On Aug 19, 2010, at 10:59 AM, René Berber wrote:

> Luke wrote:
>
> [snip]
>> This is how the lines look on the cfg file. The first one is on one line
>> with a space at the end. 2nd line wraps around. Below is what I currently
>> have in the cfg file
>>
>> # Mac OS X (v10.5
>> SECURE_LOG=/private/var/log/secure.log
>> # MAC OS 10.5.5 regex
>> SSHD_FORMAT_REGEX=.* sshd.*: (?P<message>.*)
>> # for VNC blocking
>> SSHD_FORMAT_REGEX=.*( sshd.*:| \[sshd\]|AppleVNCServer.*:) (?P<message>.*)
>
> SSHD_FORMAT_REGEX twice? only the last will be used, but it shows you
> don't understand the configuration.
>
> When things don't work, start by running DH in debug mode, I prefer to
> stop the running service, then start one in a terminal (use su or sudo
> if your service runs as a different user, otherwise you'll mess file
> permissions).
>
> http://denyhosts.sourceforge.net/faq.html
>
> has some documentation about this, you could enable debug on a running
> DH but I would expect that it will show nothing useful, just that it
> doesn't match the relevant log entries... you'll have to read carefully
> to find out why it doesn't match (must be a small detail, but regexes
> are strict).
> --
> René Berber
>

You're right, I don't understand the config or the regex format, I just know enough to get my beak wet and mostly just research and by trial/error which works for most simpler things.
I did remove the first SSHD_FORMAT_REGEX=.* sshd.*: (?P<message>.*) and started dh in debug mode. The only error I see is below with allowed-hosts. There are failed authentication attempts in secure.log, however they are not being picked up.

Aug 19 11:07:37 - prefs : INFO SSHD_FORMAT_REGEX: [.*( sshd.*:| \[sshd\]|AppleVNCServer.*:) (?P<message>.*)]
Aug 19 11:07:37 - prefs : INFO SUCCESSFUL_ENTRY_REGEX: [None]
Aug 19 11:07:37 - prefs : INFO SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS: [YES]
Aug 19 11:07:37 - prefs : INFO SYNC_DOWNLOAD: [yes]
Aug 19 11:07:37 - prefs : INFO SYNC_DOWNLOAD_RESILIENCY: [18000]
Aug 19 11:07:37 - prefs : INFO SYNC_DOWNLOAD_THRESHOLD: [3]
Aug 19 11:07:37 - prefs : INFO SYNC_INTERVAL: [3600]
Aug 19 11:07:37 - prefs : INFO SYNC_SERVER: [http://xmlrpc.denyhosts.net:9911]
Aug 19 11:07:37 - prefs : INFO SYNC_UPLOAD: [yes]
Aug 19 11:07:37 - prefs : INFO SYSLOG_REPORT: [no]
Aug 19 11:07:37 - prefs : INFO USERDEF_FAILED_ENTRY_REGEX: [Authentication: FAILED :: User Name: (?P<user>.*) :: Viewer Address: (?P<host>\S+) .*]
Aug 19 11:07:37 - prefs : INFO WORK_DIR: [/usr/share/denyhosts/data]
Aug 19 11:07:37 - denyhosts : INFO restricted: set([])
Aug 19 11:07:37 - filetracker : DEBUG __get_current_offset():
Aug 19 11:07:37 - filetracker : DEBUG first_line: Jul 4 09:54:30 Crapbag newsyslog[18891]: logfile turned over due to size>1000K
Aug 19 11:07:37 - filetracker : DEBUG offset: 824484
Aug 19 11:07:37 - AllowedHosts: DEBUG initializing AllowedHosts
Aug 19 11:07:37 - AllowedHosts: DEBUG Could not open /usr/share/denyhosts/data/allowed-hosts - [Errno 2] No such file or directory: '/usr/share/denyhosts/data/allowed-hosts'
Aug 19 11:07:37 - AllowedHosts: DEBUG done initializing AllowedHosts
Aug 19 11:07:37 - filetracker : DEBUG __get_last_offset():
Aug 19 11:07:37 - filetracker : DEBUG first_line: Jul 4 09:54:30 Crapbag newsyslog[18891]: logfile turned over due to size>1000K
Aug 19 11:07:37 - filetracker : DEBUG offset: 824484
Aug 19 11:07:37 - filetracker : DEBUG get_offset():
Aug 19 11:07:37 - filetracker : DEBUG offset: None
Aug 19 11:07:37 - denyhosts : INFO launching DenyHosts daemon (version 2.6)...
Aug 19 11:16:18 - denyhosts : DEBUG /private/var/log/secure.log has additional data
Aug 19 11:16:18 - denyhosts : DEBUG no new denied hosts
Aug 19 11:16:18 - denyhosts : DEBUG no new suspicious logins
Aug 19 11:16:36 - denyhosts : DEBUG /private/var/log/secure.log has additional data
Aug 19 11:16:36 - denyhosts : DEBUG no new denied hosts
Aug 19 11:16:36 - denyhosts : DEBUG no new suspicious logins
Aug 19 11:16:56 - denyhosts : DEBUG /private/var/log/secure.log has additional data
Aug 19 11:16:56 - denyhosts : DEBUG no new denied hosts
Aug 19 11:16:56 - denyhosts : DEBUG no new suspicious logins
Aug 19 11:16:58 - denyhosts : DEBUG /private/var/log/secure.log has additional data
Aug 19 11:16:58 - denyhosts : DEBUG no new denied hosts

/var/log/secure.log

Aug 19 11:14:15 Crapbag /System/Library/CoreServices/RemoteManagement/AppleVNCServer.bundle/Contents/MacOS/AppleVNCServer[265]: Authentication: FAILED :: User Name: N/A :: Viewer Address: 75.63.18.190 :: Type: VNC DES
Aug 19 11:14:45: --- last message repeated 12 times ---
Aug 19 11:15:47 Crapbag /System/Library/CoreServices/RemoteManagement/AppleVNCServer.bundle/Contents/MacOS/AppleVNCServer[265]: Authentication: FAILED :: User Name: N/A :: Viewer Address: 75.63.18.190 :: Type: VNC DES
Aug 19 11:16:17: --- last message repeated 16 times ---
Aug 19 11:16:17 Crapbag /System/Library/CoreServices/RemoteManagement/AppleVNCServer.bundle/Contents/MacOS/AppleVNCServer[265]: Authentication: FAILED :: User Name: N/A :: Viewer Address: 75.63.18.190 :: Type: VNC DES
Aug 19 11:16:47: --- last message repeated 9 times ---
Aug 19 11:17:02 Crapbag /System/Library/CoreServices/RemoteManagement/AppleVNCServer.bundle/Contents/MacOS/AppleVNCServer[265]: Authentication: FAILED :: User Name: N/A :: Viewer Address: 75.63.18.190 :: Type: VNC DES
Aug 19 11:17:32: --- last message repeated 6 times ---
Aug 19 11:17:41 Crapbag /System/Library/CoreServices/RemoteManagement/AppleVNCServer.bundle/Contents/MacOS/AppleVNCServer[265]: Authentication: FAILED :: User Name: N/A :: Viewer Address: 75.63.18.190 :: Type: VNC DES
Aug 19 11:18:11: --- last message repeated 1 time ---
Aug 19 11:19:37 Crapbag /System/Library/CoreServices/RemoteManagement/AppleVNCServer.bundle/Contents/MacOS/AppleVNCServer[265]: Authentication: FAILED :: User Name: N/A :: Viewer Address: 75.63.18.190 :: Type: VNC DES
Aug 19 11:20:07: --- last message repeated 2 times ---
Aug 19 11:20:35 Crapbag /System/Library/CoreServices/RemoteManagement/AppleVNCServer.bundle/Contents/MacOS/AppleVNCServer[265]: Authentication: FAILED :: User Name: N/A :: Viewer Address: 75.63.18.190 :: Type: VNC DES
Aug 19 11:21:39 Crapbag /System/Library/CoreServices/RemoteManagement/AppleVNCServer.bundle/Contents/MacOS/AppleVNCServer[265]: Authentication: FAILED :: User Name: N/A :: Viewer Address: 75.63.18.190 :: Type: VNC DES

_______________________________________________
Denyhosts-user mailing list
Denyhosts-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/denyhosts-user
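
Added example, not part of the thread or of DenyHosts itself: an offline check in Python of how the two regexes from the prefs dump behave on the secure.log lines quoted above. It assumes a two-stage flow in which the format regex is matched against the line and the failed-entry regex is then searched inside the captured `message` group; `TIGHT_FORMAT_REGEX` and `classify` are hypothetical names introduced here.

```python
import re

# Both patterns are copied from the prefs dump in the thread.
SSHD_FORMAT_REGEX = re.compile(
    r".*( sshd.*:| \[sshd\]|AppleVNCServer.*:) (?P<message>.*)")
USERDEF_FAILED_ENTRY_REGEX = re.compile(
    r"Authentication: FAILED :: User Name: (?P<user>.*) :: "
    r"Viewer Address: (?P<host>\S+) .*")

# Hypothetical variant (not a DenyHosts default): anchor on the "[pid]:"
# that ends the process tag instead of the greedy "AppleVNCServer.*:".
TIGHT_FORMAT_REGEX = re.compile(
    r".*( sshd.*:| \[sshd\]|AppleVNCServer\[\d+\]:) (?P<message>.*)")

# Two lines copied from the secure.log excerpt in the thread.
VNC_LINE = (
    "Aug 19 11:14:15 Crapbag /System/Library/CoreServices/RemoteManagement/"
    "AppleVNCServer.bundle/Contents/MacOS/AppleVNCServer[265]: "
    "Authentication: FAILED :: User Name: N/A :: "
    "Viewer Address: 75.63.18.190 :: Type: VNC DES")
REPEAT_LINE = "Aug 19 11:14:45: --- last message repeated 12 times ---"


def classify(line, format_rx):
    """Return (message, host) for one log line.

    Assumed two-stage flow: the format regex must match the line, then
    the failed-entry regex is searched inside its 'message' group.
    """
    m = format_rx.match(line)
    if m is None:
        return None, None  # the line is skipped entirely
    message = m.group("message")
    failed = USERDEF_FAILED_ENTRY_REGEX.search(message)
    return message, (failed.group("host") if failed else None)


if __name__ == "__main__":
    for name, rx in (("thread", SSHD_FORMAT_REGEX),
                     ("tight", TIGHT_FORMAT_REGEX)):
        for line in (VNC_LINE, REPEAT_LINE):
            print(name, classify(line, rx))
```

With the thread's pattern the greedy `AppleVNCServer.*:` runs to the last colon in the line, so `message` is only `VNC DES` and the failed-entry regex has nothing to match. The `last message repeated N times` lines match neither pattern, so attempts collapsed by syslog are not counted.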