René Berber wrote:
> First priority is the IP, that's the only data that goes into hosts.deny,
> forget about user names for now.
> 
> Try to find a log line from an unknown host, it will have the "[Sender sshd]"
> part, and only sshd messages are what you want.

[If you're looking closely at this thread you will notice that I'm using 
two computers, one is an eMac and one is a dual G5; as far as this 
discussion goes, they are configured identically.]

The *only* messages sshd is sending to asl.log (with sshd_config using 
loglevel=verbose) are of this form:

[Time 2006.11.03 00:06:37 UTC] [Facility auth] [Sender sshd] [PID 542] 
[Message refused connect from 210.75.99.251] [Level 4] [UID -2] [GID -2] 
[Host rgrtw-05s-power-mac-g5]

You can see that these do include the IP address, but in all of these 
cases, the IP address is already found in deny.hosts due to sync 
downloading from denyhosts, so these are good, but not good enough.

Meanwhile, the log messages regarding the attacks do not come from 
[Sender sshd], they come from [Sender com.apple.SecurityServer]:

[Time 2006.11.02 06:00:28 UTC] [Facility authpriv] [Sender
com.apple.SecurityServer] [PID -1] [Message authinternal failed to
authenticate user eduardo.] [Level 3] [UID -2] [GID -2] [Host
robert-wyatts-emac]

As you can see, these log messages do not contain the IP address of the 
offending host. The way I see it, I can either work on getting sshd to 
send log messages regarding the attacks or can try to get the 
SecurityServer to send the IP address.

René had indicated that I want the former, that sshd ought to be 
reporting this activity. Great, but how do I convince it to do this? 
Thanks for any pointers and thanks to René for helping.

--Robert
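
An added example, not part of the original message and not DenyHosts code: a Python parser for the bracketed asl.log fields that shows which of the two lines quoted above yields an address usable for hosts.deny. The function names are hypothetical, and the sample input is the two quoted lines rejoined onto single lines.

```python
import ipaddress
import re

# Each ASL field has the form "[Key value...]"; the value runs to the closing bracket.
FIELD_RE = re.compile(r"\[(\w+) ([^\]]*)\]")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# The two log lines quoted in the message, each rejoined onto one line.
SAMPLE_LOG = """\
[Time 2006.11.03 00:06:37 UTC] [Facility auth] [Sender sshd] [PID 542] [Message refused connect from 210.75.99.251] [Level 4] [UID -2] [GID -2] [Host rgrtw-05s-power-mac-g5]
[Time 2006.11.02 06:00:28 UTC] [Facility authpriv] [Sender com.apple.SecurityServer] [PID -1] [Message authinternal failed to authenticate user eduardo.] [Level 3] [UID -2] [GID -2] [Host robert-wyatts-emac]
"""

def parse_asl_line(line):
    """Return the bracketed fields of one asl.log line as a dict."""
    return {key: value.strip() for key, value in FIELD_RE.findall(line)}

def source_ip(record):
    """Return the first valid IPv4 address in the Message field, or None."""
    for candidate in IPV4_RE.findall(record.get("Message", "")):
        try:
            return str(ipaddress.IPv4Address(candidate))
        except ipaddress.AddressValueError:
            continue  # looked like an address but is not one (e.g. 999.1.1.1)
    return None

def triage(log_text):
    """Split records into (sender, ip) pairs that could feed hosts.deny and
    (sender, message) pairs whose message carries no address at all."""
    usable, no_address = [], []
    for line in log_text.splitlines():
        record = parse_asl_line(line)
        if not record:
            continue  # blank or unparseable line
        ip = source_ip(record)
        if ip:
            usable.append((record.get("Sender"), ip))
        else:
            no_address.append((record.get("Sender"), record.get("Message")))
    return usable, no_address

if __name__ == "__main__":
    usable, no_address = triage(SAMPLE_LOG)
    print("usable for hosts.deny:", usable)
    print("no source address:", no_address)
```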