Strange, because the DEBUG entries show that he was blocked pretty quickly. Maybe you didn't restart DH after you initially changed the config?

Phil


On Tue, 6 May 2008, René Berber wrote:

Phil Schwartz wrote:

That particular output indicates that your changed regex is being
recognized by DH.  Whether or not it's working properly, that's another
matter.

If you restart in --debug mode, you can tail -f the denyhosts.log and
then append similar lines (as those that seem problematic) to your
secure.log, save it, and see what DH is reporting in its log.

Is there an additional option to see what regex is matched?

I had to add my own lines to the code to get this:

2008-05-06 18:15:12,474 - denyhosts   : DEBUG    /var/log/messages has 
additional data
2008-05-06 18:15:12,500 - denyhosts   : INFO     checked: Failed (?P<method>.*) for 
(?P<invalid>invalid user |illegal user )?(?P<user>.*?) .*from 
(::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
2008-05-06 18:15:12,501 - denyhosts   : INFO     checked: (?P<invalid>(Illegal|Invalid)) 
user (?P<user>.*?) .*from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
2008-05-06 18:15:12,501 - denyhosts   : INFO     checked: Authentication failure for 
(?P<user>.*) .*from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
2008-05-06 18:15:12,501 - denyhosts   : INFO     checked: Authentication failure for 
(?P<user>.*) .*from (?P<host>.*)
2008-05-06 18:15:12,501 - denyhosts   : INFO     checked: User (?P<user>.*) .*from 
(?P<host>.*) not allowed because none of user's groups are listed in AllowGroups$
2008-05-06 18:15:12,501 - denyhosts   : INFO     checked: Did not receive 
identification string .*from 
(::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
2008-05-06 18:15:12,501 - denyhosts   : INFO     checked: User (?P<user>\S+) from 
(?P<host>\S+) not allowed because not listed in .*
2008-05-06 18:15:12,501 - denyhosts   : INFO     matched: User (?P<user>\S+) from 
(?P<host>\S+) not allowed because not listed in .*
2008-05-06 18:15:12,502 - denyhosts   : DEBUG    user: root - host: 
43.220.forpsi.net - success: 0 - invalid: 1
2008-05-06 18:15:12,513 - denyhosts   : INFO     checked: Failed (?P<method>.*) for 
(?P<invalid>invalid user |illegal user )?(?P<user>.*?) .*from 
(::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
2008-05-06 18:15:12,514 - denyhosts   : INFO     checked: (?P<invalid>(Illegal|Invalid)) 
user (?P<user>.*?) .*from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
2008-05-06 18:15:12,514 - denyhosts   : INFO     checked: Authentication failure for 
(?P<user>.*) .*from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
2008-05-06 18:15:12,514 - denyhosts   : INFO     checked: Authentication failure for 
(?P<user>.*) .*from (?P<host>.*)
2008-05-06 18:15:12,514 - denyhosts   : INFO     checked: User (?P<user>.*) .*from 
(?P<host>.*) not allowed because none of user's groups are listed in AllowGroups$
2008-05-06 18:15:12,514 - denyhosts   : INFO     checked: Did not receive 
identification string .*from 
(::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
2008-05-06 18:15:12,514 - denyhosts   : INFO     checked: User (?P<user>\S+) from 
(?P<host>\S+) not allowed because not listed in .*
2008-05-06 18:15:12,515 - denyhosts   : INFO     checked: authentication failure.* ruser= 
rhost=(?P<host>\S+)  user=(?P<user>\S+)
2008-05-06 18:15:12,515 - denyhosts   : INFO     matched: authentication failure.* ruser= 
rhost=(?P<host>\S+)  user=(?P<user>\S+)
2008-05-06 18:15:12,515 - denyhosts   : DEBUG    user: root - host: 
43.220.forpsi.net - success: 0 - invalid: 1
2008-05-06 18:15:12,516 - denyhosts   : INFO     checked: Failed (?P<method>.*) for 
(?P<invalid>invalid user |illegal user )?(?P<user>.*?) .*from 
(::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
2008-05-06 18:15:12,516 - denyhosts   : INFO     checked: (?P<invalid>(Illegal|Invalid)) 
user (?P<user>.*?) .*from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
2008-05-06 18:15:12,516 - denyhosts   : INFO     checked: Authentication failure for 
(?P<user>.*) .*from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
2008-05-06 18:15:12,516 - denyhosts   : INFO     checked: Authentication failure for 
(?P<user>.*) .*from (?P<host>.*)
2008-05-06 18:15:12,516 - denyhosts   : INFO     matched: Authentication failure for 
(?P<user>.*) .*from (?P<host>.*)
2008-05-06 18:15:12,516 - denyhosts   : DEBUG    user: illegal user root - 
host: 43.220.forpsi.net - success: 0 - invalid: 1
2008-05-06 18:15:12,517 - denyhosts   : INFO     checked: Failed (?P<method>.*) for 
(?P<invalid>invalid user |illegal user )?(?P<user>.*?) .*from 
(::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
2008-05-06 18:15:12,517 - denyhosts   : INFO     matched: Failed (?P<method>.*) for 
(?P<invalid>invalid user |illegal user )?(?P<user>.*?) .*from 
(::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
2008-05-06 18:15:12,517 - denyhosts   : DEBUG    user: root - host: 81.2.220.43 
- success: 0 - invalid: 1
2008-05-06 18:15:12,528 - denyhosts   : DEBUG    new hosts: 
['43.220.forpsi.net']

The INFOs are from what I added.

The modified REGEX7 is working (the first match).  I'm not sure what
happened before; it didn't start working until I added the other regex
(second match).

Good news is that I don't need to simulate anything: the guy keeps
trying, one attempt from one IP address, and he seems to have a very
long list of hosts he's using... and they will be reported to the sync
server, so he's burning his list :-)


--
Regards,

Phil Schwartz
- http://www.phil-schwartz.com

Open Source Projects:
- DenyHosts: http://www.denyhosts.net
- Kodos: http://kodos.sourceforge.net
- ReleaseForge: http://releaseforge.sourceforge.net
- Scratchy: http://scratchy.sourceforge.net
- FAQtor: http://faqtor.sourceforge.net
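As an added example (my own code, not DenyHosts' source or anything posted in this thread), the regexes from the debug output above are tried in order against constructed sshd/pam message lines, reproducing the "illegal user root" capture by the looser fallback regex and the hostname ending up in "new hosts". The pattern names, the is_ipv4 check and the sample lines are my assumptions.

```python
import ipaddress
import re

# DenyHosts regexes copied from the debug output above, in the order DenyHosts tries them.
IPV4 = r"(::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
PATTERNS = [(name, re.compile(pat)) for name, pat in [
    ("failed_for", r"Failed (?P<method>.*) for (?P<invalid>invalid user |illegal user )?(?P<user>.*?) .*from " + IPV4),
    ("invalid_user", r"(?P<invalid>(Illegal|Invalid)) user (?P<user>.*?) .*from " + IPV4),
    ("auth_failure_ip", r"Authentication failure for (?P<user>.*) .*from " + IPV4),
    ("auth_failure_any", r"Authentication failure for (?P<user>.*) .*from (?P<host>.*)"),
    ("allowgroups", r"User (?P<user>.*) .*from (?P<host>.*) not allowed because none of user's groups are listed in AllowGroups$"),
    ("no_ident", r"Did not receive identification string .*from " + IPV4),
    ("allowusers", r"User (?P<user>\S+) from (?P<host>\S+) not allowed because not listed in .*"),
    ("pam_unix", r"authentication failure.* ruser= rhost=(?P<host>\S+)  user=(?P<user>\S+)"),
]]

def classify(line):
    """First matching regex as (name, user, host), or None; each try is one 'checked:' line above."""
    for name, regex in PATTERNS:
        m = regex.search(line)  # DenyHosts uses search(), so a syslog prefix before the message is fine
        if m:
            groups = m.groupdict()
            return name, groups.get("user"), groups["host"]
    return None

def is_ipv4(host):
    """A hosts.deny entry should be an address literal; a name or a greedy '.*' capture needs review."""
    try:
        return isinstance(ipaddress.ip_address(host), ipaddress.IPv4Address)
    except ValueError:
        return False

def new_hosts(lines):
    """Distinct captured hosts from all matching lines, split into IPv4 literals and everything else."""
    ips, suspect = [], []
    for line in lines:
        hit = classify(line)
        if hit:
            bucket = ips if is_ipv4(hit[2]) else suspect
            if hit[2] not in bucket:
                bucket.append(hit[2])
    return ips, suspect

# Constructed sshd/pam message texts for this example, not taken from a real log (RFC 5737 addresses).
SAMPLE = [
    "Failed password for illegal user root from 192.0.2.10 port 4242 ssh2",
    "Authentication failure for illegal user root from attacker.example.net",
    "User root from attacker.example.net not allowed because not listed in AllowUsers",
    "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10  user=root",
    "Accepted publickey for alice from 192.0.2.20 port 5000 ssh2",
]
```

The second sample only reaches the fallback regex because its host is not an IPv4 literal, and the greedy `(?P<user>.*)` there swallows the "illegal user" prefix exactly as the DEBUG line above shows; new_hosts() separates such non-IP captures so they can be checked before they land in hosts.deny.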
Denyhosts-user mailing list
Denyhosts-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/denyhosts-user
