Pavel Kosina wrote:

> So do I understand well, that denyhost can catch anything saved in 
> auth.log? Even from dovecot?

In theory yes, but not by default; as you say below, you have to 
add/change a regex if (and only if) the log is useful.

> i.e. this?:
> 
> Apr  2 18:31:44 localhost dovecot-auth: (pam_unix) check pass; user unknown
> Apr  2 18:31:44 localhost dovecot-auth: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=24.97.230.106

Looks useful.

[snip]
> All I have to do is to make good regex?

Actually it's 2 regexes; put the following in denyhosts.conf:

SSHD_FORMAT_REGEX=.* (sshd.*:|\[sshd\]|dovecot-auth.*:) (?P<message>.*)
USERDEF_FAILED_ENTRY_REGEX=authentication failure.* ruser=(?P<user>\S+) rhost=(?P<host>\S+)

The first one extends the services that DH guards, by adding the service 
name found in the log and passing the rest of the log message (after a 
blank space) to the other DH's regexes.  I use a similar change to guard 
vsftpd.

The second line (all in one line) is the one that matches the rest of 
the log line, looking for a user name and IP address.  Your log doesn't 
have a user name; that's OK, DH uses the name to distinguish between "root" 
or users found in users-invalid to (usually) apply a lower threshold.

This second line is exactly the same one I use with vsftpd, so that one is 
well tested.
-- 
René Berber
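
Added example, not part of the original message and not DenyHosts' own code: a Python check that runs the two patterns from the reply over the quoted dovecot line and two constructed lines before they go into denyhosts.conf. The match/search calls, the constructed sample lines and the \S* variant are assumptions made for this illustration.

```python
import re

# The two patterns from the post, each on a single line as in denyhosts.conf.
SSHD_FORMAT_REGEX = re.compile(
    r".* (sshd.*:|\[sshd\]|dovecot-auth.*:) (?P<message>.*)")
USERDEF_FAILED_ENTRY_REGEX = re.compile(
    r"authentication failure.* ruser=(?P<user>\S+) rhost=(?P<host>\S+)")
# Hypothetical variant (not from the post): \S* lets an empty ruser= match.
EMPTY_USER_VARIANT = re.compile(
    r"authentication failure.* ruser=(?P<user>\S*) rhost=(?P<host>\S+)")

PREFIX = "Apr  2 18:31:44 localhost "
SAMPLES = {
    # The dovecot line quoted in the thread (ruser is empty).
    "quoted": PREFIX + "dovecot-auth: (pam_unix) authentication failure; "
              "logname= uid=0 euid=0 tty=dovecot ruser= rhost=24.97.230.106",
    # Constructed lines; 192.0.2.x is a documentation address range.
    "named": PREFIX + "dovecot-auth: (pam_unix) authentication failure; "
             "logname= uid=0 euid=0 tty=dovecot ruser=alice rhost=192.0.2.10",
    "other": PREFIX + "cron[311]: (pam_unix) authentication failure; "
             "logname= uid=0 euid=0 tty=cron ruser=bob rhost=192.0.2.11",
}

def parse(line, entry_regex=USERDEF_FAILED_ENTRY_REGEX):
    """Return (user, host) for a failed login, or None if either stage misses.

    Assumption: the service pattern is anchored at the start of the line
    (match) and the entry pattern may hit anywhere in the message (search).
    """
    service = SSHD_FORMAT_REGEX.match(line)
    if service is None:
        return None  # service not guarded by the first pattern
    entry = entry_regex.search(service.group("message"))
    if entry is None:
        return None  # message not recognised as a failed entry
    return entry.group("user"), entry.group("host")

if __name__ == "__main__":
    for name, line in SAMPLES.items():
        print(name, parse(line), parse(line, EMPTY_USER_VARIANT))
```

With the patterns as posted, the quoted line with an empty ruser= yields no entry, while the \S* variant extracts its rhost.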


_______________________________________________
Denyhosts-user mailing list
Denyhosts-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/denyhosts-user