Terry Barnum wrote:
> On Jun 11, 2010, at 3:18 PM, René Berber wrote:
>
>> Try:
>>
>> SSHD_FORMAT_REGEX=.*( sshd.*:| \[sshd\]|AppleVNCServer.*:) (?P<message>.*)
>>
>> All in one line, a space precedes the last parenthesized part.
>>
>>> USERDEF_FAILED_ENTRY_REGEX=Authentication:\ FAILED.*
>>> Viewer\ Address:\ (?P<host>\S+)
>> I would try to get the user name, just in case it is available:
>>
>> USERDEF_FAILED_ENTRY_REGEX=Authentication: FAILED :: User Name:
>> (?P<user>.*) :: Viewer Address: (?P<host>\S+) .*
>
> This still does not appear to be catching failed VNC login attempts. From
> denyhosts.cfg:
>
> SSHD_FORMAT_REGEX=.*(sshd.*:|\[sshd\]|AppleVNCServer.*:) (?P<message>.*)
> USERDEF_FAILED_ENTRY_REGEX=Authentication: FAILED.* :: User Name:
> (?P<user>.*) :: Viewer Address: (?P<host>\S+)
>
> I also tried the " .*" at the tail end of the USERDEF entry but this didn't
> catch them either:
> USERDEF_FAILED_ENTRY_REGEX=Authentication: FAILED.* :: User Name:
> (?P<user>.*) :: Viewer Address: (?P<host>\S+) .*
>
> Here's a sample entry from secure.log:
> Jul 8 10:43:29 machine
> /System/Library/CoreServices/RemoteManagement/AppleVNCServer.bundle/Contents/MacOS/AppleVNCServer[123]:
> Authentication: FAILED :: User Name: N/A :: Viewer Address: 192.168.1.1 ::
> Type: VNC DES
>
> Any ideas what I'm doing wrong?

Some very obvious mistakes:

1. You didn't show before that "/path/to/AppleVNCServer" included
AppleVNCServer.bundle, that derails this train (i.e. the name appears
twice), I would change:

SSHD_FORMAT_REGEX=.*(sshd.*:|\[sshd\]|AppleVNCServer\[\d+\]:) (?P<message>.*)

2. You add .* in a place where it doesn't belong, plus my using
(?P<user>.*) is also not good, I should have written (?P<user>\S+)

3. I should have asked this before: did you also change your
configuration to monitor secure.log?

I could send you a screenshot of how testing the regex (with Kodos) and
your log works. Of course that doesn't prove that DH will work since
both regexes have to work.
-- 
René Berber
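
Added example, not part of the original thread and not DenyHosts code: the posted patterns and the patterns with points 1 and 2 of the reply applied, run against the sample secure.log entry. It assumes the format regex is matched against the whole line and the failed-entry regex is then searched in the captured message; `parse` and the `*_POSTED` / `*_FIXED` names are hypothetical.

```python
import re

# Sample secure.log entry from the thread, joined back onto one line.
LINE = ("Jul 8 10:43:29 machine /System/Library/CoreServices/RemoteManagement/"
        "AppleVNCServer.bundle/Contents/MacOS/AppleVNCServer[123]: "
        "Authentication: FAILED :: User Name: N/A :: "
        "Viewer Address: 192.168.1.1 :: Type: VNC DES")

# Patterns as posted from denyhosts.cfg (wrapped lines joined with a space).
FORMAT_POSTED = r".*(sshd.*:|\[sshd\]|AppleVNCServer.*:) (?P<message>.*)"
FAILED_POSTED = (r"Authentication: FAILED.* :: User Name: (?P<user>.*)"
                 r" :: Viewer Address: (?P<host>\S+)")

# Patterns with the reply's points 1 and 2 applied.
FORMAT_FIXED = r".*(sshd.*:|\[sshd\]|AppleVNCServer\[\d+\]:) (?P<message>.*)"
FAILED_FIXED = (r"Authentication: FAILED :: User Name: (?P<user>\S+)"
                r" :: Viewer Address: (?P<host>\S+)")


def parse(line, format_rx, failed_rx):
    """Two-stage check (assumed model of the processing order).

    Stage 1 pulls the message out of the log line; stage 2 looks for a
    failed login in that message. Returns (message, user, host), with
    None in every field that a failing stage could not fill.
    """
    stage1 = re.match(format_rx, line)
    if stage1 is None:
        return (None, None, None)
    message = stage1.group("message")
    stage2 = re.search(failed_rx, message)
    if stage2 is None:
        return (message, None, None)
    return (message, stage2.group("user"), stage2.group("host"))


if __name__ == "__main__":
    # "AppleVNCServer.*:" is greedy, so stage 1 runs on to the last ": " in
    # the line and hands stage 2 only the tail of the entry.
    print("posted:", parse(LINE, FORMAT_POSTED, FAILED_POSTED))
    # Anchoring on "AppleVNCServer[pid]:" keeps the whole entry as message.
    print("fixed: ", parse(LINE, FORMAT_FIXED, FAILED_FIXED))
    # Mixing the two shows which stage was dropping the entry.
    print("mixed: ", parse(LINE, FORMAT_FIXED, FAILED_POSTED))
```

Printing the stage 1 message on its own is the quickest way to see which of the two regexes is dropping a line before changing the other one.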
