Hello all, this is my first post to the list. I'm looking to add VSFTPD as a service to monitor.

Here is what I've done so far in denyhosts.cfg. The issue is that the regex I'm using is not working for vsftpd. I adapted the regex from an older post but cannot get it to work. Thanks in advance.

Steve

BLOCK_SERVICE = vsftpd,sshd

######################################################################
#
# USERDEF_FAILED_ENTRY_REGEX: if set, this value should contain
# a regular expression that can be used to identify additional
# hackers for your particular ssh configuration. This functionality
# extends the built-in regular expressions that DenyHosts uses.
# This parameter can be specified multiple times.
# See this faq entry for more details:
# http://denyhosts.sf.net/faq.html#userdef_regex
#
#USERDEF_FAILED_ENTRY_REGEX=
#
### added by SB to include failed ftp, ref this URL http://www.mail-archive.com/denyhosts-user@lists.sourceforge.net/msg00688.html
SSHD_FORMAT_REGEX=.* (sshd.*:|\[sshd\]|vsftpd:) (?P<message>.*)
USERDEF_FAILED_ENTRY_REGEX=\[(?P<user>\S+)\].*authentication failure.*"(?P<host>\S+)"
#
######################################################################

The log file is SECURE_LOG = /var/log/secure and here is an example of what the log is capturing. I attempted a login to SSH and FTP as user steve and gave bad passwords for both:

Nov 11 12:47:21 www1 sshd[14498]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=adsl-70-200-15-1.dsl.scrm01.pacbell.net user=steve
Nov 11 12:47:23 www1 sshd[14498]: Failed password for steve from 70.200.15.1 port 34119 ssh2
Nov 11 12:47:26 www1 sshd[14499]: Connection closed by 70.200.15.1
Nov 11 12:48:16 www1 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=steve rhost=adsl-70-200-15-1.dsl.scrm01.pacbell.net user=steve

Below I tried to SSH then FTP using a nonexistent user steveooo:

Nov 11 12:50:42 www1 sshd[14526]: Invalid user steveooo from 70.200.15.1
Nov 11 12:50:42 www1 sshd[14527]: input_userauth_request: invalid user steveooo
Nov 11 12:50:44 www1 sshd[14526]: pam_unix(sshd:auth): check pass; user unknown
Nov 11 12:50:44 www1 sshd[14526]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=adsl-70-200-15-1.dsl.scrm01.pacbell.net
Nov 11 12:50:44 www1 sshd[14526]: pam_succeed_if(sshd:auth): error retrieving information about user steveooo
Nov 11 12:50:46 www1 sshd[14526]: Failed password for invalid user steveooo from 70.200.15.1 port 42904 ssh2
Nov 11 12:50:49 www1 sshd[14527]: Connection closed by 70.200.15.1
Nov 11 12:55:23 www1 vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
Nov 11 12:55:23 www1 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=steveooo rhost=adsl-70-200-15-1.dsl.scrm01.pacbell.net
Nov 11 12:55:23 www1 vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user steveooo

_______________________________________________
Denyhosts-user mailing list
Denyhosts-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/denyhosts-user