FYI - I got it working. My /etc/denyhosts now includes these regexes:
SSHD_FORMAT_REGEX=.* (sshd.*:|\[sshd\]|proftpd\[\d+\]:|vsftpd:) (?P<message>.*)
# proftpd
USERDEF_FAILED_ENTRY_REGEX=.*\(.*\[(?P<host>.*)\]\) - USER (?P<user>.*) \(.*failed\).*
USERDEF_FAILED_ENTRY_REGEX=\(.*\[(?P<host>.*)\]\) - no such user '(?P<invalid>.*)'
# vsftpd
USERDEF_FAILED_ENTRY_REGEX=.*\[(?P<user>.*)\] FAIL.*Client "(?P<host>.*)"
I've set up syslog on all my 'public' machines so that they log
'auth.priv' messages to my 'main' server, so now I run DenyHosts on that
one only. I also wrote a plugin that completely blocks the host on the
central firewall.
Thank you very much for a nice, effective and simple IDS...
Best regards, Danilo
On 17. 02. 2010 19:03, Danilo Godec wrote:
> Hi,
>
> are 'USERDEF_FAILED_ENTRY_REGEX' supposed to check every log line or
> only those that already matched 'sshd_format_regex'?
>
> I want to detect failed FTP logins (for various daemons) too, so I added
> these:
>
> # proftpd
> USERDEF_FAILED_ENTRY_REGEX=.* proftpd.*\[(?P<host>.*)\]\) - USER (?P<user>.*) \(.*failed\).*
> USERDEF_FAILED_ENTRY_REGEX=.* proftpd.*\[(?P<host>.*)\]\) - USER (?P<invalid>.*): no such user.
>
> # vsftpd
> USERDEF_FAILED_ENTRY_REGEX=.* vsftpd: .*\[(?P<user>.*)\] FAIL LOGIN: Client "(?P<host>.*)"
>
> I checked those with Kodos and they all work, but they don't work in
> DenyHosts...
>
> My guess is I'd have to change the 'sshd_format_regex' to something like:
>
> .* (sshd.*:|\[sshd\]|proftpd\[\d+\]:|vsftpd:) (?P<message>.*)
>
> to make it work...
>
> Best regards, Danilo
> _______________________________________________
> Denyhosts-user mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/denyhosts-user
>
--
Danilo Godec, sistemska podpora / system administration
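As an added illustration (not part of the original post or of the DenyHosts code base), the two-stage matching the working config above implies: the format regex is applied to the whole syslog line and only its `message` group is handed to the USERDEF regexes, which is why a USERDEF pattern anchored on ` proftpd` passes in Kodos against a full line but never fires in DenyHosts. The log lines are constructed samples; DenyHosts' exact `match`/`search` semantics are modelled here, not copied from its source.

```python
import re

# Stage 1: matched against the whole syslog line (the SSHD_FORMAT_REGEX from the thread).
FORMAT_REGEX = re.compile(r".* (sshd.*:|\[sshd\]|proftpd\[\d+\]:|vsftpd:) (?P<message>.*)")

# Stage 2: the working USERDEF_FAILED_ENTRY_REGEX entries, run over the 'message' group only.
USERDEF_REGEXES = [
    # proftpd
    re.compile(r".*\(.*\[(?P<host>.*)\]\) - USER (?P<user>.*) \(.*failed\).*"),
    re.compile(r"\(.*\[(?P<host>.*)\]\) - no such user '(?P<invalid>.*)'"),
    # vsftpd
    re.compile(r".*\[(?P<user>.*)\] FAIL.*Client \"(?P<host>.*)\""),
]

# The first attempt from the quoted question: it anchors on ' proftpd', which stage 1
# has already stripped away, so it can only ever match a complete line.
OLD_PROFTPD_REGEX = re.compile(r".* proftpd.*\[(?P<host>.*)\]\) - USER (?P<user>.*) \(.*failed\).*")

# Constructed sample log lines (not real data); addresses come from documentation ranges.
SAMPLE_LOG = [
    "Feb 17 18:59:01 ftp1 proftpd[12345]: ftp1 (evil.example.net[203.0.113.7]) - USER alice (Login failed): Incorrect password.",
    "Feb 17 18:59:07 ftp1 proftpd[12346]: ftp1 (scanner.example.org[198.51.100.9]) - no such user 'mallory'",
    'Feb 17 19:00:05 ftp2 vsftpd: Tue Feb 17 19:00:05 2010 [pid 2222] [bob] FAIL LOGIN: Client "192.0.2.33"',
    'Feb 17 19:00:09 ftp2 vsftpd: Tue Feb 17 19:00:09 2010 [pid 2223] [bob] OK LOGIN: Client "192.0.2.34"',
    "Feb 17 19:01:00 web1 cron[77]: (root) CMD (run-parts /etc/cron.hourly)",
]

def extract_message(line):
    """Stage 1: return the 'message' group, or None if the line is not from a watched daemon."""
    m = FORMAT_REGEX.match(line)
    return m.group("message") if m else None

def failed_logins(lines, userdef_regexes=USERDEF_REGEXES):
    """Stage 2: apply the USERDEF regexes to the message part only; return (host, user) hits."""
    hits = []
    for line in lines:
        message = extract_message(line)
        if message is None:
            continue
        for rx in userdef_regexes:
            m = rx.search(message)
            if m:
                gd = m.groupdict()
                hits.append((gd["host"], gd.get("user") or gd.get("invalid")))
                break
    return hits

if __name__ == "__main__":
    for host, user in failed_logins(SAMPLE_LOG):
        print(f"failed login for {user!r} from {host}")
    print("old proftpd regex hits:", failed_logins(SAMPLE_LOG, [OLD_PROFTPD_REGEX]))
```

The last print is empty: the old pattern matches `SAMPLE_LOG[0]` as a whole line, but never the message fragment DenyHosts actually tests.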