Hello, I noticed new entries for hosts.deny on Solaris 10 were not happening, mainly because of difficulty parsing the logs for illegal/invalid users.
I tried coming up with new REGEX settings and somehow I'm getting bizarre pairs of user names and IPs in hosts.deny.

Here are some samples from authlog I'd like to block:

Mar 13 13:27:07 t2000 sshd[15288]: [ID 800047 auth.info] Illegal user mp3 from 140.114.23.66
Mar 24 20:34:00 t2000 sshd[16917]: [ID 800047 auth.info] Failed keyboard-interactive for <invalid username> from 222.122.38.82 port 60040 ssh2
Mar 30 04:02:51 enif sshd[18386]: [ID 800047 auth.info] Failed password for root from 149.255.38.229 port 59486 ssh2

Using this simple setting to start...

SSHD_FORMAT_REGEX=.* (sshd\[.*\]: \[ID \d* auth\.info\]) (?P<message>.*)
FAILED_ENTRY_REGEX=Illegal user \w from (?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})

I get entries like:

sshd: regsend - 111.222.333.444

where 111.222.333.444 is my IP, which was not involved in logins with that username, and if I grep for the user 'regsend' in the authlog file, it does not exist. Most of the other entries like the above show real users and my own remote IP. I also get some good entries with only an IP. I'm not using sync. I've had no problem using this in any Linux system.

_______________________________________________
Denyhosts-user mailing list
Denyhosts-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/denyhosts-user
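As an added example (not from the original post and not DenyHosts' own code), the script below replays the three sample authlog lines through the same two-stage match DenyHosts performs: SSHD_FORMAT_REGEX isolates the message, then FAILED_ENTRY_REGEX is searched inside it. It runs the patterns exactly as posted and, for comparison, an assumed alternative pattern (FIXED_FAILED_ENTRY_REGEX) that uses `\S+` instead of the single-character `\w` and also covers the "Failed <method> for <user> from <host>" lines.

```python
import re

# Constructed sample input: the three authlog lines quoted in the post.
SAMPLE_AUTHLOG = [
    "Mar 13 13:27:07 t2000 sshd[15288]: [ID 800047 auth.info] Illegal user mp3 from 140.114.23.66",
    "Mar 24 20:34:00 t2000 sshd[16917]: [ID 800047 auth.info] Failed keyboard-interactive "
    "for <invalid username> from 222.122.38.82 port 60040 ssh2",
    "Mar 30 04:02:51 enif sshd[18386]: [ID 800047 auth.info] Failed password for root "
    "from 149.255.38.229 port 59486 ssh2",
]

# The two patterns exactly as posted.
SSHD_FORMAT_REGEX = re.compile(r".* (sshd\[.*\]: \[ID \d* auth\.info\]) (?P<message>.*)")
POSTED_FAILED_ENTRY_REGEX = re.compile(
    r"Illegal user \w from (?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
)

# Assumed alternative (not from the post): a named user group, \S+ / .+? instead
# of the single-character \w, and a second prefix for "Failed ... for ... from".
IPV4 = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
FIXED_FAILED_ENTRY_REGEX = re.compile(
    r"(?:Illegal user|Failed \S+ for) (?P<user>.+?) from " + IPV4
)


def extract(lines, failed_regex):
    """Apply SSHD_FORMAT_REGEX to each line, then search failed_regex inside
    the captured message. Returns (user, host) pairs; user is '-' when the
    pattern has no user group (as with the posted pattern)."""
    hits = []
    for line in lines:
        fmt = SSHD_FORMAT_REGEX.match(line)
        if not fmt:
            continue
        failed = failed_regex.search(fmt.group("message"))
        if not failed:
            continue
        groups = failed.groupdict()
        hits.append((groups.get("user") or "-", groups["host"]))
    return hits


if __name__ == "__main__":
    print("posted pattern:", extract(SAMPLE_AUTHLOG, POSTED_FAILED_ENTRY_REGEX))
    print("fixed pattern: ", extract(SAMPLE_AUTHLOG, FIXED_FAILED_ENTRY_REGEX))
```

Running it shows the posted FAILED_ENTRY_REGEX matches none of the three lines, because `\w` consumes exactly one character of "mp3" and then expects " from"; the alternative pattern yields one (user, host) pair per line.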