On Jul 8, 2010, at 3:48 PM, René Berber wrote:

> Terry Barnum wrote:
>
>> On Jun 11, 2010, at 3:18 PM, René Berber wrote:
>>
>>> Try:
>>>
>>> SSHD_FORMAT_REGEX=.*( sshd.*:| \[sshd\]|AppleVNCServer.*:) (?P<message>.*)
>>>
>>> All in one line, a space precedes the last parenthesized part.
>>>
>>>> USERDEF_FAILED_ENTRY_REGEX=Authentication:\ FAILED.*
>>>> Viewer\ Address:\ (?P<host>\S+)
>>> I would try to get the user name, just in case it is available:
>>>
>>> USERDEF_FAILED_ENTRY_REGEX=Authentication: FAILED :: User Name:
>>> (?P<user>.*) :: Viewer Address: (?P<host>\S+) .*
>>
>> This still does not appear to be catching failed VNC login attempts. From
>> denyhosts.cfg:
>>
>> SSHD_FORMAT_REGEX=.*(sshd.*:|\[sshd\]|AppleVNCServer.*:) (?P<message>.*)
>> USERDEF_FAILED_ENTRY_REGEX=Authentication: FAILED.* :: User Name:
>> (?P<user>.*) :: Viewer Address: (?P<host>\S+)
>>
>> I also tried the " .*" at the tail end of the USERDEF entry but this didn't
>> catch them either:
>> USERDEF_FAILED_ENTRY_REGEX=Authentication: FAILED.* :: User Name:
>> (?P<user>.*) :: Viewer Address: (?P<host>\S+) .*
>>
>> Here's a sample entry from secure.log:
>> Jul 8 10:43:29 machine
>> /System/Library/CoreServices/RemoteManagement/AppleVNCServer.bundle/Contents/MacOS/AppleVNCServer[123]:
>> Authentication: FAILED :: User Name: N/A :: Viewer Address: 192.168.1.1 ::
>> Type: VNC DES
>>
>> Any ideas what I'm doing wrong?
>
> Some very obvious mistakes:
>
> 1. You didn't show before that "/path/to/AppleVNCServer" included
> AppleVNCServer.bundle, that derails this train (i.e. the name appears
> twice),

Thanks René. I realized this when trying to troubleshoot so thought I should include it this time in case it was causing the failure.

> I would change:
>
> SSHD_FORMAT_REGEX=.*(sshd.*:|\[sshd\]|AppleVNCServer\[\d+\]:)
> (?P<message>.*)

Okay.

> 2. You add .* in a place where it doesn't belong,

I figured your suggested regex line which had the .* at the end was a typo, but when things weren't working I tried it also.

> plus my using
> (?P<user>.*) is also not good, I should have written (?P<user>\S+)

Okay.

> 3. I should have asked this before: did you also change your
> configuration to monitor secure.log?

Yes. DH is happily blocking failed ssh attempts and adding them to hosts.deny.

> I could send you a screenshot of how testing the regex (with Kodos) and
> your log works. Of course that doesn't prove that DH will work since
> both regexes have to work.

Thank you René, I would appreciate that. I used <http://re-try.appspot.com/> which got me close, but wanted me to escape all the spaces.

-Terry

_______________________________________________
Denyhosts-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/denyhosts-user
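
An added example, not part of the original thread and not DenyHosts' own code: it runs the two SSHD_FORMAT_REGEX variants from the thread against the quoted secure.log entry, then applies the USERDEF_FAILED_ENTRY_REGEX with the `\S+` correction to the extracted message. The function names are hypothetical, and applying the format regex with `re.match` and the user-defined regex with `re.search` is an assumption about how the two stages are chained.

```python
import re

# Sample secure.log entry quoted in the thread (joined onto one line).
SAMPLE = ("Jul 8 10:43:29 machine /System/Library/CoreServices/RemoteManagement/"
          "AppleVNCServer.bundle/Contents/MacOS/AppleVNCServer[123]: "
          "Authentication: FAILED :: User Name: N/A :: "
          "Viewer Address: 192.168.1.1 :: Type: VNC DES")

# SSHD_FORMAT_REGEX values from the thread: as configured, and as later suggested.
FORMAT_LOOSE = r".*(sshd.*:|\[sshd\]|AppleVNCServer.*:) (?P<message>.*)"
FORMAT_TIGHT = r".*(sshd.*:|\[sshd\]|AppleVNCServer\[\d+\]:) (?P<message>.*)"

# USERDEF_FAILED_ENTRY_REGEX with the (?P<user>\S+) correction from the thread.
USERDEF = (r"Authentication: FAILED :: User Name: (?P<user>\S+)"
           r" :: Viewer Address: (?P<host>\S+)")


def extract_message(format_regex, line):
    """Stage 1: return the 'message' group, or None if the line is ignored."""
    m = re.match(format_regex, line)
    return m.group("message") if m else None


def failed_login(format_regex, userdef_regex, line):
    """Stage 2: return (user, host) for a failed login, or None.

    Assumption: the format regex is anchored at line start (re.match) and the
    user-defined regex is searched within the extracted message (re.search).
    """
    message = extract_message(format_regex, line)
    if message is None:
        return None
    m = re.search(userdef_regex, message)
    return (m.group("user"), m.group("host")) if m else None


if __name__ == "__main__":
    for name, fmt in (("loose", FORMAT_LOOSE), ("tight", FORMAT_TIGHT)):
        print(name, "message:", repr(extract_message(fmt, SAMPLE)))
        print(name, "failed login:", failed_login(fmt, USERDEF, SAMPLE))
```

With the `AppleVNCServer.*:` form, the greedy `.*:` runs to the last colon followed by a space, so the message handed to the second stage is only the tail of the line and the failed login is never seen.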
