Hello,
Here is my secure.log :
Apr 28 11:44:03 server1 sshd[34360]: Invalid user klement from 38.96.175.129
Apr 28 11:44:04 server1 sshd[34362]: Invalid user zumlot from 38.96.175.129
I have tried the following regex : .*sshd\[.*\]: Invalid user (.*)
it doesn't change anything !
Do I have to put something on the SSHD_FORMAT_REGEX ?
Can you give me an example of a line DenyHosts will complain on ?
Thanks,
René Berber a écrit :
> On 4/28/2011 7:37 AM, Emmanuelle Morin wrote:
>
>
>> SSHD_FORMAT_REGEX=.* \[Sender sshd\] \[PID \d*\] \[Message .* PAM:
>> (?P<message>.*?)\].*?
>>
>
> That is the problem.
>
> I don't know how the log looks like in your Mac OSX version, but the
> question mark inside the message capture doesn't go there.
>
> It looks like you are trying to match very closely what you saw on the
> log, that is not needed, just match the beginning:
>
> SSHD_FORMAT_REGEX=.* (sshd.*:|\[sshd\]|\[Sender sshd\]) (?P<message>.*)
>
> Then see if the included regexes match the messages, if not, write your
> own USERDEF_FAILED_ENTRY_REGEX. From a previous message to this list, it
> could be something like:
>
> USERDEF_FAILED_ENTRY_REGEX=authentication error for (?P<user>.*) .*from
> (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
>
--
Emmanuelle MORIN
UMR 1136 INRA/UHP-Nancy 1
F-54280 Champenoux
Tel : + (33) 3 83 39 41 33
http://mycor.nancy.inra.fr
------------------------------------------------------------------------------
WhatsUp Gold - Download Free Network Management Software
The most intuitive, comprehensive, and cost-effective network
management toolset available today. Delivers lowest initial
acquisition cost and overall TCO of any competing solution.
http://p.sf.net/sfu/whatsupgold-sd
_______________________________________________
Denyhosts-user mailing list
Denyhosts-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/denyhosts-user
