Hello Troy, I need to fix the FAQ but it's mentioned there. Here is the corrected entry:
----------------------------------------------------------------------
Can I supply additional regular expressions to DenyHosts?

Yes. New in v1.1.5, DenyHosts adds the ability for the user to specify additional regular expressions that can be used to locate possible break-in attempts. The USERDEF_FAILED_ENTRY_REGEX can be specified repeatedly. Each value must contain a single regular expression that includes a host regular expression group and optionally a user group. It is assumed that the end user is familiar with regular expressions in order to take advantage of this feature.

Examples:

    USERDEF_FAILED_ENTRY_REGEX=break in attempt for (?P<user>.*) from (?P<host>.*)
    USERDEF_FAILED_ENTRY_REGEX=break in attempt from (?P<host>.*)

If multiple USERDEF_FAILED_ENTRY_REGEX are supplied they are evaluated in the order that they appear in the configuration file. Additionally, this parameter is evaluated after the built-in regular expressions (i.e. FAILED_ENTRY_REGEX, FAILED_ENTRY_REGEX2, ...).
----------------------------------------------------------------------

Basically, you need to group the "host" (i.e. IP address) in with the Python group name syntax:

    (?P<host>A.B.C.D)

where A.B.C.D is the IP address or more likely the regex that represents the IP address (such as ".*", etc.).

Regards,
Phil

On Tue, 2 Sep 2008, Troy Telford wrote:

> Aug 24 19:53:02 foo sshd[30344]: warning: /etc/hosts.deny, line 7113:
> can't verify hostname: getaddrinfo(89-119-11-58-static.albacom.net,
> AF_INET) failed
> Aug 24 19:53:04 foo sshd[30344]: reverse mapping checking getaddrinfo
> for 89-119-11-58-static.albacom.net [89.119.11.58] failed - POSSIBLE
> BREAK-IN ATTEMPT!
> Aug 24 19:53:04 pilot sshd[30345]: Received disconnect from
> 89.119.11.58: 11: Bye Bye
>
> I've been getting connections like this for quite a while now - I'll
> typically see this during the middle of the night, and can get one of
> these per second for up to a half hour.
>
> Eventually, I'll get user login attempts from the offending IP address,
> which will fail - after that, the host will be added to hosts.deny
>
> I know that denyhosts has the USERDEF_FAILED_ENTRY_REGEX option in the
> config file, but the examples in the FAQ aren't telling me what my regex
> needs to return in order to be flagged by denyhosts - is the regex
> supposed to return the offending IP address, or what?
>
> -------------------------------------------------------------------------
> This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
> Build the coolest Linux based applications with Moblin SDK & win great prizes
> Grand prize is a trip for two to an Open Source event anywhere in the world
> http://moblin-contest.org/redirect.php?banner_id=100&url=/
> _______________________________________________
> Denyhosts-user mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/denyhosts-user
>

--
Regards,
Phil Schwartz
- http://www.phil-schwartz.com

Open Source Projects:
- DenyHosts: http://www.denyhosts.net
- Kodos: http://kodos.sourceforge.net
- ReleaseForge: http://releaseforge.sourceforge.net
- Scratchy: http://scratchy.sourceforge.net
- FAQtor: http://faqtor.sourceforge.net
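Added example (not part of the original message and not DenyHosts code): a small Python check that a candidate USERDEF_FAILED_ENTRY_REGEX value carries the required host group and captures only the IP address from the sshd lines quoted above. The CANDIDATE and LOOSE patterns, the helper names, and the use of re.search() on each whole log line are assumptions of this example.

```python
import ipaddress
import re

# Constructed sample input: the sshd lines quoted in the message above.
SAMPLE_LOG = """\
Aug 24 19:53:02 foo sshd[30344]: warning: /etc/hosts.deny, line 7113: can't verify hostname: getaddrinfo(89-119-11-58-static.albacom.net, AF_INET) failed
Aug 24 19:53:04 foo sshd[30344]: reverse mapping checking getaddrinfo for 89-119-11-58-static.albacom.net [89.119.11.58] failed - POSSIBLE BREAK-IN ATTEMPT!
Aug 24 19:53:04 pilot sshd[30345]: Received disconnect from 89.119.11.58: 11: Bye Bye
"""

# Hypothetical value for USERDEF_FAILED_ENTRY_REGEX, written for this example.
# The host group is anchored on the bracketed address that sshd writes itself,
# not on the reverse-DNS name, which is supplied by the remote side's DNS.
CANDIDATE = (r"reverse mapping checking getaddrinfo for \S+ "
             r"\[(?P<host>\d{1,3}(?:\.\d{1,3}){3})\] failed - POSSIBLE BREAK-IN ATTEMPT!")

# Loose pattern in the style of the FAQ examples, kept for comparison.
LOOSE = r"getaddrinfo for (?P<host>.*)"


def check_regex(pattern, log_text):
    """Return (host, user) for every log line the pattern flags.

    Raises ValueError if the pattern lacks the required 'host' group.
    Assumption: the pattern is applied with re.search() to each line.
    """
    rx = re.compile(pattern)
    if "host" not in rx.groupindex:
        raise ValueError("pattern needs a (?P<host>...) group")
    hits = []
    for line in log_text.splitlines():
        m = rx.search(line)
        if m:
            user = m.group("user") if "user" in rx.groupindex else None
            hits.append((m.group("host"), user))
    return hits


def is_ip(text):
    """True when the captured host is a literal IP address."""
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for name, pat in (("candidate", CANDIDATE), ("loose", LOOSE)):
        for host, user in check_regex(pat, SAMPLE_LOG):
            print(f"{name}: host={host!r} user={user!r} ip={is_ip(host)}")
```

The loose pattern also flags the line, but its greedy host group swallows the hostname and the rest of the message, so the captured value is not an address that could be written to hosts.deny.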
