Re: [Denyhosts-user] What's going on here?
Strange, because the DEBUG entries show that he was blocked pretty quickly. Maybe you didn't restart DH after you initially changed the config?

Phil

On Tue, 6 May 2008, René Berber wrote:

> Phil Schwartz wrote:
>
>> That particular output indicates that your changed regex is being recognized by DH. Whether or not it's working properly, that's another matter.
>>
>> If you restart in --debug mode, you can tail -f the denyhosts.log and then append similar lines (as those that seem problematic) to your secure.log, save it, and see what DH is reporting in its log.
>
> Is there an additional option to see what regex is matched? I had to add my own lines to the code to get this:
>
> 2008-05-06 18:15:12,474 - denyhosts : DEBUG    /var/log/messages has additional data
> 2008-05-06 18:15:12,500 - denyhosts : INFO     checked: Failed (?P<method>.*) for (?P<invalid>invalid user |illegal user )?(?P<user>.*?) .*from (:::)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
> 2008-05-06 18:15:12,501 - denyhosts : INFO     checked: (?P<invalid>(Illegal|Invalid)) user (?P<user>.*?) .*from (:::)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
> 2008-05-06 18:15:12,501 - denyhosts : INFO     checked: Authentication failure for (?P<user>.*) .*from (:::)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
> 2008-05-06 18:15:12,501 - denyhosts : INFO     checked: Authentication failure for (?P<user>.*) .*from (?P<host>.*)
> 2008-05-06 18:15:12,501 - denyhosts : INFO     checked: User (?P<user>.*) .*from (?P<host>.*) not allowed because none of user's groups are listed in AllowGroups$
> 2008-05-06 18:15:12,501 - denyhosts : INFO     checked: Did not receive identification string .*from (:::)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
> 2008-05-06 18:15:12,501 - denyhosts : INFO     checked: User (?P<user>\S+) from (?P<host>\S+) not allowed because not listed in .*
> 2008-05-06 18:15:12,501 - denyhosts : INFO     matched: User (?P<user>\S+) from (?P<host>\S+) not allowed because not listed in .*
> 2008-05-06 18:15:12,502 - denyhosts : DEBUG    user: root - host: 43.220.forpsi.net - success: 0 - invalid: 1
> 2008-05-06 18:15:12,513 - denyhosts : INFO     checked: Failed (?P<method>.*) for (?P<invalid>invalid user |illegal user )?(?P<user>.*?) .*from (:::)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
> 2008-05-06 18:15:12,514 - denyhosts : INFO     checked: (?P<invalid>(Illegal|Invalid)) user (?P<user>.*?) .*from (:::)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
> 2008-05-06 18:15:12,514 - denyhosts : INFO     checked: Authentication failure for (?P<user>.*) .*from (:::)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
> 2008-05-06 18:15:12,514 - denyhosts : INFO     checked: Authentication failure for (?P<user>.*) .*from (?P<host>.*)
> 2008-05-06 18:15:12,514 - denyhosts : INFO     checked: User (?P<user>.*) .*from (?P<host>.*) not allowed because none of user's groups are listed in AllowGroups$
> 2008-05-06 18:15:12,514 - denyhosts : INFO     checked: Did not receive identification string .*from (:::)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
> 2008-05-06 18:15:12,514 - denyhosts : INFO     checked: User (?P<user>\S+) from (?P<host>\S+) not allowed because not listed in .*
> 2008-05-06 18:15:12,515 - denyhosts : INFO     checked: authentication failure.* ruser= rhost=(?P<host>\S+) user=(?P<user>\S+)
> 2008-05-06 18:15:12,515 - denyhosts : INFO     matched: authentication failure.* ruser= rhost=(?P<host>\S+) user=(?P<user>\S+)
> 2008-05-06 18:15:12,515 - denyhosts : DEBUG    user: root - host: 43.220.forpsi.net - success: 0 - invalid: 1
> 2008-05-06 18:15:12,516 - denyhosts : INFO     checked: Failed (?P<method>.*) for (?P<invalid>invalid user |illegal user )?(?P<user>.*?) .*from (:::)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
> 2008-05-06 18:15:12,516 - denyhosts : INFO     checked: (?P<invalid>(Illegal|Invalid)) user (?P<user>.*?) .*from (:::)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
> 2008-05-06 18:15:12,516 - denyhosts : INFO     checked: Authentication failure for (?P<user>.*) .*from (:::)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
> 2008-05-06 18:15:12,516 - denyhosts : INFO     checked: Authentication failure for (?P<user>.*) .*from (?P<host>.*)
> 2008-05-06 18:15:12,516 - denyhosts : INFO     matched: Authentication failure for (?P<user>.*) .*from (?P<host>.*)
> 2008-05-06 18:15:12,516 - denyhosts : DEBUG    user: illegal user root - host: 43.220.forpsi.net - success: 0 - invalid: 1
> 2008-05-06 18:15:12,517 - denyhosts : INFO     checked: Failed (?P<method>.*) for (?P<invalid>invalid user |illegal user )?(?P<user>.*?) .*from (:::)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
> 2008-05-06 18:15:12,517 - denyhosts : INFO     matched: Failed (?P<method>.*) for (?P<invalid>invalid user |illegal user )?(?P<user>.*?) .*from (:::)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
> 2008-05-06 18:15:12,517 - denyhosts : DEBUG    user: root - host: 81.2.220.43 - success: 0 - invalid: 1
> 2008-05-06 18:15:12,528 - denyhosts : DEBUG    new hosts:
Re: [Denyhosts-user] What's going on here?
Phil Schwartz wrote:

> Strange, because the DEBUG entries show that he was blocked pretty quickly. Maybe you didn't restart DH after you initially changed the config?

No, that's not the problem. If you mean restart after I added my REGEX7, then DH has been restarted many times after that: the change is about 2 months old and the server has been rebooted once or twice in between, plus I restart DH automatically when logrotate moves its log, and I restart whenever I change the configuration (which I have done while changing other regexes for vsftpd). In fact, I had to reboot this server last week when I made a mistake reconfiguring the network interface.

The problem that I have been reporting is very strange, and it is not, as I suspected, that my regex wasn't hitting. Yesterday, while tracking DH using debug and my info lines, I saw that on each attempt by this guy there were 4 regexes hitting. Three of those regexes had not changed for a long time; 2 are built-in.

So, why was DH not working with some attempts and working with others, as my log showed? I don't know. I would need to do long-term tracking and I really don't know what I'm looking for.

Thanks for your help.

--
René Berber

-------------------------------------------------------------------------
This SF.net email is sponsored by the 2008 JavaOne(SM) Conference
Don't miss this year's exciting event. There's still time to save $100.
Use priority code J8TL2D2.
http://ad.doubleclick.net/clk;198757673;13503038;p?http://java.sun.com/javaone
_______________________________________________
Denyhosts-user mailing list
Denyhosts-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/denyhosts-user
Re: [Denyhosts-user] What's going on here?
When you restart DH, what does it show in the denyhosts.log as your FAILED_ENTRY_REGEX7?

eg: tail -100l /var/log/denyhosts | grep FAILED_ENTRY_REGEX7

Regards,
Phil

On Tue, 6 May 2008, René Berber wrote:

> Hi,
>
> Here's a fragment of log that shows unexpected DH behaviour:
>
> May 6 15:34:45 LegoSoft sshd[17878]: User root from pd907d0a7.dip0.t-ipconnect.de not allowed because not listed in AllowUsers
> May 6 15:34:45 LegoSoft sshd[17880]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=pd907d0a7.dip0.t-ipconnect.de user=root
> May 6 15:34:48 LegoSoft sshd[17878]: error: PAM: Authentication failure for illegal user root from pd907d0a7.dip0.t-ipconnect.de
> May 6 15:34:48 LegoSoft sshd[17878]: Failed keyboard-interactive/pam for invalid user root from 217.7.208.167 port 55907 ssh2
> May 6 15:37:46 LegoSoft sshd[17891]: User root from www1.haefft.de not allowed because not listed in AllowUsers
> May 6 15:37:47 LegoSoft sshd[17893]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=www1.haefft.de user=root
> May 6 15:37:49 LegoSoft sshd[17891]: error: PAM: Authentication failure for illegal user root from www1.haefft.de
> May 6 15:37:49 LegoSoft sshd[17891]: Failed keyboard-interactive/pam for invalid user root from 194.97.156.23 port 4358 ssh2
> May 6 15:39:23 LegoSoft sshd[17899]: reverse mapping checking getaddrinfo for hosted.by.pcextreme.nl [85.92.138.60] failed - POSSIBLE BREAK-IN ATTEMPT!
> May 6 15:39:23 LegoSoft sshd[17899]: User root from 85.92.138.60 not allowed because not listed in AllowUsers
> May 6 15:39:23 LegoSoft sshd[17901]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=85.92.138.60 user=root
> May 6 15:39:25 LegoSoft sshd[17899]: error: PAM: Authentication failure for illegal user root from 85.92.138.60
> May 6 15:39:25 LegoSoft sshd[17899]: Failed keyboard-interactive/pam for invalid user root from 85.92.138.60 port 53598 ssh2
> May 6 15:39:28 LegoSoft denyhosts: Added the following hosts to /etc/hosts.deny - 85.92.138.60 (hosted.by.pcextreme.nl)
> May 6 15:40:01 LegoSoft cron[17905]: (root) CMD (test -x /usr/sbin/run-crons && /usr/sbin/run-crons )
> May 6 15:42:07 LegoSoft sshd[17923]: User root from 195.47.114.129.adsl.nextra.cz not allowed because not listed in AllowUsers
> May 6 15:42:07 LegoSoft sshd[17925]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=195.47.114.129.adsl.nextra.cz user=root
> May 6 15:42:09 LegoSoft sshd[17923]: error: PAM: Authentication failure for illegal user root from 195.47.114.129.adsl.nextra.cz
> May 6 15:42:09 LegoSoft sshd[17923]: Failed keyboard-interactive/pam for invalid user root from 195.47.114.129 port 19259 ssh2
> May 6 15:45:12 LegoSoft sshd[17935]: User root from mail.pragmaticus.ru not allowed because not listed in AllowUsers
> May 6 15:45:12 LegoSoft sshd[17937]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=mail.pragmaticus.ru user=root
> May 6 15:45:15 LegoSoft sshd[17935]: error: PAM: Authentication failure for illegal user root from mail.pragmaticus.ru
> May 6 15:45:15 LegoSoft sshd[17935]: Failed keyboard-interactive/pam for invalid user root from 62.118.68.66 port 32810 ssh2
> May 6 15:46:34 LegoSoft sshd[17943]: User root from 213-239-204-42.clients.your-server.de not allowed because not listed in AllowUsers
> May 6 15:46:34 LegoSoft sshd[17945]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=213-239-204-42.clients.your-server.de user=root
> May 6 15:46:36 LegoSoft sshd[17943]: error: PAM: Authentication failure for illegal user root from 213-239-204-42.clients.your-server.de
> May 6 15:46:36 LegoSoft sshd[17943]: Failed keyboard-interactive/pam for invalid user root from 213.239.204.42 port 4421 ssh2
> May 6 15:49:20 LegoSoft sshd[17954]: User root from abu66.internetdsl.tpnet.pl not allowed because not listed in AllowUsers
> May 6 15:49:21 LegoSoft sshd[17957]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=abu66.internetdsl.tpnet.pl user=root
> May 6 15:49:23 LegoSoft sshd[17954]: error: PAM: Authentication failure for illegal user root from abu66.internetdsl.tpnet.pl
> May 6 15:49:23 LegoSoft sshd[17954]: Failed keyboard-interactive/pam for invalid user root from 83.16.46.66 port 52169 ssh2
> May 6 15:53:51 LegoSoft sshd[17986]: reverse mapping checking getaddrinfo for 217.16.114.87.ktvpillersee.at [217.16.114.87] failed - POSSIBLE BREAK-IN ATTEMPT!
> May 6 15:53:51 LegoSoft sshd[17986]: User root from 217.16.114.87 not allowed because not listed in AllowUsers
> May 6 15:53:52 LegoSoft sshd[17988]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=217.16.114.87 user=root
> May 6 15:53:54 LegoSoft sshd[17986]: error: PAM: Authentication failure for illegal user root from 217.16.114.87
> May 6
Re: [Denyhosts-user] What's going on here?
Phil Schwartz wrote:

> When you restart DH, what does it show in the denyhosts.log as your FAILED_ENTRY_REGEX7?
>
> eg: tail -100l /var/log/denyhosts | grep FAILED_ENTRY_REGEX7

2008-05-06 16:32:28,666 - prefs : INFO     FAILED_ENTRY_REGEX7: [User (?P<user>\S+) from (?P<host>\S+) not allowed because not listed in .*]

Looks fine, and I recall running DH in debug mode when I made that change; if I'm not mistaken, the regex was working fine judging from the debug output.

--
René Berber
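The debug output Phil quoted earlier in the thread and the sshd log fragment René posted both show the same thing: one login attempt produces four sshd lines, and a different pattern fires on each. The following is an added example, not code from the thread or from DenyHosts itself. It takes the eight patterns exactly as they are printed in the debug output (named groups restored, the `(:::)?` prefix group copied as shown), runs them over one attempt from René's log in the same first-match-wins order the "checked ... matched" lines reveal, and tallies the results per host identity. Only FAILED_ENTRY_REGEX7 is named on the page; the other labels, and the `PAM_UNIX_REGEX` name for the eighth pattern, are assumed here for readability.

```python
import re
from collections import Counter

# DenyHosts failed-login patterns as printed in the thread's debug output, with
# the named groups (?P<user>...) etc. restored. Labels other than
# FAILED_ENTRY_REGEX7 are assumed; "(:::)?" is copied as it appears in the log.
IPV4 = r"\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"
PATTERNS = [
    ("FAILED_ENTRY_REGEX",
     r"Failed (?P<method>.*) for (?P<invalid>invalid user |illegal user )?"
     r"(?P<user>.*?) .*from (:::)?(?P<host>" + IPV4 + r")"),
    ("FAILED_ENTRY_REGEX2",
     r"(?P<invalid>(Illegal|Invalid)) user (?P<user>.*?) .*from (:::)?(?P<host>" + IPV4 + r")"),
    ("FAILED_ENTRY_REGEX3",
     r"Authentication failure for (?P<user>.*) .*from (:::)?(?P<host>" + IPV4 + r")"),
    ("FAILED_ENTRY_REGEX4",
     r"Authentication failure for (?P<user>.*) .*from (?P<host>.*)"),
    ("FAILED_ENTRY_REGEX5",
     r"User (?P<user>.*) .*from (?P<host>.*) not allowed because none of user's "
     r"groups are listed in AllowGroups$"),
    ("FAILED_ENTRY_REGEX6",
     r"Did not receive identification string .*from (:::)?(?P<host>" + IPV4 + r")"),
    ("FAILED_ENTRY_REGEX7",  # René's custom regex, as shown by the prefs log line
     r"User (?P<user>\S+) from (?P<host>\S+) not allowed because not listed in .*"),
    ("PAM_UNIX_REGEX",  # assumed label for the eighth pattern in the debug output
     r"authentication failure.* ruser= rhost=(?P<host>\S+) user=(?P<user>\S+)"),
]
COMPILED = [(name, re.compile(pat)) for name, pat in PATTERNS]


def all_hits(line):
    """Names of every pattern that matches the line, in checking order."""
    return [name for name, rx in COMPILED if rx.search(line)]


def classify(line):
    """First pattern wins, mirroring the 'checked ... matched' sequence.

    Returns (pattern_name, user, host), or None when nothing matches.
    """
    for name, rx in COMPILED:
        m = rx.search(line)
        if m:
            groups = m.groupdict()
            return name, groups.get("user"), groups["host"]
    return None


def scan(lines):
    """Classify each line and count hits per host identity (name or address)."""
    per_host = Counter()
    results = []
    for line in lines:
        hit = classify(line)
        results.append(hit)
        if hit is not None:
            per_host[hit[2]] += 1
    return results, per_host


# Constructed sample: the four sshd lines of one attempt from René's log
# fragment, plus a cron line that should match nothing.
SAMPLE = [
    "May 6 15:34:45 LegoSoft sshd[17878]: User root from pd907d0a7.dip0.t-ipconnect.de "
    "not allowed because not listed in AllowUsers",
    "May 6 15:34:45 LegoSoft sshd[17880]: pam_unix(sshd:auth): authentication failure; "
    "logname= uid=0 euid=0 tty=ssh ruser= rhost=pd907d0a7.dip0.t-ipconnect.de user=root",
    "May 6 15:34:48 LegoSoft sshd[17878]: error: PAM: Authentication failure for "
    "illegal user root from pd907d0a7.dip0.t-ipconnect.de",
    "May 6 15:34:48 LegoSoft sshd[17878]: Failed keyboard-interactive/pam for invalid "
    "user root from 217.7.208.167 port 55907 ssh2",
    "May 6 15:40:01 LegoSoft cron[17905]: (root) CMD (test -x /usr/sbin/run-crons "
    "&& /usr/sbin/run-crons )",
]

if __name__ == "__main__":
    results, per_host = scan(SAMPLE)
    for line, hit in zip(SAMPLE, results):
        print(hit, "<-", line[:70])
    print(dict(per_host))
```

Running it reproduces what both messages describe: the four sshd lines of a single attempt are claimed by FAILED_ENTRY_REGEX7, the pam_unix pattern, FAILED_ENTRY_REGEX4 and FAILED_ENTRY_REGEX respectively, with the third yielding the user string "illegal user root" exactly as in the DEBUG line. It also makes visible that three of those hits are attributed to the DNS name while the fourth (the only line carrying an address) is attributed to the IP, so one attempt is counted under two host identities; when comparing such logs against a deny threshold, that split is worth keeping in mind.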