Robin Atwood wrote:
> DenyHosts is working really well with SSH now, blocking attacks almost
> immediately. But I still have a problem with attacks via proftpd, they don't
> seem to trigger the rule. Using information I got from this list, I have the
> following rules:
>
> SSHD_FORMAT_REGEX=.* (sshd.*:|\[sshd\]|proftpd) (?P<message>.*)
>
> USERDEF_FAILED_ENTRY_REGEX=.*proftpd.* USER (?P<user>.*): no such user found from .* \[(::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\] to .*:21
>
> USERDEF_FAILED_ENTRY_REGEX=Invalid user (?P<user>.*) .*from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
>
> The third rule works fine but the second seems to be ignored. The proftpd logs have records like:
Your second rule is wrong, it shouldn't have the proftpd part.
>
> Apr 12 05:40:55 opal proftpd[7543]: opal.binro.org (60.28.246.175 [60.28.246.175]) - USER Administrator: no such user found from 60.28.246.175 [60.28.246.175] to 192.168.1.2:21
>
> When I insert the rule and the record into kodos, I get a match and <user> and <host> are correctly set. So what am I doing wrong?
The match is a two-step operation: first the SSHD_FORMAT_REGEX has to match and stores the rest of the message; second, the rest of the message (after the space) matches one of the built-in rules or your user rules.
I would make the following changes to your rules:
SSHD_FORMAT_REGEX=.* (sshd.*:|\[sshd\]|proftpd.*:) (?P<message>.*)
USERDEF_FAILED_ENTRY_REGEX=USER (?P<user>.*).* from \[(::ffff:)?(?P<host>\S+)\]
USERDEF_FAILED_ENTRY_REGEX=Invalid user (?P<user>.*).*from (::ffff:)?(?P<host>\S+)
Also, to be complete (and for other people who may be interested in
this), check that BLOCK_SERVICE = ALL is set.
A further improvement, that came up in a question by Sjors Gielen, is
that we may take out the IPv6 optional part and match the whole address
no matter if it is IPv4 or IPv6 (the \S+ matches everything). I haven't
tested this so I can't say if it will work (of course you need IPv6
support on tcp wrappers, which I have).
Another further improvement would be to complement
SUCCESSFUL_ENTRY_REGEX, which currently only works for ssh and does nothing
for our ftp changes. It could be something like this (not tested):
SUCCESSFUL_ENTRY_REGEX=(Accepted (?P<method>.*) for (?P<user>\S+) from (::ffff:)?(?P<host>\S+)|\[(?P<user>\S+)\] OK LOGIN: Client "(?P<host>\S+)")
Actually the second expression is from vsftpd, which is what I'm
currently using.
--
René Berber
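The two-step matching described in the reply is easy to get wrong precisely because a tool like kodos only exercises step 2 against the whole record. The following harness is an added example, not code from the thread or from DenyHosts: it models step 1 (SSHD_FORMAT_REGEX must match the record and yields the <message> group) and step 2 (a rule is applied to that message) with Python's re module, and runs the question's own rules and proftpd record through it. The sshd record, the tightened format regex (proftpd\[\d+\]:, which consumes the "proftpd[pid]:" prefix) and the choice of an anchored match for step 2 are my assumptions; the rule with the ".*proftpd" part dropped is the change the reply recommends.

```python
import re

# Constructed sample records: the proftpd line is the one quoted in the
# question; the sshd line is made up here for contrast.
PROFTPD_LINE = ("Apr 12 05:40:55 opal proftpd[7543]: opal.binro.org (60.28.246.175 "
                "[60.28.246.175]) - USER Administrator: no such user found from "
                "60.28.246.175 [60.28.246.175] to 192.168.1.2:21")
SSHD_LINE = "Apr 12 05:41:10 opal sshd[7600]: Invalid user admin from 10.0.0.5"

IPV4 = r"\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"

# Step 1 as posted in the question: the bare "proftpd" alternative is followed
# by a literal space, so it demands "proftpd " and never matches "proftpd[7543]:".
FORMAT_AS_POSTED = r".* (sshd.*:|\[sshd\]|proftpd) (?P<message>.*)"
# Assumed tightened step 1 (my own, not from the thread): consume the
# "proftpd[pid]:" prefix so the message handed to step 2 begins right after it.
FORMAT_FIXED = r".* (sshd.*:|\[sshd\]|proftpd\[\d+\]:) (?P<message>.*)"

# Step 2 rules: the question's proftpd rule verbatim, the same rule with the
# ".*proftpd" part dropped, and the question's ssh rule (which already works).
RULE_PROFTPD_AS_POSTED = (r".*proftpd.* USER (?P<user>.*): no such user found from .* "
                          r"\[(::ffff:)?(?P<host>" + IPV4 + r")\] to .*:21")
RULE_PROFTPD_FIXED = (r".* USER (?P<user>.*): no such user found from .* "
                      r"\[(::ffff:)?(?P<host>" + IPV4 + r")\] to .*:21")
RULE_SSH_INVALID_USER = r"Invalid user (?P<user>.*) .*from (::ffff:)?(?P<host>" + IPV4 + r")"


def split_message(format_regex, line):
    """Step 1: the format regex must match the record; return its <message>
    group, or None when the record is skipped entirely."""
    m = re.match(format_regex, line)
    return m.group("message") if m else None


def classify(format_regex, rules, line):
    """Run both steps; return (user, host) from the first rule that matches
    the message, or None. Step 2 is modelled as an anchored match on the
    message (an assumption about how DenyHosts applies the rules; a search
    gives the same results for the rules above)."""
    message = split_message(format_regex, line)
    if message is None:
        return None
    for rule in rules:
        m = re.match(rule, message)
        if m:
            return m.group("user"), m.group("host")
    return None


def compare():
    """Contrast the configuration as posted with the corrected one."""
    posted = [RULE_PROFTPD_AS_POSTED, RULE_SSH_INVALID_USER]
    fixed = [RULE_PROFTPD_FIXED, RULE_SSH_INVALID_USER]
    return {
        # What kodos showed: the rule alone, against the whole record, matches.
        "rule_alone_vs_full_record": bool(re.match(RULE_PROFTPD_AS_POSTED, PROFTPD_LINE)),
        # But step 1 as posted never hands the proftpd record to step 2.
        "posted_step1_message": split_message(FORMAT_AS_POSTED, PROFTPD_LINE),
        "posted_proftpd": classify(FORMAT_AS_POSTED, posted, PROFTPD_LINE),
        "posted_sshd": classify(FORMAT_AS_POSTED, posted, SSHD_LINE),
        # With step 1 fixed, the posted rule still fails: "proftpd" is no longer
        # in the message it sees, so the ".*proftpd" part must go.
        "fixed_step1_posted_rule": classify(FORMAT_FIXED, posted, PROFTPD_LINE),
        "fixed_proftpd": classify(FORMAT_FIXED, fixed, PROFTPD_LINE),
        "fixed_sshd": classify(FORMAT_FIXED, fixed, SSHD_LINE),
    }


if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name}: {result!r}")
```

Running it shows the discrepancy from the question directly: the posted rule matches the full record on its own, yet step 1 returns None for that record, and once step 1 does pass the record through, the message no longer contains the word "proftpd", so only the rule without that prefix extracts ("Administrator", "60.28.246.175").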
_______________________________________________
Denyhosts-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/denyhosts-user