On Tue, Jan 25, 2011 at 7:13 PM, René Berber <rber...@cactus-soft.dyndns.org> wrote:
> On 1/25/2011 11:31 AM, Alexander Thomas wrote:
>
>> I installed denyhosts on a Mac OS X 10.6 machine and it runs
>> perfectly, except for one thing. It does not react to lines like:
>>
>> Jan 19 19:46:59 MyMac sshd[97655]: error: PAM: authentication error
>> for root from 186.115.4.27 via 192.168.1.4
>>
>> This is mentioned in the FAQ so I added the following line to the .cfg
>> file, but to no avail:
>> FAILED_ENTRY_REGEX=error: PAM: authentication error for
>> (?P<invalid>invalid user |illegal user )?(?P<user>.*?) from
>> (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
> [snip]
>
> Try:
>
> USERDEF_FAILED_ENTRY_REGEX=authentication error for (?P<user>.*) .*from
> (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
>
> Which is just a variation of FAILED_ENTRY_REGEX2 (in regex.py) which
> really should have [Aa] at the start of the word "authentication", or
> better: a case insensitive compare for all the regexes.

Well, that works. It seems that the main problem was the "error: PAM:" at the beginning. If I strip those from the other regex, it works as well. I suppose the log entries are split into semicolon-separated chunks or something before being matched.

Thanks!
Lex
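
An added example, not part of the original thread and not DenyHosts code: a small Python harness that runs both regexes from the thread against the quoted log line, once on the raw line and once after a prefix strip, and also checks René's case-sensitivity remark. The `PREFIX` pattern is an assumption standing in for the pre-processing Lex guesses at; `message_of` and `evaluate` are hypothetical helper names.

```python
import re

# Log line quoted in the thread, joined back onto one line.
LINE = ("Jan 19 19:46:59 MyMac sshd[97655]: error: PAM: authentication error "
        "for root from 186.115.4.27 via 192.168.1.4")

# ASSUMPTION: stand-in for a pre-processing step that keeps only the text
# after the last "sshd...: " prefix. Hypothetical, not DenyHosts source.
PREFIX = re.compile(r".* (sshd.*:|\[sshd\]) (?P<message>.*)")

IP = r"(::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
CANDIDATES = {
    # First attempt from the thread, anchored on "error: PAM:".
    "with_prefix": r"error: PAM: authentication error for "
                   r"(?P<invalid>invalid user |illegal user )?"
                   r"(?P<user>.*?) from " + IP,
    # Replacement suggested in the thread.
    "userdef": r"authentication error for (?P<user>.*) .*from " + IP,
}

def message_of(line):
    """Return the part of the line left after the assumed prefix strip."""
    m = PREFIX.match(line)
    return m.group("message") if m else None

def evaluate(line, strip=True, flags=0):
    """Map each candidate name to (user, host), or None if it does not match."""
    text = message_of(line) if strip else line
    results = {}
    for name, pattern in CANDIDATES.items():
        m = re.search(pattern, text, flags) if text is not None else None
        results[name] = (m.group("user"), m.group("host")) if m else None
    return results

if __name__ == "__main__":
    # Constructed variant with a capital "A", for the case-sensitivity remark.
    capital = LINE.replace("authentication", "Authentication")
    print("message     :", message_of(LINE))
    print("raw line    :", evaluate(LINE, strip=False))
    print("stripped    :", evaluate(LINE))
    print("capital A   :", evaluate(capital))
    print("capital A, I:", evaluate(capital, flags=re.IGNORECASE))
```

Running a candidate regex through a harness like this against real lines from the host's auth log, before putting it in the .cfg file, shows both whether it matches and which user and host it would extract.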