On Monday 01 April 2013, Robin Atwood wrote:
> My regex fu seems to have departed me. :( Someone's trying my POP3 port
> which gets rejected with:
>
>
> Mar 31 13:07:01 opal auth: pam_unix(pop3:auth): authentication failure;
> logname= uid=0 euid=0 tty=dovecot ruser=abcd1234 rhost=223.4.209.151
>
> Based on rules I coded years ago I tried:
>
> USERDEF_FAILED_ENTRY_REGEX=.* ruser\=(?P<user>.*) rhost\=(::ffff:)?
> (?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
>
> but it doesn't work. I am not sure about the (::ffff:) but the other rules
> have it. There used to be a handy utility (kodos?) for debugging this stuff
> but it needs Qt3 and doesn't work any more.
OK, problem solved, a google revealed the answer was in the archives [1]. What
you need is:

SSHD_FORMAT_REGEX=.* (sshd.*:|\[sshd\]|proftpd.* \-|pam_unix\(pop3:auth\):) (?P<message>.*)
USERDEF_FAILED_ENTRY_REGEX=authentication failure.*ruser=(?P<user>\S+) rhost=(?P<host>\S+)

where the "pam_unix\(pop3:auth\):" is the service name you currently get. You
then have to update Dovecot to use TCP wrappers, described here [2]. An
excellent hour's work!
-Robin
1. http://www.mail-archive.com/denyhosts-user@lists.sourceforge.net/msg00405.html
2. http://wiki2.dovecot.org/LoginProcess
--
----------------------------------------------------------------------
Robin Atwood.
"Ship me somewheres east of Suez, where the best is like the worst,
Where there ain't no Ten Commandments an' a man can raise a thirst"
from "Mandalay" by Rudyard Kipling
----------------------------------------------------------------------
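
Added example, not part of the original post and not DenyHosts code: a small Python harness for checking the two settings above against the quoted log line. It assumes DenyHosts first applies SSHD_FORMAT_REGEX to the whole line and then searches the captured message with the failed-entry regex, and that the stock format regex only recognises sshd; the function name and the extra sample lines are constructed for illustration.

```python
import re

# Log line quoted in the post, rejoined onto one line as syslog writes it.
LOG_LINE = ("Mar 31 13:07:01 opal auth: pam_unix(pop3:auth): authentication failure; "
            "logname= uid=0 euid=0 tty=dovecot ruser=abcd1234 rhost=223.4.209.151")
# Constructed samples: an IPv4-mapped rhost and a non-failure PAM line.
MAPPED_LINE = LOG_LINE.replace("rhost=223.4.209.151", "rhost=::ffff:192.0.2.10")
SESSION_LINE = ("Mar 31 13:08:00 opal auth: pam_unix(pop3:session): "
                "session opened for user alice")

# Assumption: the stock format regex, which only knows the sshd service tag.
DEFAULT_FORMAT = r".* (sshd.*:|\[sshd\]) (?P<message>.*)"
# Settings from the post, wrapped lines rejoined with a single space.
POP3_FORMAT = (r".* (sshd.*:|\[sshd\]|proftpd.* \-|pam_unix\(pop3:auth\):) "
               r"(?P<message>.*)")
USERDEF_FAILED = r"authentication failure.*ruser=(?P<user>\S+) rhost=(?P<host>\S+)"


def parse_failure(line, format_regex, failed_regex):
    """Return (user, host) for a failed login, or None if either stage misses.

    Stage 1 isolates the message after the service tag; stage 2 looks for
    the failure pattern inside that message (assumed two-stage flow).
    """
    fm = re.match(format_regex, line)
    if fm is None:
        return None  # service tag not recognised, line is never examined
    m = re.search(failed_regex, fm.group("message"))
    if m is None:
        return None
    return m.group("user"), m.group("host")


if __name__ == "__main__":
    # Stock format regex: the pop3 line is dropped before any failure regex runs.
    print(parse_failure(LOG_LINE, DEFAULT_FORMAT, USERDEF_FAILED))
    # Format regex extended with the pam_unix(pop3:auth) tag: fields are extracted.
    print(parse_failure(LOG_LINE, POP3_FORMAT, USERDEF_FAILED))
    # \S+ keeps an IPv4-mapped prefix as part of the captured host.
    print(parse_failure(MAPPED_LINE, POP3_FORMAT, USERDEF_FAILED))
    # Other pam_unix(pop3:...) lines do not count as failures.
    print(parse_failure(SESSION_LINE, POP3_FORMAT, USERDEF_FAILED))
```

With `rhost=(?P<host>\S+)` an address logged as `::ffff:a.b.c.d` is captured with the prefix included, so check what form your PAM log lines actually use before relying on the resulting deny entries.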