Hi,

Here's a fragment of log that shows unexpected DH behaviour:

> May  6 15:34:45 LegoSoft sshd[17878]: User root from 
> pd907d0a7.dip0.t-ipconnect.de not allowed because not listed in AllowUsers
> May  6 15:34:45 LegoSoft sshd[17880]: pam_unix(sshd:auth): authentication 
> failure; logname= uid=0 euid=0 tty=ssh ruser= 
> rhost=pd907d0a7.dip0.t-ipconnect.de  user=root
> May  6 15:34:48 LegoSoft sshd[17878]: error: PAM: Authentication failure for 
> illegal user root from pd907d0a7.dip0.t-ipconnect.de
> May  6 15:34:48 LegoSoft sshd[17878]: Failed keyboard-interactive/pam for 
> invalid user root from 217.7.208.167 port 55907 ssh2
> May  6 15:37:46 LegoSoft sshd[17891]: User root from www1.haefft.de not 
> allowed because not listed in AllowUsers
> May  6 15:37:47 LegoSoft sshd[17893]: pam_unix(sshd:auth): authentication 
> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=www1.haefft.de  user=root
> May  6 15:37:49 LegoSoft sshd[17891]: error: PAM: Authentication failure for 
> illegal user root from www1.haefft.de
> May  6 15:37:49 LegoSoft sshd[17891]: Failed keyboard-interactive/pam for 
> invalid user root from 194.97.156.23 port 4358 ssh2
> May  6 15:39:23 LegoSoft sshd[17899]: reverse mapping checking getaddrinfo 
> for hosted.by.pcextreme.nl [85.92.138.60] failed - POSSIBLE BREAK-IN ATTEMPT!
> May  6 15:39:23 LegoSoft sshd[17899]: User root from 85.92.138.60 not allowed 
> because not listed in AllowUsers
> May  6 15:39:23 LegoSoft sshd[17901]: pam_unix(sshd:auth): authentication 
> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=85.92.138.60  user=root
> May  6 15:39:25 LegoSoft sshd[17899]: error: PAM: Authentication failure for 
> illegal user root from 85.92.138.60
> May  6 15:39:25 LegoSoft sshd[17899]: Failed keyboard-interactive/pam for 
> invalid user root from 85.92.138.60 port 53598 ssh2
> May  6 15:39:28 LegoSoft denyhosts: Added the following hosts to 
> /etc/hosts.deny - 85.92.138.60 (hosted.by.pcextreme.nl)
> May  6 15:40:01 LegoSoft cron[17905]: (root) CMD (test -x /usr/sbin/run-crons 
> && /usr/sbin/run-crons )
> May  6 15:42:07 LegoSoft sshd[17923]: User root from 
> 195.47.114.129.adsl.nextra.cz not allowed because not listed in AllowUsers
> May  6 15:42:07 LegoSoft sshd[17925]: pam_unix(sshd:auth): authentication 
> failure; logname= uid=0 euid=0 tty=ssh ruser= 
> rhost=195.47.114.129.adsl.nextra.cz  user=root
> May  6 15:42:09 LegoSoft sshd[17923]: error: PAM: Authentication failure for 
> illegal user root from 195.47.114.129.adsl.nextra.cz
> May  6 15:42:09 LegoSoft sshd[17923]: Failed keyboard-interactive/pam for 
> invalid user root from 195.47.114.129 port 19259 ssh2
> May  6 15:45:12 LegoSoft sshd[17935]: User root from mail.pragmaticus.ru not 
> allowed because not listed in AllowUsers
> May  6 15:45:12 LegoSoft sshd[17937]: pam_unix(sshd:auth): authentication 
> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=mail.pragmaticus.ru  
> user=root
> May  6 15:45:15 LegoSoft sshd[17935]: error: PAM: Authentication failure for 
> illegal user root from mail.pragmaticus.ru
> May  6 15:45:15 LegoSoft sshd[17935]: Failed keyboard-interactive/pam for 
> invalid user root from 62.118.68.66 port 32810 ssh2
> May  6 15:46:34 LegoSoft sshd[17943]: User root from 
> 213-239-204-42.clients.your-server.de not allowed because not listed in 
> AllowUsers
> May  6 15:46:34 LegoSoft sshd[17945]: pam_unix(sshd:auth): authentication 
> failure; logname= uid=0 euid=0 tty=ssh ruser= 
> rhost=213-239-204-42.clients.your-server.de  user=root
> May  6 15:46:36 LegoSoft sshd[17943]: error: PAM: Authentication failure for 
> illegal user root from 213-239-204-42.clients.your-server.de
> May  6 15:46:36 LegoSoft sshd[17943]: Failed keyboard-interactive/pam for 
> invalid user root from 213.239.204.42 port 4421 ssh2
> May  6 15:49:20 LegoSoft sshd[17954]: User root from 
> abu66.internetdsl.tpnet.pl not allowed because not listed in AllowUsers
> May  6 15:49:21 LegoSoft sshd[17957]: pam_unix(sshd:auth): authentication 
> failure; logname= uid=0 euid=0 tty=ssh ruser= 
> rhost=abu66.internetdsl.tpnet.pl  user=root
> May  6 15:49:23 LegoSoft sshd[17954]: error: PAM: Authentication failure for 
> illegal user root from abu66.internetdsl.tpnet.pl
> May  6 15:49:23 LegoSoft sshd[17954]: Failed keyboard-interactive/pam for 
> invalid user root from 83.16.46.66 port 52169 ssh2
> May  6 15:53:51 LegoSoft sshd[17986]: reverse mapping checking getaddrinfo 
> for 217.16.114.87.ktvpillersee.at [217.16.114.87] failed - POSSIBLE BREAK-IN 
> ATTEMPT!
> May  6 15:53:51 LegoSoft sshd[17986]: User root from 217.16.114.87 not 
> allowed because not listed in AllowUsers
> May  6 15:53:52 LegoSoft sshd[17988]: pam_unix(sshd:auth): authentication 
> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=217.16.114.87  user=root
> May  6 15:53:54 LegoSoft sshd[17986]: error: PAM: Authentication failure for 
> illegal user root from 217.16.114.87
> May  6 15:53:54 LegoSoft sshd[17986]: Failed keyboard-interactive/pam for 
> invalid user root from 217.16.114.87 port 17743 ssh2
> May  6 15:53:59 LegoSoft denyhosts: Added the following hosts to 
> /etc/hosts.deny - 217.16.114.87 (217.16.114.87.ktvpillersee.at)
> May  6 15:55:26 LegoSoft sshd[17994]: User root from 
> 81-7-92-17.static.zebra.lt not allowed because not listed in AllowUsers
> May  6 15:55:26 LegoSoft sshd[17996]: pam_unix(sshd:auth): authentication 
> failure; logname= uid=0 euid=0 tty=ssh ruser= 
> rhost=81-7-92-17.static.zebra.lt  user=root
> May  6 15:55:29 LegoSoft sshd[17994]: error: PAM: Authentication failure for 
> illegal user root from 81-7-92-17.static.zebra.lt
... and keeps on trying

In my DH configuration I have:
DENY_THRESHOLD_ROOT = 1
DAEMON_SLEEP = 10s
FAILED_ENTRY_REGEX7=User (?P<user>\S+) from (?P<host>\S+) not allowed because not listed in .*

The problem is that only the numeric IPs are being caught, anything with 
a host name is not.

Why?  I know the answer is because my regexes (built-in and custom) are 
not matching.

I added this one:

USERDEF_FAILED_ENTRY_REGEX=authentication failure.* ruser= rhost=(?P<host>\S+)  user=(?P<user>\S+)

and now all are caught as expected.

I tested my FAILED_ENTRY_REGEX7 with Kodos and it works fine.  The only 
thing I can think of is that I am not allowed to override a built-in 
regex (contrary to what the FAQ says). Is this correct?

Does anybody see a different explanation?
-- 
René Berber
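As an added example (not part of the original post or of DenyHosts itself), here is a small Python harness that runs the two regexes quoted in the post against the exact syslog lines from the fragment, reconstructed from their mail-wrapped form, and applies the DENY_THRESHOLD_ROOT = 1 rule. It approximates DenyHosts's line scanning with re.search and is meant for checking a regex against raw log lines offline; the dedicated cron line is included as a negative case.

```python
import re
from collections import Counter

# Regexes quoted from the post: the custom FAILED_ENTRY_REGEX7 that was
# reported to catch only numeric IPs, and the USERDEF one that caught all.
REGEXES = {
    "FAILED_ENTRY_REGEX7": re.compile(
        r"User (?P<user>\S+) from (?P<host>\S+) not allowed because not listed in .*"),
    "USERDEF_FAILED_ENTRY_REGEX": re.compile(
        r"authentication failure.* ruser= rhost=(?P<host>\S+)  user=(?P<user>\S+)"),
}
DENY_THRESHOLD_ROOT = 1  # as in the post's configuration

# Sample input constructed from the post's log fragment: mail-wrapped lines
# joined back into single syslog lines. The two spaces before "user=" are
# exactly what pam_unix writes, and the USERDEF regex depends on them.
SAMPLE_LOG = [
    "May  6 15:34:45 LegoSoft sshd[17878]: User root from pd907d0a7.dip0.t-ipconnect.de "
    "not allowed because not listed in AllowUsers",
    "May  6 15:34:45 LegoSoft sshd[17880]: pam_unix(sshd:auth): authentication failure; "
    "logname= uid=0 euid=0 tty=ssh ruser= rhost=pd907d0a7.dip0.t-ipconnect.de  user=root",
    "May  6 15:39:23 LegoSoft sshd[17899]: User root from 85.92.138.60 "
    "not allowed because not listed in AllowUsers",
    "May  6 15:39:23 LegoSoft sshd[17901]: pam_unix(sshd:auth): authentication failure; "
    "logname= uid=0 euid=0 tty=ssh ruser= rhost=85.92.138.60  user=root",
    "May  6 15:40:01 LegoSoft cron[17905]: (root) CMD (test -x /usr/sbin/run-crons "
    "&& /usr/sbin/run-crons )",
]

def match_line(line):
    """Return (regex_name, host, user) for the first regex that matches, else None."""
    for name, rx in REGEXES.items():
        m = rx.search(line)
        if m:
            return name, m.group("host"), m.group("user")
    return None

def hosts_to_deny(lines, threshold=DENY_THRESHOLD_ROOT):
    """Count matched root failures per host and return hosts at or over the threshold."""
    counts = Counter()
    for line in lines:
        hit = match_line(line)
        if hit and hit[2] == "root":
            counts[hit[1]] += 1
    return sorted(h for h, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(match_line(line) or "no match", "<-", line[:60])
    print("deny:", hosts_to_deny(SAMPLE_LOG))
```

Run against these lines, FAILED_ENTRY_REGEX7 does match the hostname form, which agrees with the Kodos result in the post and points the search away from the pattern itself; collapsing the double space before "user=" is enough to break the USERDEF regex, so always test against raw, unwrapped log lines.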


_______________________________________________
Denyhosts-user mailing list
Denyhosts-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/denyhosts-user