I could not find the string SSHD_FORMAT_REGEX= in the .cfg file, and the few
REGEX entries I did find were already commented out.

If the .cfg file is already looking at private/var/log/secure.log, how is
that different from var/log/secure.log?  Both paths point to the same file.
Is the "private/" throwing off DenyHosts?

DAEMON_SLEEP = 30s.  This could be where the problem is, as the time stamps of
the first attack and the last attack are 30s apart.  What do you think?
Does the daemon not know that a host has attempted to login as root and
failed until it wakes from sleep and checks the secure.log file?  If this is
true, does that explain what I reported at the start of this thread?

-- 
Jonathan S. Abrams, CEA, CBNT
Apple Certified Technical Coordinator (v10.5), Xsan 2 Admin
Treasurer, NY Section, AES

On Mon, Jan 3, 2011 at 4:31 PM, Robert Wyatt <chupacerv...@gmail.com> wrote:

> I'll bet it's your regex. From some notes specific to 10.5 (a while back)
> you'll want to make sure that you have
>
> >>> 2) In /sw/etc/denyhosts-py25  edit the denyhosts.cfg file by changing
> >>>
> >>> SECURE_LOG = /var/log/asl.log   to    SECURE_LOG = /var/log/secure.log
> >>>
> >>> and comment out the statement   SSHD_FORMAT_REGEX=
>
> [this is from here:]
>
> http://www.mail-archive.com/fink-beginners@lists.sourceforge.net/msg22454.html
>
> Note that *the path is specific to a fink installation (in /sw)*, but your
> regex still probably needs to be commented out from the config file (since
> it was originally added for earlier versions of MacOSX and doesn't apply to
> 10.5).
>
> If it's not that, then we'd wish to look at (only) the pertinent parts of
> denyhosts.cfg to see what's going on; for instance the SECURE_LOG path,
> sleep settings (that is, how often does DH wake up to check the log?), and
> whatever regexes you have.
>
> --Robert
>
>
>
> Jonathan S. Abrams wrote:
>
> Thanks for responding.
>
> private/var/log/secure.log
>
> These are the corresponding entries in the private/var/log/secure.log
> file.
>
>  Jan  2 14:44:42 clients sshd[22767]: Did not receive identification
> string from 92.246.211.245
> Jan  2 14:44:56 clients sshd[22772]: Failed none for invalid user root from
> 92.246.211.245 port 3206 ssh2
>
>  Jan  2 14:44:57 clients sshd[22772]: error: PAM: Authentication failure
> for illegal user root from 92.246.211.245
> Jan  2 14:44:57 clients sshd[22772]: Failed keyboard-interactive/pam for
> invalid user root from 92.246.211.245 port 3206 ssh2
>
>  Jan  2 14:44:58 clients sshd[22772]: error: PAM: Authentication failure
> for illegal user root from 92.246.211.245
> Jan  2 14:44:58 clients sshd[22772]: Failed keyboard-interactive/pam for
> invalid user root from 92.246.211.245 port 3206 ssh2
>
>  Jan  2 14:44:59 clients sshd[22772]: error: PAM: Authentication failure
> for illegal user root from 92.246.211.245
> Jan  2 14:44:59 clients sshd[22772]: Failed keyboard-interactive/pam for
> invalid user root from 92.246.211.245 port 3206 ssh2
>
>  Jan  2 14:45:03 clients sshd[22772]: error: PAM: Authentication failure
> for illegal user root from 92.246.211.245
> Jan  2 14:45:03 clients sshd[22772]: Failed keyboard-interactive/pam for
> invalid user root from 92.246.211.245 port 3206 ssh2
>
>  Jan  2 14:45:08 clients sshd[22772]: error: PAM: Authentication failure
> for illegal user root from 92.246.211.245
> Jan  2 14:45:08 clients sshd[22772]: Failed keyboard-interactive/pam for
> invalid user root from 92.246.211.245 port 3206 ssh2
>
>  Jan  2 14:45:12 clients sshd[22772]: error: PAM: Authentication failure
> for illegal user root from 92.246.211.245
> Jan  2 14:45:12 clients sshd[22772]: Failed keyboard-interactive/pam for
> invalid user root from 92.246.211.245 port 3206 ssh2
>
>  --
> Jonathan S. Abrams, CEA, CBNT
> Apple Certified Technical Coordinator (v10.5), Xsan 2 Admin
> Treasurer, NY Section, AES
>
> On Mon, Jan 3, 2011 at 2:46 PM, Robert Wyatt <chupacerv...@gmail.com> wrote:
>
>> Which log file is denyhosts set up to look at in your installation?
>>
>>
>> Jonathan S. Abrams wrote:
>>
>>> Hello,
>>>
>>> I have installed DenyHosts on a Mac OS X v10.5.8 server.  I noticed the
>>> following entries in the server's system.log file.
>>>
>>> Jan  2 14:44:56 clients sshd[22772]: Failed none for invalid user root
>>> from 92.246.211.245 port 3206 ssh2
>>> Jan  2 14:44:57 clients com.apple.SecurityServer[35]: checkpw() returned
>>> -2; failed to authenticate user root (uid 0).
>>> Jan  2 14:44:57 clients com.apple.SecurityServer[35]: Failed to authorize
>>> right system.login.tty by client /usr/sbin/sshd for authorization created by
>>> /usr/sbin/sshd.
>>>
>>> Jan  2 14:44:57 clients sshd[22772]: Failed keyboard-interactive/pam for
>>> invalid user root from 92.246.211.245 port 3206 ssh2
>>> Jan  2 14:44:58 clients com.apple.SecurityServer[35]: checkpw() returned
>>> -2; failed to authenticate user root (uid 0).
>>> Jan  2 14:44:58 clients com.apple.SecurityServer[35]: Failed to authorize
>>> right system.login.tty by client /usr/sbin/sshd for authorization created by
>>> /usr/sbin/sshd.
>>>
>>> Jan  2 14:44:58 clients sshd[22772]: Failed keyboard-interactive/pam for
>>> invalid user root from 92.246.211.245 port 3206 ssh2
>>> Jan  2 14:44:59 clients com.apple.SecurityServer[35]: checkpw() returned
>>> -2; failed to authenticate user root (uid 0).
>>> Jan  2 14:44:59 clients com.apple.SecurityServer[35]: Failed to authorize
>>> right system.login.tty by client /usr/sbin/sshd for authorization created by
>>> /usr/sbin/sshd.
>>>
>>> Jan  2 14:44:59 clients sshd[22772]: Failed keyboard-interactive/pam for
>>> invalid user root from 92.246.211.245 port 3206 ssh2
>>> Jan  2 14:45:01 clients com.apple.SecurityServer[35]: checkpw() returned
>>> -2; failed to authenticate user root (uid 0).
>>> Jan  2 14:45:03 clients com.apple.SecurityServer[35]: Failed to authorize
>>> right system.login.tty by client /usr/sbin/sshd for authorization created by
>>> /usr/sbin/sshd.
>>>
>>> Jan  2 14:45:03 clients sshd[22772]: Failed keyboard-interactive/pam for
>>> invalid user root from 92.246.211.245 port 3206 ssh2
>>> Jan  2 14:45:06 clients com.apple.SecurityServer[35]: checkpw() returned
>>> -2; failed to authenticate user root (uid 0).
>>> Jan  2 14:45:08 clients com.apple.SecurityServer[35]: Failed to authorize
>>> right system.login.tty by client /usr/sbin/sshd for authorization created by
>>> /usr/sbin/sshd.
>>>
>>> Jan  2 14:45:08 clients sshd[22772]: Failed keyboard-interactive/pam for
>>> invalid user root from 92.246.211.245 port 3206 ssh2
>>> Jan  2 14:45:10 clients com.apple.SecurityServer[35]: checkpw() returned
>>> -2; failed to authenticate user root (uid 0).
>>> Jan  2 14:45:12 clients com.apple.SecurityServer[35]: Failed to authorize
>>> right system.login.tty by client /usr/sbin/sshd for authorization created by
>>> /usr/sbin/sshd.
>>>
>>> Jan  2 14:45:12 clients sshd[22772]: Failed keyboard-interactive/pam for
>>> invalid user root from 92.246.211.245 port 3206 ssh2
>>>
>>> Someone (or something) at 92.246.211.245 attempted to login as root at
>>> least six (6) times.  The denyhosts.cfg file has DENY_THRESHOLD_ROOT = 1.
>>> The IP associated with these login attempts did get added to hosts.deny,
>>> but should it not have been added after the first failed login attempt?
>>> Should I be looking for some other setting in the .cfg file?  Is this
>>> normal and expected behavior?
>>>
>>> Thanks for reading!
>>>
>>> --
>>> Jonathan S. Abrams, CEA, CBNT
>>> Apple Certified Technical Coordinator (v10.5), Xsan 2 Admin
>>> Treasurer, NY Section, AES
>>
>>
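Added illustration (editor's example, not part of the thread and not DenyHosts' own code) of the polling question raised at the top of this message: a daemon that only reads the log when it wakes up cannot act on a failure until the next wake-up, so with DENY_THRESHOLD_ROOT = 1 and DAEMON_SLEEP = 30s every attempt logged before that wake-up lands before the block. The script replays the secure.log lines quoted above as a constructed sample through such a poller and compares a 30-second with a 1-second sleep. The year (2011), the daemon start time (14:44:30), the threshold for non-root users and the matching regex are assumptions; the regex is not the SSHD_FORMAT_REGEX from denyhosts.cfg. It also groups the failures by (ip, pid, port): all seven come from one sshd process and one source port, i.e. a single connection retrying keyboard-interactive, and a hosts.deny entry only governs connections accepted after it is written.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: the secure.log lines quoted in this thread, unwrapped.
SAMPLE_LOG = """\
Jan  2 14:44:42 clients sshd[22767]: Did not receive identification string from 92.246.211.245
Jan  2 14:44:56 clients sshd[22772]: Failed none for invalid user root from 92.246.211.245 port 3206 ssh2
Jan  2 14:44:57 clients sshd[22772]: error: PAM: Authentication failure for illegal user root from 92.246.211.245
Jan  2 14:44:57 clients sshd[22772]: Failed keyboard-interactive/pam for invalid user root from 92.246.211.245 port 3206 ssh2
Jan  2 14:44:58 clients sshd[22772]: error: PAM: Authentication failure for illegal user root from 92.246.211.245
Jan  2 14:44:58 clients sshd[22772]: Failed keyboard-interactive/pam for invalid user root from 92.246.211.245 port 3206 ssh2
Jan  2 14:44:59 clients sshd[22772]: error: PAM: Authentication failure for illegal user root from 92.246.211.245
Jan  2 14:44:59 clients sshd[22772]: Failed keyboard-interactive/pam for invalid user root from 92.246.211.245 port 3206 ssh2
Jan  2 14:45:03 clients sshd[22772]: error: PAM: Authentication failure for illegal user root from 92.246.211.245
Jan  2 14:45:03 clients sshd[22772]: Failed keyboard-interactive/pam for invalid user root from 92.246.211.245 port 3206 ssh2
Jan  2 14:45:08 clients sshd[22772]: error: PAM: Authentication failure for illegal user root from 92.246.211.245
Jan  2 14:45:08 clients sshd[22772]: Failed keyboard-interactive/pam for invalid user root from 92.246.211.245 port 3206 ssh2
Jan  2 14:45:12 clients sshd[22772]: error: PAM: Authentication failure for illegal user root from 92.246.211.245
Jan  2 14:45:12 clients sshd[22772]: Failed keyboard-interactive/pam for invalid user root from 92.246.211.245 port 3206 ssh2
"""

# Hypothetical pattern for the "Failed <method> for [invalid user] <user> from <ip> port <n>"
# lines above.  Assumption for this example only; it is NOT the SSHD_FORMAT_REGEX
# shipped in denyhosts.cfg.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: "
    r"Failed \S+ for (?:invalid user )?(?P<user>\S+) from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port (?P<port>\d+)"
)

LOG_YEAR = 2011  # assumption: syslog lines carry no year; the thread is from Jan 2011
DAEMON_START = datetime(LOG_YEAR, 1, 2, 14, 44, 30)  # constructed daemon start time


def parse_failures(log_text):
    """Return one (timestamp, user, ip, pid, port) tuple per 'Failed ...' line.
    PAM error lines and the banner line do not match and are ignored."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=LOG_YEAR)
        events.append((ts, m["user"], m["ip"], int(m["pid"]), int(m["port"])))
    return events


def simulate_poller(events, daemon_start, daemon_sleep,
                    deny_threshold_root=1, deny_threshold_other=5):
    """Replay events through a daemon that reads the log only every daemon_sleep
    seconds.  Returns {ip: (time the block was written,
    number of failures already in the log at that moment)}."""
    pending = sorted(events)
    counts = defaultdict(int)
    denied = {}
    wake = daemon_start
    while pending:
        wake += timedelta(seconds=daemon_sleep)
        batch = [e for e in pending if e[0] <= wake]   # everything logged since last wake
        pending = pending[len(batch):]                 # sorted, so the batch is a prefix
        for _ts, user, ip, _pid, _port in batch:
            counts[ip] += 1
            threshold = deny_threshold_root if user == "root" else deny_threshold_other
            if ip not in denied and counts[ip] >= threshold:
                denied[ip] = wake  # the block lands at wake-up, not at the failing attempt
    return {ip: (t, sum(1 for e in events if e[2] == ip and e[0] <= t))
            for ip, t in denied.items()}


def attempts_per_connection(events):
    """Group failures by (ip, pid, port): one key per TCP session the client opened."""
    sessions = defaultdict(int)
    for _ts, _user, ip, pid, port in events:
        sessions[(ip, pid, port)] += 1
    return dict(sessions)


if __name__ == "__main__":
    ev = parse_failures(SAMPLE_LOG)
    for sleep in (30, 1):
        for ip, (t, n) in simulate_poller(ev, DAEMON_START, sleep).items():
            print(f"DAEMON_SLEEP={sleep:>2}s: {ip} denied at {t:%H:%M:%S} "
                  f"with {n} failure(s) already logged")
    print("failures per (ip, pid, port):", attempts_per_connection(ev))
```

With the 30-second sleep the block is written at 14:45:00, by which time four of the quoted failures are already in the log; with a 1-second sleep it is written at 14:44:56 after the first one. Either way the later failures from pid 22772 keep appearing, because they belong to the connection that was already open.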
_______________________________________________
Denyhosts-user mailing list
Denyhosts-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/denyhosts-user