The default SSHD_FORMAT_REGEX is used to determine which lines to consider and only matches "sshd" lines. Once it matches, it then filters entries based on the other regexes (e.g. USERDEF_FAILED_ENTRY_REGEX, etc.). You likely need to override the SSHD_FORMAT_REGEX to consider those other services (ssh + pop3, postfix, etc...)
Regards,
Phil

On Thu, 23 Aug 2012, Phydeaux wrote:

> Hi!
>
> After installing denyhosts I realized that quite a few of the attacks that
> our server system is subject to were not being recognized. These included
> dictionary attacks against services other than ssh that provided an
> authentication mechanism. I decided to add matching USERDEF_FAILED_ENTRY_REGEX
> entries to the configuration file to catch these attacks and ban the
> attacking IP addresses.
>
> I used log entries and kodos to craft regular expressions that seem to work
> fine in the debugger, and that return the host/user information available
> in the matching log lines. They do not, however, seem to work in our
> denyhosts configuration. The IP addresses never seem to be banned despite
> hundreds of access attempts from each one. I have no idea why. I am probably
> missing something simple.
>
> I am running Gentoo Linux, and denyhosts does seem to recognize ssh attacks
> and ban IP addresses appropriately, so I know the basic functionality is
> configured correctly. I am receiving alert email when hosts.deny is
> updated in these instances.
>
> Some configuration information:
>
> DENY_THRESHOLD_INVALID = 5
> DENY_THRESHOLD_VALID = 5
> DENY_THRESHOLD_ROOT = 1
> DENY_THRESHOLD_RESTRICTED = 1
>
> The regular expressions and the log lines they should match are
> as follows:
>
> --START--
> USERDEF_FAILED_ENTRY_REGEX=.*LOGIN FAILED, user=(?P<user>\S+),.*ff:(?P<host>\S+)\]
> Aug 21 13:12:36 althea pop3d: LOGIN FAILED, user=scan, ip=[::ffff:213.197.165.84]
>
> USERDEF_FAILED_ENTRY_REGEX=.*lost connection after AUTH from.*\[(?P<host>\S+)\]
> Aug 21 20:17:55 althea postfix/smtpd[21204]: lost connection after AUTH from unknown[223.68.252.240]
>
> USERDEF_FAILED_ENTRY_REGEX=.*\[(?P<host>\S+)\].*SASL LOGIN authentication failed.*$
> Aug 21 20:20:04 althea postfix/smtpd[21203]: warning: unknown[223.24.12.55]: SASL LOGIN authentication failed: authentication failure
> --END--
>
> Any advice would be appreciated,
>
> Thanks,
>
> reb
>
> _______________________________________________
> Denyhosts-user mailing list
> Denyhosts-user@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/denyhosts-user

--
Regards,
Phil Schwartz
http://www.phil-schwartz.com

Open Source Projects:
DenyHosts: http://www.denyhosts.net
Kodos: http://kodos.sourceforge.net
ReleaseForge: http://releaseforge.sourceforge.net
Scratchy: http://scratchy.sourceforge.net
FAQtor: http://faqtor.sourceforge.net

'Like' DenyHosts on Facebook: http://www.facebook.com/pages/DenyHosts/58269629216
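The two-stage matching Phil describes, as an added illustration that is constructed for this thread and is not DenyHosts' own source: the format regex decides which lines are looked at at all, and only its "message" group is tested against the failed-entry regexes. The sshd-only format regex and the broadened one are assumptions standing in for the default and for an override; the log lines are the ones quoted above plus one constructed sshd line.

```python
import re

# Constructed sample log lines: the three quoted in the thread plus one sshd line.
LOG_LINES = [
    "Aug 21 13:12:36 althea pop3d: LOGIN FAILED, user=scan, ip=[::ffff:213.197.165.84]",
    "Aug 21 20:17:55 althea postfix/smtpd[21204]: lost connection after AUTH from unknown[223.68.252.240]",
    "Aug 21 20:20:04 althea postfix/smtpd[21203]: warning: unknown[223.24.12.55]: SASL LOGIN authentication failed: authentication failure",
    "Aug 21 20:25:11 althea sshd[21300]: Failed password for invalid user admin from 198.51.100.7 port 4022 ssh2",
]

# Assumption: a stand-in for an sshd-only format regex (not the project's literal
# default). Only "sshd[pid]:" lines match, so pop3d/postfix lines are never examined.
SSHD_ONLY_FORMAT = re.compile(r".* sshd\[\d+\]:\s*(?P<message>.*)")

# Assumption: a broadened override that also admits pop3d and postfix/smtpd lines.
MULTI_SERVICE_FORMAT = re.compile(r".* (?:sshd|pop3d|postfix/smtpd)(?:\[\d+\])?:\s*(?P<message>.*)")

# The poster's USERDEF_FAILED_ENTRY_REGEX entries, plus a constructed one for the sshd line.
FAILED_ENTRY_REGEXES = [
    re.compile(r".*LOGIN FAILED, user=(?P<user>\S+),.*ff:(?P<host>\S+)\]"),
    re.compile(r".*lost connection after AUTH from.*\[(?P<host>\S+)\]"),
    re.compile(r".*\[(?P<host>\S+)\].*SASL LOGIN authentication failed.*$"),
    re.compile(r".*Failed password for invalid user (?P<user>\S+) from (?P<host>\S+)"),
]


def failed_hosts(lines, format_regex, entry_regexes=FAILED_ENTRY_REGEXES):
    """Stage 1: the format regex gates the line and yields its 'message' group.
    Stage 2: the message (not the whole line) is tested against the failed-entry
    regexes. Returns (host, user) pairs; user is None when the regex has no group."""
    hits = []
    for line in lines:
        m = format_regex.match(line)
        if not m:
            continue  # rejected at stage 1: the failed-entry regexes never see it
        message = m.group("message")
        for rx in entry_regexes:
            e = rx.match(message)
            if e:
                hits.append((e.group("host"), e.groupdict().get("user")))
                break
    return hits


def count_by_host(hits):
    """Tally failures per host; this count is what the DENY_THRESHOLD_* values gate."""
    counts = {}
    for host, _user in hits:
        counts[host] = counts.get(host, 0) + 1
    return counts
```

With the sshd-only format regex only the sshd line produces a hit, which is why the poster's entries never banned anyone; with the broadened one all four lines yield a host.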