[TriLUG] Denyhosts and Custom Regex

Jim Tuttle jjtuttle at trilug.org
Fri Nov 7 09:01:33 EST 2008


I'm running SSH on both port 22 and port 80. Denyhosts works fine
blocking multiple login attempts on port 22. I've written a custom
regular expression to add to hosts.deny addresses that visit port 80
more than once. It doesn't work though.

An example of the target string in /var/log/auth.log:


Nov  5 20:52:06 server sshd[26186]: Bad protocol version identification 'GET / HTTP/1.0' from 999.999.999.999

The custom regex added to /etc/denyhosts.conf:


USERDEF_FAILED_ENTRY_REGEX=sshd.*Bad protocol version identification.* from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})

The target string is matched by SSHD_FORMAT_REGEX, so the user defined
regex should be applied. I've verified the matches in Kodos.

Any idea what I'm doing wrong?  Thanks.

-- 
--
---Jim Tuttle
------------------------------------------------------
http://www.braggtown.com
PGP Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x69B69B08
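
Added example (not part of the original post, and not DenyHosts code): a Python check of the posted regex against the quoted log line, first on the whole line as a tool like Kodos would see it, then on the message part alone. It assumes DenyHosts passes user-defined regexes only the "message" group captured by SSHD_FORMAT_REGEX; the SSHD_FORMAT_REGEX pattern and the MESSAGE_ONLY variant below are assumptions to compare against the installed DenyHosts.

```python
import re

# Constructed from the log line quoted in the post, joined onto one line.
LOG_LINE = ("Nov  5 20:52:06 server sshd[26186]: Bad protocol version "
            "identification 'GET / HTTP/1.0' from 999.999.999.999")

# Assumption: stand-in for DenyHosts' SSHD_FORMAT_REGEX, which separates the
# syslog/sshd prefix from the message text. Check your installed copy.
SSHD_FORMAT_REGEX = re.compile(r".* (sshd.*:|\[sshd\]) (?P<message>.*)")

IPV4 = r"(::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"

# The regex from the post, as a single line.
POSTED = re.compile(
    r"sshd.*Bad protocol version identification.* from " + IPV4)

# Hypothetical variant: same pattern without the leading "sshd.*", so it
# can match text that no longer carries the "sshd[pid]:" prefix.
MESSAGE_ONLY = re.compile(
    r"Bad protocol version identification.* from " + IPV4)


def host_from(regex, text):
    """Return the captured host, or None when the regex does not match."""
    m = regex.search(text) if text is not None else None
    return m.group("host") if m else None


def diagnose(line):
    """Show what each regex captures on the full line and on the message."""
    fmt = SSHD_FORMAT_REGEX.match(line)
    message = fmt.group("message") if fmt else None
    return {
        "message": message,
        "posted_on_full_line": host_from(POSTED, line),
        "posted_on_message": host_from(POSTED, message),
        "message_only_on_message": host_from(MESSAGE_ONLY, message),
    }


if __name__ == "__main__":
    for key, value in diagnose(LOG_LINE).items():
        print(f"{key}: {value!r}")
```

Under that assumption, the posted regex matches the full line but not the message text, because the "sshd[26186]:" prefix has already been stripped before the user-defined regex runs.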



