Pavel Kosina wrote:
> Just want to be sure: now I got a lot of these records in my log:
>
> May 11 07:49:32 localhost sshd[20746]: error: PAM: Authentication failure for root from 62.97.204.106
> May 11 08:00:01 localhost CRON[20781]: (pam_unix) session opened for user root by (uid=0)
> May 11 08:00:03 localhost CRON[20781]: (pam_unix) session closed for user root
> May 11 08:00:18 localhost sshd[20790]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=88.196.54.98 user=root
> May 11 08:00:21 localhost sshd[20790]: error: PAM: Authentication failure for root from 88.196.54.98
> May 11 08:09:01 localhost CRON[20819]: (pam_unix) session opened for user root by (uid=0)
> May 11 08:09:01 localhost CRON[20819]: (pam_unix) session closed for user root
>
> I have found this http://denyhosts.sourceforge.net/faq.html#2_16 and
> http://denyhosts.sourceforge.net/pam_auth_err.txt - I use
> USERDEF_FAILED_ENTRY_REGEX instead of actual FAILED_ENTRY_REGEX, so now
> I got these lines at the end of my conf:
>
> SSHD_FORMAT_REGEX=.* (sshd.*:|\[sshd\]|dovecot-auth.*:) (?P<message>.*)
> USERDEF_FAILED_ENTRY_REGEX=authentication failure.* ruser=(?P<user>\S+) rhost=(?P<host>\S+)
> USERDEF_FAILED_ENTRY_REGEX=error: PAM: authentication error for (?P<invalid>invalid user |illegal user )?(?P<user>.*?) from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
>
> Should it be OK?
No, your first USERDEF_FAILED_ENTRY_REGEX wouldn't match what you show in the log: the ruser is empty and you check for a non-empty string. There are at least 2 simple options:

1) Add another regex with the empty ruser, "... ruser= rhost=(?P<host>\S+)"
2) Change \S+ to \S* in that place.

The second expression has at least one error, the options inside the invalid part should be enclosed between parentheses: (?P<invalid>(invalid user |illegal user )) as you can see in regex.py: FAILED_ENTRY_REGEX2 which looks like a subset of yours, the result is that both will hit.

--
René Berber

_______________________________________________
Denyhosts-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/denyhosts-user
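As an added example, not taken from either message above or from the DenyHosts project, the following Python script runs the quoted SSHD_FORMAT_REGEX and both USERDEF_FAILED_ENTRY_REGEX patterns over the log lines from the original post, then runs a corrected pair of patterns over the same lines. It assumes the processing order DenyHosts is usually described as using (format regex matched against the whole line, failure regexes searched in the extracted message); the helper names `extract_failures` and `failures_per_host` are this example's own. Besides the two points raised in the reply (`\S+` versus `\S*` for the empty ruser, and the grouping inside `<invalid>`), it exposes two further things that are visible in the quoted lines: the posted second pattern says "authentication error for" while the log says "Authentication failure for", and the greedy `sshd.*:` in the format regex swallows the "error: PAM:" prefix into the daemon part, so a failure pattern that begins with "error: PAM:" never sees it in the message.

```python
import re
from collections import Counter

# The log lines quoted in the original post (two CRON lines kept to show they are ignored).
LOG_LINES = [
    "May 11 07:49:32 localhost sshd[20746]: error: PAM: Authentication failure for root from 62.97.204.106",
    "May 11 08:00:01 localhost CRON[20781]: (pam_unix) session opened for user root by (uid=0)",
    "May 11 08:00:18 localhost sshd[20790]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=88.196.54.98 user=root",
    "May 11 08:00:21 localhost sshd[20790]: error: PAM: Authentication failure for root from 88.196.54.98",
    "May 11 08:09:01 localhost CRON[20819]: (pam_unix) session opened for user root by (uid=0)",
]

# SSHD_FORMAT_REGEX exactly as posted. Note that "sshd.*:" is greedy: for the PAM lines it
# consumes "sshd[20746]: error: PAM:" and <message> starts at "Authentication failure ...".
SSHD_FORMAT_REGEX = re.compile(r".* (sshd.*:|\[sshd\]|dovecot-auth.*:) (?P<message>.*)")

# The two USERDEF_FAILED_ENTRY_REGEX values exactly as posted.
POSTED_PATTERNS = [
    r"authentication failure.* ruser=(?P<user>\S+) rhost=(?P<host>\S+)",
    r"error: PAM: authentication error for (?P<invalid>invalid user |illegal user )?"
    r"(?P<user>.*?) from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})",
]

# Corrected patterns (this example's own):
#  - option 2 from the reply: \S* so that an empty ruser= still matches;
#  - the alternation inside <invalid> wrapped in its own group;
#  - the wording changed to "Authentication failure for", which is what the log says, and the
#    "error: PAM: " prefix dropped because the format regex has already consumed it.
FIXED_PATTERNS = [
    r"authentication failure.* ruser=(?P<user>\S*) rhost=(?P<host>\S+)",
    r"Authentication failure for (?P<invalid>(invalid user |illegal user ))?"
    r"(?P<user>.*?) from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})",
]


def extract_message(line):
    """Apply the format regex to one line; return the <message> part or None."""
    m = SSHD_FORMAT_REGEX.match(line)
    return m.group("message") if m else None


def extract_failures(lines, patterns):
    """Return a list of (host, user) for every line whose message matches a failure pattern.

    The first matching pattern wins for a line, so a line is counted once even when
    two patterns overlap (the "both will hit" situation mentioned in the reply).
    """
    compiled = [re.compile(p) for p in patterns]
    hits = []
    for line in lines:
        message = extract_message(line)
        if message is None:          # not an sshd/dovecot-auth line, e.g. the CRON entries
            continue
        for pat in compiled:
            f = pat.search(message)
            if f:
                hits.append((f.group("host"), f.group("user")))
                break
    return hits


def failures_per_host(lines, patterns):
    """Count failed attempts per remote host; this is the number a deny threshold is compared to."""
    return dict(Counter(host for host, _user in extract_failures(lines, patterns)))


if __name__ == "__main__":
    print("message of first line:", extract_message(LOG_LINES[0]))
    print("posted patterns:", extract_failures(LOG_LINES, POSTED_PATTERNS))
    print("fixed patterns: ", extract_failures(LOG_LINES, FIXED_PATTERNS))
    print("per host:       ", failures_per_host(LOG_LINES, FIXED_PATTERNS))
```

With the patterns as posted, none of the three sshd failure lines is recognised, so the hosts never reach a deny threshold; with the corrected patterns each failure is attributed to its source host, and the pam_unix line yields an empty user because ruser is empty in that record.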
