On 11/11/2010 3:04 PM, Steve Blandford wrote:

> this is my first post to the list. I'm looking to add VSFTPD as a service to
> monitor....
>
> Here is what I've done so far in denyhosts.cfg....
>
> The issue is that the regex I'm using is not working for the vsftpd. I
> adapted the regex from an older post but cannot get it to work.
>
> BLOCK_SERVICE = vsftpd,sshd
Wrong, only one value is allowed. Best choice: BLOCK_SERVICE = ALL

> SSHD_FORMAT_REGEX=.* (sshd.*:|\[sshd\]|vsftpd:) (?P<message>.*)
> USERDEF_FAILED_ENTRY_REGEX=\[(?P<user>\S+)\].*authentication
> failure.*"(?P<host>\S+)"

This is what I use:

SSHD_FORMAT_REGEX=.* (sshd.*:|\[sshd\]|vsftpd.*:) (?P<message>.*)
USERDEF_FAILED_ENTRY_REGEX=authentication failure.* ruser= rhost=(?P<host>\S+) user=(?P<user>\S+)
USERDEF_FAILED_ENTRY_REGEX=authentication failure.* ruser=(?P<user>\S+) rhost=(?P<host>\S+).*

You missed an important part on the first one, the other 2 are almost the
same, but vsftpd sometimes leaves the ruser empty...

> and here is an example of what the log is capturing;
>
> I attempted a login to SSH and FTP as user steve and gave bad passwords for
> both
>
> Nov 11 12:47:21 www1 sshd[14498]: pam_unix(sshd:auth): authentication
> failure; logname= uid=0 euid=0 tty=ssh ruser=
> rhost=adsl-70-200-15-1.dsl.scrm01.pacbell.net user=steve
> Nov 11 12:47:23 www1 sshd[14498]: Failed password for steve from 70.200.15.1
> port 34119 ssh2
> Nov 11 12:47:26 www1 sshd[14499]: Connection closed by 70.200.15.1
>
> Nov 11 12:48:16 www1 vsftpd: pam_unix(vsftpd:auth): authentication failure;
> logname= uid=0 euid=0 tty=ftp ruser=steve
> rhost=adsl-70-200-15-1.dsl.scrm01.pacbell.net user=steve
>
> below I tried to SSH then FTP using a nonexistent user steveooo
>
> Nov 11 12:50:42 www1 sshd[14526]: Invalid user steveooo from 70.200.15.1
> Nov 11 12:50:42 www1 sshd[14527]: input_userauth_request: invalid user
> steveooo
> Nov 11 12:50:44 www1 sshd[14526]: pam_unix(sshd:auth): check pass; user
> unknown
> Nov 11 12:50:44 www1 sshd[14526]: pam_unix(sshd:auth): authentication
> failure; logname= uid=0 euid=0 tty=ssh ruser=
> rhost=adsl-70-200-15-1.dsl.scrm01.pacbell.net
> Nov 11 12:50:44 www1 sshd[14526]: pam_succeed_if(sshd:auth): error retrieving
> information about user steveooo
> Nov 11 12:50:46 www1 sshd[14526]: Failed password for invalid user steveooo
> from 70.200.15.1 port 42904 ssh2
> Nov 11 12:50:49 www1 sshd[14527]: Connection closed by 70.200.15.1
>
> Nov 11 12:55:23 www1 vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
> Nov 11 12:55:23 www1 vsftpd: pam_unix(vsftpd:auth): authentication failure;
> logname= uid=0 euid=0 tty=ftp ruser=steveooo
> rhost=adsl-70-200-15-1.dsl.scrm01.pacbell.net
> Nov 11 12:55:23 www1 vsftpd: pam_succeed_if(vsftpd:auth): error retrieving
> information about user steveooo
...

I guess what you didn't say is the sshd entries did appear as a hit, but the
vsftpd didn't.

-- 
René Berber

_______________________________________________
Denyhosts-user mailing list
Denyhosts-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/denyhosts-user
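To see why the original regexes miss the vsftpd entries while the ones from the reply catch them, the following Python script (an added example, not code from the thread or from DenyHosts itself) replays both sets of patterns against the pam_unix "authentication failure" lines quoted above, with the syslog continuation lines rejoined. It assumes a simplified version of the DenyHosts pipeline: the format regex is applied to the whole line with `match()` and captures `message`, then each failed-entry regex is tried in order against that message with `search()`. How DenyHosts really orders or combines several USERDEF_FAILED_ENTRY_REGEX settings is not something this example checks.

```python
"""Replay the DenyHosts regexes from the thread against its sample log lines."""
import re

# Sample lines copied from the thread (pam_unix "authentication failure"
# entries for sshd and vsftpd; wrapped syslog lines have been rejoined).
SAMPLE_LINES = [
    "Nov 11 12:47:21 www1 sshd[14498]: pam_unix(sshd:auth): authentication failure; "
    "logname= uid=0 euid=0 tty=ssh ruser= rhost=adsl-70-200-15-1.dsl.scrm01.pacbell.net user=steve",
    "Nov 11 12:48:16 www1 vsftpd: pam_unix(vsftpd:auth): authentication failure; "
    "logname= uid=0 euid=0 tty=ftp ruser=steve rhost=adsl-70-200-15-1.dsl.scrm01.pacbell.net user=steve",
    "Nov 11 12:50:44 www1 sshd[14526]: pam_unix(sshd:auth): authentication failure; "
    "logname= uid=0 euid=0 tty=ssh ruser= rhost=adsl-70-200-15-1.dsl.scrm01.pacbell.net",
    "Nov 11 12:55:23 www1 vsftpd: pam_unix(vsftpd:auth): authentication failure; "
    "logname= uid=0 euid=0 tty=ftp ruser=steveooo rhost=adsl-70-200-15-1.dsl.scrm01.pacbell.net",
]

# The poster's regexes, exactly as quoted in the thread.
ORIGINAL_FORMAT = re.compile(r".* (sshd.*:|\[sshd\]|vsftpd:) (?P<message>.*)")
ORIGINAL_FAILED = [
    # Expects a bracketed user and a quoted host; neither appears in pam_unix lines.
    re.compile(r'\[(?P<user>\S+)\].*authentication failure.*"(?P<host>\S+)"'),
]

# The regexes from the reply.
REPLY_FORMAT = re.compile(r".* (sshd.*:|\[sshd\]|vsftpd.*:) (?P<message>.*)")
REPLY_FAILED = [
    # ruser empty, user= present (the sshd lines for an existing account)
    re.compile(r"authentication failure.* ruser= rhost=(?P<host>\S+) user=(?P<user>\S+)"),
    # ruser filled in (the vsftpd lines)
    re.compile(r"authentication failure.* ruser=(?P<user>\S+) rhost=(?P<host>\S+).*"),
]


def captured_message(line, format_regex):
    """Return the 'message' group the format regex extracts, or None."""
    m = format_regex.match(line)  # assumption: anchored match, as the leading .* allows
    return m.group("message") if m else None


def extract_failure(line, format_regex, failed_regexes):
    """Return (host, user) for the first failed-entry regex that hits the
    captured message, or None when the line would not count as a failure."""
    message = captured_message(line, format_regex)
    if message is None:
        return None
    for regex in failed_regexes:  # assumption: tried in order, first hit wins
        f = regex.search(message)
        if f:
            return f.group("host"), f.group("user")
    return None


def scan(lines, format_regex, failed_regexes):
    """One result per input line: (host, user) or None."""
    return [extract_failure(line, format_regex, failed_regexes) for line in lines]


if __name__ == "__main__":
    for label, fmt, failed in (("original", ORIGINAL_FORMAT, ORIGINAL_FAILED),
                               ("reply", REPLY_FORMAT, REPLY_FAILED)):
        print(f"--- {label} regexes ---")
        for line, hit in zip(SAMPLE_LINES, scan(SAMPLE_LINES, fmt, failed)):
            print(f"{line.split()[4]:<14} {hit}")
```

Two things worth noticing in the output. With the poster's `vsftpd:` alternative the captured message still starts at `pam_unix(vsftpd:auth):`, whereas `vsftpd.*:` swallows the whole prefix so the message starts at `authentication failure`, the same shape as for sshd. And the two failed-entry regexes from the reply are mutually exclusive on `ruser=`: the first needs it empty and `user=` present, the second needs it filled, so the sshd line for the nonexistent user (empty `ruser=`, no `user=`) is caught by neither; in the thread that line is covered by DenyHosts' own handling of the `Failed password for invalid user` entry, not by these user-defined patterns. Note also that what gets captured as `host` is whatever `rhost=` holds, here a reverse-DNS name rather than the numeric address seen in the sshd lines.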