From: René B. <rb...@ca...> - 2008-04-02 08:30:38
|
René Berber wrote: > Pavel Kosina wrote: > >> I've got the log full of such a things: >> >> Mar 30 11:24:21 localhost sshd[17762]: Address 201.236.88.219 maps to >> webserver.ingenieriaambiental.cl, but this does not map >> back to the address - POSSIBLE BREAKIN ATTEMPT! > > And after that? The next line in the log should be the real break-in > attempt, with a user name and password. > >> How to add it to denyhosts? > > If, as you say, the log is full of those messages and there is nothing > else from the same IP address... you could add them by using a user > regex (in denyhosts.conf), something like: > > USERDEF_FAILED_ENTRY_REGEX=Address (?P<user>\S+) maps .* does not map .* Oops! sorry, it should say: USERDEF_FAILED_ENTRY_REGEX=Address (?P<host>\S+) maps .* does not map .* -- René Berber |