Maybe saint's problem is the same as mine a few days ago: /var/log/sshd/* is not the correct path to the file.
In Debian it has to be changed to: /var/log/auth.log

It has to be the same path as specified in the log section of the denyhosts.conf:

########################################################################
#
# SECURE_LOG: the log file that contains sshd logging info
# if you are not sure, grep "sshd:" /var/log/*
#
# The file to process can be overridden with the --file command line
# argument
#
# Redhat or Fedora Core:
#SECURE_LOG = /var/log/secure
#
# Mandrake, FreeBSD or OpenBSD:
#SECURE_LOG = /var/log/auth.log
#
# SuSE:
#SECURE_LOG = /var/log/messages
#
# Mac OS X (v10.4 or greater -
# also refer to: http://www.denyhosts.net/faq.html#macos
#SECURE_LOG = /private/var/log/asl.log
#
# Mac OS X (v10.3 or earlier):
#SECURE_LOG=/private/var/log/system.log
#
# Debian:
SECURE_LOG = /var/log/auth.log   <--- that's my sshd-related logfile
########################################################################

If both paths are identical ... then notify_isp.rb is doing its work perfectly.

Greetz ....

Stefan

Nazar Aziz wrote:
> Hi there.
>
>> [EMAIL PROTECTED]:/usr/share/denyhosts> ./notify_isp.rb 61.7.255.30
>> /bin/cat: /var/log/sshd/*: No such file or directory
>> ./notify_isp.rb:129: No evidence found for IP 61.7.255.30. Aborting
>> (RuntimeError)
>
>> /bin/cat: /var/log/sshd/*: No such file or directory
>
> Can you check that your sshd log files are in /var/log/sshd (as set in
> the LOG_FILE constant) as it appears that cat is not able to find that
> directory.
>
> Cheers.
>
> 2008/7/25 S A I N T - 4 2 <[EMAIL PROTECTED]>:
>> Looks like it's not working here.
>> I installed Ruby.
>> I copied the script in /usr/share/denyhosts/
>> I configured the PLUGIN_DENY= to /usr/share/denyhosts/name_of_script.rb
>> and restarted denyhosts.
>>
>> That's it, right?
>> Any way to make tests?
>>
>> Jul 22 08:34:37 tyesun sshd[18962]: refused connect from ::ffff:61.7.255.30
>> (::ffff:61.7.255.30)
>>
>> [EMAIL PROTECTED]:/usr/share/denyhosts> ./notify_isp.rb 61.7.255.30
>> /bin/cat: /var/log/sshd/*: No such file or directory
>> ./notify_isp.rb:129: No evidence found for IP 61.7.255.30. Aborting
>> (RuntimeError)
>>
>> I changed the LOG_FILE to /var/log/secure, and it is now working (a small
>> readme should come with the file in order to explain this).
>>
>> Now, when I run the command, I got this:
>> [EMAIL PROTECTED]:/usr/share/denyhosts> ./notify_isp.rb 61.7.255.30
>> ./notify_isp.rb:134: Host 61.7.255.30 has already been reported. Not
>> reporting again. (RuntimeError)
>>
>> SWK wrote:
>>> Hi Nazar,...
>>>
>>> nice script,... i plugged it in and now i'm still waiting for the first
>>> nerd to trap in ...*g
>>>
>>> Is it possible to add a "CC"-Variable in the message to have a copy of the
>>> sent email?
>>>
>>> Regards ...
>>>
>>> Stefan
>>>
>>> Nazar Aziz wrote:
>>>> Hi List.
>>>>
>>>> Just wanted to drop a quick email to say that I've developed a
>>>> DenyHosts plugin that will notify the attacker's ISP with an excerpt
>>>> from your sshd log file. I've been running this script for the last
>>>> two days and I've had half a dozen positive replies from system admins
>>>> who've subsequently disconnected offending servers.
>>>>
>>>> Download it here: http://github.com/nazar/report-hack-isp/tree/master
>>>>
>>>> Instructions: http://github.com/nazar/report-hack-isp/wikis
>>>>
>>>> Why I did this:
>>>>
>>>> http://panthersoftware.com/articles/view/5/automatically-report-all-ssh-brute-force-attacks-to-isps
>>>>
>>>> Cheers.
>>>>
>>>> Nazar
>>>>
>>>> -------------------------------------------------------------------------
>>>> This SF.Net email is sponsored by the Moblin Your Move Developer's
>>>> challenge
>>>> Build the coolest Linux based applications with Moblin SDK & win great
>>>> prizes
>>>> Grand prize is a trip for two to an Open Source event anywhere in the
>>>> world
>>>> http://moblin-contest.org/redirect.php?banner_id=100&url=/
>>>> _______________________________________________
>>>> Denyhosts-user mailing list
>>>> [email protected]
>>>> https://lists.sourceforge.net/lists/listinfo/denyhosts-user
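
Added example (not part of the original thread, and not code from notify_isp.rb or DenyHosts): a Ruby check for the two failure points discussed above, namely a script log path that differs from the active SECURE_LOG setting, and whether the log holds sshd evidence for an IP, including the ::ffff: mapped form seen in the quoted log line. The function names and the sample config and log data are constructed for illustration.

```ruby
# Added example; function names are hypothetical, not from notify_isp.rb.

# Constructed denyhosts.conf excerpt in the shape quoted in the thread.
SAMPLE_CONF = <<~CONF
  # Redhat or Fedora Core:
  #SECURE_LOG = /var/log/secure
  #
  # Debian:
  SECURE_LOG = /var/log/auth.log
CONF

# Constructed log lines; only the first is taken from the thread.
SAMPLE_LOG = [
  "Jul 22 08:34:37 tyesun sshd[18962]: refused connect from ::ffff:61.7.255.30 (::ffff:61.7.255.30)",
  "Jul 22 08:35:02 tyesun sshd[18970]: refused connect from ::ffff:161.7.255.30 (::ffff:161.7.255.30)",
  "Jul 22 08:36:11 tyesun cron[2001]: session opened for 61.7.255.30",
  "Jul 22 08:37:45 tyesun sshd[18981]: Failed password for root from 61.7.255.3 port 4022 ssh2"
].freeze

# Path from the uncommented SECURE_LOG line, or nil if there is none.
# Assumption: if several are active, the last one wins.
def active_secure_log(conf_text)
  path = nil
  conf_text.each_line do |line|
    m = line.match(/\A\s*SECURE_LOG\s*=\s*(\S+)/)
    path = m[1] if m
  end
  path
end

# sshd lines mentioning exactly this IPv4 address, bare or IPv4-mapped.
# The lookarounds stop 61.7.255.30 from matching inside 161.7.255.30.
def evidence_for(ip, log_lines)
  pattern = /(?<![\d.])#{Regexp.escape(ip)}(?!\d|\.\d)/
  log_lines.select { |l| l =~ /\bsshd\[\d+\]:/ && l =~ pattern }
end

# nil when the script's log path equals the DenyHosts setting,
# otherwise a short description of the mismatch.
def log_path_problem(script_log_file, conf_text)
  expected = active_secure_log(conf_text)
  return "no active SECURE_LOG in config" if expected.nil?
  return nil if script_log_file == expected
  "script reads #{script_log_file}, DenyHosts reads #{expected}"
end
```
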
