Hi,

I'm using a Mac with OS X 10.5.5, and recently installed DenyHosts; however,
I'm not sure if it's working properly.  I've received lots of attempts to
log in to the SSH server from different IP addresses, in some cases even
hundreds from the same IP address.  I'm launching DenyHosts via
daemon_control and it starts right up with no errors.  Below is a clip from
/var/log/denyhosts. So everything seems to be working properly; however, there
are times when my logfile turns over from failed login attempts from the
same IP address, and when I grep for that IP address in /etc/hosts.deny it's
not found.  The DENY_THRESHOLD_INVALID is set to 3.  So I'm not sure if it's
working at all.  I did add the correct Mac OS X-related string to
denyhosts.cfg at the bottom (the one on the FAQ page produced errors).


So my question is: is there a way to test whether DenyHosts is working
properly, or working at all, on my system?  Just for the fun of it, since the
threshold for failed login attempts is set to 3, I tried to log in from
another server 30-40 times unsuccessfully with non-existent usernames to see
if that would block my IP address, and it hasn't. Tried root as well and no
luck.  I'm thinking it's probably not reading secure.log correctly.   Any
help would be appreciated.

Thanks in advance.

--------------------------------------------------------
This is how the log looks, just me trying to see if it's going to block my IP:
--------------------------------
Oct 16 16:50:27 localhost sshd[4003]: Failed keyboard-interactive/pam for
invalid user bula from 69.36.164.127 port 46628 ssh2
Oct 16 16:50:30 localhost sshd[4007]: Invalid user bula from 69.36.164.127
Oct 16 16:50:30 localhost sshd[4007]: Failed none for invalid user bula from
69.36.164.127 port 46647 ssh2
Oct 16 16:50:30 localhost com.apple.SecurityServer[24]: getpwnam() failed
for user bula, creating invalid credential
Oct 16 16:50:30: --- last message repeated 1 time ---
Oct 16 16:50:30 localhost com.apple.SecurityServer[24]: Failed to authorize
right system.login.tty by client /usr/sbin/sshd for authorization created by
/usr/sbin/sshd.
Oct 16 16:50:30 localhost sshd[4007]: error: PAM: Authentication failure for
illegal user bula from aplusteam.com
Oct 16 16:50:30 localhost sshd[4007]: Failed keyboard-interactive/pam for
invalid user bula from 69.36.164.127 port 46647 ssh2
Oct 16 16:50:30 localhost com.apple.SecurityServer[24]: getpwnam() failed
for user bula, creating invalid credential
Oct 16 16:50:30: --- last message repeated 1 time ---
Oct 16 16:50:30 localhost com.apple.SecurityServer[24]: Failed to authorize
right system.login.tty by client /usr/sbin/sshd for authorization created by
/usr/sbin/sshd.
Oct 16 16:50:30 localhost sshd[4007]: error: PAM: Authentication failure for
illegal user bula from aplusteam.com
Oct 16 16:50:30 localhost sshd[4007]: Failed keyboard-interactive/pam for
invalid user bula from 69.36.164.127 port 46647 ssh2
Oct 16 16:50:32 localhost sshd[4011]: Invalid user bula from 69.36.164.127
Oct 16 16:50:32 localhost sshd[4011]: Failed none for invalid user bula from
69.36.164.127 port 46654 ssh2
Oct 16 16:50:32 localhost com.apple.SecurityServer[24]: getpwnam() failed
for user bula, creating invalid credential
Oct 16 16:50:32: --- last message repeated 1 time ---
Oct 16 16:50:32 localhost com.apple.SecurityServer[24]: Failed to authorize
right system.login.tty by client /usr/sbin/sshd for authorization created by
/usr/sbin/sshd.
Oct 16 16:50:32 localhost sshd[4011]: error: PAM: Authentication failure for
illegal user bula from aplusteam.com
Oct 16 16:50:32 localhost sshd[4011]: Failed keyboard-interactive/pam for
invalid user bula from 69.36.164.127 port 46654 ssh2
Oct 16 16:50:32 localhost com.apple.SecurityServer[24]: getpwnam() failed
for user bula, creating invalid credential
Oct 16 16:50:32: --- last message repeated 1 time ---
Oct 16 16:50:32 localhost com.apple.SecurityServer[24]: Failed to authorize
right system.login.tty by client /usr/sbin/sshd for authorization created by
/usr/sbin/sshd.
Oct 16 16:50:32 localhost sshd[4011]: error: PAM: Authentication failure for
illegal user bula from aplusteam.com
Oct 16 16:50:32 localhost sshd[4011]: Failed keyboard-interactive/pam for
invalid user bula from 69.36.164.127 port 46654 ssh2
Oct 16 16:50:47 localhost com.apple.SecurityServer[24]: checkpw() succeeded,
creating credential for user luketrif
Oct 16 16:50:47 localhost com.apple.SecurityServer[24]: checkpw() succeeded,
creating shared credential for user luketrif
Oct 16 16:50:47 localhost com.apple.SecurityServer[24]: Succeeded
authorizing right system.login.tty by client /usr/sbin/sshd for
authorization created by /usr/sbin/sshd.
Oct 16 16:50:47 localhost sshd[4015]: Accepted keyboard-interactive/pam for
luketrif from 69.36.164.127 port 46699 ssh2

------------------------------------------------------------------------------------------------------------------




SSHD_FORMAT_REGEX=.* \[Sender sshd\] \[PID \d*\] \[Message .* PAM: (?P<message>.*?)\].*?




starting DenyHosts:    /usr/bin/env python /usr/local/bin/denyhosts.py --daemon --config=/usr/share/denyhosts/denyhosts.cfg


2008-10-16 19:24:38,399 - denyhosts   : INFO     DenyHosts launched with the
following args:
2008-10-16 19:24:38,399 - denyhosts   : INFO
/usr/local/bin/denyhosts.py --daemon --debug
--config=/usr/share/denyhosts/denyhosts.cfg
2008-10-16 19:24:38,399 - prefs       : INFO     DenyHosts configuration
settings:
2008-10-16 19:24:38,399 - prefs       : INFO        ADMIN_EMAIL: [None]
2008-10-16 19:24:38,399 - prefs       : INFO        AGE_RESET_INVALID:
[864000]
2008-10-16 19:24:38,399 - prefs       : INFO        AGE_RESET_RESTRICTED:
[2160000]
2008-10-16 19:24:38,399 - prefs       : INFO        AGE_RESET_ROOT:
[2160000]
2008-10-16 19:24:38,399 - prefs       : INFO        AGE_RESET_VALID:
[432000]
2008-10-16 19:24:38,400 - prefs       : INFO
ALLOWED_HOSTS_HOSTNAME_LOOKUP: [no]
2008-10-16 19:24:38,400 - prefs       : INFO        BLOCK_SERVICE: [sshd]
2008-10-16 19:24:38,400 - prefs       : INFO        DAEMON_LOG:
[/var/log/denyhosts]
2008-10-16 19:24:38,400 - prefs       : INFO
DAEMON_LOG_MESSAGE_FORMAT: [%(asctime)s - %(name)-12s: %(levelname)-8s
%(message)s]
2008-10-16 19:24:38,400 - prefs       : INFO        DAEMON_LOG_TIME_FORMAT:
[None]
2008-10-16 19:24:38,400 - prefs       : INFO        DAEMON_PURGE: [3600]
2008-10-16 19:24:38,400 - prefs       : INFO        DAEMON_SLEEP: [30]
2008-10-16 19:24:38,400 - prefs       : INFO        DENY_THRESHOLD_INVALID:
[3]
2008-10-16 19:24:38,400 - prefs       : INFO
DENY_THRESHOLD_RESTRICTED: [1]
2008-10-16 19:24:38,400 - prefs       : INFO        DENY_THRESHOLD_ROOT: [1]
2008-10-16 19:24:38,400 - prefs       : INFO        DENY_THRESHOLD_VALID:
[10]
2008-10-16 19:24:38,400 - prefs       : INFO        FAILED_ENTRY_REGEX:
[None]
2008-10-16 19:24:38,401 - prefs       : INFO        FAILED_ENTRY_REGEX2:
[None]
2008-10-16 19:24:38,401 - prefs       : INFO        FAILED_ENTRY_REGEX3:
[None]
2008-10-16 19:24:38,401 - prefs       : INFO        FAILED_ENTRY_REGEX4:
[None]
2008-10-16 19:24:38,401 - prefs       : INFO        FAILED_ENTRY_REGEX5:
[None]
2008-10-16 19:24:38,401 - prefs       : INFO        FAILED_ENTRY_REGEX6:
[None]
2008-10-16 19:24:38,401 - prefs       : INFO        FAILED_ENTRY_REGEX7:
[None]
2008-10-16 19:24:38,401 - prefs       : INFO        HOSTNAME_LOOKUP: [NO]
2008-10-16 19:24:38,401 - prefs       : INFO        HOSTS_DENY:
[/etc/hosts.deny]
2008-10-16 19:24:38,401 - prefs       : INFO        LOCK_FILE:
[/var/lock/subsys/denyhosts]
2008-10-16 19:24:38,401 - prefs       : INFO        PLUGIN_DENY: [None]
2008-10-16 19:24:38,401 - prefs       : INFO        PLUGIN_PURGE: [None]
2008-10-16 19:24:38,401 - prefs       : INFO        PURGE_DENY: [432000]
2008-10-16 19:24:38,402 - prefs       : INFO        PURGE_THRESHOLD: [0]
2008-10-16 19:24:38,402 - prefs       : INFO        RESET_ON_SUCCESS: [no]
2008-10-16 19:24:38,402 - prefs       : INFO        SECURE_LOG:
[/private/var/log/secure.log]
2008-10-16 19:24:38,402 - prefs       : INFO        SMTP_DATE_FORMAT: [%a,
%d %b %Y %H:%M:%S %z]
2008-10-16 19:24:38,402 - prefs       : INFO        SMTP_FROM: [DenyHosts <
[EMAIL PROTECTED]>]
2008-10-16 19:24:38,402 - prefs       : INFO        SMTP_HOST: [localhost]
2008-10-16 19:24:38,402 - prefs       : INFO        SMTP_PASSWORD: [None]
2008-10-16 19:24:38,402 - prefs       : INFO        SMTP_PORT: [25]
2008-10-16 19:24:38,402 - prefs       : INFO        SMTP_SUBJECT: [DenyHosts
Report]
2008-10-16 19:24:38,402 - prefs       : INFO        SMTP_USERNAME: [None]
2008-10-16 19:24:38,402 - prefs       : INFO        SSHD_FORMAT_REGEX: [.*
\[Sender sshd\] \[PID \d*\] \[Message .* PAM:]
2008-10-16 19:24:38,402 - prefs       : INFO        SUCCESSFUL_ENTRY_REGEX:
[None]
2008-10-16 19:24:38,403 - prefs       : INFO
SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS: [YES]
2008-10-16 19:24:38,403 - prefs       : INFO        SYNC_DOWNLOAD: [yes]
2008-10-16 19:24:38,403 - prefs       : INFO
SYNC_DOWNLOAD_RESILIENCY: [18000]
2008-10-16 19:24:38,403 - prefs       : INFO        SYNC_DOWNLOAD_THRESHOLD:
[3]
2008-10-16 19:24:38,403 - prefs       : INFO        SYNC_INTERVAL: [3600]
2008-10-16 19:24:38,403 - prefs       : INFO        SYNC_SERVER: [
http://xmlrpc.denyhosts.net:9911]
2008-10-16 19:24:38,403 - prefs       : INFO        SYNC_UPLOAD: [no]
2008-10-16 19:24:38,403 - prefs       : INFO        SYSLOG_REPORT: [no]
2008-10-16 19:24:38,403 - prefs       : INFO        WORK_DIR:
[/usr/share/denyhosts/data]
2008-10-16 19:24:38,405 - denyhosts   : INFO     restricted: set([])
2008-10-16 19:24:38,406 - filetracker : DEBUG    __get_current_offset():
2008-10-16 19:24:38,406 - filetracker : DEBUG       first_line: Oct 16
14:00:00 localhost newsyslog[3686]: logfile turned over due to size>100K
2008-10-16 19:24:38,406 - filetracker : DEBUG       offset: 10482
2008-10-16 19:24:38,406 - AllowedHosts: DEBUG    initializing AllowedHosts
2008-10-16 19:24:38,406 - AllowedHosts: DEBUG    Could not open
/usr/share/denyhosts/data/allowed-hosts - [Errno 2] No such file or
directory: '/usr/share/denyhosts/data/allowed-hosts'
2008-10-16 19:24:38,407 - AllowedHosts: DEBUG    done initializing
AllowedHosts
2008-10-16 19:24:38,407 - filetracker : DEBUG    __get_last_offset():
2008-10-16 19:24:38,407 - filetracker : DEBUG       first_line: Oct 16
14:00:00 localhost newsyslog[3686]: logfile turned over due to size>100K
2008-10-16 19:24:38,407 - filetracker : DEBUG       offset: 10482
2008-10-16 19:24:38,407 - filetracker : DEBUG    get_offset():
2008-10-16 19:24:38,407 - filetracker : DEBUG       offset: None
2008-10-16 19:24:38,407 - denyhosts   : INFO     launching DenyHosts daemon
(version 2.6)...
2008-10-16 19:24:38,411 - denyhosts   : INFO     DenyHosts daemon is now
running, pid: 4334
2008-10-16 19:24:38,412 - denyhosts   : INFO     send daemon process a TERM
signal to terminate cleanly
2008-10-16 19:24:38,412 - denyhosts   : INFO       eg.  kill -TERM 4334
2008-10-16 19:24:38,412 - denyhosts   : INFO     monitoring log:
/private/var/log/secure.log
2008-10-16 19:24:38,413 - denyhosts   : INFO     sync_time: 3600
2008-10-16 19:24:38,413 - denyhosts   : INFO     daemon_purge:      3600
2008-10-16 19:24:38,413 - denyhosts   : INFO     daemon_sleep:      30
2008-10-16 19:24:38,413 - denyhosts   : INFO     purge_sleep_ratio: 120
2008-10-16 19:24:38,413 - denyhosts   : INFO     sync_time:      : 3600
2008-10-16 19:24:38,413 - denyhosts   : INFO     sync_sleep_ratio: 120
_______________________________________________
Denyhosts-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/denyhosts-user
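Added example (editor's addition, not part of the original post and not DenyHosts project code): the quickest way to answer "is it working at all" is to run the configured SSHD_FORMAT_REGEX against a few lines pasted from secure.log and see whether anything is captured. The script below does that offline. The sample lines are constructed to mirror the shape of the secure.log excerpt in the post; POSTED_SSHD_FORMAT_REGEX is the regex from the post's denyhosts.cfg, which expects the bracketed "[Sender sshd] [PID n] [Message ...]" syslog format; ASSUMED_SSHD_FORMAT_REGEX is an assumed alternative written for this example (not taken from the post or from DenyHosts) that matches the plain "sshd[PID]: message" format the excerpt actually shows. The failed-entry patterns are simplified approximations of what DenyHosts looks for, also written for this example.

```python
import re

# Constructed sample lines, shaped like the secure.log excerpt in the post
# (one failed "bula" attempt, one successful login, one non-sshd line).
SAMPLE_LINES = [
    "Oct 16 16:50:30 localhost sshd[4007]: Invalid user bula from 69.36.164.127",
    "Oct 16 16:50:30 localhost sshd[4007]: Failed none for invalid user bula from 69.36.164.127 port 46647 ssh2",
    "Oct 16 16:50:30 localhost com.apple.SecurityServer[24]: getpwnam() failed for user bula, creating invalid credential",
    "Oct 16 16:50:30 localhost sshd[4007]: error: PAM: Authentication failure for illegal user bula from aplusteam.com",
    "Oct 16 16:50:30 localhost sshd[4007]: Failed keyboard-interactive/pam for invalid user bula from 69.36.164.127 port 46647 ssh2",
    "Oct 16 16:50:47 localhost sshd[4015]: Accepted keyboard-interactive/pam for luketrif from 69.36.164.127 port 46699 ssh2",
]

# The SSHD_FORMAT_REGEX from the post's denyhosts.cfg. It only matches the
# bracketed "[Sender sshd] [PID n] [Message ...]" syslog layout.
POSTED_SSHD_FORMAT_REGEX = (
    r".* \[Sender sshd\] \[PID \d*\] \[Message .* PAM: (?P<message>.*?)\].*?"
)

# ASSUMPTION (not from the post, not DenyHosts code): a format regex for the
# plain "sshd[PID]: message" lines the post's secure.log actually contains.
ASSUMED_SSHD_FORMAT_REGEX = r".* sshd\[\d+\]: (?P<message>.*)"

# Simplified approximations of DenyHosts' failed-entry patterns, applied to
# the text captured by the <message> group. Written for this example.
FAILED_MESSAGE_REGEXES = [
    re.compile(r"Failed \S+ for (?:invalid user )?(?P<user>\S+) from (?P<host>\S+)"),
    re.compile(r"(?:error: )?PAM: Authentication failure for (?:illegal user )?(?P<user>\S+) from (?P<host>\S+)"),
    re.compile(r"Invalid user (?P<user>\S+) from (?P<host>\S+)"),
]


def extract_messages(format_regex, lines):
    """Return the <message> capture for every line the format regex matches.

    An empty result means the format regex never fires, so DenyHosts would
    never even get to its failed-entry patterns for this log.
    """
    pattern = re.compile(format_regex)
    messages = []
    for line in lines:
        m = pattern.match(line)
        if m:
            messages.append(m.group("message"))
    return messages


def count_failures_per_host(format_regex, lines):
    """Tally failed-login entries per host string, keyed as the log names them.

    Note that the PAM line names the reverse-resolved hostname, while the
    other lines name the IP, so one attempt can spread across two keys.
    """
    counts = {}
    for msg in extract_messages(format_regex, lines):
        for failed in FAILED_MESSAGE_REGEXES:
            m = failed.match(msg)
            if m:
                host = m.group("host")
                counts[host] = counts.get(host, 0) + 1
                break
    return counts


def would_block(counts, host, threshold=3):
    """True if the host has reached the (DENY_THRESHOLD_INVALID-style) threshold."""
    return counts.get(host, 0) >= threshold


if __name__ == "__main__":
    for label, regex in (("posted", POSTED_SSHD_FORMAT_REGEX),
                         ("assumed", ASSUMED_SSHD_FORMAT_REGEX)):
        counts = count_failures_per_host(regex, SAMPLE_LINES)
        print(label, "regex ->", counts,
              "| block 69.36.164.127:", would_block(counts, "69.36.164.127"))
```

Running it shows the posted regex captures nothing from these lines (so no host can ever reach the threshold, which is consistent with nothing appearing in /etc/hosts.deny), while the assumed plain-format regex yields counts that do cross the threshold of 3. Pasting real lines from /private/var/log/secure.log into SAMPLE_LINES is the practical check; if the posted regex still returns an empty list, the format regex, not the threshold, is what needs attention.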
