From: "James Homuth"
Subject: [gentoo-user] Possibly OT - Denyhosts regex question
Date: Thu, 20 Nov 2008 23:05:01 -0500
Message-ID: <0a4701c94b8e$54845e10$a500a8c0@quan>
Reply-to: gentoo-user@lists.gentoo.org

Hello folks,

I'm using the latest stable x86 versions of Denyhosts, Openssh and PAM as pulled off the portage tree, and am having a little bit of trouble getting Denyhosts to play nice with the messages PAM is throwing into auth.log. I've tried google for it, and threw the question to the Denyhosts mailing list, but neither has turned up any possible assistance.

The logs I'm trying to parse are demonstrated below:

Nov 20 22:21:03 nova sshd[31328]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.233.broadband9.iol.cz user=root
Nov 20 22:21:06 nova sshd[31326]: error: PAM: Authentication failure for root from 222.233.broadband9.iol.cz

It's happening with more than just the root user, so I've set up my userdef_regex's to read as follows:

USERDEF_FAILED_ENTRY_REGEX=error: PAM: authentication failure for (?P<invalid>invalid user |illegal user )?(?P<user>.*?) from ?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
USERDEF_FAILED_ENTRY_REGEX=pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=(?P<host>\S+) user=(?P<user>\S+)

If anyone can give me a hand figuring out where it is I broke something, that would be greatly appreciated. As I said, I'm not sure how on-topic it is for this particular list, but I'm getting nowhere with the avenues that would probably be more appropriate.

Thanks in advance,
James
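
Added example (not part of the original message, and not DenyHosts code): the two posted patterns run against the two posted log messages with Python's `re`, next to adjusted patterns that do match. Assumptions: matching is a case-sensitive `re.search` over the message text after the `sshd[pid]: ` prefix, the named groups are `host`, `user` and `invalid`, the `FIXED_*` patterns are one possible correction, and the log line without `user=` is constructed.

```python
import re

# Messages from the post, without the "date host sshd[pid]: " prefix.
PAM_UNIX = ("pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 "
            "tty=ssh ruser= rhost=222.233.broadband9.iol.cz user=root")
PAM_ERROR = ("error: PAM: Authentication failure for root "
             "from 222.233.broadband9.iol.cz")
# Constructed sample: pam_unix can log a failure with no "user=" field.
PAM_UNIX_NO_USER = ("pam_unix(sshd:auth): authentication failure; logname= uid=0 "
                    "euid=0 tty=ssh ruser= rhost=192.0.2.10")

# Patterns as posted (group names assumed, see lead-in).
POSTED_ERROR = (r"error: PAM: authentication failure for "
                r"(?P<invalid>invalid user |illegal user )?(?P<user>.*?) "
                r"from ?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})")
POSTED_UNIX = (r"pam_unix(sshd:auth): authentication failure; logname= uid=0 "
               r"euid=0 tty=ssh ruser= rhost=(?P<host>\S+) user=(?P<user>\S+)")

# Adjusted patterns (assumption: one possible fix, not DenyHosts defaults).
# 1. The log says "Authentication" (capital A); the posted pattern has "a".
# 2. The logged host is a reverse-resolved name, so an IPv4-only group fails.
FIXED_ERROR = (r"error: PAM: [Aa]uthentication failure for "
               r"(?P<invalid>invalid user |illegal user )?(?P<user>.*?) "
               r"from (?P<host>\S+)")
# 3. Unescaped "(sshd:auth)" is a regex group, not literal parentheses.
#    The user= field is made optional for lines that omit it.
FIXED_UNIX = (r"pam_unix\(sshd:auth\): authentication failure; .*"
              r"rhost=(?P<host>\S+)(?: +user=(?P<user>\S+))?")


def extract(pattern, message):
    """Return (host, user) if the pattern matches the message, else None."""
    m = re.search(pattern, message)
    return (m.group("host"), m.group("user")) if m else None


if __name__ == "__main__":
    for name, pattern, message in [
        ("posted error", POSTED_ERROR, PAM_ERROR),
        ("posted unix", POSTED_UNIX, PAM_UNIX),
        ("fixed error", FIXED_ERROR, PAM_ERROR),
        ("fixed unix", FIXED_UNIX, PAM_UNIX),
        ("fixed unix, no user", FIXED_UNIX, PAM_UNIX_NO_USER),
    ]:
        print(f"{name:20} -> {extract(pattern, message)}")
```

The captured `host` here is a hostname rather than an address, because that is what sshd wrote to the log.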