Robert T Wyatt wrote:
[snip]
>> - I would use a shorter and simpler regex:
>> Authentication failure for illegal user ?P from ?P
>>
>> but perhaps that one would match bad telnet/rlogin/and local login failures,
>> you may need:
>> .*Sender sshd.*Authentication failure for illegal user ?P from ?P
>
>
> I don't have a problem with matching bad logins from other services. Is
> there a good reason not to match bad logins from telnet, for instance?

With the current DenyHosts it will not work because it adds entries like
"sshd: 82.194.71.85" to hosts.deny, it is specific for sshd (unlike fail2ban
which adds "ALL: 82.194.71.85" -- that one stops all access). But that could
be easily changed in DenyHosts.

> I'm thinking:
>
> Authentication failure for illegal user (\w+) from ([0-9\.]+)
>
> This should store the username and IP by my reading. I'm concerned that
> I missed something fundamental because I don't know the purpose of ?P in
> denyhosts. Are these special? Is it something generic that I should
> already know? Perhaps the internal processing done by denyhosts comes
> into play here?

The notation is Python's regex, in particular module re:
http://rgruet.free.fr/PQR2.3.html#reModule
--
René Berber
_______________________________________________
Denyhosts-user mailing list
https://lists.sourceforge.net/lists/listinfo/denyhosts-user
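
Added example, not part of the original message and not DenyHosts code: it shows what the `(?P<name>...)` notation from Python's `re` module does, how the shorter pattern also matches non-sshd failures, and why an "sshd:"-scoped hosts.deny entry does not cover them. The group names `user` and `host`, the log line format and the addresses are assumptions constructed for illustration, since the named groups in the quoted patterns did not survive on this page.

```python
import re

# Group names "user" and "host" are assumptions (hypothetical for this example).
SHORT = re.compile(
    r"Authentication failure for illegal user (?P<user>\S+) from (?P<host>\S+)")
SSHD_ONLY = re.compile(
    r".*Sender sshd.*Authentication failure for illegal user "
    r"(?P<user>\S+) from (?P<host>\S+)")
# The positional variant proposed in the thread: groups have numbers, not names.
POSITIONAL = re.compile(
    r"Authentication failure for illegal user (\w+) from ([0-9\.]+)")

# Constructed sample log lines (format and addresses are made up).
SAMPLE_LOG = [
    "[Sender sshd] [PID 411] Authentication failure for illegal user admin from 192.0.2.10",
    "[Sender telnetd] [PID 502] Authentication failure for illegal user guest from 198.51.100.7",
    "[Sender sshd] [PID 412] Accepted password for rene from 192.0.2.20",
]

def failures(pattern, lines):
    """Return (user, host) for each matching line, reading groups by name."""
    found = []
    for line in lines:
        m = pattern.search(line)
        if m:
            found.append((m.group("user"), m.group("host")))
    return found

def deny_entries(pattern, lines, service="sshd"):
    """Format hosts.deny lines; service='ALL' covers every wrapped service."""
    hosts = sorted({host for _, host in failures(pattern, lines)})
    return [f"{service}: {host}" for host in hosts]

def has_named_groups(pattern, names=("user", "host")):
    """True if the compiled pattern exposes the given group names."""
    return all(name in pattern.groupindex for name in names)

if __name__ == "__main__":
    # The short pattern also picks up the telnetd failure ...
    print(failures(SHORT, SAMPLE_LOG))
    # ... but an sshd-scoped entry for that host leaves telnet reachable.
    print(deny_entries(SHORT, SAMPLE_LOG, service="sshd"))
    print(deny_entries(SSHD_ONLY, SAMPLE_LOG, service="sshd"))
    # The positional pattern matches the same text but has no named groups.
    print(POSITIONAL.search(SAMPLE_LOG[0]).groups(), has_named_groups(POSITIONAL))
```

Code that looks values up by group name, as `failures()` does here, raises an error when handed the positional pattern even though that pattern matches the same text.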