Phil Schwartz wrote:
> That particular output indicates that your changed regex is being
> recognized by DH. Whether or not it's working properly, that's another
> matter.
>
> If you restart in --debug mode, you can tail -f the denyhosts.log and
> then append similar lines (as those that seem problematic) to your
> secure.log, save it, and see what DH is reporting in its log.

Is there an additional option to see what regex is matched? I had to add my own lines to the code to get this:

> 2008-05-06 18:15:12,474 - denyhosts : DEBUG /var/log/messages has
> additional data
> 2008-05-06 18:15:12,500 - denyhosts : INFO checked: Failed
> (?P<method>.*) for (?P<invalid>invalid user |illegal user )?(?P<user>.*?)
> .*from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
> 2008-05-06 18:15:12,501 - denyhosts : INFO checked:
> (?P<invalid>(Illegal|Invalid)) user (?P<user>.*?) .*from
> (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
> 2008-05-06 18:15:12,501 - denyhosts : INFO checked: Authentication
> failure for (?P<user>.*) .*from
> (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
> 2008-05-06 18:15:12,501 - denyhosts : INFO checked: Authentication
> failure for (?P<user>.*) .*from (?P<host>.*)
> 2008-05-06 18:15:12,501 - denyhosts : INFO checked: User (?P<user>.*)
> .*from (?P<host>.*) not allowed because none of user's groups are listed in
> AllowGroups$
> 2008-05-06 18:15:12,501 - denyhosts : INFO checked: Did not receive
> identification string .*from
> (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
> 2008-05-06 18:15:12,501 - denyhosts : INFO checked: User (?P<user>\S+)
> from (?P<host>\S+) not allowed because not listed in .*
> 2008-05-06 18:15:12,501 - denyhosts : INFO matched: User (?P<user>\S+)
> from (?P<host>\S+) not allowed because not listed in .*
> 2008-05-06 18:15:12,502 - denyhosts : DEBUG user: root - host:
> 43.220.forpsi.net - success: 0 - invalid: 1
> 2008-05-06 18:15:12,513 - denyhosts : INFO checked: Failed
> (?P<method>.*) for (?P<invalid>invalid user |illegal user )?(?P<user>.*?)
> .*from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
> 2008-05-06 18:15:12,514 - denyhosts : INFO checked:
> (?P<invalid>(Illegal|Invalid)) user (?P<user>.*?) .*from
> (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
> 2008-05-06 18:15:12,514 - denyhosts : INFO checked: Authentication
> failure for (?P<user>.*) .*from
> (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
> 2008-05-06 18:15:12,514 - denyhosts : INFO checked: Authentication
> failure for (?P<user>.*) .*from (?P<host>.*)
> 2008-05-06 18:15:12,514 - denyhosts : INFO checked: User (?P<user>.*)
> .*from (?P<host>.*) not allowed because none of user's groups are listed in
> AllowGroups$
> 2008-05-06 18:15:12,514 - denyhosts : INFO checked: Did not receive
> identification string .*from
> (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
> 2008-05-06 18:15:12,514 - denyhosts : INFO checked: User (?P<user>\S+)
> from (?P<host>\S+) not allowed because not listed in .*
> 2008-05-06 18:15:12,515 - denyhosts : INFO checked: authentication
> failure.* ruser= rhost=(?P<host>\S+) user=(?P<user>\S+)
> 2008-05-06 18:15:12,515 - denyhosts : INFO matched: authentication
> failure.* ruser= rhost=(?P<host>\S+) user=(?P<user>\S+)
> 2008-05-06 18:15:12,515 - denyhosts : DEBUG user: root - host:
> 43.220.forpsi.net - success: 0 - invalid: 1
> 2008-05-06 18:15:12,516 - denyhosts : INFO checked: Failed
> (?P<method>.*) for (?P<invalid>invalid user |illegal user )?(?P<user>.*?)
> .*from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
> 2008-05-06 18:15:12,516 - denyhosts : INFO checked:
> (?P<invalid>(Illegal|Invalid)) user (?P<user>.*?) .*from
> (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
> 2008-05-06 18:15:12,516 - denyhosts : INFO checked: Authentication
> failure for (?P<user>.*) .*from
> (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
> 2008-05-06 18:15:12,516 - denyhosts : INFO checked: Authentication
> failure for (?P<user>.*) .*from (?P<host>.*)
> 2008-05-06 18:15:12,516 - denyhosts : INFO matched: Authentication
> failure for (?P<user>.*) .*from (?P<host>.*)
> 2008-05-06 18:15:12,516 - denyhosts : DEBUG user: illegal user root -
> host: 43.220.forpsi.net - success: 0 - invalid: 1
> 2008-05-06 18:15:12,517 - denyhosts : INFO checked: Failed
> (?P<method>.*) for (?P<invalid>invalid user |illegal user )?(?P<user>.*?)
> .*from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
> 2008-05-06 18:15:12,517 - denyhosts : INFO matched: Failed
> (?P<method>.*) for (?P<invalid>invalid user |illegal user )?(?P<user>.*?)
> .*from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
> 2008-05-06 18:15:12,517 - denyhosts : DEBUG user: root - host:
> 81.2.220.43 - success: 0 - invalid: 1
> 2008-05-06 18:15:12,528 - denyhosts : DEBUG new hosts:
> ['43.220.forpsi.net']

The INFOs are from what I added. The modified REGEX7 is working (the first match). I'm not sure what happened before, it didn't start working until I added the other regex (second match).

Good news is that I don't need to simulate anything, the guy keeps trying, one attempt from one IP address, and he seems to have a very long list of hosts he's using... and will be reported to the sync server, so he's burning his list :-)

--
René Berber
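
A stand-alone way to see which pattern fires for a given message, added here as an example (not DenyHosts code and not part of the original post): it replays the eight patterns shown in the log above, in logged order, and flags a `user` capture that contains whitespace, as in the `illegal user root` entry. The names `trace` and `loose_user`, the sample messages, and the use of case-sensitive `re.search` on the message text are assumptions.

```python
import re

# Patterns copied from the "checked:" lines in the log above, in logged order.
# IP is only a shorthand for the address sub-pattern those lines repeat.
IP = r"(::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
PATTERNS = [
    r"Failed (?P<method>.*) for (?P<invalid>invalid user |illegal user )?(?P<user>.*?) .*from " + IP,
    r"(?P<invalid>(Illegal|Invalid)) user (?P<user>.*?) .*from " + IP,
    r"Authentication failure for (?P<user>.*) .*from " + IP,
    r"Authentication failure for (?P<user>.*) .*from (?P<host>.*)",
    r"User (?P<user>.*) .*from (?P<host>.*) not allowed because none of user's groups are listed in AllowGroups$",
    r"Did not receive identification string .*from " + IP,
    r"User (?P<user>\S+) from (?P<host>\S+) not allowed because not listed in .*",
    r"authentication failure.* ruser= rhost=(?P<host>\S+) user=(?P<user>\S+)",
]
COMPILED = [re.compile(p) for p in PATTERNS]


def trace(message):
    """Try each pattern in order; return (position, user, host) of the first hit."""
    for position, rx in enumerate(COMPILED, 1):
        m = rx.search(message)
        if m:
            groups = m.groupdict()
            return position, groups.get("user"), groups.get("host")
    return None, None, None


def loose_user(user):
    """True when the captured user contains whitespace, i.e. more than a login name."""
    return bool(user) and any(c.isspace() for c in user)


# Constructed sshd message texts (hypothetical, not taken from the thread's logs).
SAMPLES = [
    "User root from host.example.net not allowed because not listed in AllowUsers",
    "Authentication failure for illegal user root from host.example.net",
    "Failed password for root from 192.0.2.10 port 51234 ssh2",
    "Accepted password for alice from 192.0.2.20 port 51300 ssh2",
]

if __name__ == "__main__":
    for line in SAMPLES:
        position, user, host = trace(line)
        flag = "  <-- user capture is not a bare login name" if loose_user(user) else ""
        print(f"{line!r}\n  pattern #{position} user={user!r} host={host!r}{flag}")
```

The second sample falls through to the fourth pattern, whose greedy `(?P<user>.*)` swallows the `illegal user` prefix, which is why a per-pattern trace is worth running before relying on a modified regex.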