Hi, I installed denyhosts on a Mac OS X 10.6 machine and it runs perfectly, except for one thing. It does not react to lines like:

    Jan 19 19:46:59 MyMac sshd[97655]: error: PAM: authentication error for root from 186.115.4.27 via 192.168.1.4

This is mentioned in the FAQ so I added the following line to the .cfg file, but to no avail:

    FAILED_ENTRY_REGEX=error: PAM: authentication error for (?P<invalid>invalid user |illegal user )?(?P<user>.*?) from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})

I also tried some variations on this regex, like adding .* to the end, which seems unnecessary because regex matching is partial anyway. I also tried defining it as a USERDEF_FAILED_ENTRY_REGEX. All without success. Yet, other USERDEF regexes that I added work perfectly.

I tested the above regex in a standalone python script and it does pick out all the correct lines from the log. But inside denyhosts it does nothing at all. A simple way to test this is by injecting fake entries into secure.log. When replacing "root" with "invalid user sdgfjk", there is no trace of "sdgfjk" in any of DenyHosts' data files, so the lines are not matched at all.

Does anyone have a similar problem, and a solution?

Lex

P.S.: the FAQ should be updated to reflect the fact that the secure log in 10.6 is now in /private/var/log/secure.log, and the custom SSHD_FORMAT_REGEX is no longer required.
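
An added example, not part of the original post and not DenyHosts' own code: a standalone check of the posted FAILED_ENTRY_REGEX that reports separately whether it hits with `re.search` on the whole line, with `re.match` on the whole line, and with `re.match` on the message after the syslog prefix. `SYSLOG_PREFIX`, `SAMPLE_LINES` and `check` are hypothetical names; the prefix pattern is an assumption about the line layout shown in the post, and the third sample line is constructed.

```python
import re

# Pattern copied verbatim from the FAILED_ENTRY_REGEX line in the post.
FAILED_ENTRY_REGEX = re.compile(
    r"error: PAM: authentication error for "
    r"(?P<invalid>invalid user |illegal user )?(?P<user>.*?) from "
    r"(::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
)

# Hypothetical prefix splitter (an assumption, not DenyHosts' SSHD_FORMAT_REGEX):
# "Mon DD HH:MM:SS host sshd[pid]: message"
SYSLOG_PREFIX = re.compile(
    r"^\S+\s+\d+\s+[\d:]+\s+\S+\s+sshd\[(?P<pid>\d+)\]:\s+(?P<message>.*)$"
)

# Constructed test input: the line quoted in the post, the "invalid user"
# variant it describes, and one unrelated line that must not match.
SAMPLE_LINES = [
    "Jan 19 19:46:59 MyMac sshd[97655]: error: PAM: authentication error "
    "for root from 186.115.4.27 via 192.168.1.4",
    "Jan 19 19:46:59 MyMac sshd[97655]: error: PAM: authentication error "
    "for invalid user sdgfjk from 186.115.4.27 via 192.168.1.4",
    "Jan 19 19:47:05 MyMac sshd[97660]: Accepted publickey for lex "
    "from 192.168.1.20 port 50022 ssh2",
]


def check(line):
    """Report how the pattern behaves under search vs. anchored match."""
    prefix = SYSLOG_PREFIX.match(line)
    message = prefix.group("message") if prefix else None
    found = FAILED_ENTRY_REGEX.search(line)
    return {
        # search() scans the whole string, so the syslog prefix is skipped.
        "search_line": found is not None,
        # match() is anchored at position 0, where the date sits.
        "match_line": FAILED_ENTRY_REGEX.match(line) is not None,
        # match() against the message part only, after the "sshd[pid]: " prefix.
        "match_message": bool(message and FAILED_ENTRY_REGEX.match(message)),
        "user": found.group("user") if found else None,
        "host": found.group("host") if found else None,
        "invalid": bool(found and found.group("invalid")),
    }


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(check(sample))
```
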