Robert T Wyatt wrote:
> Thanks for denyhosts! Sorry for the long post below; please snip the
> data if you reply.
>
> I'm trying to figure out how to stop an attack like the following (from
> /var/log/secure.log):
[snip]

This log is useless for DenyHosts. Only the log from sshd should be used.

> ** I have the following in my denyhosts-py25 log:
[snip]
> 2006-11-01 18:27:21,193 - prefs : INFO FAILED_ENTRY_REGEX:
> [None]

USERDEF_FAILED_ENTRY_REGEX= is empty, but you say below you defined your own regex...

[snip]
> 2006-11-01 18:27:21,238 - prefs : INFO SECURE_LOG:
> [/private/var/log/asl.log]

So this is the sshd log.

[snip]
> 2006-11-01 18:27:21,244 - prefs : INFO SSHD_FORMAT_REGEX:
> [.* \[Sender sshd\] \[PID \d*\] \[Message .* (?P<message>.*?)\].*?]
> 2006-11-01 18:27:21,245 - prefs : INFO
> SUCCESSFUL_ENTRY_REGEX: [None]

This is the regex you defined? Where in the configuration was this defined? Looks bad: one of the most important parts is the literal string used to recognize that it was an invalid/failed attempt, and you have nothing to that effect, something like "Failed password". The second important part is used to extract what user name was used, and again you have nothing.

[snip]
> I can see that downloading from the sync server works just fine, but I
> see no messages that I've ever uploaded a new host. I haven't figured
> out how to extract the ip address from the secure.log messages above for
> one thing and so I don't know how to get denyhosts to see the problem.
> I'm running sshd at debug level so in /var/log/asl.log I see the
> following types of things:
>
> [Time 2006.11.02 11:41:44 UTC] [Facility auth] [Sender sshd] [PID 800]
> [Message refused connect from 59.124.44.34] [Level 4] [UID -2] [GID -2]

That one was already on the list (/etc/hosts.deny). The same for all the other samples.

[snip]
> The regex I'm using in denyhosts.cfg seems to match the entire line
> which I guess is what it needs to match. (Should it match only the IP
> address?)

http://denyhosts.sf.net/faq.html#userdef_regex

> Even so, these aren't the IPs of the attack at the top of the
> page; I don't know where to find them....

Same log, just look at the date and time corresponding to the messages in secure.log; you didn't show a single break attempt from an unlisted host.

Since your log is not in the usual format, you'll need to collect a real example to see what syntax is needed in the regex. You don't need to declare the whole line in the regex, just the part that makes it recognizable (and sshd usually writes 2 lines for each login failure), then put the ?P where the IP is and the second ?P where the user name is (this one is optional, but if you want to use different limits for important user accounts, like root/admin/etc, then it is needed).
--
René Berber

_______________________________________________
Denyhosts-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/denyhosts-user
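The two-stage matching René describes (a format regex that isolates the sshd message, then a failed-entry regex that proves the attempt failed and names the source host and user), shown as an added Python example that is not DenyHosts' own code and not part of the thread. It assumes the named groups `message`, `host` and `user` that the FAQ linked above documents, and the asl.log sample lines are constructed in the layout Robert quoted, with documentation addresses in place of real hosts. Its format regex deliberately captures the whole bracketed message with `[^\]]*`, unlike the `.* (?P<message>.*?)` form in the quoted config, whose greedy `.* ` drags the capture to the last space-separated token on the line instead of the message.

```python
import re

# Constructed sample of asl.log lines in the layout quoted in the thread.
# Addresses are from documentation ranges (RFC 5737), not real attackers.
SAMPLE_LOG = """\
[Time 2006.11.02 11:41:44 UTC] [Facility auth] [Sender sshd] [PID 800] [Message refused connect from 192.0.2.7] [Level 4] [UID -2] [GID -2]
[Time 2006.11.02 11:42:01 UTC] [Facility auth] [Sender sshd] [PID 801] [Message Failed password for invalid user admin from 192.0.2.10 port 4321 ssh2] [Level 4] [UID -2] [GID -2]
[Time 2006.11.02 11:42:03 UTC] [Facility auth] [Sender sshd] [PID 801] [Message Failed password for root from 192.0.2.10 port 4322 ssh2] [Level 4] [UID -2] [GID -2]
[Time 2006.11.02 11:42:05 UTC] [Facility cron] [Sender cron] [PID 55] [Message (root) CMD (/usr/sbin/periodic daily)] [Level 6] [UID 0] [GID 0]
[Time 2006.11.02 11:43:10 UTC] [Facility auth] [Sender sshd] [PID 802] [Message Accepted publickey for alice from 198.51.100.5 port 5000 ssh2] [Level 5] [UID -2] [GID -2]
"""

# Stage 1 (the SSHD_FORMAT_REGEX role): keep only lines written by sshd and
# expose the text inside "[Message ...]" as the named group "message".
# "[^\]]*" takes the whole message up to its closing bracket.
SSHD_FORMAT_REGEX = re.compile(
    r".*\[Sender sshd\] \[PID \d+\] \[Message (?P<message>[^\]]*)\].*"
)

# Dotted-quad source address, exposed as the named group "host".
IP = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Stage 2 (the FAILED_ENTRY_REGEX role): a literal that proves the attempt
# failed ("Failed password"), the user name as group "user", the source as
# group "host".  The invalid-user form is listed first and flagged, so a
# separate, stricter limit can be applied to names that do not exist.
FAILED_ENTRY_REGEXES = [
    (re.compile(r"Failed password for invalid user (?P<user>\S+) from " + IP), True),
    (re.compile(r"Failed password for (?P<user>\S+) from " + IP), False),
]


def parse_failed_attempts(log_text):
    """Return (host, user, invalid_user) for each failed sshd login in log_text.

    "refused connect" lines are not failures: tcp_wrappers writes them for
    hosts already in /etc/hosts.deny, so they are left out of the count.
    """
    attempts = []
    for line in log_text.splitlines():
        fmt = SSHD_FORMAT_REGEX.match(line)
        if not fmt:
            continue                      # not written by sshd: ignore
        message = fmt.group("message")
        for regex, invalid_user in FAILED_ENTRY_REGEXES:
            m = regex.search(message)
            if m:
                attempts.append((m.group("host"), m.group("user"), invalid_user))
                break                     # one classification per line
    return attempts


def tally_by_host(attempts):
    """Count failed attempts per source host; this is what a deny threshold is compared against."""
    counts = {}
    for host, _user, _invalid_user in attempts:
        counts[host] = counts.get(host, 0) + 1
    return counts


if __name__ == "__main__":
    found = parse_failed_attempts(SAMPLE_LOG)
    for host, user, invalid_user in found:
        print(host, user, "invalid user" if invalid_user else "existing user")
    print(tally_by_host(found))
```

On the constructed sample only the two "Failed password" lines count, both from 192.0.2.10; the "refused connect" line, the cron line and the accepted login are all ignored, which is the behaviour wanted when deciding whether a host has crossed a deny threshold.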
