I'll bet it's your regex. From some notes specific to 10.5 (a while
back) you'll want to make sure that you have
2) In /sw/etc/denyhosts-py25 edit the denyhosts.cfg file by changing
SECURE_LOG = /var/log/asl.log to SECURE_LOG = /var/log/secure.log
and comment out the statement SSHD_FORMAT_REGEX=
[this is from here:]
http://www.mail-archive.com/fink-beginners@lists.sourceforge.net/msg22454.html
Note that *the path is specific to a fink installation (in /sw)*, but
your regex still probably needs to be commented out from the config file
(since it was originally added for earlier versions of MacOSX and
doesn't apply to 10.5).
If it's not that, then we'd wish to look at (only) the pertinent parts
of denyhosts.cfg to see what's going on; for instance the SECURE_LOG
path, sleep settings (that is, how often does DH wake up to check the
log?), and whatever regexes you have.
--Robert
Jonathan S. Abrams wrote:
Thanks for responding.
private/var/log/secure.log
These are the corresponding entries in the private/var/log/secure.log
file.
Jan 2 14:44:42 clients sshd[22767]: Did not receive identification string from 92.246.211.245
Jan 2 14:44:56 clients sshd[22772]: Failed none for invalid user root from 92.246.211.245 port 3206 ssh2
Jan 2 14:44:57 clients sshd[22772]: error: PAM: Authentication failure for illegal user root from 92.246.211.245
Jan 2 14:44:57 clients sshd[22772]: Failed keyboard-interactive/pam for invalid user root from 92.246.211.245 port 3206 ssh2
Jan 2 14:44:58 clients sshd[22772]: error: PAM: Authentication failure for illegal user root from 92.246.211.245
Jan 2 14:44:58 clients sshd[22772]: Failed keyboard-interactive/pam for invalid user root from 92.246.211.245 port 3206 ssh2
Jan 2 14:44:59 clients sshd[22772]: error: PAM: Authentication failure for illegal user root from 92.246.211.245
Jan 2 14:44:59 clients sshd[22772]: Failed keyboard-interactive/pam for invalid user root from 92.246.211.245 port 3206 ssh2
Jan 2 14:45:03 clients sshd[22772]: error: PAM: Authentication failure for illegal user root from 92.246.211.245
Jan 2 14:45:03 clients sshd[22772]: Failed keyboard-interactive/pam for invalid user root from 92.246.211.245 port 3206 ssh2
Jan 2 14:45:08 clients sshd[22772]: error: PAM: Authentication failure for illegal user root from 92.246.211.245
Jan 2 14:45:08 clients sshd[22772]: Failed keyboard-interactive/pam for invalid user root from 92.246.211.245 port 3206 ssh2
Jan 2 14:45:12 clients sshd[22772]: error: PAM: Authentication failure for illegal user root from 92.246.211.245
Jan 2 14:45:12 clients sshd[22772]: Failed keyboard-interactive/pam for invalid user root from 92.246.211.245 port 3206 ssh2
--
Jonathan S. Abrams, CEA, CBNT
Apple Certified Technical Coordinator (v10.5), Xsan 2 Admin
Treasurer, NY Section, AES
On Mon, Jan 3, 2011 at 2:46 PM, Robert Wyatt <chupacerv...@gmail.com> wrote:
Which log file is denyhosts set up to look at in your installation?
Jonathan S. Abrams wrote:
Hello,
I have installed DenyHosts on a Mac OS X v10.5.8 server. I
noticed the following entries in the server's system.log file.
Jan 2 14:44:56 clients sshd[22772]: Failed none for invalid user root from 92.246.211.245 port 3206 ssh2
Jan 2 14:44:57 clients com.apple.SecurityServer[35]: checkpw() returned -2; failed to authenticate user root (uid 0).
Jan 2 14:44:57 clients com.apple.SecurityServer[35]: Failed to authorize right system.login.tty by client /usr/sbin/sshd for authorization created by /usr/sbin/sshd.
Jan 2 14:44:57 clients sshd[22772]: Failed keyboard-interactive/pam for invalid user root from 92.246.211.245 port 3206 ssh2
Jan 2 14:44:58 clients com.apple.SecurityServer[35]: checkpw() returned -2; failed to authenticate user root (uid 0).
Jan 2 14:44:58 clients com.apple.SecurityServer[35]: Failed to authorize right system.login.tty by client /usr/sbin/sshd for authorization created by /usr/sbin/sshd.
Jan 2 14:44:58 clients sshd[22772]: Failed keyboard-interactive/pam for invalid user root from 92.246.211.245 port 3206 ssh2
Jan 2 14:44:59 clients com.apple.SecurityServer[35]: checkpw() returned -2; failed to authenticate user root (uid 0).
Jan 2 14:44:59 clients com.apple.SecurityServer[35]: Failed to authorize right system.login.tty by client /usr/sbin/sshd for authorization created by /usr/sbin/sshd.
Jan 2 14:44:59 clients sshd[22772]: Failed keyboard-interactive/pam for invalid user root from 92.246.211.245 port 3206 ssh2
Jan 2 14:45:01 clients com.apple.SecurityServer[35]: checkpw() returned -2; failed to authenticate user root (uid 0).
Jan 2 14:45:03 clients com.apple.SecurityServer[35]: Failed to authorize right system.login.tty by client /usr/sbin/sshd for authorization created by /usr/sbin/sshd.
Jan 2 14:45:03 clients sshd[22772]: Failed keyboard-interactive/pam for invalid user root from 92.246.211.245 port 3206 ssh2
Jan 2 14:45:06 clients com.apple.SecurityServer[35]: checkpw() returned -2; failed to authenticate user root (uid 0).
Jan 2 14:45:08 clients com.apple.SecurityServer[35]: Failed to authorize right system.login.tty by client /usr/sbin/sshd for authorization created by /usr/sbin/sshd.
Jan 2 14:45:08 clients sshd[22772]: Failed keyboard-interactive/pam for invalid user root from 92.246.211.245 port 3206 ssh2
Jan 2 14:45:10 clients com.apple.SecurityServer[35]: checkpw() returned -2; failed to authenticate user root (uid 0).
Jan 2 14:45:12 clients com.apple.SecurityServer[35]: Failed to authorize right system.login.tty by client /usr/sbin/sshd for authorization created by /usr/sbin/sshd.
Jan 2 14:45:12 clients sshd[22772]: Failed keyboard-interactive/pam for invalid user root from 92.246.211.245 port 3206 ssh2
Someone (or something) at 92.246.211.245 attempted to login as
root at least six (6) times. The denyhosts.cfg file has
DENY_THRESHOLD_ROOT = 1. The IP associated with these login
attempts did get added to hosts.deny, but should it not
have been added after the first failed login attempt? Should
I be looking for some other setting in the .cfg file? Is this
normal and expected behavior?
Thanks for reading!
--
Jonathan S. Abrams, CEA, CBNT
Apple Certified Technical Coordinator (v10.5), Xsan 2 Admin
Treasurer, NY Section, AES
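
Added example (not part of the original thread and not DenyHosts' own code): a small simulation of the point raised about sleep settings, showing how many failed root logins are already in secure.log by the time a log watcher that polls at a fixed interval first sees the count pass DENY_THRESHOLD_ROOT. The regex, the year (syslog omits it), the poll phase `first_poll`, the name `poll_seconds`, and the rule "deny once the count exceeds the threshold" are assumptions made for the illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: sshd lines from the thread, unwrapped (two non-matching lines kept).
SAMPLE_LOG = """\
Jan 2 14:44:42 clients sshd[22767]: Did not receive identification string from 92.246.211.245
Jan 2 14:44:56 clients sshd[22772]: Failed none for invalid user root from 92.246.211.245 port 3206 ssh2
Jan 2 14:44:57 clients sshd[22772]: error: PAM: Authentication failure for illegal user root from 92.246.211.245
Jan 2 14:44:57 clients sshd[22772]: Failed keyboard-interactive/pam for invalid user root from 92.246.211.245 port 3206 ssh2
Jan 2 14:44:58 clients sshd[22772]: Failed keyboard-interactive/pam for invalid user root from 92.246.211.245 port 3206 ssh2
Jan 2 14:44:59 clients sshd[22772]: Failed keyboard-interactive/pam for invalid user root from 92.246.211.245 port 3206 ssh2
Jan 2 14:45:03 clients sshd[22772]: Failed keyboard-interactive/pam for invalid user root from 92.246.211.245 port 3206 ssh2
Jan 2 14:45:08 clients sshd[22772]: Failed keyboard-interactive/pam for invalid user root from 92.246.211.245 port 3206 ssh2
Jan 2 14:45:12 clients sshd[22772]: Failed keyboard-interactive/pam for invalid user root from 92.246.211.245 port 3206 ssh2
"""

# Illustrative pattern written for this example; it is not DenyHosts' built-in regex.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed \S+ for (?:invalid user )?(?P<user>\S+) from (?P<host>\S+) port \d+"
)

def root_failures(log, year=2011):
    """Return [(timestamp, host)] for failed root logins; the year is assumed."""
    events = []
    for line in log.splitlines():
        m = FAILED.match(line)
        if m and m["user"] == "root":
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["host"]))
    return events

def simulate(events, threshold, poll_seconds, first_poll):
    """Map host -> (time of the poll that denies it, failures already logged by then)."""
    denied = {}
    step = timedelta(seconds=poll_seconds)
    poll, end = first_poll, max(ts for ts, _ in events) + step
    while poll <= end:
        for host in {h for _, h in events}:
            seen = sum(1 for ts, h in events if h == host and ts <= poll)
            # Assumption: a host is denied once its count exceeds the threshold.
            if host not in denied and seen > threshold:
                denied[host] = (poll, seen)
        poll += step
    return denied

if __name__ == "__main__":
    ev = root_failures(SAMPLE_LOG)
    for sleep in (30, 1):
        print(sleep, simulate(ev, 1, sleep, datetime(2011, 1, 2, 14, 44, 50)))
```

With a 30-second poll starting at 14:44:50, all seven failures are logged before the first poll that can act on them; with a 1-second poll the count passes the threshold at the second failure. Every failure line in the sample carries the same sshd PID and source port, so the attempts came over a single connection, and hosts.deny is consulted only when a new connection is accepted.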