Pavel Kosina wrote:

> So do I understand well, that denyhost can catch anything saved in 
> auth.log? Even from dovecot?

In theory yes, but not by default; as you say below, you have to 
add/change a regex if (and only if) the log is useful.

> i.e. this?:
> Apr  2 18:31:44 localhost dovecot-auth: (pam_unix) check pass; user unknown
> Apr  2 18:31:44 localhost dovecot-auth: (pam_unix) authentication 
> failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=

Looks useful.

> All I have to do is to make good regex?

Actually it's 2 regexes; put the following in denyhosts.conf:

SSHD_FORMAT_REGEX=.* (sshd.*:|\[sshd\]|dovecot-auth.*:) (?P<message>.*)
USERDEF_FAILED_ENTRY_REGEX=authentication failure.* ruser=(?P<user>\S+) 

The first one extends the services that DH guards, by adding the service 
name found in the log and passing the rest of the log message (after a 
blank space) to the other DH's regexes.  I use a similar change to guard 

The second line (all in one line) is the one that matches the rest of 
the log line, looking for a user name and IP address.  Your log doesn't 
have a user name; that's OK, DH uses the name to distinguish between "root" 
or users found in users-invalid to (usually) apply a lower threshold.

This second line is exactly the same I use with vsftpd, so that one is 
well tested.

René Berber
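
The two-stage matching described in the reply above, as an added example that is not part of the original message and is not DenyHosts code. The first pattern and the dovecot line come from the thread; the rhost/host group in the second pattern and the other sample lines (203.0.113.x addresses) are assumptions made for illustration.

```python
import re

# First pattern, verbatim from the message: selects the guarded services and
# hands the rest of the line on as "message".
SSHD_FORMAT_REGEX = re.compile(
    r".* (sshd.*:|\[sshd\]|dovecot-auth.*:) (?P<message>.*)")

# ASSUMPTION: the second pattern on the page ends after the user group, so the
# rhost/host group here is a hypothetical completion. \S* lets ruser be empty.
ENTRY_REGEX = re.compile(
    r"authentication failure.* ruser=(?P<user>\S*) rhost=(?P<host>\S+)")

# PAGE_LINE is the dovecot line quoted in the thread; the rest are constructed.
PAGE_LINE = ("Apr  2 18:31:44 localhost dovecot-auth: (pam_unix) authentication "
             "failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=")
WITH_HOST = ("Apr  2 18:32:10 localhost dovecot-auth: (pam_unix) authentication "
             "failure; logname= uid=0 euid=0 tty=dovecot ruser=alice "
             "rhost=203.0.113.7")
SSHD_OK = ("Apr  2 18:34:00 localhost sshd[999]: Accepted publickey for bob "
           "from 203.0.113.9")
UNGUARDED = ("Apr  2 18:33:01 localhost CRON[1234]: (pam_unix) session opened "
             "for user root")


def parse_failure(line):
    """Return (service, user, host) for a failed login, or None."""
    fmt = SSHD_FORMAT_REGEX.match(line)
    if fmt is None:
        return None  # stage 1: service is not one of the guarded ones
    entry = ENTRY_REGEX.search(fmt.group("message"))
    if entry is None:
        return None  # stage 2: not a failure, or no remote host to act on
    return fmt.group(1), entry.group("user"), entry.group("host")


if __name__ == "__main__":
    for name, line in [("page line", PAGE_LINE), ("with host", WITH_HOST),
                       ("sshd accepted", SSHD_OK), ("cron", UNGUARDED)]:
        print(f"{name:14} -> {parse_failure(line)}")
```

The line exactly as quoted in the thread passes the first pattern but yields nothing at the second, because its rhost= field is empty and there is no address to count or block.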

Denyhosts-user mailing list