication
> failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=24.97.230.106

Looks useful.

[snip]
> All I have to do is to make good regex?

Actually it's 2 regex, put the following in denyhosts.conf:

SSHD_FORMAT_REGEX=.* (sshd.*:|\[sshd\]|dovecot-auth.*:) (?P<message>.*)
USERDEF_FAILED_ENTRY_REGEX=authentication failure.* ruser=(?P<user>\S+) rhost=(?P<host>\S+)

The first one extends the services that DH guards, by adding the service name found in the log and passing the rest of the log message (after a blank space) to the other DH's regexes. I use a similar change to guard vsftpd.

The second line (all in one line) is the one that matches the rest of the log line, looking for a user name and IP address. Your log doesn't have user name, that's OK, DH uses the name to distinguish between "root" or users found in users-invalid to (usually) apply a lower threshold.

This second line is exactly the same I use with vsftpd, so that one is well tested.

--
René Berber
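Added check, not part of the original message or of DenyHosts itself: the two regexes from the reply are run over the dovecot lines quoted in the thread plus two constructed lines, to see which ones yield a host to block. The `extract` helper, the match-then-search pipeline and the `\S*` variant are assumptions of this example; it shows that `\S+` requires a non-empty `ruser=` value, so the quoted line with an empty `ruser=` field yields its host only under the `\S*` variant.

```python
import re

# The two regexes exactly as given in the reply above.
SSHD_FORMAT_REGEX = re.compile(
    r".* (sshd.*:|\[sshd\]|dovecot-auth.*:) (?P<message>.*)")
USERDEF_FAILED_ENTRY_REGEX = re.compile(
    r"authentication failure.* ruser=(?P<user>\S+) rhost=(?P<host>\S+)")

# Assumption of this example, not from the reply: \S* also accepts an
# empty "ruser=" field.
RELAXED_FAILED_ENTRY_REGEX = re.compile(
    r"authentication failure.* ruser=(?P<user>\S*) rhost=(?P<host>\S+)")

PAM = "(pam_unix) authentication failure; logname= uid=0 euid=0 "
SAMPLES = {
    # The two lines quoted in the thread, re-joined onto one line each.
    "user_unknown": "Apr 2 18:31:44 localhost dovecot-auth: "
                    "(pam_unix) check pass; user unknown",
    "empty_ruser": "Apr 2 18:31:44 localhost dovecot-auth: " + PAM
                   + "tty=dovecot ruser= rhost=24.97.230.106",
    # Constructed lines (documentation addresses, invented users).
    "with_ruser": "Apr 2 18:32:10 localhost dovecot-auth: " + PAM
                  + "tty=dovecot ruser=alice rhost=192.0.2.55",
    "other_service": "Apr 2 18:33:00 localhost cron[99]: " + PAM
                     + "tty=cron ruser=bob rhost=192.0.2.77",
}


def extract(line, failed_rx=USERDEF_FAILED_ENTRY_REGEX):
    """Return (user, host) for a line counted as a failed login, else None.

    Assumed pipeline, following the reply: the format regex selects the
    guarded service and passes <message> on to the failed-entry regex.
    """
    fmt = SSHD_FORMAT_REGEX.match(line)
    if fmt is None:
        return None  # service name not covered by SSHD_FORMAT_REGEX
    hit = failed_rx.search(fmt.group("message"))
    if hit is None:
        return None  # guarded service, but not a failure the regex sees
    return hit.group("user"), hit.group("host")


if __name__ == "__main__":
    for name, line in SAMPLES.items():
        print(f"{name:14} as posted: {extract(line)!s:28} "
              f"relaxed: {extract(line, RELAXED_FAILED_ENTRY_REGEX)}")
```

Running the same check against a few real lines from your own auth.log before relying on a new regex confirms that the host group is actually captured for the failures you care about.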