Everything works fine ... The problem was generated by the following entries:

----------[notify_isp.rb]-------------
#misc
TIME_LOCALE = 'GMT+1'
EMAIL_LOG_FILE = '/var/log/notify_isp.log'
--------------------------------------

The file doesn't exist and wasn't generated by notify_isp.rb. A friendly "touch /var/log/notify_isp.log" fixed the problem ... *smile

----------[notify_isp.rb]-------------
#LOG_FILE = SSHD's log file
LOG_FILE = '/var/log/sshd/*'
--------------------------------------

This was a wrong path ... I changed it to ...

----------[notify_isp.rb]-------------
#LOG_FILE = SSHD's log file
LOG_FILE = '/var/log/auth.log'
--------------------------------------

... and everything works fine ...

I tested the script from the command line like you told me ... "./notify_isp.rb 83.13.106.66" and got no error in stdout. Checking the manually created logfile (/var/log/notify_isp.log) shows me the following entry:

----------[/var/log/notify_isp.log]-------------
Report generated for 83.13.106.66 and sent to [EMAIL PROTECTED] on Wed Jul 23 12:25:31 +0200 2008
Report generated for 83.13.106.66 and sent to [EMAIL PROTECTED] on Wed Jul 23 12:25:31 +0200 2008
Report generated for 83.13.106.66 and sent to [EMAIL PROTECTED] on Wed Jul 23 12:25:31 +0200 2008
--------------------------------------

Just a few minutes after that, I received the following automatic reply from the abuse address:

----------[Email]-----------------
---(English version)---

Thank you for contacting the TP CERT.

This is an automatic reply to confirm that your message has been received by TP CERT. Your report has been registered as number (string): [TP CERT #2008072310028365]. Please include this string in the subject line of any future correspondence concerning this case.

NOTE: If your incident report doesn't include all the information necessary to handle it, such as: intruder's IP address, date and time of incident, time zone (with respect to GMT or UTC ±), evidence (logs of intrusion, e-mail full headers, etc), then your report can not be processed.
Find more information at http://www.tp.pl/cert/.

Best Regards,
-------------------------------

And so I could be pleased that everything is in the green ... *evilgrin

Thanks a lot and sorry for asking before checking the circumstances (*shame on me)

Greetz ...

Stefan

Nazar Aziz wrote:
> Hi Stefan.
>
> Hmm.. this is strange... I was expecting the denyhost log to contain
> any error messages generated by the plugin.
>
> Could you do me a favour please and pass a few of these IP addresses to
> the script manually. If your script is in
> /etc/denyhosts/notify_isp.rb:
>
> /etc/denyhosts/notify_isp.rb reported.ip.address.or.host
>
> and observe any generated returned error messages. Also check the
> /var/log/notify_isp.log for any messages.
>
> Cheers.
>
> 2008/7/23 SWK <[EMAIL PROTECTED]>:
>> Hi,....
>>
>> my /var/log/denyhosts - logfile gives me the following lines:
>>
>> ...
>> 2008-07-23 09:19:49,088 - plugin : INFO plugin returned 256
>> 2008-07-23 09:19:49,860 - plugin : INFO plugin returned 256
>> 2008-07-23 09:19:49,955 - plugin : INFO plugin returned 256
>> 2008-07-23 09:19:50,442 - plugin : INFO plugin returned 256
>> 2008-07-23 09:19:51,161 - plugin : INFO plugin returned 256
>> 2008-07-23 09:19:51,448 - plugin : INFO plugin returned 256
>> 2008-07-23 09:19:52,423 - plugin : INFO plugin returned 256
>> 2008-07-23 09:19:52,904 - plugin : INFO plugin returned 256
>> 2008-07-23 09:19:53,107 - plugin : INFO plugin returned 256
>> 2008-07-23 09:19:53,871 - plugin : INFO plugin returned 256
>> 2008-07-23 09:19:54,655 - plugin : INFO plugin returned 256
>> 2008-07-23 09:19:56,344 - plugin : INFO plugin returned 256
>> 2008-07-23 09:19:56,457 - plugin : INFO plugin returned 256
>> 2008-07-23 09:19:57,211 - plugin : INFO plugin returned 256
>> 2008-07-23 09:19:57,317 - plugin : INFO plugin returned 256
>> 2008-07-23 09:20:03,244 - plugin : INFO plugin returned 256
>> 2008-07-23 09:20:03,904 - plugin : INFO plugin returned 256
>> 2008-07-23 09:20:04,108 - plugin : INFO plugin returned 256
>> ...
>>
>> What does this mean?
>>
>> Greetz ...
>>
>> Stefan
>>
>>
>> Nazar Aziz wrote:
>>> Hi List.
>>>
>>> Just wanted to drop a quick email to say that I've developed a
>>> DenyHosts plugin that will notify the attacker's ISP with an excerpt
>>> from your sshd log file. I've been running this script for the last
>>> two days and I've had half a dozen positive replies from system admins
>>> who've subsequently disconnected offending servers.
>>>
>>> Download it here: http://github.com/nazar/report-hack-isp/tree/master
>>>
>>> Instructions: http://github.com/nazar/report-hack-isp/wikis
>>>
>>> Why I did this:
>>>
>>> http://panthersoftware.com/articles/view/5/automatically-report-all-ssh-brute-force-attacks-to-isps
>>>
>>> Cheers.
>>>
>>> Nazar
>>>
>>> -------------------------------------------------------------------------
>>> This SF.Net email is sponsored by the Moblin Your Move Developer's
>>> challenge
>>> Build the coolest Linux based applications with Moblin SDK & win great
>>> prizes
>>> Grand prize is a trip for two to an Open Source event anywhere in the
>>> world
>>> http://moblin-contest.org/redirect.php?banner_id=100&url=/
>>> _______________________________________________
>>> Denyhosts-user mailing list
>>> [email protected]
>>> https://lists.sourceforge.net/lists/listinfo/denyhosts-user
>>>
>>
>
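
Added example (not part of the original e-mails and not code from notify_isp.rb): a Ruby preflight check for the two settings that caused the failure in this thread, plus a decoder for the logged value 256. It assumes the number DenyHosts logs is the raw POSIX wait status of the plugin process; `decode_wait_status`, `preflight` and `demo` are hypothetical names, and the demo uses a constructed temporary directory in place of /var/log.

```ruby
require 'tmpdir'
require 'fileutils'

# Decode a POSIX wait status such as the 256 in "plugin returned 256".
# Assumption: the logged number is the raw status of a system()-style call,
# where the low 7 bits hold a terminating signal and bits 8-15 the exit code.
def decode_wait_status(status)
  signal = status & 0x7f
  return { exited: false, signal: signal } unless signal.zero?
  { exited: true, exit_code: (status >> 8) & 0xff }
end

# Return a list of problems with the configured paths (empty list = OK).
# log_glob       : value of LOG_FILE (may contain wildcards)
# email_log_file : value of EMAIL_LOG_FILE
def preflight(log_glob, email_log_file)
  problems = []
  matches = Dir.glob(log_glob).select { |p| File.file?(p) }
  if matches.empty?
    problems << "LOG_FILE #{log_glob}: no file matches"
  else
    unreadable = matches.reject { |p| File.readable?(p) }
    problems << "LOG_FILE: not readable: #{unreadable.join(', ')}" unless unreadable.empty?
  end
  # Per the thread, the report log is not created by the script itself.
  if !File.exist?(email_log_file)
    problems << "EMAIL_LOG_FILE #{email_log_file}: missing (create it, e.g. with touch)"
  elsif !File.writable?(email_log_file)
    problems << "EMAIL_LOG_FILE #{email_log_file}: not writable"
  end
  problems
end

# Constructed demo: the broken settings from the thread, then the fixed ones.
def demo
  Dir.mktmpdir do |dir|
    FileUtils.touch(File.join(dir, 'auth.log'))
    report_log = File.join(dir, 'notify_isp.log')
    before = preflight(File.join(dir, 'sshd', '*'), report_log)
    FileUtils.touch(report_log)
    after = preflight(File.join(dir, 'auth.log'), report_log)
    [before, after]
  end
end

if __FILE__ == $PROGRAM_NAME
  before, after = demo
  puts decode_wait_status(256).inspect
  puts before
  puts "after fix: #{after.length} problems"
end
```

Run the check as the same user DenyHosts runs under, since readability of the sshd log and writability of the report log depend on that account.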
