Robert T Wyatt wrote:
[snip]
> 
> http://denyhosts.sourceforge.net/mac_os_10_4.txt

OK, now I see.

>> except that I removed "PAM:"
>>
>> With my modifications, it will match denials of attacks from already 
>> known hosts, such as:
>>
>> [Time 2006.10.30 18:53:09 UTC] [Facility auth] [Sender sshd] [PID 876] 
>> [Message refused connect from 62.254.183.162] [Level 4] [UID -2] [GID 
>> -2] [Host robert-wyatts-emac]
>>
>> As you have noted, these are attacks from already known hosts that are 
>> caught due to my sync downloads.
>>
>>
>> I believe these are the lines we are looking for:
>>
>> [Time 2006.11.02 06:00:28 UTC] [Facility authpriv] [Sender 
>> com.apple.SecurityServer] [PID -1] [Message authinternal failed to 
>> authenticate user eduardo.] [Level 3] [UID -2] [GID -2] [Host 
>> robert-wyatts-emac]
>> [Time 2006.11.02 06:00:28 UTC] [Facility authpriv] [Sender 
>> com.apple.SecurityServer] [PID -1] [Message Failed to authorize right 
>> system.login.tty by process /usr/sbin/sshd for authorization created by 
>> /usr/sbin/sshd.] [Level 5] [UID -2] [GID -2] [Host robert-wyatts-emac]
>>
>>
>> It is the first of these that contains the false user name. I don't know 
>> why I don't get the IP address of the attacking script. I'm working on 
>> the appropriate REGEX to get the user name, but I'm not sure if this can 
>> help until I also get the IP address into the log....
> 
> 
> This regex matches these lines:
> SSHD_FORMAT_REGEX=.* \[Sender com\.apple\.SecurityServer\] \[PID -?\d*\] 
> \[Message .* (?P<message>.*?)\].*?
> 
> But will it help without the IP address?

No.

First priority is the IP; that's the only data that goes into hosts.deny. Forget
about user names for now.

Try to find a log line from an unknown host, it will have the "[Sender sshd]"
part, and only sshd messages are what you want.
-- 
René Berber
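As an added illustration of the approach René describes (example code, not code from this thread or from DenyHosts itself): a Python script that applies a format regex restricted to "[Sender sshd]" lines and then a message-level regex that pulls out the address, which is the only value hosts.deny needs. The SSHD_FORMAT_REGEX is Robert's with the sender changed to sshd; the message-level regexes and the fourth sample line (a constructed OpenSSH-style "Failed password ... from <ip>" message) are assumptions made for the example, not output seen on his machine. The three other sample lines are copied from the thread.

```python
import re

# Sample log in the Mac OS X 10.4 syslog layout quoted in the thread.
# Lines 1-3 are the ones Robert posted; line 4 is CONSTRUCTED for this example
# to show what an sshd-sent failure that does carry an address would look like.
SAMPLE_LOG = """\
[Time 2006.10.30 18:53:09 UTC] [Facility auth] [Sender sshd] [PID 876] [Message refused connect from 62.254.183.162] [Level 4] [UID -2] [GID -2] [Host robert-wyatts-emac]
[Time 2006.11.02 06:00:28 UTC] [Facility authpriv] [Sender com.apple.SecurityServer] [PID -1] [Message authinternal failed to authenticate user eduardo.] [Level 3] [UID -2] [GID -2] [Host robert-wyatts-emac]
[Time 2006.11.02 06:00:28 UTC] [Facility authpriv] [Sender com.apple.SecurityServer] [PID -1] [Message Failed to authorize right system.login.tty by process /usr/sbin/sshd for authorization created by /usr/sbin/sshd.] [Level 5] [UID -2] [GID -2] [Host robert-wyatts-emac]
[Time 2006.11.02 06:00:27 UTC] [Facility auth] [Sender sshd] [PID 901] [Message Failed password for invalid user eduardo from 10.0.0.5 port 2222 ssh2] [Level 3] [UID -2] [GID -2] [Host robert-wyatts-emac]
"""

# Format regex: accept only lines sent by sshd and capture the [Message ...] text.
# SecurityServer lines never match, so their user-name-only messages are ignored.
SSHD_FORMAT_REGEX = re.compile(
    r".* \[Sender sshd\] \[PID -?\d*\] \[Message (?P<message>.*?)\] \[Level"
)

# Message-level regexes (assumed shapes, modelled on OpenSSH wording).
# "host" is the only group that would ever be written to hosts.deny.
FAILED_ENTRY_REGEX = re.compile(
    r"Failed (?P<method>\S+) for (?P<invalid>invalid user )?(?P<user>.*?) from (?P<host>\S+)"
)
# tcp-wrappers refusal: the host is already in hosts.deny, so it is not a new candidate.
REFUSED_REGEX = re.compile(r"refused connect from (?P<host>\S+)")


def parse_line(line):
    """Return (kind, host, user) for an sshd line, or None if sshd did not send it."""
    m = SSHD_FORMAT_REGEX.match(line)
    if not m:
        return None
    message = m.group("message")
    f = FAILED_ENTRY_REGEX.search(message)
    if f:
        return ("failed", f.group("host"), f.group("user"))
    r = REFUSED_REGEX.search(message)
    if r:
        return ("refused", r.group("host"), None)
    return ("other", None, None)


def scan_log(log_text):
    """Count failed logins per address and collect addresses already refused.

    Returns (deny_counts, already_refused): the first is what a DenyHosts-style
    threshold would be applied to; the second is informational only.
    """
    deny_counts = {}
    already_refused = set()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # not from sshd: no address to act on
        kind, host, _user = parsed
        if kind == "failed":
            deny_counts[host] = deny_counts.get(host, 0) + 1
        elif kind == "refused":
            already_refused.add(host)
    return deny_counts, already_refused


if __name__ == "__main__":
    counts, refused = scan_log(SAMPLE_LOG)
    print("candidates for hosts.deny:", counts)
    print("already refused:", sorted(refused))
```

Run against the sample, the two com.apple.SecurityServer lines fall out at the format-regex stage, the refusal is reported separately, and only the constructed sshd failure line yields an address to deny. If the real sshd failure lines on 10.4 use different wording, only FAILED_ENTRY_REGEX needs adjusting; the sender filter stays the same.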


_______________________________________________
Denyhosts-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/denyhosts-user
