[PLUG] denyhosts not blocking some IPs with failed ssh root logins

Paul Heinlein heinlein at madboa.com
Thu Jan 15 13:32:29 PST 2015


On Wed, 14 Jan 2015, Galen Seitz wrote:

> Hi,
>
> Is anyone else seeing problems with denyhosts not blocking some failed
> logins?  This popped up in last night's logwatch:

Galen,

I've largely ditched DenyHosts for Fail2ban, but I saw similar things 
a few weeks ago. The problem was that somewhere along the line the 
entries in syslog no longer matched the regex that indicated a failed 
login.

I ended up writing a new set of regexes for Fail2ban. They sometimes 
overlap with the existing ones (which I didn't alter), but I'd rather 
have a bad log entry match twice than not at all.

Bottom line: I'd suggest comparing the log entries that weren't 
matched with the regex code in DenyHosts.

-- 
Paul Heinlein
heinlein at madboa.com
45°38' N, 122°6' W
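
Added example, not part of the original message and not code from DenyHosts or Fail2ban: one way to do the comparison suggested above is to run the failed-login regexes over a log sample and list the failure-looking sshd lines that none of them match. The patterns, the `SUSPECT` heuristic, the `audit` function and the sample log lines are all constructed for illustration.

```python
import re
from collections import Counter

# Hypothetical failed-login patterns, written for this example only. They are
# NOT the regexes shipped with DenyHosts or Fail2ban.
PATTERNS = {
    "failed_password": re.compile(
        r"sshd\[\d+\]: Failed password for (?P<user>\S+) from (?P<host>\S+) port \d+ ssh2$"),
    "invalid_user": re.compile(
        r"sshd\[\d+\]: Invalid user (?P<user>\S+) from (?P<host>\S+)$"),
}

# Loose heuristic for "this sshd line looks like a failed login attempt".
SUSPECT = re.compile(r"sshd\[\d+\]: .*(?:fail|invalid user)", re.IGNORECASE)

# Constructed sample syslog lines (documentation IP ranges, made-up PIDs).
SAMPLE_LOG = """\
Jan 14 03:12:01 host sshd[2101]: Failed password for root from 203.0.113.5 port 40022 ssh2
Jan 14 03:12:05 host sshd[2103]: Failed password for invalid user admin from 203.0.113.5 port 40031 ssh2
Jan 14 03:13:44 host sshd[2110]: Invalid user test from 198.51.100.7
Jan 14 03:14:02 host sshd[2115]: error: PAM: Authentication failure for root from 192.0.2.44
Jan 14 03:15:00 host sshd[2120]: Accepted publickey for alice from 192.0.2.10 port 51000 ssh2
Jan 14 03:15:30 host sshd[2122]: Failed password for root from 203.0.113.5 port 40040 ssh2
""".splitlines()


def audit(lines, patterns=PATTERNS):
    """Return (hits per pattern, suspicious lines that no pattern matched)."""
    hits, unmatched = Counter(), []
    for line in lines:
        if not SUSPECT.search(line):
            continue  # not a failure-looking sshd line; ignore
        matched = [name for name, rx in patterns.items() if rx.search(line)]
        hits.update(matched)  # a line may match twice; that is acceptable
        if not matched:
            unmatched.append(line)
    return hits, unmatched


if __name__ == "__main__":
    hits, unmatched = audit(SAMPLE_LOG)
    for name in PATTERNS:
        print(f"{name}: {hits[name]} line(s)")
    print("Failure-looking lines matched by no pattern:")
    for line in unmatched:
        print("  " + line)
```

To check a real installation, replace `PATTERNS` with the regexes copied from the tool's own configuration and feed `audit` the lines from the host's auth log.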

