Hi,
Can someone help me with some regex configuration problems?
I am using DenyHosts 2.6 on Solaris 10 and it is not updating my
/etc/hosts.deny file.
I am receiving updates though, but with a recent rash of
attacks/botnet/script kiddies, I would like to get this pattern matching
corrected.

My USERDEF_FAILED_ENTRY_REGEX is:

SSHD_FORMAT_REGEX=.* (sshd\[.*\]: \[ID \d* auth.error\]) (?P<message>.*)
FAILED_ENTRY_REGEX=error: PAM: authentication error for (?P<invalid>invalid user |illegal user )?(?P<user>.*?) from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
USERDEF_FAILED_ENTRY_REGEX=Failed password for invalid (?P<invalid>invalid user |illegal user )?(?P<user>.*?) from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})


Here are some examples from /var/log/syslog-ng/messages that I would like to
pattern match:
Jun  1 00:00:00 SERVER1 sshd[6898]: [ID 800047 auth.info] Failed password for invalid user USER_ID from IP_ADDRESS port XXXXX ssh2

Jun 11 16:29:07 SERVER1 sshd[27344]: [ID 800047 auth.info] Failed password for root from IP_ADDRESS port XXXXX ssh2

Jun 30 23:49:57 SERVER1 sshd[296]: [ID 800047 auth.info] Failed keyboard-interactive/pam for invalid user USER_ID from IP_ADDRESS port XXXXXX ssh2

Jun 30 23:50:03 SERVER2 sshd[29517]: [ID 800047 auth.error] error: PAM: Authentication failed for USER_ID from IP_ADDRESS


Denyhosts logs are not reporting any errors during startup and I am not
having any daemon-hang issues.
What am I doing wrong with my pattern matching?

Thank you,
Mike Collins
_______________________________________________
Denyhosts-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/denyhosts-user
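
Added example (not part of the original message and not DenyHosts code): the three patterns from the post run against the four sample lines, with constructed user names, ports and 192.0.2.x addresses in place of the redacted fields. It assumes DenyHosts matches SSHD_FORMAT_REGEX against the whole line and then searches the captured message with each failed-entry pattern; RELAXED_FORMAT and diagnose() are hypothetical names used only here, and DenyHosts' built-in patterns are not modelled.

```python
import re

# Patterns copied from the post, with the mail client's line wraps joined.
SSHD_FORMAT_REGEX = r".* (sshd\[.*\]: \[ID \d* auth.error\]) (?P<message>.*)"
HOST = r"(::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
OPT = r"(?P<invalid>invalid user |illegal user )?(?P<user>.*?) from "
FAILED = {
    "FAILED_ENTRY_REGEX": r"error: PAM: authentication error for " + OPT + HOST,
    "USERDEF_FAILED_ENTRY_REGEX": r"Failed password for invalid " + OPT + HOST,
}

# Hypothetical variant, constructed for comparison only: also accepts auth.info.
RELAXED_FORMAT = r".* (sshd\[.*\]: \[ID \d* auth\.(?:info|error)\]) (?P<message>.*)"

# Constructed sample lines: the post's four lines with the redacted fields filled in.
PFX = "SERVER1 sshd[6898]: [ID 800047 "
LINES = [
    "Jun  1 00:00:00 " + PFX + "auth.info] Failed password for invalid user alice "
    "from 192.0.2.10 port 40000 ssh2",
    "Jun 11 16:29:07 " + PFX + "auth.info] Failed password for root "
    "from 192.0.2.11 port 40001 ssh2",
    "Jun 30 23:49:57 " + PFX + "auth.info] Failed keyboard-interactive/pam for "
    "invalid user bob from 192.0.2.12 port 40002 ssh2",
    "Jun 30 23:50:03 " + PFX + "auth.error] error: PAM: Authentication failed for "
    "carol from 192.0.2.13",
]


def diagnose(line, fmt=SSHD_FORMAT_REGEX):
    """Return (stage, user, host), where stage names the pattern that hit or the miss."""
    m = re.match(fmt, line)          # stage 1: the whole line must fit the sshd format
    if not m:
        return ("format-miss", None, None)
    message = m.group("message")
    for name, rx in FAILED.items():  # stage 2: search the extracted message
        hit = re.search(rx, message)
        if hit:
            return (name, hit.group("user"), hit.group("host"))
    return ("no-failed-entry-match", None, None)


if __name__ == "__main__":
    for label, fmt in (("as posted", SSHD_FORMAT_REGEX), ("relaxed", RELAXED_FORMAT)):
        for line in LINES:
            print(label, diagnose(line, fmt), "<-", line[16:])
```

Run as a script, it prints which stage each line reaches under the posted format pattern and under the relaxed one, including the value that lands in the user group.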