From: deface
Date: Fri, 21 Nov 2008 03:52:23 -0600
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Possibly OT - Denyhosts regex question
Message-ID: <492684D7.30106@uberpenguin.net>
In-Reply-To: <0a4701c94b8e$54845e10$a500a8c0@quan>

James Homuth wrote:
> Hello folks,
>
> I'm using the latest stable x86 versions of Denyhosts, Openssh and PAM as
> pulled off the portage tree, and am having a little bit of trouble getting
> Denyhosts to play nice with the messages PAM is throwing into auth.log. I've
> tried google for it, and threw the question to the Denyhosts mailing list,
> but neither has turned up any possible assistance. The logs I'm trying to
> parse are demonstrated below:
>
> Nov 20 22:21:03 nova sshd[31328]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.233.broadband9.iol.cz user=root
>
> Nov 20 22:21:06 nova sshd[31326]: error: PAM: Authentication failure for root from 222.233.broadband9.iol.cz
>
> It's happening with more than just the root user, so I've set up my
> userdef_regex's to read as follows:
>
> USERDEF_FAILED_ENTRY_REGEX=error: PAM: authentication failure for (?P<invalid>invalid user |illegal user )?(?P<user>.*?) from ?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
>
> USERDEF_FAILED_ENTRY_REGEX=pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=(?P<host>\S+) user=(?P<user>\S+)
>
>
> If anyone can give me a hand figuring out where it is I broke something,
> that would be greatly appreciated. As I said, I'm not sure how on-topic it
> is for this particular list, but I'm getting nowhere with the avenues that
> would probably be more appropriate.
>
> Thanks in advance,
> James
>
>

Have you looked into Fail2Ban?
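
An added example, not part of the original thread: a Python check (DenyHosts is written in Python and uses its `re` syntax) that runs the posted patterns, and adjusted ones, over the two quoted log lines. The group names `host`, `user` and `invalid` follow DenyHosts' convention; the `ADJUSTED` patterns and the `scan` helper are this example's own, and applying each pattern with `search` on the whole line is an assumption about how DenyHosts uses them.

```python
import re

# The two log lines quoted in the message, rejoined where the mail client wrapped them.
LOG_LINES = [
    "Nov 20 22:21:03 nova sshd[31328]: pam_unix(sshd:auth): authentication failure; "
    "logname= uid=0 euid=0 tty=ssh ruser= rhost=222.233.broadband9.iol.cz user=root",
    "Nov 20 22:21:06 nova sshd[31326]: error: PAM: Authentication failure for root "
    "from 222.233.broadband9.iol.cz",
]

# The USERDEF_FAILED_ENTRY_REGEX values as posted.
POSTED = [
    r"error: PAM: authentication failure for (?P<invalid>invalid user |illegal user )?"
    r"(?P<user>.*?) from ?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})",
    r"pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh "
    r"ruser= rhost=(?P<host>\S+) user=(?P<user>\S+)",
]

# Adjusted patterns (this example's own, not from the thread). They address:
#  1. case: the "error: PAM:" line says "Authentication" with a capital A;
#  2. host: the log carries a hostname, so a dotted-quad-only group cannot match;
#  3. parentheses: unescaped "(sshd:auth)" is a regex group, not literal parentheses.
# The uid/euid values are loosened and user= is made optional as a convenience.
ADJUSTED = [
    r"error: PAM: Authentication failure for (?P<invalid>invalid user |illegal user )?"
    r"(?P<user>.*?) from (?P<host>\S+)",
    r"pam_unix\(sshd:auth\): authentication failure; logname=\S* uid=\d+ euid=\d+ "
    r"tty=ssh ruser=\S* rhost=(?P<host>\S+)(?: +user=(?P<user>\S+))?",
]


def scan(patterns, lines):
    """Return (host, user) for each line matched by any pattern, in line order."""
    compiled = [re.compile(p) for p in patterns]
    hits = []
    for line in lines:
        for rx in compiled:
            m = rx.search(line)
            if m:
                hits.append((m.group("host"), m.group("user")))
                break  # one hit per log line is enough
    return hits


if __name__ == "__main__":
    print("posted:  ", scan(POSTED, LOG_LINES))
    print("adjusted:", scan(ADJUSTED, LOG_LINES))
```

Both log lines describe the same failed attempt, so enabling both patterns records two failures per attempt toward the deny threshold.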