Ray Collett <[EMAIL PROTECTED]> writes:

> 
> I'm wanting to add a regex line for catching log entries for proftpd.  I
> saw several requests for this functionality, but I didn't see any
> solutions so I have tried editing the DenyHosts/regex.py file with the
> following changes:
> 
> # I added proftpd to SSHD_FORMAT_REGEX
> SSHD_FORMAT_REGEX = re.compile(r""".* (sshd.*:|\[sshd\]|proftpd.*:) (?P<message>.*)""")
> 
> # then I commented-out the existing regex statement FAILED_ENTRY_REGEX7
> and added this in its place
> FAILED_ENTRY_REGEX7 = re.compile(r""".*\[(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}).* USER (?P<user>.*?): (?P<invalid>no such user found).*""")
> 
> and then I set the FAILED_ENTRY_REGEX_NUM = 7
> 
> After reinstalling DenyHosts (with 'python setup.py install'), it runs
> without error, but does not appear to find any of the proftpd error
> messages.  I am deleting /usr/share/denyhosts/data/offset so that
> DenyHosts rescans the log file.  Do I have a typo in my regex, or is
> there another problem with what I'm trying to do?  I have DenyHosts
> configured to set the deny to ALL, so if I can get this to pick up on
> proftpd log entries and successfully find the IP, I think that this
> should work, but I'm currently stumped.  Any help would be appreciated.
> 
> -Ray
> 
> P.S., Here's a snippet of some proftpd messages:
> 
> Sep 28 18:22:10 example proftpd[29042]: example.com (60.12.138.17[60.12.138.17]) - USER Administrator: no such user found from 60.12.138.17 [60.12.138.17] to xx.xx.xx.xx:21
> Sep 28 18:22:11 example proftpd[29044]: example.com (60.12.138.17[60.12.138.17]) - USER admin: no such user found from 60.12.138.17 [60.12.138.17] to xx.xx.xx.xx:21
> Sep 28 18:22:12 example proftpd[29042]: example.com (60.12.138.17[60.12.138.17]) - USER steve: no such user found from 60.12.138.17 [60.12.138.17] to xx.xx.xx.xx:21
> Sep 28 18:22:13 example proftpd[29044]: example.com (60.12.138.17[60.12.138.17]) - USER Administrator: no such user found from 60.12.138.17 [60.12.138.17] to xx.xx.xx.xx:21
> Sep 28 18:22:14 example proftpd[29042]: example.com (60.12.138.17[60.12.138.17]) - USER steve: no such user found from 60.12.138.17 [60.12.138.17] to xx.xx.xx.xx:21
> 
> P.P.S., the reason I'm currently replacing rule number 7 instead of
> using slot 8, is that I get an error when I try to use slot 7.  The
> regex.py file (in the currently latest version 2.5) had the max rule
> number set to 6 even though rule 7 exists.  I don't know what's wrong
> with rule 7, but here's the rule:
> 
> FAILED_ENTRY_REGEX7 = re.compile(r"""User (?P<user>.*) not allowed because not listed in AllowUsers""")
> 
> and here's the error message I get:
> 
> # >service denyhosts start
> starting DenyHosts:    /usr/bin/env python /usr/bin/denyhosts.py
> --daemon --config=/usr/share/denyhosts/denyhosts.cfg
> Traceback (most recent call last):
>   File "/usr/bin/denyhosts.py", line 164, in ?
>     first_time, noemail, daemon)
>   File "/usr/lib/python2.3/site-packages/DenyHosts/deny_hosts.py", line
> 60, in __init__
>     self.init_regex()
>   File "/usr/lib/python2.3/site-packages/DenyHosts/deny_hosts.py", line
> 500, in init_regex
>     FAILED_ENTRY_REGEX_MAP[i])
>   File "/usr/lib/python2.3/site-packages/DenyHosts/deny_hosts.py", line
> 482, in get_regex
>     val = self.__prefs.get(name)
>   File "/usr/lib/python2.3/site-packages/DenyHosts/prefs.py", line 204,
> in get
>     return self.__data[name]
> KeyError: 'FAILED_ENTRY_REGEX7'
> 
> DenyHosts exited abnormally
> #>
> 

Hi Ray,

You were on the right track, but you don't need to go to all that trouble. 
Just add the following line to denyhosts.cfg to add a custom pattern for ftp or 
anything else you want to flag and refuse after X attempts--if your logs 
resemble the example below.

USERDEF_FAILED_ENTRY_REGEX=re.compile(r""".*proftpd.*no such user found from (?P<host>.*) .*:21""")

Example from log:
#Dec  7 20:39:58 myserver proftpd[9323]: myserver.com (127.0.0.1[127.0.0.1]) - USER Administrator: no such user found from 127.0.0.1 [127.0.0.1] to 123.456.67.89:21

The pattern I wrote above only cares about finding "proftpd", "no such user 
found from", port 21 and the host. The problem with coming up with one solution 
is that various servers save their log files differently and there are 
hundreds of possibilities.  Your log files may look different from mine, but 
all you have to do is find the pattern and match it.  DenyHosts lets you add as 
many custom patterns as you want.

I needed to do this for the same reason you do--tens of thousands of dictionary 
names from hackers over ftp every night.

Good luck!

Mark
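
As an added example (not code from this thread and not DenyHosts' own code), the
following Python runs both approaches from the thread over constructed proftpd
lines: Ray's two-stage edit (his SSHD_FORMAT_REGEX with "proftpd.*:" added, then
his replacement FAILED_ENTRY_REGEX7 on the message group), Mark's one-line
USERDEF pattern with its host group exactly as posted, and a tightened pattern
that takes the bracketed address after "from", validates it as a dotted quad and
counts failures per address against a threshold. The sample log, the 10.0.0.5
server address, the assumption that DenyHosts hands only the message group to the
FAILED_ENTRY_REGEX* patterns (which is what Ray's edit presupposes), and the
assumption that the bracketed field after "from" is the peer's literal address
are all assumptions made for this example; the threshold is a stand-in for
DenyHosts' own threshold settings, not a copy of them.

```python
import re
from collections import Counter

# Constructed sample log in the proftpd syslog shape quoted in the thread.
# Addresses, hostnames and PIDs are made up; 10.0.0.5 stands in for xx.xx.xx.xx.
SAMPLE_LOG = """\
Sep 28 18:22:10 example proftpd[29042]: example.com (60.12.138.17[60.12.138.17]) - USER Administrator: no such user found from 60.12.138.17 [60.12.138.17] to 10.0.0.5:21
Sep 28 18:22:11 example proftpd[29044]: example.com (60.12.138.17[60.12.138.17]) - USER admin: no such user found from 60.12.138.17 [60.12.138.17] to 10.0.0.5:21
Sep 28 18:22:12 example proftpd[29042]: example.com (60.12.138.17[60.12.138.17]) - USER steve: no such user found from 60.12.138.17 [60.12.138.17] to 10.0.0.5:21
Sep 28 18:22:20 example proftpd[29050]: example.com (192.0.2.9[192.0.2.9]) - USER bob: no such user found from 192.0.2.9 [192.0.2.9] to 10.0.0.5:21
Sep 28 18:22:25 example proftpd[29051]: example.com (192.0.2.9[192.0.2.9]) - USER alice: Login successful.
Sep 28 18:22:30 example sshd[1200]: Failed password for invalid user test from 198.51.100.7 port 4022 ssh2
"""
SAMPLE_LINES = SAMPLE_LOG.splitlines()

# Stage 1 of Ray's edit: SSHD_FORMAT_REGEX with "proftpd.*:" added.
RAY_FORMAT_REGEX = re.compile(r""".* (sshd.*:|\[sshd\]|proftpd.*:) (?P<message>.*)""")
# Stage 2 of Ray's edit: his replacement FAILED_ENTRY_REGEX7, run on the message.
RAY_FAILED_REGEX = re.compile(
    r""".*\[(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}).* USER (?P<user>.*?): (?P<invalid>no such user found).*"""
)

# Mark's one-line pattern with the host group exactly as posted (greedy ".*").
GREEDY_PATTERN = re.compile(r""".*proftpd.*no such user found from (?P<host>.*) .*:21""")

# Tightened variant: capture the bracketed address after "from" (assumed here to
# be the literal peer address; the field before it is whatever reverse lookup
# produced) and anchor on the ":21" at end of line.
STRICT_PATTERN = re.compile(
    r"""proftpd\[\d+\]: .*? - USER (?P<user>[^:]+): no such user found """
    r"""from \S+ \[(?P<host>[^\]]+)\] to \S+:21$"""
)


def split_message(line):
    """Apply Ray's SSHD_FORMAT_REGEX and return its 'message' group, or None."""
    m = RAY_FORMAT_REGEX.match(line)
    return m.group("message") if m else None


def ray_host(line):
    """Ray's two-stage pipeline. The greedy 'proftpd.*:' swallows everything up
    to the last ': ' on the line, so the message starts at 'no such user found'
    and no longer contains ' USER '; stage 2 therefore never matches."""
    message = split_message(line)
    if message is None:
        return None
    m = RAY_FAILED_REGEX.match(message)
    return m.group("host") if m else None


def extract_host(pattern, line):
    """Return the named 'host' group of the first match of pattern in line."""
    m = pattern.search(line)
    return m.group("host") if m else None


def valid_ipv4(s):
    """True for a dotted quad with four octets in 0..255. Three-digit runs alone
    would also accept 999.1.1.1, and a greedy group can hand back a whole phrase."""
    parts = s.split(".")
    return len(parts) == 4 and all(p.isdigit() and 0 <= int(p) <= 255 for p in parts)


def count_failed_logins(log_text, pattern=STRICT_PATTERN):
    """Count 'no such user found' events per source address, dropping any
    capture that is not a well-formed IPv4 address."""
    counts = Counter()
    for line in log_text.splitlines():
        host = extract_host(pattern, line)
        if host is not None and valid_ipv4(host):
            counts[host] += 1
    return dict(counts)


def hosts_to_deny(log_text, threshold, pattern=STRICT_PATTERN):
    """Addresses with at least `threshold` failures: the set a DenyHosts-style
    tool would add to hosts.deny (simplified stand-in for its thresholds)."""
    counts = count_failed_logins(log_text, pattern)
    return sorted(h for h, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    first = SAMPLE_LINES[0]
    print("Ray's message group:", split_message(first))
    print("Ray's host:         ", ray_host(first))
    print("greedy host:        ", repr(extract_host(GREEDY_PATTERN, first)))
    print("strict host:        ", extract_host(STRICT_PATTERN, first))
    print("failures per host:  ", count_failed_logins(SAMPLE_LOG))
    print("deny at 3 attempts: ", hosts_to_deny(SAMPLE_LOG, 3))
```

Run stand-alone it prints what each stage captures. The point to take from it: with the
greedy group, the host comes back as "60.12.138.17 [60.12.138.17] to", which is not an
address and would never be written to a deny list, so any custom pattern is worth
checking against a real line in an interpreter before it goes into denyhosts.cfg.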




_______________________________________________
Denyhosts-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/denyhosts-user
