Eugene Vilensky wrote:
> I found this message through google,
>
> http://www.mail-archive.com/denyhosts-user@lists.sourceforge.net/msg00305.html
>
> but I notice that in the later packages of denyhosts that I am using
> from rpmforge for RHEL5, there is not a user-configurable
> SSHD_FORMAT_REGEX= directive in the .cfg file.

You mean .conf file, or is RHEL5's version that much modified?

> The message is rather dated; would this regex
>
> authentication failure.* rhost=(?P<host>\S+)
> \s+user=(?P<user>\S+).*
>
> still capture vsftpd login events?

That always depends on what is on your SECURE_LOG, and I don't mean the configuration but the contents of the file pointed at by the configuration.

Is your vsftpd logging to the same file or not? What format are vsftpd's log lines (it depends on the version of vsftpd since it had a bug before version 2.0)?

The 2 configuration directives shown by Dan Denton on that message should work, give or take minor adjustments; nothing has changed in DenyHosts. It could be 3 lines or more if you have variations on the log message; the USERDEF_FAILED_ENTRY_REGEX line is repeated for each.

I use 3 lines since sometimes the user name is in the "ruser" part, sometimes it's in the "user" part of the log line:

SSHD_FORMAT_REGEX=.* (sshd.*:|\[sshd\]|vsftpd.*:) (?P<message>.*)

USERDEF_FAILED_ENTRY_REGEX=authentication failure.* ruser= rhost=(?P<host>\S+) user=(?P<user>\S+)

USERDEF_FAILED_ENTRY_REGEX=authentication failure.* ruser=(?P<user>\S+) rhost=(?P<host>\S+).*

As always, each is a complete line, not like the mail message shows it.

> would I add vsftpd to blocking list like so:
>
> BLOCK_SERVICE = sshd,vsftpd

Nope, this should be either ALL or just sshd, obviously ALL for your case.

--
René Berber
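A way to check the three patterns from the reply above against lines from your own SECURE_LOG before relying on them, added here as an example (it is not part of the original message and is not DenyHosts code). It assumes the two-stage matching the directive names suggest: SSHD_FORMAT_REGEX extracts the message, then each USERDEF_FAILED_ENTRY_REGEX is searched within it. The name `parse_failure` and all sample log lines are constructed for illustration.

```python
import re

# Patterns copied from the reply above; each is one complete config line.
SSHD_FORMAT_REGEX = re.compile(
    r".* (sshd.*:|\[sshd\]|vsftpd.*:) (?P<message>.*)")
USERDEF_FAILED_ENTRY_REGEX = [
    re.compile(r"authentication failure.* ruser= rhost=(?P<host>\S+) user=(?P<user>\S+)"),
    re.compile(r"authentication failure.* ruser=(?P<user>\S+) rhost=(?P<host>\S+).*"),
]

# Constructed sample lines (documentation IP ranges, not from a real system).
SAMPLE_LINES = [
    # vsftpd, user name carried in the "ruser" part
    "Nov  3 10:12:01 ftp1 vsftpd: pam_unix(vsftpd:auth): authentication failure; "
    "logname= uid=0 euid=0 tty=ftp ruser=alice rhost=203.0.113.5",
    # sshd, empty "ruser", user name carried in the trailing "user" part
    "Nov  3 10:12:07 ftp1 sshd[2211]: pam_unix(sshd:auth): authentication failure; "
    "logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7 user=root",
    # same as above but with two spaces before "user=": a whitespace variation
    # that needs its own pattern (or \s+), i.e. a "minor adjustment"
    "Nov  3 10:12:09 ftp1 sshd[2212]: pam_unix(sshd:auth): authentication failure; "
    "logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7  user=root",
    # a service the format regex does not name, so the line is never examined
    "Nov  3 10:13:00 ftp1 su: pam_unix(su:auth): authentication failure; "
    "logname=bob uid=500 euid=0 tty=pts/0 ruser=bob rhost= user=root",
]


def parse_failure(line):
    """Return (host, user) if the line would count as a failed login, else None."""
    fmt = SSHD_FORMAT_REGEX.match(line)
    if fmt is None:
        return None  # not an sshd/vsftpd line according to the format regex
    message = fmt.group("message")
    for rx in USERDEF_FAILED_ENTRY_REGEX:  # assumption: tried in config order
        m = rx.search(message)
        if m:
            return m.group("host"), m.group("user")
    return None


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_failure(line), "<-", line)
```

Replace SAMPLE_LINES with lines copied from the file SECURE_LOG points at; any failed login that returns None needs another USERDEF_FAILED_ENTRY_REGEX line.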