I'm wanting to add a regex line for catching log entries for proftpd.  I
saw several requests for this functionality, but I didn't see any
solutions so I have tried editing the DenyHosts/regex.py file with the
following changes:

# I added proftpd to SSHD_FORMAT_REGEX
SSHD_FORMAT_REGEX = re.compile(r""".* (sshd.*:|\[sshd\]|proftpd.*:) (?P<message>.*)""")

# then I commented-out the existing regex statement FAILED_ENTRY_REGEX7 and added this in its place
FAILED_ENTRY_REGEX7 = re.compile(r""".*\[(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}).* USER (?P<user>.*?): (?P<invalid>no such user found).*""")

and then I set the FAILED_ENTRY_REGEX_NUM = 7

After reinstalling DenyHosts (with 'python setup.py install'), it runs
without error, but does not appear to find any of the proftpd error
messages.  I am deleting /usr/share/denyhosts/data/offset so that
DenyHosts rescans the log file.  Do I have a typo in my regex, or is
there another problem with what I'm trying to do?  I have DenyHosts
configured to set the deny to ALL, so if I can get this to pick up on
proftpd log entries and successfully find the IP, I think that this
should work, but I'm currently stumped.  Any help would be appreciated.

-Ray


P.S., Here's a snippet of some proftpd messages:

Sep 28 18:22:10 example proftpd[29042]: example.com (60.12.138.17[60.12.138.17]) - USER Administrator: no such user found from 60.12.138.17 [60.12.138.17] to xx.xx.xx.xx:21
Sep 28 18:22:11 example proftpd[29044]: example.com (60.12.138.17[60.12.138.17]) - USER admin: no such user found from 60.12.138.17 [60.12.138.17] to xx.xx.xx.xx:21
Sep 28 18:22:12 example proftpd[29042]: example.com (60.12.138.17[60.12.138.17]) - USER steve: no such user found from 60.12.138.17 [60.12.138.17] to xx.xx.xx.xx:21
Sep 28 18:22:13 example proftpd[29044]: example.com (60.12.138.17[60.12.138.17]) - USER Administrator: no such user found from 60.12.138.17 [60.12.138.17] to xx.xx.xx.xx:21
Sep 28 18:22:14 example proftpd[29042]: example.com (60.12.138.17[60.12.138.17]) - USER steve: no such user found from 60.12.138.17 [60.12.138.17] to xx.xx.xx.xx:21


P.P.S., the reason I'm currently replacing rule number 7 instead of
using slot 8, is that I get an error when I try to use slot 7.  The
regex.py file (in the currently latest version 2.5) had the max rule
number set to 6 even though rule 7 exists.  I don't know what's wrong
with rule 7, but here's the rule:

FAILED_ENTRY_REGEX7 = re.compile(r"""User (?P<user>.*) not allowed because not listed in AllowUsers""")

and here's the error message I get:

# >service denyhosts start
starting DenyHosts:    /usr/bin/env python /usr/bin/denyhosts.py --daemon --config=/usr/share/denyhosts/denyhosts.cfg
Traceback (most recent call last):
  File "/usr/bin/denyhosts.py", line 164, in ?
    first_time, noemail, daemon)
  File "/usr/lib/python2.3/site-packages/DenyHosts/deny_hosts.py", line 60, in __init__
    self.init_regex()
  File "/usr/lib/python2.3/site-packages/DenyHosts/deny_hosts.py", line 500, in init_regex
    FAILED_ENTRY_REGEX_MAP[i])
  File "/usr/lib/python2.3/site-packages/DenyHosts/deny_hosts.py", line 482, in get_regex
    val = self.__prefs.get(name)
  File "/usr/lib/python2.3/site-packages/DenyHosts/prefs.py", line 204, in get
    return self.__data[name]
KeyError: 'FAILED_ENTRY_REGEX7'

DenyHosts exited abnormally
#>
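
Added example (not part of the original post and not DenyHosts code): a stand-alone check of the two posted patterns against the first proftpd line quoted above. It assumes DenyHosts takes the `message` group from SSHD_FORMAT_REGEX and then searches only that text with each FAILED_ENTRY_REGEX; `scan` and `ANCHORED_FORMAT` are hypothetical names introduced here.

```python
import re

# Constructed from the first proftpd line quoted in the post (unwrapped).
LINE = ("Sep 28 18:22:10 example proftpd[29042]: example.com "
        "(60.12.138.17[60.12.138.17]) - USER Administrator: no such user found "
        "from 60.12.138.17 [60.12.138.17] to xx.xx.xx.xx:21")

# Both patterns exactly as posted.
POSTED_FORMAT = re.compile(r""".* (sshd.*:|\[sshd\]|proftpd.*:) (?P<message>.*)""")
POSTED_FAILED = re.compile(
    r""".*\[(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}).* USER """
    r"""(?P<user>.*?): (?P<invalid>no such user found).*""")

# Hypothetical variant: stop the prefix at "proftpd[pid]:" so the greedy
# ".*" cannot run on to the later "USER <name>:" colon.
ANCHORED_FORMAT = re.compile(
    r""".* (sshd.*:|\[sshd\]|proftpd\[\d+\]:) (?P<message>.*)""")


def scan(line, format_rx, failed_rx):
    """Assumed two-stage flow: format_rx.match() selects the message,
    failed_rx.search() runs on that message only.
    Returns (message, host, user); host/user are None when stage 2 misses."""
    fm = format_rx.match(line)
    if fm is None:
        return None, None, None
    message = fm.group("message")
    hit = failed_rx.search(message)
    if hit is None:
        return message, None, None
    return message, hit.group("host"), hit.group("user")


if __name__ == "__main__":
    for name, rx in (("posted", POSTED_FORMAT), ("anchored", ANCHORED_FORMAT)):
        message, host, user = scan(LINE, rx, POSTED_FAILED)
        print(f"{name}: message={message!r} host={host} user={user}")
```

With the posted prefix the captured message starts at "no such user found", so the bracketed address and the USER field are no longer in the text that the failed-entry pattern sees.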





_______________________________________________
Denyhosts-user mailing list
https://lists.sourceforge.net/lists/listinfo/denyhosts-user
