SSHD_FORMAT_REGEX hardcodes "auth.error" (incorrectly-- the dot needs to
be escaped as such "\.") and most of those messages contain "auth.info" so
they will not match. If you want both:
SSHD_FORMAT_REGEX=.* (sshd\[.*\]: \[ID \d* auth\.(info|error)\]) (?P<message>.*)
Also, add a ".*" (or similar) at the end of USERDEF_FAILED_ENTRY_REGEX to
match the "port" and beyond (that DH doesn't care about).
Finally...
FAILED_ENTRY_REGEX=error: PAM: Authentication failed for (?P<invalid>invalid user |illegal user )?(?P<user>.*?) from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
That should get you up and running.
Regards,
Phil
On Tue, 1 Jul 2008, Whose Root wrote:
> Hi,
> Can someone help me with some regex configuration problems?
> I am using DenyHosts2.6 on Solaris 10 and it is not updating my
> /etc/hosts.deny file.
> I am receiving updates though, but with a recent rash of
> attacks/botnet/script kiddies, I would like to get this pattern matching
> corrected.
>
> My USERDEF_FAILED_ENTRY_REGEX is:
>
> SSHD_FORMAT_REGEX=.* (sshd\[.*\]: \[ID \d* auth.error\]) (?P<message>.*)
> FAILED_ENTRY_REGEX=error: PAM: authentication error for (?P<invalid>invalid user |illegal user )?(?P<user>.*?) from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
> USERDEF_FAILED_ENTRY_REGEX=Failed password for invalid (?P<invalid>invalid user |illegal user )?(?P<user>.*?) from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
>
>
> Here are some examples from /var/log/syslog-ng/messages that I would like to
> pattern match:
> Jun 1 00:00:00 SERVER1 sshd[6898]: [ID 800047 auth.info] Failed password for invalid user USER_ID from IP_ADDRESS port XXXXX ssh2
>
> Jun 11 16:29:07 SERVER1 sshd[27344]: [ID 800047 auth.info] Failed password for root from IP_ADDRESS port XXXXX ssh2
>
> Jun 30 23:49:57 SERVER1 sshd[296]: [ID 800047 auth.info] Failed keyboard-interactive/pam for invalid user USER_ID from IP_ADDRESS port XXXXXX ssh2
>
> Jun 30 23:50:03 SERVER2 sshd[29517]: [ID 800047 auth.error] error: PAM: Authentication failed for USER_ID from IP_ADDRESS
>
>
> Denyhosts logs are not reporting any errors during startup and I am not
> having any daemon-hang issues.
> What am I doing wrong with my pattern matching?
>
> Thank you,
> Mike Collins
>
--
Regards,
Phil Schwartz
- http://www.phil-schwartz.com
Open Source Projects:
- DenyHosts: http://www.denyhosts.net
- Kodos: http://kodos.sourceforge.net
- ReleaseForge: http://releaseforge.sourceforge.net
- Scratchy: http://scratchy.sourceforge.net
- FAQtor: http://faqtor.sourceforge.net
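As an added illustration (not part of this thread and not DenyHosts' own code), the script below runs the two-stage match DenyHosts performs, SSHD_FORMAT_REGEX on the whole syslog line first, then the failed-entry regexes on the captured message, over constructed lines modelled on Mike's four samples (user names, addresses and ports are made up). It compares the original "auth.error" format regex with Phil's corrected one and uses Phil's FAILED_ENTRY_REGEX as given. For USERDEF_FAILED_ENTRY_REGEX it goes beyond the thread in two respects that are my own assumptions: the extra "invalid" before the optional group is dropped, and "keyboard-interactive/pam" is accepted alongside "password", so all four sample lines can be matched; the trailing ".*" follows Phil's advice. Python's re.match stands in for the DenyHosts matching code, which is not imported here.

```python
import re

# Constructed sample lines modelled on the Solaris 10 syslog-ng entries quoted
# in the thread. User names, IP addresses and ports are placeholders I made up.
SAMPLE_LINES = [
    "Jun 1 00:00:00 SERVER1 sshd[6898]: [ID 800047 auth.info] Failed password "
    "for invalid user alice from 192.0.2.10 port 40001 ssh2",
    "Jun 11 16:29:07 SERVER1 sshd[27344]: [ID 800047 auth.info] Failed password "
    "for root from 192.0.2.11 port 40002 ssh2",
    "Jun 30 23:49:57 SERVER1 sshd[296]: [ID 800047 auth.info] Failed "
    "keyboard-interactive/pam for invalid user bob from 192.0.2.12 port 40003 ssh2",
    "Jun 30 23:50:03 SERVER2 sshd[29517]: [ID 800047 auth.error] error: PAM: "
    "Authentication failed for carol from 192.0.2.13",
]

# Format regex as posted in the question: unescaped dot, auth.error only.
SSHD_FORMAT_ORIGINAL = r".* (sshd\[.*\]: \[ID \d* auth.error\]) (?P<message>.*)"
# Phil's corrected version: escaped dot, accepts auth.info and auth.error.
SSHD_FORMAT_FIXED = r".* (sshd\[.*\]: \[ID \d* auth\.(info|error)\]) (?P<message>.*)"

# Shared host capture used by both failed-entry regexes in the thread.
HOST = r"(::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"

# Phil's FAILED_ENTRY_REGEX for the PAM "Authentication failed" message.
FAILED_ENTRY = (
    r"error: PAM: Authentication failed for "
    r"(?P<invalid>invalid user |illegal user )?(?P<user>.*?) from " + HOST
)

# USERDEF_FAILED_ENTRY_REGEX for the "Failed password" lines. Assumptions of
# mine, not from the thread: the stray "invalid" before the optional group is
# dropped (it would reject the "root" line) and keyboard-interactive/pam is
# accepted too. The trailing ".*" consumes "port NNN ssh2" as Phil suggests.
USERDEF_FAILED_ENTRY = (
    r"Failed (?:password|keyboard-interactive/pam) for "
    r"(?P<invalid>invalid user |illegal user )?(?P<user>.*?) from " + HOST + r".*"
)


def split_message(line, fmt_regex):
    """Stage 1: apply SSHD_FORMAT_REGEX and return the <message> group, or None."""
    m = re.match(fmt_regex, line)
    return m.group("message") if m else None


def extract_failed_login(message):
    """Stage 2: try the failed-entry regexes on a message; return (user, host) or None."""
    for pattern in (FAILED_ENTRY, USERDEF_FAILED_ENTRY):
        m = re.match(pattern, message)
        if m:
            return m.group("user"), m.group("host")
    return None


def process(lines, fmt_regex):
    """Return the (user, host) pairs for every line that passes both stages."""
    hits = []
    for line in lines:
        message = split_message(line, fmt_regex)
        if message is None:
            continue
        hit = extract_failed_login(message)
        if hit:
            hits.append(hit)
    return hits


if __name__ == "__main__":
    # With the original format regex only the auth.error line survives stage 1.
    print("original:", process(SAMPLE_LINES, SSHD_FORMAT_ORIGINAL))
    # With the corrected one all four sample lines yield a user/host pair.
    print("fixed:   ", process(SAMPLE_LINES, SSHD_FORMAT_FIXED))
```

Running it shows the effect Phil describes: the original pattern passes only the single auth.error line to the failed-entry stage, while the corrected format regex lets the three auth.info lines through as well, after which the user and host groups are populated for each.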
Denyhosts-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/denyhosts-user