On Aug 19, 2010, at 7:49 AM, Terry Barnum wrote:

> 
> On Aug 18, 2010, at 6:51 PM, René Berber <rber...@cactus-soft.dyndns.org> 
> wrote:
> 
>> Luke wrote:
>> 
>>> Is there any way to block both ssh and Apple Remote Desktop (VNC)
>>> requests at the same time?  I currently have it set up for ssh only,
>>> but it seems that more and more authentication attempts happen on
>>> this port.  I tried searching the lists but didn't come up with
>>> something definitive.
>>> 
>>> Aug 14 10:53:51 Crapbag /System/Library/CoreServices/RemoteManagement/AppleVNCServer.bundle/Contents/MacOS/AppleVNCServer[550]: Authentication: FAILED :: User Name: N/A :: Viewer Address: 186.87.135.11 :: Type: VNC DES
>>> Aug 14 10:54:26 Crapbag /System/Library/CoreServices/RemoteManagement/AppleVNCServer.bundle/Contents/MacOS/AppleVNCServer[550]: Authentication: FAILED :: User Name: N/A :: Viewer Address: 186.87.135.11 :: Type: VNC DES
>> 
>> Yes.  There was a recent (this month) thread about this, but I don't
>> know if it finally worked.
> 
> That may have been my thread. There was very generous help from the list, but 
> unfortunately I was unable to get denyhosts to pick up failed VNC attempts. 
> I'm also running the MacPorts denyhosts and am curious to hear if these lines 
> work for Luke.
> 
> -Terry. 
> 

Yes, that's the thread I've found; it doesn't seem to work.  This is how the 
lines look in the cfg file.  The first one is on one line with a space at the 
end; the second line wraps around.  Below is what I currently have in the cfg file:

# Mac OS X (v10.5)
SECURE_LOG=/private/var/log/secure.log
# MAC OS 10.5.5 regex
SSHD_FORMAT_REGEX=.* sshd.*: (?P<message>.*)
# for VNC blocking
SSHD_FORMAT_REGEX=.*( sshd.*:| \[sshd\]|AppleVNCServer.*:) (?P<message>.*)

USERDEF_FAILED_ENTRY_REGEX=Authentication: FAILED :: User Name: (?P<user>.*) :: Viewer Address: (?P<host>\S+) .*



It seems that when restarting, only one regex shows up in the log.  However, ssh 
attacks are still blocked and VNC ones are not.  Maybe I'm missing something.

Aug 19 09:01:15 - prefs       : INFO        SMTP_USERNAME: [None]
Aug 19 09:01:15 - prefs       : INFO        SSHD_FORMAT_REGEX: [.*( sshd.*:| \[sshd\]|AppleVNCServer.*:) (?P<message>.*)]
Aug 19 09:01:15 - prefs       : INFO        SUCCESSFUL_ENTRY_REGEX: [None]
Aug 19 09:01:15 - prefs       : INFO        SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS: [YES]



>> It boils down to adding these 2 lines to your configuration:
>> 
>> SSHD_FORMAT_REGEX=.*(sshd.*:|\[sshd\]|AppleVNCServer\[\d+\]:) (?P<message>.*)
>> 
>> USERDEF_FAILED_ENTRY_REGEX=Authentication: FAILED :: User Name: (?P<user>\S+) :: Viewer Address: (?P<host>\S+) .*
>> 
>> It's really 2 lines, the mail message is wrapping things, and there is a
>> space in there, at the end of what looks like the first line.
>> -- 
>> René Berber
>> 
>> 
>> ------------------------------------------------------------------------------
>> This SF.net email is sponsored by 
>> 
>> Make an app they can't live without
>> Enter the BlackBerry Developer Challenge
>> http://p.sf.net/sfu/RIM-dev2dev 
>> _______________________________________________
>> Denyhosts-user mailing list
>> Denyhosts-user@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/denyhosts-user
>> 
> 


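The difference between the two regex pairs in this thread is visible by replaying them against the quoted log line. The following is an added example (not DenyHosts' own code and not from any of the posters): in Luke's pattern the `.*:` inside `AppleVNCServer.*:` is greedy, so it runs on to the last colon on the line (the one after `Type`) and leaves only `VNC DES` in the `message` group, which the USERDEF_FAILED_ENTRY_REGEX then cannot match; René's `AppleVNCServer\[\d+\]:` stops at the process id and hands the whole `Authentication: FAILED ...` text to the second stage. Note also that Luke's cfg assigns SSHD_FORMAT_REGEX twice, and the prefs dump above shows only the second assignment survives, so a single format regex has to cover both sshd and VNC lines. The sample lines below are constructed (the AppleVNCServer line mirrors the quoted one; the sshd line is made up), the two-stage match imitates DenyHosts' order of operations as an approximation, and the simplified sshd failed-entry pattern is a stand-in for the project's built-ins, not one of them.

```python
"""Replay the two SSHD_FORMAT_REGEX / USERDEF_FAILED_ENTRY_REGEX pairs from the
thread against sample log lines and show what each stage captures.

Added example: not DenyHosts code.  DenyHosts first applies SSHD_FORMAT_REGEX
to the whole line and then runs its failed-entry patterns over the captured
'message' group; this script imitates that two-stage flow as an approximation.
"""
import re

# Constructed sample lines.  The AppleVNCServer line has the shape of the
# secure.log entries quoted in the thread; the sshd line is made up for contrast.
VNC_LINE = (
    "Aug 14 10:53:51 Crapbag /System/Library/CoreServices/RemoteManagement/"
    "AppleVNCServer.bundle/Contents/MacOS/AppleVNCServer[550]: Authentication: "
    "FAILED :: User Name: N/A :: Viewer Address: 186.87.135.11 :: Type: VNC DES"
)
SSHD_LINE = (
    "Aug 14 10:54:26 Crapbag sshd[601]: "
    "Failed password for root from 10.0.0.5 port 51234 ssh2"
)

# Simplified stand-in for one of DenyHosts' built-in sshd failed-entry patterns
# (assumption: the real built-ins are more elaborate; this one is for the demo only).
SSHD_FAILED = r"Failed password for (?P<user>\S+) from (?P<host>\S+)"

# The two configurations posted in the thread, as Python raw strings.
LUKE = {
    "SSHD_FORMAT_REGEX": r".*( sshd.*:| \[sshd\]|AppleVNCServer.*:) (?P<message>.*)",
    "USERDEF_FAILED_ENTRY_REGEX": (
        r"Authentication: FAILED :: User Name: (?P<user>.*) :: "
        r"Viewer Address: (?P<host>\S+) .*"
    ),
}
RENE = {
    "SSHD_FORMAT_REGEX": r".*(sshd.*:|\[sshd\]|AppleVNCServer\[\d+\]:) (?P<message>.*)",
    "USERDEF_FAILED_ENTRY_REGEX": (
        r"Authentication: FAILED :: User Name: (?P<user>\S+) :: "
        r"Viewer Address: (?P<host>\S+) .*"
    ),
}


def split_message(line, prefs):
    """Stage 1: apply SSHD_FORMAT_REGEX to the whole line, return the 'message' group or None."""
    m = re.match(prefs["SSHD_FORMAT_REGEX"], line)
    return m.group("message") if m else None


def failed_host(line, prefs):
    """Stage 2: search the failed-entry patterns in the message, return the host or None.

    Order of operations follows DenyHosts (format regex, then failed-entry regexes
    on the captured message); the implementation itself is an approximation.
    """
    message = split_message(line, prefs)
    if message is None:
        return None
    for pattern in (SSHD_FAILED, prefs["USERDEF_FAILED_ENTRY_REGEX"]):
        m = re.search(pattern, message)
        if m:
            return m.group("host")
    return None


def compare():
    """Return {config: {line_kind: (message, host)}} for both configurations."""
    out = {}
    for name, prefs in (("luke", LUKE), ("rene", RENE)):
        out[name] = {
            "vnc": (split_message(VNC_LINE, prefs), failed_host(VNC_LINE, prefs)),
            "sshd": (split_message(SSHD_LINE, prefs), failed_host(SSHD_LINE, prefs)),
        }
    return out


if __name__ == "__main__":
    for name, results in compare().items():
        for kind, (message, host) in results.items():
            print(f"{name:5} {kind:4} host={host!r:17} message={message!r}")
```

Running it shows both configurations extract `10.0.0.5` from the sshd line (which is why ssh blocking kept working in Luke's setup), while only René's pair yields `186.87.135.11` for the VNC line; Luke's leaves `VNC DES` as the message and no host at all. The same replay is a quick way to check any new SSHD_FORMAT_REGEX against a real secure.log line before restarting the daemon.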
