On Friday 18 Apr 2008, René Berber wrote:
> Robin Atwood wrote:
> > DenyHosts is working really well with SSH now, blocking attacks almost
> > immediately. But I still have a problem with attacks via proftpd, they
> > don't seem to trigger the rule. Using information I got from this list, I
> > have the following rules:
> >
> > SSHD_FORMAT_REGEX=.* (sshd.*:|\[sshd\]|proftpd) (?P<message>.*)
> >
> > USERDEF_FAILED_ENTRY_REGEX=.*proftpd.* USER (?P<user>.*): no such user
> > found from .* \[(::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\]
> > to .*:21
> >
> > USERDEF_FAILED_ENTRY_REGEX=Invalid user (?P<user>.*) .*from (::ffff:)?
> > (?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
> >
> > The third rule works fine but the second seems to be ignored. The proftpd
> > logs have records like:
>
> Your second rule is wrong; it shouldn't have the proftpd part.
>
> > Apr 12 05:40:55 opal proftpd[7543]: opal.binro.org (60.28.246.175
> > [60.28.246.175]) - USER Administrator: no such user found from
> > 60.28.246.175 [60.28.246.175] to 192.168.1.2:21
> >
> > When I insert the rule and the record into kodos, I get a match and
> > <user> and <host> are correctly set. So what am I doing wrong?
>
> The match is a two-step operation: first the SSHD_FORMAT_REGEX has to
> match and stores the rest of the message; second, the rest of the message
> (after the space) matches one of the built-in rules or your user rules.
>
OK, I understand: by the time the second rule is applied, the proftpd header
has been stripped off. After some experimentation, I ended up with:

SSHD_FORMAT_REGEX=.* (sshd.*:|\[sshd\]|proftpd.* \- )(?P<message>.*)
USERDEF_FAILED_ENTRY_REGEX=USER (?P<user>.*):.*\[(::ffff:)?(?P<host>\S+)\]

which seems to work fine. :)
Thanks very much for the pointers.
-Robin
--
----------------------------------------------------------------------
Robin Atwood.
"Ship me somewheres east of Suez, where the best is like the worst,
Where there ain't no Ten Commandments an' a man can raise a thirst"
from "Mandalay" by Rudyard Kipling
----------------------------------------------------------------------
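To make the two-step matching described in the thread concrete, here is an added Python snippet (not DenyHosts code) that runs the three rule combinations from the mails over the quoted proftpd record. It assumes, since DenyHosts' own matching code is not shown here, that both steps use an anchored `re.match`, and that the wrapped regex lines in the mail are joined back with single spaces.

```python
import re

# The proftpd record quoted in the thread (constructed input: the one sample line on the page).
LOG_LINE = ("Apr 12 05:40:55 opal proftpd[7543]: opal.binro.org (60.28.246.175 "
            "[60.28.246.175]) - USER Administrator: no such user found from "
            "60.28.246.175 [60.28.246.175] to 192.168.1.2:21")

# Robin's first attempt, with the mail's wrapped lines joined back together.
FORMAT_ORIG = r".* (sshd.*:|\[sshd\]|proftpd) (?P<message>.*)"
USERDEF_ORIG = (r".*proftpd.* USER (?P<user>.*): no such user found from .* "
                r"\[(::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\] to .*:21")

# The configuration Robin settled on.
FORMAT_FINAL = r".* (sshd.*:|\[sshd\]|proftpd.* \- )(?P<message>.*)"
USERDEF_FINAL = r"USER (?P<user>.*):.*\[(::ffff:)?(?P<host>\S+)\]"


def extract_failed_login(line, format_regex, userdef_regexes):
    """Two-step match as described in the thread (assumed: anchored re.match).

    Step 1: the format regex must match the log line and capture 'message';
            everything before it (timestamp, host, 'proftpd[pid]:' tag) is gone.
    Step 2: each user rule is tried against the stripped message only, so a
            rule that still expects the word 'proftpd' can never match.
    Returns a dict: failed_at is None on success, else the rejecting step.
    """
    m = re.match(format_regex, line)
    if not m:
        return {"failed_at": 1, "message": None, "user": None, "host": None}
    message = m.group("message")
    for rx in userdef_regexes:
        hit = re.match(rx, message)
        if hit:
            return {"failed_at": None, "message": message,
                    "user": hit.group("user"), "host": hit.group("host")}
    return {"failed_at": 2, "message": message, "user": None, "host": None}


if __name__ == "__main__":
    for label, fmt, rules in [
        ("original format + original rule", FORMAT_ORIG, [USERDEF_ORIG]),
        ("final format + original rule", FORMAT_FINAL, [USERDEF_ORIG]),
        ("final format + final rule", FORMAT_FINAL, [USERDEF_FINAL]),
    ]:
        print(label, "->", extract_failed_login(LOG_LINE, fmt, rules))
```

Note that the first combination is rejected already at step 1: the original format regex expects a space directly after `proftpd`, while the record reads `proftpd[7543]:`, so the user rule was never even consulted.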
_______________________________________________
Denyhosts-user mailing list
https://lists.sourceforge.net/lists/listinfo/denyhosts-user