[Denyhosts-user] Getting DenyHosts to work with MacOS X Sierra (10.12.2)

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Hi,

I’m trying to get DenyHosts to work with Mac OS X Sierra and  they’ve completely changed the logging system.

I’m extracting a log of sshd errors which comes out in this format:

2017-01-10 20:36:30.011890-0500  localhost sshd[923]: error: maximum authentication attempts exceeded for djohnsto from ::1 port 49378 ssh2 [preauth]
2017-01-10 20:45:57.017895-0500  localhost sshd[1042]: error: maximum authentication attempts exceeded for root from 175.144.192.13 port 57251 ssh2 [preauth]
2017-01-10 20:55:06.612743-0500  localhost sshd[1154]: error: maximum authentication attempts exceeded for root from 186.183.187.157 port 39671 ssh2 [preauth]
2017-01-10 21:06:04.431491-0500  localhost sshd[1285]: error: maximum authentication attempts exceeded for root from 111.200.254.137 port 7560 ssh2 [preauth]
2017-01-10 21:14:36.159897-0500  localhost sshd[1400]: error: maximum authentication attempts exceeded for root from 113.124.163.248 port 36585 ssh2 [preauth]
2017-01-10 21:18:38.006617-0500  localhost sshd[1460]: error: maximum authentication attempts exceeded for root from 122.4.218.185 port 35886 ssh2 [preauth]
2017-01-10 21:26:55.522988-0500  localhost sshd[1573]: error: maximum authentication attempts exceeded for root from 92.246.184.96 port 3639 ssh2 [preauth]
2017-01-10 22:00:05.868704-0500  localhost sshd[1994]: error: maximum authentication attempts exceeded for root from 180.56.215.197 port 45414 ssh2 [preauth]
2017-01-10 22:19:04.996519-0500  localhost sshd[2250]: error: maximum authentication attempts exceeded for root from 88.255.199.46 port 60614 ssh2 [preauth]
2017-01-10 22:39:05.037431-0500  localhost sshd[2520]: error: maximum authentication attempts exceeded for root from 156.213.135.44 port 49282 ssh2 [preauth]
2017-01-10 23:14:58.258112-0500  localhost sshd[2965]: error: maximum authentication attempts exceeded for invalid user admin from 189.11.106.212 port 60485 ssh2 [preauth]
2017-01-10 23:15:58.093303-0500  localhost sshd[2979]: error: maximum authentication attempts exceeded for root from 114.252.87.240 port 20415 ssh2 [preauth]
2017-01-10 23:16:33.889693-0500  localhost sshd[2989]: error: maximum authentication attempts exceeded for root from 186.133.255.212 port 54982 ssh2 [preauth]
2017-01-10 23:22:35.789119-0500  localhost sshd[3068]: error: maximum authentication attempts exceeded for root from 186.130.76.169 port 43829 ssh2 [preauth]
2017-01-11 02:05:54.677038-0500  localhost sshd[4895]: error: maximum authentication attempts exceeded for invalid user support from 131.255.132.174 port 4439 ssh2 [preauth]
2017-01-11 02:14:16.921375-0500  localhost sshd[4984]: error: maximum authentication attempts exceeded for root from 58.19.145.5 port 55806 ssh2 [preauth]
2017-01-11 03:02:20.976151-0500  localhost sshd[5516]: error: PAM: unknown user for illegal user support from 123.31.34.18
2017-01-11 03:02:21.586793-0500  localhost sshd[5516]: error: PAM: authentication error for illegal user support from 123.31.34.18
2017-01-11 03:02:22.201227-0500  localhost sshd[5516]: error: Received disconnect from 123.31.34.18 port 62961:3: com.jcraft.jsch.JSchException: Auth fail [preauth]
2017-01-11 03:15:46.475934-0500  localhost sshd[5664]: error: maximum authentication attempts exceeded for invalid user admin from 123.123.147.102 port 54648 ssh2 [preauth]_________

I came up with the REGEX:

SSHD_FORMAT_REGEX=(?P<timestamp>\S+?\s+?\S+?)\s+?\S+?\s+?(?P<Sender>.*?)\[(?P<PID>\d+?)\]:\s+error: (?P<message>.*) from (?P<host>.+?) port (?P<port>\d+).*

Is there any problem with that? Most of my regex experience is with Perl.

I have also gotten some errors that seem to come from the SYNC facility:

2017-01-11 10:28:03,938 - sync        : ERROR    invalid literal for int() with base 10: ''
2017-01-11 10:28:04,039 - sync        : ERROR    <Fault 105: "Error in get_new_hosts: Request instance has no attribute 'received_headers'">
Traceback (most recent call last):
  File "/Library/Python/2.7/site-packages/denyhosts/DenyHosts/sync.py", line 119, in receive_new_hosts
    self.__prefs.get("SYNC_DOWNLOAD_RESILIENCY"))
  File "/opt/local/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/xmlrpclib.py", line 1243, in __call__
    return self.__send(self.__name, args)
  File "/opt/local/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/xmlrpclib.py", line 1602, in __request
    verbose=self.__verbose
  File "/opt/local/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/xmlrpclib.py", line 1283, in request
    return self.single_request(host, handler, request_body, verbose)
  File "/opt/local/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/xmlrpclib.py", line 1316, in single_request
    return self.parse_response(response)
  File "/opt/local/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/xmlrpclib.py", line 1493, in parse_response
    return u.close()
  File "/opt/local/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/xmlrpclib.py", line 800, in close
    raise Fault(**self._stack[0])
Fault: <Fault 105: "Error in get_new_hosts: Request instance has no attribute 'received_headers'">

Can anyone shed some light on that error?

Thank you very much,

Doug