Bug 248047 - app-admin/denyhosts-2.6-r1 keeps missing on PAM auth regexes.
Status: RESOLVED TEST-REQUEST
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: x86 Linux
Importance: High normal
Assignee: No maintainer - Look at https://wiki.gentoo.org/wiki/Project:Proxy_Maintainers if you want to take care of it
Keywords: NeedPatch
Reported: 2008-11-21 19:39 UTC by James Homuth
Modified: 2012-09-23 08:25 UTC
Description James Homuth 2008-11-21 19:39:14 UTC
I haven't really noticed this until the last 2-3 days, when the number of SSH attacks on both my Gentoo boxes increased a fair bit. But when it trips an auth mechanism managed by PAM, Denyhosts tends to not catch what's being spit out by syslog. I'll paste example logs below, plus the regexes I added to the config that, according to multiple sources, should be catching it. The entries in question:
Nov 20 23:28:15 nova sshd[31721]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=90.190.11.51 user=root     
Nov 20 23:28:17 nova sshd[31719]: error: PAM: Authentication failure for root from 90.190.110.51 

And my regexes:
USERDEF_FAILED_ENTRY_REGEX=error: PAM: Authentication failure for (?P<user>.*?) from (?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
USERDEF_FAILED_ENTRY_REGEX=pam_unix\(sshd:auth\): authentication failure\; logname=(.+)? uid=\d+ euid=\d+ tty=ssh ruser=(.+)? rhost=(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})


I'd appreciate it if this could be investigated, and if something's broken on my end and not the software's, I'd appreciate knowing that just as much.

Thank you in advance,
James

Reproducible: Always

Steps to Reproduce:
1. Add above regexes to /etc/denyhosts.conf
2. /etc/init.d/denyhosts restart
3. Monitor syslog entries, optionally with another utility that will watch for the regexes in question.

Actual Results:  
Authentication failure messages showed as expected, however Denyhosts didn't respond. Was tested by multiple users from multiple IP addresses.

Expected Results:  
After at least one of those authentication failure lines, Denyhosts should be adding the offending IP to /etc/hosts.deny.

Everything else is taken from the default config as set up in the Gentoo portage tree. Information is being pulled from /var/log/auth.log.
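
An offline check of the two patterns from the description against the two log lines it quotes, added here as an example; it is not part of the original report and not DenyHosts code. It assumes each pattern is applied with Python's re.search. The helper failed_host and the two CONSTRUCTED_LINES entries are hypothetical.

```python
import re

# Patterns copied verbatim from the USERDEF_FAILED_ENTRY_REGEX lines in the report.
USERDEF_PATTERNS = [
    r"error: PAM: Authentication failure for (?P<user>.*?) from "
    r"(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})",
    r"pam_unix\(sshd:auth\): authentication failure\; logname=(.+)? uid=\d+ "
    r"euid=\d+ tty=ssh ruser=(.+)? rhost=(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})",
]

# The two auth.log lines quoted in the report (trailing whitespace dropped).
REPORT_LINES = [
    "Nov 20 23:28:15 nova sshd[31721]: pam_unix(sshd:auth): authentication failure; "
    "logname= uid=0 euid=0 tty=ssh ruser= rhost=90.190.11.51 user=root",
    "Nov 20 23:28:17 nova sshd[31719]: error: PAM: Authentication failure for root "
    "from 90.190.110.51",
]

# Constructed lines (not from the report) for the edge cases.
CONSTRUCTED_LINES = [
    # rhost carries a hostname instead of a dotted quad
    "Nov 20 23:30:01 nova sshd[31800]: pam_unix(sshd:auth): authentication failure; "
    "logname= uid=0 euid=0 tty=ssh ruser= rhost=host.example.net user=root",
    # successful login, must not be flagged
    "Nov 20 23:31:44 nova sshd[31850]: Accepted publickey for alice "
    "from 192.0.2.10 port 50022 ssh2",
]


def failed_host(line, patterns=USERDEF_PATTERNS):
    """Return (pattern_index, host) for the first matching pattern, else None.

    Assumption: patterns are applied with re.search, i.e. anywhere in the line.
    """
    for idx, pattern in enumerate(patterns):
        match = re.search(pattern, line)
        if match:
            return idx, match.group("host")
    return None


if __name__ == "__main__":
    for line in REPORT_LINES + CONSTRUCTED_LINES:
        print(failed_host(line), "<-", line)
```

Under that assumption both report lines yield a host, so the pattern syntax alone does not explain the misses. The constructed hostname line shows a case the dotted-quad host group never captures.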
Comment 1 Jeremy Olexa (darkside) (RETIRED) archtester gentoo-dev Security 2009-08-01 20:28:00 UTC
assigning to maintainer
Comment 2 Jeremy Olexa (darkside) (RETIRED) archtester gentoo-dev Security 2010-04-27 15:51:39 UTC
Sorry, I'm inclined to think this isn't much of a problem since no one else has reported it. Have you been able to investigate more?
Comment 3 James Homuth 2010-04-29 00:50:27 UTC
(In reply to comment #2)
> Sorry, I'm inclined to think this isn't much of a problem since no one else has
> reported it. Have you been able to investigate more?

I've done a bit more investigating on it, yes. Including testing that same regular expression with other, similar software (fail2ban). Due to lack of activity on this bug I just resorted to running minus PAM for the time being, since it isn't absolutely necessary on my end anyway.
Comment 4 Jeremy Olexa (darkside) (RETIRED) archtester gentoo-dev Security 2010-05-04 02:38:38 UTC
Thanks for the feedback. Low priority, not sure of a fix.
Comment 5 Pacho Ramos gentoo-dev 2012-09-23 08:25:24 UTC
+*denyhosts-2.6-r6 (23 Sep 2012)
+
+  23 Sep 2012; Pacho Ramos <pacho@gentoo.org> +denyhosts-2.6-r6.ebuild,
+  +files/denyhosts-2.6-daemon-control.patch,
+  +files/denyhosts-2.6-defconffile.patch,
+  +files/denyhosts-2.6-foreground_mode.patch,
+  +files/denyhosts-2.6-hostname.patch, +files/denyhosts-2.6-plugin_deny.patch,
+  +files/denyhosts-2.6-single_config_switch.patch:
+  Include multiple Fedora and Debian patches that also provide a fix for plugin
+  deny behavior (#264165 by Christoph Erdle).
+
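
Review bot: The entry does not say which, if any, of the six added patches addresses bug 248047: it credits only #264165 for plugin deny behavior, and none of the listed file names (daemon-control, defconffile, foreground_mode, hostname, plugin_deny, single_config_switch) refers to failed-entry regex matching. If one of them is expected to change how USERDEF_FAILED_ENTRY_REGEX lines are handled, name it and add this bug's number to the entry so the reporter knows what to retest.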

Try with this new version please