Hi! After installing denyhosts I realized that quite a few of the attacks that our server system is subject to were not being recognized. These included dictionary attacks against services other than ssh that provided an authentication mechanism. I decided to add matching USERDEF_FAILED_ENTRY_REGEX entries to the configuration file to catch these attacks and ban the attacking IP addresses.
I used log entries and kodos to craft regular expressions that seem to work fine in the debugger, and that return the host/user information available in the matching log lines. They do not, however, seem to work in our denyhosts configuration. The IP addresses never seem to be banned despite hundreds of access attempts from each one. I have no idea why. I am probably missing something simple.

I am running Gentoo Linux, and denyhosts does seem to recognize ssh attacks and ban IP addresses appropriately, so I know the basic functionality is configured correctly. I am receiving alert email when hosts.deny is updated in these instances.

Some configuration information:

    DENY_THRESHOLD_INVALID = 5
    DENY_THRESHOLD_VALID = 5
    DENY_THRESHOLD_ROOT = 1
    DENY_THRESHOLD_RESTRICTED = 1

The regular expressions and the log lines they should match are as follows:

--START--

    USERDEF_FAILED_ENTRY_REGEX=.*LOGIN FAILED, user=(?P<user>\S+),.*ff:(?P<host>\S+)\]
    Aug 21 13:12:36 althea pop3d: LOGIN FAILED, user=scan, ip=[::ffff:213.197.165.84]

    USERDEF_FAILED_ENTRY_REGEX=.*lost connection after AUTH from.*\[(?P<host>\S+)\]
    Aug 21 20:17:55 althea postfix/smtpd[21204]: lost connection after AUTH from unknown[223.68.252.240]

    USERDEF_FAILED_ENTRY_REGEX=.*\[(?P<host>\S+)\].*SASL LOGIN authentication failed.*$
    Aug 21 20:20:04 althea postfix/smtpd[21203]: warning: unknown[223.24.12.55]: SASL LOGIN authentication failed: authentication failure

--END--

Any advice would be appreciated,

Thanks,
reb
_______________________________________________
Denyhosts-user mailing list
Denyhosts-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/denyhosts-user
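The following is an added regex validation harness, not code from the post above and not DenyHosts' own matching or counting code. It takes the three USERDEF_FAILED_ENTRY_REGEX patterns and the three log lines quoted in the post, checks that each line is matched by exactly the intended pattern with Python's `re` module (DenyHosts is written in Python, but this harness assumes nothing about how DenyHosts applies the patterns beyond plain `re.match` semantics), reports which `host` and `user` groups are captured, and then runs a deliberately simplified per-host tally against DENY_THRESHOLD_INVALID = 5 over a constructed stream of repeated lines. The negative sample line (a successful pop3d login from an RFC 5737 test address) is constructed here to show that the patterns do not fire on non-failure lines.

```python
import re

# The three USERDEF_FAILED_ENTRY_REGEX values from the post, copied verbatim.
USERDEF_PATTERNS = [
    r".*LOGIN FAILED, user=(?P<user>\S+),.*ff:(?P<host>\S+)\]",
    r".*lost connection after AUTH from.*\[(?P<host>\S+)\]",
    r".*\[(?P<host>\S+)\].*SASL LOGIN authentication failed.*$",
]

# The three log lines from the post that the patterns are meant to match.
SAMPLE_LINES = [
    "Aug 21 13:12:36 althea pop3d: LOGIN FAILED, user=scan, ip=[::ffff:213.197.165.84]",
    "Aug 21 20:17:55 althea postfix/smtpd[21204]: lost connection after AUTH from unknown[223.68.252.240]",
    "Aug 21 20:20:04 althea postfix/smtpd[21203]: warning: unknown[223.24.12.55]: SASL LOGIN authentication failed: authentication failure",
]

# Constructed negative sample (not from the post): a successful login must not count as a failure.
NEGATIVE_LINES = [
    "Aug 21 13:13:00 althea pop3d: LOGIN, user=alice, ip=[::ffff:192.0.2.10]",
]

# Constructed stream (not from the post): repeats of the sample lines, to exercise the tally.
CONSTRUCTED_STREAM = [SAMPLE_LINES[0]] * 6 + [SAMPLE_LINES[1]] * 3 + [SAMPLE_LINES[2]] * 5

# Threshold value quoted in the post's configuration.
DENY_THRESHOLD_INVALID = 5

# Loose IPv4 shape check, used only to flag a host group that captured trailing junk.
IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")


def compile_patterns(patterns):
    """Compile each pattern; a syntax error here means the config line itself is broken."""
    return [re.compile(p) for p in patterns]


def match_line(compiled, line):
    """Return (pattern_index, host, user) for the first pattern that matches, else None.

    re.match anchors at the start of the line; because every pattern begins with '.*'
    this behaves identically to re.search, so the result does not depend on which one
    the consumer of the config actually uses."""
    for i, rx in enumerate(compiled):
        m = rx.match(line)
        if m:
            groups = m.groupdict()
            return i, groups.get("host"), groups.get("user")
    return None


def check_samples(patterns=USERDEF_PATTERNS, lines=SAMPLE_LINES):
    """Describe, per line, whether it matched, which pattern fired, and what was captured."""
    compiled = compile_patterns(patterns)
    results = []
    for line in lines:
        hit = match_line(compiled, line)
        if hit is None:
            results.append({"line": line, "matched": False})
            continue
        idx, host, user = hit
        results.append({
            "line": line,
            "matched": True,
            "pattern": idx,
            "host": host,
            "user": user,
            # A host that is not a clean IPv4 literal (e.g. "1.2.3.4]") would never
            # produce a usable hosts.deny entry, so flag it explicitly.
            "host_is_ipv4": bool(host and IPV4.match(host)),
        })
    return results


def count_failures(patterns, lines):
    """Simplified per-host tally of matched lines (a model, not DenyHosts' own bookkeeping)."""
    compiled = compile_patterns(patterns)
    counts = {}
    for raw in lines:
        hit = match_line(compiled, raw.rstrip("\n"))  # tolerate lines read from a file
        if hit is None or not hit[1]:
            continue  # unmatched line, or a match with an empty host group
        counts[hit[1]] = counts.get(hit[1], 0) + 1
    return counts


def hosts_over_threshold(counts, threshold):
    """Hosts whose failure count reached the threshold, in sorted order."""
    return sorted(host for host, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for r in check_samples():
        print(r)
    for r in check_samples(lines=NEGATIVE_LINES):
        print(r)
    tally = count_failures(USERDEF_PATTERNS, CONSTRUCTED_STREAM)
    print(tally)
    print("would exceed threshold:", hosts_over_threshold(tally, DENY_THRESHOLD_INVALID))
```

Run as-is it prints, for each of the three quoted lines, the pattern index that fired and the captured host (213.197.165.84, 223.68.252.240 and 223.24.12.55; the first line also yields user=scan), confirms the constructed successful-login line matches nothing, and shows which hosts in the constructed stream reach the threshold of 5. If the patterns behave correctly here, the cause of the missing bans lies outside the regexes themselves (which log file is being read, whether the daemon was restarted after the config change, or how the tool treats matches lacking a user group), which is the next thing to check.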