Consider the following example of an email message I received from
DenyHosts:
-
Added the following hosts to /etc/hosts.deny:
203.193.37.189 (unknown)
-
Is there currently a mechanism to have the specific failed login data from
/var/log/secure quoted in the mail message?
For instance:
Sep 25 11:06:40 _sanitized_ sshd[9631]: Illegal user aiji from 203.193.37.189
Sep 25 11:06:42 _sanitized_ sshd[9631]: Failed password for illegal user aiji from 203.193.37.189 port 58840 ssh2
Sep 25 11:06:42 _sanitized_ sshd[9631]: Received disconnect from 203.193.37.189: 11: Bye Bye
Sep 25 11:06:44 _sanitized_ sshd[9636]: Illegal user aito from 203.193.37.189
Sep 25 11:06:46 _sanitized_ sshd[9636]: Failed password for illegal user aito from 203.193.37.189 port 59327 ssh2
Sep 25 11:06:47 _sanitized_ sshd[9636]: Received disconnect from 203.193.37.189: 11: Bye Bye
When you have hundreds of systems with DenyHosts going on them, it would be
nice to remove the follow-up operation of "sudo grep <IP> /var/log/secure" on
each affected system.
I try to be an appropriately-paranoid analyst, but I can't think of any
*security* reasons to not quote the above sort of text in the message that
DenyHosts sends out for a given IP address. Am I missing something?
And yes, I *could* hack this into the script myself, but I really don't like
modifying stock distributions of things, especially not across hundreds of
systems. It makes for really ugly change-management.
I hope this hasn't come up in the past and I'm asking about it like an idiot,
but I did search for this sort of thing in the mail archive and peeked at the
code and couldn't see anything apropos.
Lastly - thanks very much indeed to Phil and others for this tool - it has
saved our necks on several occasions!
Cheers,
Dave
--
Dave Ingram
Systems Security Analyst
Wolfram Research
217-398-0700 x3316
_______________________________________________
Denyhosts-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/denyhosts-user
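
An added example, not part of the original message and not DenyHosts code: a sketch of the log-quoting step the message asks for, building the report text for one blocked IP. The function names are hypothetical and the sample log is constructed in the format quoted above; it matches the IP as a whole token, keeps only sshd lines, and replaces non-printable bytes because the usernames in these lines are chosen by the remote client.

```python
import re

# Constructed sample log (hostname "host1" is a placeholder).
SAMPLE_LOG = """\
Sep 25 11:06:40 host1 sshd[9631]: Illegal user aiji from 203.193.37.189
Sep 25 11:06:42 host1 sshd[9631]: Failed password for illegal user aiji from 203.193.37.189 port 58840 ssh2
Sep 25 11:06:42 host1 sshd[9631]: Received disconnect from 203.193.37.189: 11: Bye Bye
Sep 25 11:06:43 host1 sshd[9700]: Illegal user bob from 203.193.37.18
Sep 25 11:06:44 host1 crond[812]: note about 203.193.37.189
Sep 25 11:06:44 host1 sshd[9636]: Illegal user ai\x1b[2Jto from 203.193.37.189
"""

# Syslog prefix followed by the sshd tag; other daemons are ignored.
SSHD_LINE = re.compile(r"^\w{3}\s+\d+ [\d:]{8} \S+ sshd\[\d+\]: ")


def evidence_for(ip, log_text, max_lines=20, max_len=200):
    """Return (sshd lines mentioning ip, count of lines left out by the cap)."""
    # Whole-token match so 203.193.37.18 does not match 203.193.37.189.
    ip_token = re.compile(r"(?<![\d.])" + re.escape(ip) + r"(?!\.?\d)")
    hits = []
    for line in log_text.split("\n"):
        if SSHD_LINE.match(line) and ip_token.search(line):
            # Usernames are attacker-chosen: neutralise control/non-ASCII bytes
            # and bound the length before the text goes into a mail body.
            clean = re.sub(r"[^\x20-\x7e]", "?", line)
            hits.append(clean[:max_len])
    omitted = max(0, len(hits) - max_lines)
    return hits[:max_lines], omitted


def report_body(ip, log_text, deny_file="/etc/hosts.deny", max_lines=20):
    """Build the report text: the block notice followed by the quoted lines."""
    lines, omitted = evidence_for(ip, log_text, max_lines=max_lines)
    body = ["Added the following hosts to %s:" % deny_file, ip, "",
            "Matching sshd log lines:"]
    body += ["  " + entry for entry in lines]
    if omitted:
        body.append("  (%d more lines omitted)" % omitted)
    return "\n".join(body)


if __name__ == "__main__":
    print(report_body("203.193.37.189", SAMPLE_LOG))
```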