Hi Linc,

There's more than one way to "fix" the behavior of DenyHosts as regards 
MacOSX. Please see my notes below yours. Best, Robert

Linc Davis wrote:
> This message concerns denyhosts-py25-2.6-1 in 10.4/unstable/main; I  
> haven't tested other versions of the package.
<snip>
> Most failed ssh login attempts specify an invalid user name, and  
> these are logged by sshd at priority level 6 (info). By default,  
> syslogd(8) only writes messages at priority levels 0-5 to asl.log. In  
> order for denyhosts to work, you have to change the state of syslogd.  
> I did this by editing the file
> 
> /System/Library/LaunchDaemons/com.apple.syslogd.plist
> 
> but, more appropriately for Fink, it can also be done without modifying  
> any system files by running the following command as root, once per  
> session:
> 
> syslog -c syslogd -i
> 
> This could be added to the daemonic startup script for denyhosts.
> 
> However, this isn't all you need to do to get denyhosts to work. The  
> configuration file included in the package,
> 
> %p/etc/denyhosts-py25/denyhosts.cfg.dpkg-dist
> 
> has an incorrect regular expression for matching sshd log entries. It  
> should read as follows:
> 
> SSHD_FORMAT_REGEX=.* \[Sender sshd\] \[PID \d*\] \[Message (?P<message>.*?)\].*?
> 
> With these changes, DenyHosts is working for me.


In the interest of helping fellow MacOS users, I've collected the
following tidbits that help make denyhosts work on MacOS 10.4.

In addition to modifying the denyhosts.cfg file as recommended in the
denyhosts FAQ, the following settings must be made in the sshd_config file:

PasswordAuthentication no
UsePAM yes
UseDNS no

These settings 1) bypass the rudimentary password authentication so that
PAM can be triggered, 2) trigger PAM, and 3) allow IP addresses to be
passed to asl.log so that they may be captured by the denyhosts REGEX
pattern (otherwise the associated domain name is passed).

(It is also wise to set "PermitRootLogin no" since most functions
requiring root access can be accessed via the sudo command. I also set
"LogLevel VERBOSE". For more info, see "man sshd_config".)

To make these changes, the user opens a Terminal.app window and issues
these commands:

cp /etc/sshd_config ~/sshd_config.bak

[this makes a copy of the original sshd_config file, just in case ;-)]

sudo pico /etc/sshd_config

[this uses the 'pico' text editor to access the sshd_config file]

After making the changes above, the user exits pico, saving the file,
and must then restart the ssh daemon.

One way to restart the daemon is by using the System Preferences...
command under the Apple Menu and clicking on the Sharing icon in the
Internet & Network group. Now clicking the check box next to Remote
Login will shut down the daemon and clicking it again will restart the
daemon (the daemon is running when the box is checked).

Another way to restart the daemon is to restart the computer (assuming
the aforementioned box is checked).

Regarding allowed/denied hosts files:

In this setup (fink's denyhosts), the allowed-hosts file is here:
/sw/share/denyhosts-py25/data/allowed-hosts

... while the hosts.deny file is here:
/etc/hosts.deny

Both of these may need to be created manually; this can be done with:

sudo touch /sw/share/denyhosts-py25/data/allowed-hosts
sudo touch /etc/hosts.deny
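
The log matching discussed in this thread, as an added example that is not part of the original messages or of DenyHosts itself: the quoted SSHD_FORMAT_REGEX (rejoined onto one line) is applied to asl.log-style lines, and each failed login is checked for the two conditions raised above, a level-6 entry and a hostname in place of an IP address. The sample lines and the FAILED_LOGIN, LEVEL and IPV4 helper patterns are constructed for this illustration.

```python
import re

# Regex from the quoted message, rejoined onto one line (the mail client
# wrapped it in the middle of "(?P<message>").
SSHD_FORMAT_REGEX = re.compile(
    r".* \[Sender sshd\] \[PID \d*\] \[Message (?P<message>.*?)\].*?"
)

# Hypothetical helper patterns for this example; not DenyHosts' own.
FAILED_LOGIN = re.compile(r"(?:Invalid|Illegal) user (?P<user>\S+) from (?P<host>\S+)")
LEVEL = re.compile(r"\[Level (?P<level>\d)\]")
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

# Constructed asl.log-style lines (not captured from a real system).
SAMPLE_LOG = [
    "[Time 2006.05.20 10:00:01 UTC] [Facility auth] [Sender sshd] [PID 411] "
    "[Message Invalid user admin from 192.0.2.10] [Level 6] [Host mac]",
    "[Time 2006.05.20 10:00:07 UTC] [Facility auth] [Sender sshd] [PID 415] "
    "[Message Invalid user test from host.example.net] [Level 6] [Host mac]",
    "[Time 2006.05.20 10:00:09 UTC] [Facility daemon] [Sender ntpd] [PID 90] "
    "[Message time reset] [Level 5] [Host mac]",
]

def parse_line(line):
    """Return details of a failed sshd login, or None if the line is unrelated."""
    entry = SSHD_FORMAT_REGEX.match(line)
    if entry is None:
        return None
    failed = FAILED_LOGIN.search(entry.group("message"))
    if failed is None:
        return None
    level = LEVEL.search(line)
    host = failed.group("host")
    return {
        "user": failed.group("user"),
        "host": host,
        # A hostname here is the case "UseDNS no" is meant to avoid.
        "host_is_ip": IPV4.fullmatch(host) is not None,
        # Per the quoted message, only levels 0-5 reach asl.log by default.
        "needs_syslogd_change": level is not None and int(level.group("level")) > 5,
    }

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(parse_line(line))
```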

_______________________________________________
Fink-users mailing list
Fink-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fink-users