Thank you René,
I've implemented the solution you suggested and have things sort of working....
I set BLOCK_SERVICE = ALL
and changed my USERDEF_FAILED_ENTRY_REGEX to:
SSHD_FORMAT_REGEX=.* (sshd.*:|\[sshd\]|vsftpd.*:) (?P<message>.*)
USERDEF_FAILED_ENTRY_REGEX=authentication failure.* ruser= rhost=(?P<host>\S+) user=(?P<user>\S+)
USERDEF_FAILED_ENTRY_REGEX=authentication failure.* ruser=(?P<user>\S+) rhost=(?P<host>\S+).*
Now if I force ftp to 'fail' the hosts.deny file looks like this
# DenyHosts: Fri Nov 12 14:54:50 2010 | ALL: adsl-70-150-74-127.dsl.scrm01.pacbell.net
ALL: adsl-70-150-74-127.dsl.scrm01.pacbell.net
When I attempt to ftp into the machine I am not blocked... and get prompted for a pass, however if I try to SSH in I get:
ssh_exchange_identification: Connection closed by remote host
What am I missing? Does VSFTPD not look at the hosts.deny file?
Cheers
Steve
On Thu, Nov 11, 2010 at 2:41 PM, René Berber <rber...@cactus-soft.dyndns.org> wrote:
> On 11/11/2010 3:04 PM, Steve Blandford wrote:
>
> > this is my first post to the list. I'm looking to add VSFTPD as a service to monitor….
> >
> > Here is what I've done so far in denyhosts.cfg….
> >
> > The issue is that the regex I'm using is not working for the vsftpd. I adapted the regex from an older post but cannot get it to work.
> >
> > BLOCK_SERVICE = vsftpd,sshd
>
> Wrong, only one value is allowed. Best choice:
>
> BLOCK_SERVICE = ALL
>
> > SSHD_FORMAT_REGEX=.* (sshd.*:|\[sshd\]|vsftpd:) (?P<message>.*)
> > USERDEF_FAILED_ENTRY_REGEX=\[(?P<user>\S+)\].*authentication failure.*"(?P<host>\S+)"
>
> This is what I use:
>
> SSHD_FORMAT_REGEX=.* (sshd.*:|\[sshd\]|vsftpd.*:) (?P<message>.*)
> USERDEF_FAILED_ENTRY_REGEX=authentication failure.* ruser= rhost=(?P<host>\S+) user=(?P<user>\S+)
> USERDEF_FAILED_ENTRY_REGEX=authentication failure.* ruser=(?P<user>\S+) rhost=(?P<host>\S+).*
>
> You missed an important part on the first one, the other 2 are almost
> the same, but vsftpd sometimes leaves the ruser empty...
>
> > and here is an example of what the log is capturing;
> >
> > I attempted a login to SSH and FTP as user steve and gave bad passwords for both
> >
> > Nov 11 12:47:21 www1 sshd[14498]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=adsl-70-200-15-1.dsl.scrm01.pacbell.net user=steve
> > Nov 11 12:47:23 www1 sshd[14498]: Failed password for steve from 70.200.15.1 port 34119 ssh2
> > Nov 11 12:47:26 www1 sshd[14499]: Connection closed by 70.200.15.1
> >
> > Nov 11 12:48:16 www1 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=steve rhost=adsl-70-200-15-1.dsl.scrm01.pacbell.net user=steve
> >
> > below I tried to SSH then FTP using a nonexistent user steveooo
> >
> > Nov 11 12:50:42 www1 sshd[14526]: Invalid user steveooo from 70.200.15.1
> > Nov 11 12:50:42 www1 sshd[14527]: input_userauth_request: invalid user steveooo
> > Nov 11 12:50:44 www1 sshd[14526]: pam_unix(sshd:auth): check pass; user unknown
> > Nov 11 12:50:44 www1 sshd[14526]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=adsl-70-200-15-1.dsl.scrm01.pacbell.net
> > Nov 11 12:50:44 www1 sshd[14526]: pam_succeed_if(sshd:auth): error retrieving information about user steveooo
> > Nov 11 12:50:46 www1 sshd[14526]: Failed password for invalid user steveooo from 70.200.15.1 port 42904 ssh2
> > Nov 11 12:50:49 www1 sshd[14527]: Connection closed by 70.200.15.1
> >
> > Nov 11 12:55:23 www1 vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
> > Nov 11 12:55:23 www1 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=steveooo rhost=adsl-70-200-15-1.dsl.scrm01.pacbell.net
> > Nov 11 12:55:23 www1 vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user steveooo
>
> ... I guess what you didn't say is the sshd entries did appear as a hit,
> but the vsftpd didn't.
> --
> René Berber
>
>
>
> ------------------------------------------------------------------------------
> Centralized Desktop Delivery: Dell and VMware Reference Architecture
> Simplifying enterprise desktop deployment and management using
> Dell EqualLogic storage and VMware View: A highly scalable, end-to-end
> client virtualization framework. Read more!
> http://p.sf.net/sfu/dell-eql-dev2dev
> _______________________________________________
> Denyhosts-user mailing list
> Denyhosts-user@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/denyhosts-user
>
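The following is an added example, not code from the thread or from DenyHosts itself: it replays the three regexes René posted, plus Steve's original attempt, against the log lines quoted above, so the reader can see which pattern fires on which line and what the extracted host and user are. It assumes (my approximation of DenyHosts' matching order) that SSHD_FORMAT_REGEX is applied to the whole line first and the failed-entry patterns are then searched against the captured `message` group; the function names `parse_failed_entry`, `hosts_to_deny` and `hosts_deny_lines` are hypothetical helpers written for this example.

```python
import re

# The three regexes René posted, each unwrapped onto a single line.
# Assumed matching order (this example's approximation of DenyHosts):
# SSHD_FORMAT_REGEX on the whole line, then the failed-entry patterns
# searched against the captured "message" group.
SSHD_FORMAT_REGEX = re.compile(r".* (sshd.*:|\[sshd\]|vsftpd.*:) (?P<message>.*)")
USERDEF_FAILED_ENTRY_REGEXES = [
    # ruser left empty: sshd, and vsftpd when it does not fill it in
    re.compile(r"authentication failure.* ruser= rhost=(?P<host>\S+) user=(?P<user>\S+)"),
    # ruser populated, as in the vsftpd lines in the thread
    re.compile(r"authentication failure.* ruser=(?P<user>\S+) rhost=(?P<host>\S+).*"),
]

# Steve's first attempt, kept so both can be compared on the same input.
ORIGINAL_ATTEMPT = [
    re.compile(r'\[(?P<user>\S+)\].*authentication failure.*"(?P<host>\S+)"'),
]

# Log lines copied from the thread (unwrapped); used here only as sample input.
SAMPLE_LOG = [
    "Nov 11 12:47:21 www1 sshd[14498]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=adsl-70-200-15-1.dsl.scrm01.pacbell.net user=steve",
    "Nov 11 12:47:23 www1 sshd[14498]: Failed password for steve from 70.200.15.1 port 34119 ssh2",
    "Nov 11 12:47:26 www1 sshd[14499]: Connection closed by 70.200.15.1",
    "Nov 11 12:48:16 www1 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=steve rhost=adsl-70-200-15-1.dsl.scrm01.pacbell.net user=steve",
    "Nov 11 12:50:44 www1 sshd[14526]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=adsl-70-200-15-1.dsl.scrm01.pacbell.net",
    "Nov 11 12:50:46 www1 sshd[14526]: Failed password for invalid user steveooo from 70.200.15.1 port 42904 ssh2",
    "Nov 11 12:55:23 www1 vsftpd: pam_unix(vsftpd:auth): check pass; user unknown",
    "Nov 11 12:55:23 www1 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=steveooo rhost=adsl-70-200-15-1.dsl.scrm01.pacbell.net",
]


def parse_failed_entry(line, failed_regexes=USERDEF_FAILED_ENTRY_REGEXES):
    """Return (host, user) when `line` is a failure the patterns recognise, else None."""
    fmt = SSHD_FORMAT_REGEX.match(line)
    if fmt is None:
        return None  # not an sshd/vsftpd line at all
    message = fmt.group("message")
    for rx in failed_regexes:
        m = rx.search(message)
        if m:
            return m.group("host"), m.group("user")
    return None


def hosts_to_deny(lines, failed_regexes=USERDEF_FAILED_ENTRY_REGEXES):
    """Distinct offending hosts, in order of first appearance."""
    hosts = []
    for line in lines:
        hit = parse_failed_entry(line, failed_regexes)
        if hit and hit[0] not in hosts:
            hosts.append(hit[0])
    return hosts


def hosts_deny_lines(hosts, service="ALL"):
    """Render entries in the form the thread shows for BLOCK_SERVICE = ALL."""
    return ["%s: %s" % (service, h) for h in hosts]


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print("%-58s -> %s" % (line[:58], parse_failed_entry(line)))
    print("original attempt denies:", hosts_to_deny(SAMPLE_LOG, ORIGINAL_ATTEMPT))
    print("\n".join(hosts_deny_lines(hosts_to_deny(SAMPLE_LOG))))
```

Running it shows the point René made: the first pattern fires on the sshd line (empty ruser), the second on both vsftpd lines (ruser populated), and Steve's original pattern matches nothing because the PAM message contains neither a bracketed user nor a quoted host. The invalid-user sshd line carries no trailing `user=` field, so neither user-defined pattern fires on it; those attempts still registered in the thread, which is consistent with DenyHosts' own built-in sshd "Failed password" pattern catching them. The separate question of why vsftpd accepted the connection despite the hosts.deny entry is not something these patterns can answer: whether vsftpd consults hosts.deny at all is a vsftpd-side setting (`tcp_wrappers=YES` in vsftpd.conf, on a build with tcp_wrappers support), not something DenyHosts controls.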