* [gentoo-user] Possibly OT - Denyhosts regex question
@ 2008-11-21 4:05 James Homuth
2008-11-21 9:52 ` deface
0 siblings, 1 reply; 2+ messages in thread
From: James Homuth @ 2008-11-21 4:05 UTC
To: gentoo-user
Hello folks,
I'm using the latest stable x86 versions of DenyHosts, OpenSSH and PAM as
pulled off the portage tree, and am having a little bit of trouble getting
DenyHosts to play nice with the messages PAM is throwing into auth.log. I've
tried Google for it, and threw the question to the DenyHosts mailing list,
but neither has turned up any possible assistance. The logs I'm trying to
parse are demonstrated below:
Nov 20 22:21:03 nova sshd[31328]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.233.broadband9.iol.cz user=root
Nov 20 22:21:06 nova sshd[31326]: error: PAM: Authentication failure for root from 222.233.broadband9.iol.cz
It's happening with more than just the root user, so I've set up my
userdef_regex's to read as follows:
USERDEF_FAILED_ENTRY_REGEX=error: PAM: authentication failure for (?P<invalid>invalid user |illegal user )?(?P<user>.*?) from ?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
USERDEF_FAILED_ENTRY_REGEX=pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=(?P<host>\S+) user=(?P<user>\S+)
If anyone can give me a hand figuring out where it is I broke something,
that would be greatly appreciated. As I said, I'm not sure how on-topic it
is for this particular list, but I'm getting nowhere with the avenues that
would probably be more appropriate.
Thanks in advance,
James
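
The two patterns from the message above, run against the two log lines it quotes. This is an added example, not part of the original post or of DenyHosts; it assumes the USERDEF_FAILED_ENTRY_REGEX value is applied as a case-sensitive Python `re` search, and the FIXED_* patterns and the `extract`/`diagnose` helpers are this example's own names and suggestions.

```python
import re

# Log lines from the question, with the mail client's line wraps rejoined.
LOG_PAM_UNIX = ("Nov 20 22:21:03 nova sshd[31328]: pam_unix(sshd:auth): "
                "authentication failure; logname= uid=0 euid=0 tty=ssh ruser= "
                "rhost=222.233.broadband9.iol.cz user=root")
LOG_SSHD_PAM = ("Nov 20 22:21:06 nova sshd[31326]: error: PAM: Authentication "
                "failure for root from 222.233.broadband9.iol.cz")

# Patterns as posted (assumption: each wrap was a single space).
POSTED_SSHD_PAM = (r"error: PAM: authentication failure for "
                   r"(?P<invalid>invalid user |illegal user )?(?P<user>.*?) from "
                   r"?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})")
POSTED_PAM_UNIX = (r"pam_unix(sshd:auth): authentication failure; logname= uid=0 "
                   r"euid=0 tty=ssh ruser= rhost=(?P<host>\S+) user=(?P<user>\S+)")

# Adjusted patterns (this example's suggestion, not DenyHosts defaults).
# 1) Match sshd's capital "A"; accept a resolved host name, not only an IPv4
#    address; anchor at end of line with a greedy user group so that the host
#    is always taken from the final " from " in the message.
FIXED_SSHD_PAM = (r"error: PAM: Authentication failure for "
                  r"(?P<invalid>invalid user |illegal user )?(?P<user>.*) from "
                  r"(?P<host>\S+)\s*$")
# 2) Escape the literal parentheses; unescaped, "(sshd:auth)" is a capture
#    group that matches "sshd:auth" and never the "(" and ")" in the log.
FIXED_PAM_UNIX = (r"pam_unix\(sshd:auth\): authentication failure; logname= uid=0 "
                  r"euid=0 tty=ssh ruser= rhost=(?P<host>\S+) +user=(?P<user>\S+)")

def extract(pattern, line, flags=0):
    """Return (user, host) when pattern is found in line, else None."""
    m = re.search(pattern, line, flags)
    return (m.group("user"), m.group("host")) if m else None

def diagnose():
    """Run every pattern against the log line it was written for."""
    return {
        "posted sshd/PAM": extract(POSTED_SSHD_PAM, LOG_SSHD_PAM),
        "posted sshd/PAM, ignoring case": extract(POSTED_SSHD_PAM, LOG_SSHD_PAM, re.I),
        "posted pam_unix": extract(POSTED_PAM_UNIX, LOG_PAM_UNIX),
        "fixed sshd/PAM": extract(FIXED_SSHD_PAM, LOG_SSHD_PAM),
        "fixed pam_unix": extract(FIXED_PAM_UNIX, LOG_PAM_UNIX),
    }

if __name__ == "__main__":
    for name, result in diagnose().items():
        print(f"{name:32} -> {result}")
```

The "ignoring case" row shows that the first posted pattern has two independent problems: even with the capitalisation matched, the dotted-quad host group cannot match the resolved host name in the log.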
* Re: [gentoo-user] Possibly OT - Denyhosts regex question
2008-11-21 4:05 [gentoo-user] Possibly OT - Denyhosts regex question James Homuth
@ 2008-11-21 9:52 ` deface
0 siblings, 0 replies; 2+ messages in thread
From: deface @ 2008-11-21 9:52 UTC
To: gentoo-user
James Homuth wrote:
> Hello folks,
>
> I'm using the latest stable x86 versions of Denyhosts, Openssh and PAM as
> pulled off the portage tree, and am having a little bit of trouble getting
> Denyhosts to play nice with the messages PAM is throwing into auth.log. I've
> tried google for it, and threw the question to the Denyhosts mailing list,
> but neither has turned up any possible assistance. The logs I'm trying to
> parse are demonstrated below:
> Nov 20 22:21:03 nova sshd[31328]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.233.broadband9.iol.cz user=root
>
> Nov 20 22:21:06 nova sshd[31326]: error: PAM: Authentication failure for root from 222.233.broadband9.iol.cz
>
> It's happening with more than just the root user, so I've set up my
> userdef_regex's to read as follows:
> USERDEF_FAILED_ENTRY_REGEX=error: PAM: authentication failure for (?P<invalid>invalid user |illegal user )?(?P<user>.*?) from ?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
>
> USERDEF_FAILED_ENTRY_REGEX=pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=(?P<host>\S+) user=(?P<user>\S+)
>
>
> If anyone can give me a hand figuring out where it is I broke something,
> that would be greatly appreciated. As I said, I'm not sure how on-topic it
> is for this particular list, but I'm getting nowhere with the avenues that
> would probably be more appropriate.
>
> Thanks in advance,
> James
>
>
>
Have you looked into Fail2Ban?