Atreides Modi wrote:
> I've installed the most recent Macport build of Denyhosts 2.6 on my OS X
> 10.6.2 Snow Leopard. Everything seems installed proper. I used the
> sample denyhosts.cfg file as well as the daemon script, loading up under
> launchctl. Testing has been successful for <invalid users>, with entry
> added to hosts.deny and even got the email to go out proper.

Out of curiosity, have you asked the MacPorts package maintainer about this?

I believe that you will need to modify your sshd_config file as follows
(you should back it up first): remove the # in front of the lines:

PasswordAuthentication no
UsePAM yes
UseDNS no

> Problem is, it just will not recognize a failure to authenticate (due to
> bad or no password) a <valid user>. My regex skills are quite dull, so I
> have resorted to manually adding various forms of FAILED_ENTRY_REGEX and
> USERDEF_FAILED_ENTRY_REGEX in my cfg file to no avail.
>
> So here are some facts I hope will help someone help me figure this out...
>
> My secure.log has entries similar to this:
>
> Feb 24 04:03:51 MachineName sshd[16220]: in pam_sm_authenticate(): Failed to
> determine Kerberos principal name.
> Feb 24 04:03:52 MachineName sshd[16216]: error: PAM: authentication error for
> validuser from 192.168.1.10 via 192.168.1.10\

These lines are as expected. Have you modified denyhosts.cfg with:

SECURE_LOG = /var/log/secure.log

(?)

> Where "validuser" above is a real user enabled for remote login. This is
> the record pair created for each incorrect password entered. My
> system.log contains (which is not used by denyhosts):
>
> Feb 24 04:03:52 MachineName sandboxd[16222]: sshd(16217) deny
> mach-per-user-lookup

Hmm, I've never noticed the sandbox daemon as being related to difficulties
with denyhosts. Exactly what do you mean by "a real user enabled for remote
login"? Have you restricted SSH to only allow certain users? If so, by what
mechanism? Since sandboxd is called by sshd, perhaps your sshd settings need
to be tweaked a little (as suggested above).

> Per the denyhosts website FAQ at
> http://denyhosts.sourceforge.net/pam_auth_err.txt , I have added the
> below to my denyhosts.cfg (once I found that macports out of box cfg did
> not work)
>
> FAILED_ENTRY_REGEX=error: PAM: authentication error for (?P<invalid>invalid
> user |illegal user )?(?P<user>.*?) from
> (::ffff:)?(?P<host>\d){1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})

This FAQ entry (2.16) is titled: "Why isn't DenyHosts recognizing successful
ssh logins?" Which, it seems to me, has nothing to do with your problem
(you're not looking for valid logins, but rather for invalid login attempts
against valid usernames).

Also, with 10.6 we no longer need the last line in denyhosts.cfg, and so it
should be commented out with a # at the beginning of the line. I'm referring
to these lines at the end of the denyhosts.cfg file:

#Added for Mac OS X
#SSHD_FORMAT_REGEX=....

This was needed for earlier versions of the OS X that used a slightly
different SSHD log format, but is no longer needed on 10.6.

Let us know how it goes and whether the MacPorts package maintainer has
suggestions.

--Robert

> I have tried numerous variations of the above, specifically removing the
> (?P<invalid>invalid user |illegal user ) since, unless I misunderstand
> regex expression - which is probably, since I am poor with regex, would
> not get a hit on the validuser scenario. As for basics, I do not have
> SSHD_FORMAT_REGEX in my cfg file. I point to secure.log, which works
> fine for identifying invalid user attempts. Any help would be appreciated!
>
> Cheers
> Atreides
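
An added example, not part of the original thread and not DenyHosts code: a quick offline check of the FAILED_ENTRY_REGEX value quoted above against the quoted secure.log lines. It uses plain `re.search` on whole lines as a stand-in for DenyHosts' own matching; `BALANCED` is an assumed repair of the quoted value, and the third log line is constructed.

```python
import re

# Regex exactly as quoted in the thread (mail line wraps rejoined). Its final
# ")" has no opening partner, so Python's re module refuses to compile it.
QUOTED = (r"error: PAM: authentication error for (?P<invalid>invalid user |illegal user )?"
          r"(?P<user>.*?) from (::ffff:)?(?P<host>\d){1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})")

# Assumed repair (not from the thread): the host group wraps the whole IPv4 address.
BALANCED = (r"error: PAM: authentication error for (?P<invalid>invalid user |illegal user )?"
            r"(?P<user>.*?) from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})")

# The first two lines are the secure.log entries from the thread (rejoined);
# the third is constructed to exercise the optional "invalid user" branch.
SAMPLE_LOG = [
    "Feb 24 04:03:51 MachineName sshd[16220]: in pam_sm_authenticate(): "
    "Failed to determine Kerberos principal name.",
    "Feb 24 04:03:52 MachineName sshd[16216]: error: PAM: authentication error "
    "for validuser from 192.168.1.10 via 192.168.1.10",
    "Feb 24 04:05:10 MachineName sshd[16301]: error: PAM: authentication error "
    "for invalid user bob from ::ffff:192.168.1.77 via 192.168.1.10",
]

def compile_error(pattern):
    """Return the re.error message for pattern, or None if it compiles."""
    try:
        re.compile(pattern)
        return None
    except re.error as exc:
        return str(exc)

def failed_entries(lines, pattern):
    """Return (user, host, named_as_invalid) for every line the pattern matches."""
    rx = re.compile(pattern)
    hits = []
    for line in lines:
        m = rx.search(line)
        if m:
            hits.append((m.group("user"), m.group("host"), m.group("invalid") is not None))
    return hits

if __name__ == "__main__":
    print("quoted regex:", compile_error(QUOTED) or "compiles")
    for hit in failed_entries(SAMPLE_LOG, BALANCED):
        print(hit)
```

Because the `invalid` group is optional, the balanced pattern matches the valid-user failure line as well as the invalid-user one; the Kerberos line is ignored.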
