[TriLUG] Denyhosts and Custom Regex
Jim Tuttle
jjtuttle at trilug.org
Fri Nov 7 09:01:33 EST 2008
I'm running SSH on both port 22 and port 80. Denyhosts works fine
blocking multiple login attempts on port 22. I've written a custom
regular expression to add to hosts.deny addresses that visit port 80
more than once. It doesn't work though.
An example of the target string in /var/log/auth.log:
Nov 5 20:52:06 server sshd[26186]: Bad protocol version identification 'GET / HTTP/1.0' from 999.999.999.999
The custom regex added to /etc/denyhosts.conf:
USERDEF_FAILED_ENTRY_REGEX=sshd.*Bad protocol version identification.* from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
The target string is matched by SSHD_FORMAT_REGEX, so the user defined
regex should be applied. I've verified the matches in Kodos.
Any idea what I'm doing wrong? Thanks.
--
--
---Jim Tuttle
------------------------------------------------------
http://www.braggtown.com
PGP Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x69B69B08
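Added example, not part of the original post and not DenyHosts' own code: a two-stage check of a user-defined pattern, once against the full auth.log line (what a regex tester such as Kodos sees) and once against only the message part left after the sshd format match. It assumes DenyHosts applies the user pattern to that message part and that the format pattern looks like `SSHD_FORMAT` below; `MESSAGE_ONLY` is a constructed variant for comparison.

```python
import re

# Assumption: modelled on DenyHosts' default SSHD_FORMAT_REGEX, which splits
# off the syslog prefix and keeps only the text after "sshd[pid]:".
SSHD_FORMAT = re.compile(r".* (sshd.*:|\[sshd\]) (?P<message>.*)")

# The pattern from the post, joined onto one line.
POSTED = (r"sshd.*Bad protocol version identification.* from "
          r"(::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})")

# Constructed variant for comparison: same pattern without the "sshd.*" prefix.
MESSAGE_ONLY = POSTED[len("sshd.*"):]

# Sample line from the post (the address is the poster's placeholder).
LINE = ("Nov 5 20:52:06 server sshd[26186]: Bad protocol version "
        "identification 'GET / HTTP/1.0' from 999.999.999.999")


def host_from(pattern, text):
    """Return the captured host if the pattern is found in text, else None."""
    m = re.search(pattern, text)
    return m.group("host") if m else None


def check(pattern, line=LINE):
    """Try the pattern on the whole line and on the extracted message part."""
    fmt = SSHD_FORMAT.match(line)
    message = fmt.group("message") if fmt else None
    return {
        "message": message,
        "full_line": host_from(pattern, line),
        "message_only": host_from(pattern, message) if message else None,
    }


if __name__ == "__main__":
    for name, pat in (("posted", POSTED), ("message-only variant", MESSAGE_ONLY)):
        r = check(pat)
        print(f"{name}: full line -> {r['full_line']}, "
              f"message part -> {r['message_only']}")
```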