Hi,

Thanks for denyhosts! Sorry for the long post below; please snip the data if you reply.

I'm trying to figure out how to stop an attack like the following (from /var/log/secure.log):

Nov 1 21:56:52 robert-wyatts-emac com.apple.SecurityServer: authinternal failed to authenticate user lists.
Nov 1 21:56:52 robert-wyatts-emac com.apple.SecurityServer: Failed to authorize right system.login.tty by process /usr/sbin/sshd for authorization created by /usr/sbin/sshd.
Nov 1 22:56:26 robert-wyatts-emac com.apple.SecurityServer: authinternal failed to authenticate user barb.
Nov 1 22:56:26 robert-wyatts-emac com.apple.SecurityServer: Failed to authorize right system.login.tty by process /usr/sbin/sshd for authorization created by /usr/sbin/sshd.
.
. [continues]
.
Nov 2 00:00:28 robert-wyatts-emac com.apple.SecurityServer: Failed to authorize right system.login.tty by process /usr/sbin/sshd for authorization created by /usr/sbin/sshd.
Nov 2 00:00:29 robert-wyatts-emac com.apple.SecurityServer: authinternal failed to authenticate user eduardo.
Nov 2 00:00:29 robert-wyatts-emac com.apple.SecurityServer: Failed to authorize right system.login.tty by process /usr/sbin/sshd for authorization created by /usr/sbin/sshd.
** I have the following in my denyhosts-py25 log:

2006-11-01 18:27:21,129 - denyhosts : INFO DenyHosts launched with the following args:
2006-11-01 18:27:21,177 - denyhosts : INFO /sw/bin/denyhosts-py25.py --daemon -c /sw/etc/denyhosts-py25/denyhosts.cfg
2006-11-01 18:27:21,178 - prefs : INFO DenyHosts configuration settings:
2006-11-01 18:27:21,179 - prefs : INFO ADMIN_EMAIL: [None]
2006-11-01 18:27:21,179 - prefs : INFO AGE_RESET_INVALID: [2160000]
2006-11-01 18:27:21,180 - prefs : INFO AGE_RESET_RESTRICTED: [2160000]
2006-11-01 18:27:21,181 - prefs : INFO AGE_RESET_ROOT: [2160000]
2006-11-01 18:27:21,181 - prefs : INFO AGE_RESET_VALID: [2160000]
2006-11-01 18:27:21,182 - prefs : INFO ALLOWED_HOSTS_HOSTNAME_LOOKUP: [no]
2006-11-01 18:27:21,182 - prefs : INFO BLOCK_SERVICE: [ALL]
2006-11-01 18:27:21,183 - prefs : INFO DAEMON_LOG: [/sw/var/log/denyhosts-py25]
2006-11-01 18:27:21,183 - prefs : INFO DAEMON_LOG_MESSAGE_FORMAT: [%(asctime)s - %(name)-12s: %(levelname)-8s %(message)s]
2006-11-01 18:27:21,184 - prefs : INFO DAEMON_LOG_TIME_FORMAT: [None]
2006-11-01 18:27:21,184 - prefs : INFO DAEMON_PURGE: [7200]
2006-11-01 18:27:21,185 - prefs : INFO DAEMON_SLEEP: [30]
2006-11-01 18:27:21,186 - prefs : INFO DENY_THRESHOLD_INVALID: [2]
2006-11-01 18:27:21,187 - prefs : INFO DENY_THRESHOLD_RESTRICTED: [1]
2006-11-01 18:27:21,192 - prefs : INFO DENY_THRESHOLD_ROOT: [1]
2006-11-01 18:27:21,193 - prefs : INFO DENY_THRESHOLD_VALID: [4]
2006-11-01 18:27:21,193 - prefs : INFO FAILED_ENTRY_REGEX: [None]
2006-11-01 18:27:21,194 - prefs : INFO FAILED_ENTRY_REGEX2: [None]
2006-11-01 18:27:21,194 - prefs : INFO FAILED_ENTRY_REGEX3: [None]
2006-11-01 18:27:21,195 - prefs : INFO FAILED_ENTRY_REGEX4: [None]
2006-11-01 18:27:21,195 - prefs : INFO FAILED_ENTRY_REGEX5: [None]
2006-11-01 18:27:21,196 - prefs : INFO FAILED_ENTRY_REGEX6: [None]
2006-11-01 18:27:21,233 - prefs : INFO HOSTNAME_LOOKUP: [YES]
2006-11-01 18:27:21,234 - prefs : INFO HOSTS_DENY: [/etc/hosts.deny]
2006-11-01 18:27:21,235 - prefs : INFO LOCK_FILE: [/sw/var/run/denyhosts-py25.pid]
2006-11-01 18:27:21,235 - prefs : INFO PLUGIN_DENY: [None]
2006-11-01 18:27:21,236 - prefs : INFO PLUGIN_PURGE: [None]
2006-11-01 18:27:21,236 - prefs : INFO PURGE_DENY: [1814400]
2006-11-01 18:27:21,237 - prefs : INFO PURGE_THRESHOLD: [2]
2006-11-01 18:27:21,238 - prefs : INFO RESET_ON_SUCCESS: [yes]
2006-11-01 18:27:21,238 - prefs : INFO SECURE_LOG: [/private/var/log/asl.log]
2006-11-01 18:27:21,239 - prefs : INFO SMTP_DATE_FORMAT: [%a, %d %b %Y %H:%M:%S %z]
2006-11-01 18:27:21,239 - prefs : INFO SMTP_FROM: [DenyHosts <[EMAIL PROTECTED]>]
2006-11-01 18:27:21,240 - prefs : INFO SMTP_HOST: [localhost]
2006-11-01 18:27:21,240 - prefs : INFO SMTP_PASSWORD: [None]
2006-11-01 18:27:21,241 - prefs : INFO SMTP_PORT: [25]
2006-11-01 18:27:21,241 - prefs : INFO SMTP_SUBJECT: [DenyHosts Report]
2006-11-01 18:27:21,242 - prefs : INFO SMTP_USERNAME: [None]
2006-11-01 18:27:21,244 - prefs : INFO SSHD_FORMAT_REGEX: [.* \[Sender sshd\] \[PID \d*\] \[Message .* (?P<message>.*?)\].*?]
2006-11-01 18:27:21,245 - prefs : INFO SUCCESSFUL_ENTRY_REGEX: [None]
2006-11-01 18:27:21,245 - prefs : INFO SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS: [YES]
2006-11-01 18:27:21,246 - prefs : INFO SYNC_DOWNLOAD: [yes]
2006-11-01 18:27:21,247 - prefs : INFO SYNC_DOWNLOAD_RESILIENCY: [3600]
2006-11-01 18:27:21,247 - prefs : INFO SYNC_DOWNLOAD_THRESHOLD: [3]
2006-11-01 18:27:21,248 - prefs : INFO SYNC_INTERVAL: [3600]
2006-11-01 18:27:21,249 - prefs : INFO SYNC_SERVER: [http://xmlrpc.denyhosts.net:9911]
2006-11-01 18:27:21,249 - prefs : INFO SYNC_UPLOAD: [yes]
2006-11-01 18:27:21,250 - prefs : INFO SYSLOG_REPORT: [YES]
2006-11-01 18:27:21,250 - prefs : INFO WORK_DIR: [/sw/share/denyhosts-py25/data]
2006-11-01 18:27:21,345 - denyhosts : INFO restricted: set([])
2006-11-01 18:27:21,848 - denyhosts : INFO Processing log file (/private/var/log/asl.log) from offset (371813)
2006-11-01 18:27:21,897 - denyhosts : INFO launching DenyHosts daemon (version 2.5)...
2006-11-01 18:27:21,928 - denyhosts : INFO DenyHosts daemon is now running, pid: 344
2006-11-01 18:27:21,931 - denyhosts : INFO send daemon process a TERM signal to terminate cleanly
2006-11-01 18:27:21,931 - denyhosts : INFO eg. kill -TERM 344
2006-11-01 18:27:22,074 - denyhosts : INFO monitoring log: /private/var/log/asl.log
2006-11-01 18:27:22,076 - denyhosts : INFO sync_time: 3600
2006-11-01 18:27:22,077 - denyhosts : INFO daemon_purge: 7200
2006-11-01 18:27:22,077 - denyhosts : INFO daemon_sleep: 30
2006-11-01 18:27:22,078 - denyhosts : INFO purge_sleep_ratio: 240
2006-11-01 18:27:22,079 - denyhosts : INFO sync_time: : 3600
2006-11-01 18:27:22,079 - denyhosts : INFO sync_sleep_ratio: 120
2006-11-01 18:32:22,088 - denyhosts : INFO /private/var/log/asl.log has been rotated
2006-11-01 19:27:28,098 - sync : INFO received 23 new hosts
2006-11-01 19:27:28,135 - denyhosts : INFO received new hosts: ['219.235.236.102', '222.126.126.213', '210.205.6.105', '67.90.29.22', '202.79.26.75', '60.191.20.228', '85.186.159.65', '219.146.59.225', '20.137.216.64', '210.222.241.117', '59.124.44.34', '70.140.199.177', '221.5.251.142', '211.182.58.2', '61.50.138.237', '61.50.138.232', '61.50.138.236', '61.50.138.238', '61.50.138.233', '61.50.138.235', '61.50.138.234', '61.152.202.91', '66.111.195.125']

I can see that downloading from the sync server works just fine, but I see no messages that I've ever uploaded a new host. I haven't figured out how to extract the IP address from the secure.log messages above, for one thing, and so I don't know how to get denyhosts to see the problem.
I'm running sshd at debug level, so in /var/log/asl.log I see the following types of things:

[Time 2006.11.02 11:41:44 UTC] [Facility auth] [Sender sshd] [PID 800] [Message refused connect from 59.124.44.34] [Level 4] [UID -2] [GID -2] [Host robert-wyatts-emac]
[Time 2006.11.02 11:59:14 UTC] [Facility auth] [Sender sshd] [PID 802] [Message refused connect from 209.126.173.249] [Level 4] [UID -2] [GID -2] [Host robert-wyatts-emac]
[Time 2006.11.02 12:09:39 UTC] [Facility auth] [Sender sshd] [PID 805] [Message refused connect from 59.124.44.34] [Level 4] [UID -2] [GID -2] [Host robert-wyatts-emac]
[Time 2006.11.02 12:57:13 UTC] [Facility auth] [Sender sshd] [PID 839] [Message refused connect from 209.126.173.249] [Level 4] [UID -2] [GID -2] [Host robert-wyatts-emac]
[Time 2006.11.02 13:27:32 UTC] [Facility auth] [Sender sshd] [PID 852] [Message refused connect from 59.124.44.34] [Level 4] [UID -2] [GID -2] [Host robert-wyatts-emac]
[Time 2006.11.02 13:53:45 UTC] [Facility auth] [Sender sshd] [PID 854] [Message refused connect from 209.126.173.249] [Level 4] [UID -2] [GID -2] [Host robert-wyatts-emac]
[Time 2006.11.02 14:02:11 UTC] [Facility auth] [Sender sshd] [PID 856] [Message refused connect from 59.124.44.34] [Level 4] [UID -2] [GID -2] [Host robert-wyatts-emac]
[Time 2006.11.02 14:49:31 UTC] [Facility auth] [Sender sshd] [PID 862] [Message refused connect from 209.126.173.249] [Level 4] [UID -2] [GID -2] [Host robert-wyatts-emac]
[Time 2006.11.02 15:46:38 UTC] [Facility auth] [Sender sshd] [PID 868] [Message refused connect from 209.126.173.249] [Level 4] [UID -2] [GID -2] [Host robert-wyatts-emac]
[Time 2006.11.02 16:42:03 UTC] [Facility auth] [Sender sshd] [PID 875] [Message refused connect from 209.126.173.249] [Level 4] [UID -2] [GID -2] [Host robert-wyatts-emac]
[Time 2006.11.02 17:37:33 UTC] [Facility auth] [Sender sshd] [PID 881] [Message refused connect from 209.126.173.249] [Level 4] [UID -2] [GID -2] [Host robert-wyatts-emac]
[Time 2006.11.02 18:32:19 UTC] [Facility auth] [Sender sshd] [PID 925] [Message refused connect from 209.126.173.249] [Level 4] [UID -2] [GID -2] [Host robert-wyatts-emac]

The regex I'm using in denyhosts.cfg seems to match the entire line, which I guess is what it needs to match. (Should it match only the IP address?) Even so, these aren't the IPs of the attack at the top of the page; I don't know where to find them....

Thanks for any pointers,
Robert

_______________________________________________
Denyhosts-user mailing list
https://lists.sourceforge.net/lists/listinfo/denyhosts-user
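As an added example (my own code, not code from the post or from DenyHosts), the script below applies the SSHD_FORMAT_REGEX shown in the configuration dump above to the asl.log lines from the post, using Python's re.match() the way DenyHosts applies its format regex to each line, and then searches the captured message for an address. Because the tail of that regex, `\[Message .* (?P<message>.*?)\]`, is greedy up to the last space on the line, the message group on these lines ends up holding the hostname from the [Host ...] field rather than the message text, so nothing after it can find an address. FIXED_FORMAT_REGEX (capture the whole bracketed Message field) and REFUSED_REGEX (a FAILED_ENTRY_REGEX-style pattern for the refusal text) are my assumptions, not settings from the page. The SecurityServer lines from secure.log carry no [Sender sshd] field and no source address at all, so no format regex can recover one from them; the example shows them yielding nothing under either pattern.

```python
import re
from collections import Counter

# The SSHD_FORMAT_REGEX exactly as it appears in the poster's denyhosts.cfg,
# applied with re.match() the way DenyHosts applies it to each log line.
POSTED_FORMAT_REGEX = re.compile(
    r".* \[Sender sshd\] \[PID \d*\] \[Message .* (?P<message>.*?)\].*?"
)

# Hypothetical replacement (my assumption, not taken from the post or from
# DenyHosts): capture the bracketed Message field and nothing after it.
FIXED_FORMAT_REGEX = re.compile(
    r".* \[Sender sshd\] \[PID \d+\] \[Message (?P<message>[^\]]*)\].*"
)

# Hypothetical FAILED_ENTRY_REGEX-style pattern, run against the captured
# message only, for the refusal text shown in the post.
REFUSED_REGEX = re.compile(r"refused connect from (?P<host>\S+)")

# Constructed sample input: three asl.log entries and one secure.log entry
# copied from the post (the secure.log entry is not in ASL format).
SAMPLE_LINES = [
    "[Time 2006.11.02 11:41:44 UTC] [Facility auth] [Sender sshd] [PID 800] "
    "[Message refused connect from 59.124.44.34] [Level 4] [UID -2] [GID -2] "
    "[Host robert-wyatts-emac]",
    "[Time 2006.11.02 11:59:14 UTC] [Facility auth] [Sender sshd] [PID 802] "
    "[Message refused connect from 209.126.173.249] [Level 4] [UID -2] [GID -2] "
    "[Host robert-wyatts-emac]",
    "[Time 2006.11.02 12:09:39 UTC] [Facility auth] [Sender sshd] [PID 805] "
    "[Message refused connect from 59.124.44.34] [Level 4] [UID -2] [GID -2] "
    "[Host robert-wyatts-emac]",
    "Nov 1 21:56:52 robert-wyatts-emac com.apple.SecurityServer: authinternal "
    "failed to authenticate user lists.",
]


def extract_message(line, format_regex):
    """Return the 'message' group the format regex captures, or None."""
    match = format_regex.match(line)
    return match.group("message") if match else None


def refused_hosts(lines, format_regex):
    """Count the addresses named in 'refused connect from' messages.

    Only lines the format regex matches contribute, mirroring how DenyHosts
    discards lines its SSHD_FORMAT_REGEX does not match.
    """
    counts = Counter()
    for line in lines:
        message = extract_message(line, format_regex)
        if message is None:
            continue
        hit = REFUSED_REGEX.search(message)
        if hit:
            counts[hit.group("host")] += 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print("posted regex ->", extract_message(line, POSTED_FORMAT_REGEX))
        print("fixed regex  ->", extract_message(line, FIXED_FORMAT_REGEX))
    print("hosts via posted regex:", dict(refused_hosts(SAMPLE_LINES, POSTED_FORMAT_REGEX)))
    print("hosts via fixed regex: ", dict(refused_hosts(SAMPLE_LINES, FIXED_FORMAT_REGEX)))
```

Running it prints "robert-wyatts-emac" as the message for every asl.log line under the posted regex and "refused connect from ..." under the fixed one, with the secure.log line matching neither. Note what the asl.log lines actually record: "refused connect from" is the message TCP wrappers logs when hosts.deny rejects a connection, and 59.124.44.34 is in the list of hosts received from the sync server above, so those entries show the deny list already working rather than the failed logins in secure.log.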
