On 1/22/2011 3:05 PM, dhosts.20.k...@neverbox.com wrote:
[snip]
> USERDEF_FAILED_ENTRY_REGEX=.*USER (?P<user>.*):.* from ::ffff:(?P<host>.*)
> \[.*

Try:

USERDEF_FAILED_ENTRY_REGEX=USER (?P<user>\S+): no such user .* (?P<host>\[\S+\]) to .*

> Log entries look like this:
>
> Jan 22 21:15:48 www proftpd[20397]: 192.168.x.y
> (::ffff:288.22.132.59[::ffff:188.22.132.59]) - USER ab12312b321: no such
> user found from ::ffff:288.22.132.59 [::ffff:288.22.132.59] to
> ::ffff:192.168.y.y:21
>
> The regular expression is matching fine, tested here:
> http://www.regular-expressions.info/reference.html

Regular expressions and Python regular expressions are not the same.

More important, even if it matched, how do you know that it doesn't match valid users? (i.e. your expression is too general) and definitely it doesn't match password attacks with existing user's names (they try root, admin, apache, webmaster, oracle, ... many others that have a good probability of being in a system).

A note about IPv6 notation, the way you handled it is suspect, the tcp_wrappers (7.6-ipv6.2) documentation says you have to include the brackets; I know, you saw a constant prefix and an IPv4 address and "extracted" the IPv4 address, but what if a real IPv6 address comes along?

--
René Berber

_______________________________________________
Denyhosts-user mailing list
Denyhosts-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/denyhosts-user
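Added example, not part of the message above or of DenyHosts: both expressions from the thread run under Python's `re` module against the quoted log line and two constructed variants (a native IPv6 client, and a different message text in the same layout). The `extract` helper, the two constructed lines, and the use of an unanchored `search` are assumptions made for this illustration.

```python
import re

# Both patterns are copied from the thread and compiled with Python's re,
# so they are tested in the dialect a Python program would apply.
ORIGINAL = re.compile(r".*USER (?P<user>.*):.* from ::ffff:(?P<host>.*) \[.*")
SUGGESTED = re.compile(
    r"USER (?P<user>\S+): no such user .* (?P<host>\[\S+\]) to .*")

PREFIX = "Jan 22 21:15:48 www proftpd[20397]: 192.168.x.y "

# Log line quoted in the thread, with the mail line-wrapping undone.
PAGE_LINE = (
    PREFIX + "(::ffff:288.22.132.59[::ffff:188.22.132.59]) - "
    "USER ab12312b321: no such user found from ::ffff:288.22.132.59 "
    "[::ffff:288.22.132.59] to ::ffff:192.168.y.y:21")

# Constructed: the same event from a native IPv6 client (2001:db8::/32 is
# the documentation prefix), so there is no "::ffff:" to strip.
IPV6_LINE = (
    PREFIX + "(2001:db8::7[2001:db8::7]) - "
    "USER ab12312b321: no such user found from 2001:db8::7 "
    "[2001:db8::7] to 2001:db8::1:21")

# Constructed: same layout, different message text. Not a real proftpd
# message; it only shows what a pattern accepts between "USER x:" and "from".
OTHER_LINE = (
    PREFIX + "(::ffff:288.22.132.59[::ffff:288.22.132.59]) - "
    "USER alice: some other event from ::ffff:288.22.132.59 "
    "[::ffff:288.22.132.59] to ::ffff:192.168.y.y:21")

SAMPLES = {"page": PAGE_LINE, "ipv6": IPV6_LINE, "other": OTHER_LINE}


def extract(pattern, line):
    """Return (user, host) if the pattern is found in the line, else None.

    Assumption: the pattern is applied with an unanchored search.
    """
    m = pattern.search(line)
    return (m.group("user"), m.group("host")) if m else None


def report():
    """Apply both patterns to every sample line."""
    return {name: {"original": extract(ORIGINAL, line),
                   "suggested": extract(SUGGESTED, line)}
            for name, line in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in report().items():
        print(name, result)
```

The first pattern accepts any message text between `USER name:` and `from` and finds nothing once the `::ffff:` prefix is absent; the second is tied to the `no such user` message and returns the host with its brackets for both address forms.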