Responses below....

On Feb 24, 2010, at 12:20 PM, Robert Wyatt wrote:

> Atreides Modi wrote:
>> I've installed the most recent MacPorts build of DenyHosts 2.6 on my OS X
>> 10.6.2 Snow Leopard. Everything seems installed properly. I used the
>> sample denyhosts.cfg file as well as the daemon script, loading up under
>> launchctl. Testing has been successful for <invalid users>, with entry
>> added to hosts.deny, and even got the email to go out properly.
>
> Out of curiosity, have you asked the MacPorts package maintainer about this?
>
> I believe that you will need to modify your sshd_config file as follows (you
> should back it up first):
>
> remove the # in front of the lines:
>
> PasswordAuthentication no
> UsePAM yes
> UseDNS no

Atreides Response -> sshd_config was already modified to reflect the above
(and rebooted to ensure they are in effect).

>
>> Problem is, it just will not recognize a failure to authenticate (due to
>> bad or no password) a <valid user>. My regex skills are quite dull, so I
>> have resorted to manually adding various forms of FAILED_ENTRY_REGEX and
>> USERDEF_FAILED_ENTRY_REGEX in my cfg file to no avail.
>>
>> So here are some facts I hope will help someone help me figure this out...
>>
>> My secure.log has entries similar to this:
>>
>> Feb 24 04:03:51 MachineName sshd[16220]: in pam_sm_authenticate(): Failed to determine Kerberos principal name.
>> Feb 24 04:03:52 MachineName sshd[16216]: error: PAM: authentication error for validuser from 192.168.1.10 via 192.168.1.10
>
> These lines are as expected. Have you modified denyhosts.cfg with:
>
> SECURE_LOG = /var/log/secure.log (?)

Atreides Response -> This is already configured as such. It reads the file
properly, since it will detect invalid user attempts and create entries in
hosts.deny accordingly.

>
>> Where "validuser" above is a real user enabled for remote login. This is
>> the record pair created for each incorrect password entered. My
>> system.log contains (which is not used by denyhosts):
>>
>> Feb 24 04:03:52 MachineName sandboxd[16222]: sshd(16217) deny mach-per-user-lookup
>
> Hmm, I've never noticed the sandbox daemon as being related to difficulties
> with denyhosts.
>
> Exactly what do you mean by "a real user enabled for remote login"? Have you
> restricted SSH to only allow certain users? If so, by what mechanism?

Atreides Response -> invalid user is defined as having no associated account
in the OS / valid user is defined as having an associated account set up in
the OS. As for administering who can or cannot use ssh, that is a function of
OS X Sharing settings / Remote Login configuration.

>
> Since sandboxd is called by sshd, perhaps your sshd settings need to be
> tweaked a little (as suggested above).

Atreides Response -> I think the sandbox throw on failed login attempt is
impacting denyhosts at all. It only creates a record in system.log and is
likely tied to whatever wrapper OS X places on securing the sshd daemon. Of
course, this is just my guess since I've never spent much time figuring out
sandboxd functionality, except at times having to put exclusions in its
configuration file.

>
>> Per the denyhosts website FAQ at
>> http://denyhosts.sourceforge.net/pam_auth_err.txt, I have added the
>> below to my denyhosts.cfg (once I found that the macports out of box cfg did
>> not work)
>>
>> FAILED_ENTRY_REGEX=error: PAM: authentication error for (?P<invalid>invalid user |illegal user )?(?P<user>.*?) from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
>
> This FAQ entry (2.16) is titled: "Why isn't DenyHosts recognizing successful
> ssh logins?"

Atreides Response -> Exactly what I thought. But on my read of the REGEX
expression he includes in the link, it is trying to match on a failed login,
not a successful login. My assumption is that he has a typo in the FAQ header.

>
> Which, it seems to me, has nothing to do with your problem (you're not
> looking for valid logins, but rather for invalid login attempts against valid
> usernames).

Atreides Response -> Exactly. As above, the REGEX line is looking for either
invalid user or illegal user. I don't think it would match a string like ...
"authentication error for [username] from "... Would it? (one day I have to
sit down with the REGEX tutorial...)

>
> Also, with 10.6 we no longer need the last line in denyhosts.cfg, and so it
> should be commented out with a # at the beginning of the line.
>
> I'm referring to these lines at the end of the denyhosts.cfg file:
>
> #Added for Mac OS X
> #SSHD_FORMAT_REGEX=....
>
> This was needed for earlier versions of OS X that used a slightly
> different SSHD log format, but is no longer needed on 10.6.

Atreides Response -> Entry does not exist in my denyhosts.cfg. The macports
version seems to have catered the config files with all the latest
requirements. Of course, for me, it doesn't work for valid user failed
password attempts. I am equally happy to uninstall the macports version in
lieu of another OS X port known to work with 10.6.x.

>
> Let us know how it goes and whether the MacPorts package maintainer has
> suggestions.

Atreides Response -> Still trying to figure out how to get in touch with the
maintainer. It's probably blaringly obvious how to; I am just not seeing it
strolling through the portfile or macports distro site.... Thanks

>
> --Robert
>
>> I have tried numerous variations of the above, specifically removing the
>> (?P<invalid>invalid user |illegal user ) since, unless I misunderstand
>> regex expression - which is probable, since I am poor with regex - it would
>> not get a hit on the validuser scenario. As for basics, I do not have
>> SSHD_FORMAT_REGEX in my cfg file. I point to secure.log, which works
>> fine for identifying invalid user attempts. Any help would be appreciated!
>>
>> Cheers
>> Atreides

_______________________________________________
Denyhosts-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/denyhosts-user
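Whether the FAQ's FAILED_ENTRY_REGEX matches the valid-user line is something a quick check settles. The following is an added example (not from the DenyHosts project or from either poster) that compiles that regex, with the host group's parentheses assumed to close after the full dotted address, and runs it over constructed secure.log lines modelled on the ones quoted in the thread.

```python
import re

# Added example, not from the DenyHosts project or the thread authors.
# The FAILED_ENTRY_REGEX from the DenyHosts FAQ as quoted in the thread,
# with the host group's parentheses closed after the full dotted quad
# (assumed to be the intended form).
FAILED_ENTRY_REGEX = (
    r"error: PAM: authentication error for "
    r"(?P<invalid>invalid user |illegal user )?(?P<user>.*?) from "
    r"(::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
)
FAILED_ENTRY = re.compile(FAILED_ENTRY_REGEX)

# Constructed sample lines modelled on the secure.log entries in the thread.
SAMPLE_SECURE_LOG = [
    "Feb 24 04:03:51 MachineName sshd[16220]: in pam_sm_authenticate(): "
    "Failed to determine Kerberos principal name.",
    "Feb 24 04:03:52 MachineName sshd[16216]: error: PAM: authentication error "
    "for validuser from 192.168.1.10 via 192.168.1.10",
    "Feb 24 04:05:10 MachineName sshd[16230]: error: PAM: authentication error "
    "for illegal user nobodyhere from 192.168.1.11 via 192.168.1.11",
]


def parse_failed_entry(line):
    """Return (user, host, is_invalid) for a matching line, else None.

    The optional 'invalid' group is what lets the same pattern cover
    both unknown accounts and bad passwords for real accounts.
    """
    m = FAILED_ENTRY.search(line)
    if m is None:
        return None
    return m.group("user"), m.group("host"), m.group("invalid") is not None


def failed_logins(lines):
    """Map each offending host to its list of (user, is_invalid) attempts."""
    attempts = {}
    for line in lines:
        parsed = parse_failed_entry(line)
        if parsed is None:
            continue  # e.g. the Kerberos principal line, which names no host
        user, host, is_invalid = parsed
        attempts.setdefault(host, []).append((user, is_invalid))
    return attempts


if __name__ == "__main__":
    for host, tries in failed_logins(SAMPLE_SECURE_LOG).items():
        print(host, tries)
```

With the group optional, the valid-user line matches with `invalid` unset, so the `via 192.168.1.10` suffix and the absence of "invalid user" are not what would stop a DenyHosts-style parser from seeing it.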
