Just want to be sure: now I got a lot of these records in my log:

May 11 07:49:32 localhost sshd[20746]: error: PAM: Authentication failure for root from 62.97.204.106
May 11 08:00:01 localhost CRON[20781]: (pam_unix) session opened for user root by (uid=0)
May 11 08:00:03 localhost CRON[20781]: (pam_unix) session closed for user root
May 11 08:00:18 localhost sshd[20790]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=88.196.54.98 user=root
May 11 08:00:21 localhost sshd[20790]: error: PAM: Authentication failure for root from 88.196.54.98
May 11 08:09:01 localhost CRON[20819]: (pam_unix) session opened for user root by (uid=0)
May 11 08:09:01 localhost CRON[20819]: (pam_unix) session closed for user root
I have found this http://denyhosts.sourceforge.net/faq.html#2_16 and http://denyhosts.sourceforge.net/pam_auth_err.txt - I use USERDEF_FAILED_ENTRY_REGEX instead of actual FAILED_ENTRY_REGEX, so now I got these lines at the end of my conf:

SSHD_FORMAT_REGEX=.* (sshd.*:|\[sshd\]|dovecot-auth.*:) (?P<message>.*)
USERDEF_FAILED_ENTRY_REGEX=authentication failure.* ruser=(?P<user>\S+) rhost=(?P<host>\S+)
USERDEF_FAILED_ENTRY_REGEX=error: PAM: authentication error for (?P<invalid>invalid user |illegal user )?(?P<user>.*?) from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})

Should it be OK?

Thank you

--
geon
Pavel Kosina
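
A way to check a configuration like the one in the message above against its own log lines before relying on it. This is an added example, not part of the original post and not DenyHosts code. It assumes DenyHosts first applies SSHD_FORMAT_REGEX with match() and then runs each failure pattern with search() on the captured message; the CANDIDATES patterns and the helper names are hypothetical, written only for this check.

```python
import re

# Patterns copied from the configuration quoted in the message.
SSHD_FORMAT_REGEX = re.compile(
    r".* (sshd.*:|\[sshd\]|dovecot-auth.*:) (?P<message>.*)")
POSTED = [
    re.compile(r"authentication failure.* ruser=(?P<user>\S+) rhost=(?P<host>\S+)"),
    re.compile(r"error: PAM: authentication error for "
               r"(?P<invalid>invalid user |illegal user )?(?P<user>.*?) from "
               r"(::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"),
]
# Hypothetical candidates (an assumption of this example, not from DenyHosts).
CANDIDATES = [
    re.compile(r"authentication failure;.* rhost=(?P<host>\S+)\s+user=(?P<user>\S+)"),
    re.compile(r"Authentication failure for (?P<user>\S+) from "
               r"(::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"),
]
# The two sshd[20790] lines taken from the log excerpt in the message.
LOG_LINES = [
    "May 11 08:00:18 localhost sshd[20790]: (pam_unix) authentication failure; "
    "logname= uid=0 euid=0 tty=ssh ruser= rhost=88.196.54.98 user=root",
    "May 11 08:00:21 localhost sshd[20790]: error: PAM: Authentication failure "
    "for root from 88.196.54.98",
]

def extract_message(line):
    """Return the <message> group that the failure patterns get to see."""
    m = SSHD_FORMAT_REGEX.match(line)
    return m.group("message") if m else None

def first_hit(line, patterns):
    """Return (user, host) from the first pattern that matches, else None."""
    message = extract_message(line)
    if message is None:
        return None
    for rx in patterns:
        m = rx.search(message)
        if m:
            return m.group("user"), m.group("host")
    return None

if __name__ == "__main__":
    for line in LOG_LINES:
        print("message  :", repr(extract_message(line)))
        print("posted   :", first_hit(line, POSTED))
        print("candidate:", first_hit(line, CANDIDATES))
```

Two things show up when this runs: the greedy `sshd.*:` consumes the "error: PAM:" prefix, so the message seen by the failure patterns starts at "Authentication failure", and the empty `ruser=` field leaves nothing for `\S+` to capture.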
