On 11/11/2010 3:04 PM, Steve Blandford wrote:

> this is my first post to the list. I'm looking to add VSFTPD as a service to 
> monitor….
> 
> Here is what I've done so far in denyhosts.cfg….
> 
> The issue is that the regex I'm using is not working for the vsftpd. I 
> adapted the regex from an older post but cannot get it to work.
> 
> BLOCK_SERVICE  = vsftpd,sshd

Wrong, only one value is allowed.  Best choice:

BLOCK_SERVICE = ALL

> SSHD_FORMAT_REGEX=.* (sshd.*:|\[sshd\]|vsftpd:) (?P<message>.*)
> USERDEF_FAILED_ENTRY_REGEX=\[(?P<user>\S+)\].*authentication failure.*"(?P<host>\S+)"

This is what I use:

SSHD_FORMAT_REGEX=.* (sshd.*:|\[sshd\]|vsftpd.*:) (?P<message>.*)
USERDEF_FAILED_ENTRY_REGEX=authentication failure.* ruser= rhost=(?P<host>\S+)  user=(?P<user>\S+)
USERDEF_FAILED_ENTRY_REGEX=authentication failure.* ruser=(?P<user>\S+) rhost=(?P<host>\S+).*

You missed an important part on the first one, the other 2 are almost
the same, but vsftpd sometimes leaves the ruser empty...

> and here is an example of what the log is capturing;
> 
> I attempted a login to SSH and FTP as user steve and gave bad passwords for 
> both
> 
> Nov 11 12:47:21 www1 sshd[14498]: pam_unix(sshd:auth): authentication 
> failure; logname= uid=0 euid=0 tty=ssh ruser= 
> rhost=adsl-70-200-15-1.dsl.scrm01.pacbell.net  user=steve
> Nov 11 12:47:23 www1 sshd[14498]: Failed password for steve from 70.200.15.1 
> port 34119 ssh2
> Nov 11 12:47:26 www1 sshd[14499]: Connection closed by 70.200.15.1
> 
> Nov 11 12:48:16 www1 vsftpd: pam_unix(vsftpd:auth): authentication failure; 
> logname= uid=0 euid=0 tty=ftp ruser=steve 
> rhost=adsl-70-200-15-1.dsl.scrm01.pacbell.net  user=steve
> 
> Below I tried to SSH then FTP using a nonexistent user steveooo
> 
> Nov 11 12:50:42 www1 sshd[14526]: Invalid user steveooo from 70.200.15.1
> Nov 11 12:50:42 www1 sshd[14527]: input_userauth_request: invalid user 
> steveooo
> Nov 11 12:50:44 www1 sshd[14526]: pam_unix(sshd:auth): check pass; user 
> unknown
> Nov 11 12:50:44 www1 sshd[14526]: pam_unix(sshd:auth): authentication 
> failure; logname= uid=0 euid=0 tty=ssh ruser= 
> rhost=adsl-70-200-15-1.dsl.scrm01.pacbell.net 
> Nov 11 12:50:44 www1 sshd[14526]: pam_succeed_if(sshd:auth): error retrieving 
> information about user steveooo
> Nov 11 12:50:46 www1 sshd[14526]: Failed password for invalid user steveooo 
> from 70.200.15.1 port 42904 ssh2
> Nov 11 12:50:49 www1 sshd[14527]: Connection closed by 70.200.15.1
> 
> Nov 11 12:55:23 www1 vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
> Nov 11 12:55:23 www1 vsftpd: pam_unix(vsftpd:auth): authentication failure; 
> logname= uid=0 euid=0 tty=ftp ruser=steveooo 
> rhost=adsl-70-200-15-1.dsl.scrm01.pacbell.net 
> Nov 11 12:55:23 www1 vsftpd: pam_succeed_if(vsftpd:auth): error retrieving 
> information about user steveooo

... I guess what you didn't say is the sshd entries did appear as a hit,
but the vsftpd didn't.
-- 
René Berber
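As an added example (not part of this thread and not DenyHosts' own code), the Python below runs René's regex pair, and Steve's original pair for comparison, over the pam_unix lines from the log excerpt above, rejoined onto single lines. It reimplements DenyHosts' two-step matching in plain `re`: the format regex isolates the `message` group, then each user-defined failed-entry regex is tried against that message. The function and variable names are mine; DenyHosts' built-in sshd patterns ("Failed password for ...") are deliberately not reproduced, which is why the plain sshd line below is a miss here even though DenyHosts itself would count it.

```python
import re

# René's SSHD_FORMAT_REGEX and both USERDEF_FAILED_ENTRY_REGEX lines, as posted.
# Note the two spaces before "user=": pam_unix really emits two there.
FORMAT_REGEX = re.compile(r".* (sshd.*:|\[sshd\]|vsftpd.*:) (?P<message>.*)")
FAILED_ENTRY_REGEXES = [
    # ruser empty (the sshd case, and vsftpd "sometimes")
    re.compile(r"authentication failure.* ruser= rhost=(?P<host>\S+)  user=(?P<user>\S+)"),
    # ruser filled in (vsftpd); trailing "user=" may be absent for unknown users
    re.compile(r"authentication failure.* ruser=(?P<user>\S+) rhost=(?P<host>\S+).*"),
]

# Steve's original pair, for comparison. "vsftpd:" without ".*" stops the format
# regex right after the daemon name, so the message still starts with "pam_unix(...)",
# and the failed-entry regex then expects "[user]" and a quoted host that pam_unix
# never writes.
ORIG_FORMAT_REGEX = re.compile(r".* (sshd.*:|\[sshd\]|vsftpd:) (?P<message>.*)")
ORIG_FAILED_ENTRY_REGEXES = [
    re.compile(r'\[(?P<user>\S+)\].*authentication failure.*"(?P<host>\S+)"'),
]

# Log lines from the post, rejoined onto single lines (constructed test input).
SAMPLE_LOG = [
    "Nov 11 12:47:21 www1 sshd[14498]: pam_unix(sshd:auth): authentication failure; "
    "logname= uid=0 euid=0 tty=ssh ruser= rhost=adsl-70-200-15-1.dsl.scrm01.pacbell.net  user=steve",
    "Nov 11 12:48:16 www1 vsftpd: pam_unix(vsftpd:auth): authentication failure; "
    "logname= uid=0 euid=0 tty=ftp ruser=steve rhost=adsl-70-200-15-1.dsl.scrm01.pacbell.net  user=steve",
    "Nov 11 12:50:44 www1 sshd[14526]: pam_unix(sshd:auth): authentication failure; "
    "logname= uid=0 euid=0 tty=ssh ruser= rhost=adsl-70-200-15-1.dsl.scrm01.pacbell.net",
    "Nov 11 12:55:23 www1 vsftpd: pam_unix(vsftpd:auth): authentication failure; "
    "logname= uid=0 euid=0 tty=ftp ruser=steveooo rhost=adsl-70-200-15-1.dsl.scrm01.pacbell.net",
    "Nov 11 12:47:23 www1 sshd[14498]: Failed password for steve from 70.200.15.1 port 34119 ssh2",
]


def extract_failure(line, format_regex=FORMAT_REGEX, failed_regexes=FAILED_ENTRY_REGEXES):
    """Return (host, user) if the line is a failed login under the given regex pair,
    else None. Mirrors DenyHosts' order: format regex first, then each user-defined
    failed-entry regex against the extracted message (my reimplementation, not
    DenyHosts' code)."""
    fm = format_regex.match(line)
    if not fm:
        return None
    message = fm.group("message")
    for rx in failed_regexes:
        m = rx.search(message)
        if m:
            return m.group("host"), m.group("user")
    return None


def count_failures(lines, format_regex=FORMAT_REGEX, failed_regexes=FAILED_ENTRY_REGEXES):
    """Aggregate failed logins per host, the way DenyHosts tallies them before
    comparing against DENY_THRESHOLD_*."""
    counts = {}
    for line in lines:
        hit = extract_failure(line, format_regex, failed_regexes)
        if hit:
            host, _user = hit
            counts[host] = counts.get(host, 0) + 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print("rene :", extract_failure(line))
        print("steve:", extract_failure(line, ORIG_FORMAT_REGEX, ORIG_FAILED_ENTRY_REGEXES))
    print(count_failures(SAMPLE_LOG))
```

The sshd "authentication failure" line for the unknown user (third line) has an empty ruser and no trailing user=, so neither user-defined regex fits it; that attempt is still caught by DenyHosts' own "Failed password for invalid user" pattern, which is also why Steve saw sshd hits but no vsftpd hits. With Steve's pair none of the five lines match at all.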


_______________________________________________
Denyhosts-user mailing list
Denyhosts-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/denyhosts-user
