From: Douglas J. <do...@do...> - 2017-01-11 16:00:29
Hi, I’m trying to get DenyHosts to work with Mac OS X Sierra and they’ve completely changed the logging system. I’m extracting a log of sshd errors which comes out in this format:

2017-01-10 20:36:30.011890-0500 localhost sshd[923]: error: maximum authentication attempts exceeded for djohnsto from ::1 port 49378 ssh2 [preauth]
2017-01-10 20:45:57.017895-0500 localhost sshd[1042]: error: maximum authentication attempts exceeded for root from 175.144.192.13 port 57251 ssh2 [preauth]
2017-01-10 20:55:06.612743-0500 localhost sshd[1154]: error: maximum authentication attempts exceeded for root from 186.183.187.157 port 39671 ssh2 [preauth]
2017-01-10 21:06:04.431491-0500 localhost sshd[1285]: error: maximum authentication attempts exceeded for root from 111.200.254.137 port 7560 ssh2 [preauth]
2017-01-10 21:14:36.159897-0500 localhost sshd[1400]: error: maximum authentication attempts exceeded for root from 113.124.163.248 port 36585 ssh2 [preauth]
2017-01-10 21:18:38.006617-0500 localhost sshd[1460]: error: maximum authentication attempts exceeded for root from 122.4.218.185 port 35886 ssh2 [preauth]
2017-01-10 21:26:55.522988-0500 localhost sshd[1573]: error: maximum authentication attempts exceeded for root from 92.246.184.96 port 3639 ssh2 [preauth]
2017-01-10 22:00:05.868704-0500 localhost sshd[1994]: error: maximum authentication attempts exceeded for root from 180.56.215.197 port 45414 ssh2 [preauth]
2017-01-10 22:19:04.996519-0500 localhost sshd[2250]: error: maximum authentication attempts exceeded for root from 88.255.199.46 port 60614 ssh2 [preauth]
2017-01-10 22:39:05.037431-0500 localhost sshd[2520]: error: maximum authentication attempts exceeded for root from 156.213.135.44 port 49282 ssh2 [preauth]
2017-01-10 23:14:58.258112-0500 localhost sshd[2965]: error: maximum authentication attempts exceeded for invalid user admin from 189.11.106.212 port 60485 ssh2 [preauth]
2017-01-10 23:15:58.093303-0500 localhost sshd[2979]: error: maximum authentication attempts exceeded for root from 114.252.87.240 port 20415 ssh2 [preauth]
2017-01-10 23:16:33.889693-0500 localhost sshd[2989]: error: maximum authentication attempts exceeded for root from 186.133.255.212 port 54982 ssh2 [preauth]
2017-01-10 23:22:35.789119-0500 localhost sshd[3068]: error: maximum authentication attempts exceeded for root from 186.130.76.169 port 43829 ssh2 [preauth]
2017-01-11 02:05:54.677038-0500 localhost sshd[4895]: error: maximum authentication attempts exceeded for invalid user support from 131.255.132.174 port 4439 ssh2 [preauth]
2017-01-11 02:14:16.921375-0500 localhost sshd[4984]: error: maximum authentication attempts exceeded for root from 58.19.145.5 port 55806 ssh2 [preauth]
2017-01-11 03:02:20.976151-0500 localhost sshd[5516]: error: PAM: unknown user for illegal user support from 123.31.34.18
2017-01-11 03:02:21.586793-0500 localhost sshd[5516]: error: PAM: authentication error for illegal user support from 123.31.34.18
2017-01-11 03:02:22.201227-0500 localhost sshd[5516]: error: Received disconnect from 123.31.34.18 port 62961:3: com.jcraft.jsch.JSchException: Auth fail [preauth]
2017-01-11 03:15:46.475934-0500 localhost sshd[5664]: error: maximum authentication attempts exceeded for invalid user admin from 123.123.147.102 port 54648 ssh2 [preauth]
_________

I came up with the REGEX:

SSHD_FORMAT_REGEX=(?P<timestamp>\S+?\s+?\S+?)\s+?\S+?\s+?(?P<Sender>.*?)\[(?P<PID>\d+?)\]:\s+error: (?P<message>.*) from (?P<host>.+?) port (?P<port>\d+).*

Is there any problem with that? Most of my regex experience is with Perl.

I have also gotten some errors that seem to come from the SYNC facility:

2017-01-11 10:28:03,938 - sync : ERROR invalid literal for int() with base 10: ''
2017-01-11 10:28:04,039 - sync : ERROR <Fault 105: "Error in get_new_hosts: Request instance has no attribute 'received_headers'">
Traceback (most recent call last):
  File "/Library/Python/2.7/site-packages/denyhosts/DenyHosts/sync.py", line 119, in receive_new_hosts
    self.__prefs.get("SYNC_DOWNLOAD_RESILIENCY"))
  File "/opt/local/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/xmlrpclib.py", line 1243, in __call__
    return self.__send(self.__name, args)
  File "/opt/local/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/xmlrpclib.py", line 1602, in __request
    verbose=self.__verbose
  File "/opt/local/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/xmlrpclib.py", line 1283, in request
    return self.single_request(host, handler, request_body, verbose)
  File "/opt/local/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/xmlrpclib.py", line 1316, in single_request
    return self.parse_response(response)
  File "/opt/local/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/xmlrpclib.py", line 1493, in parse_response
    return u.close()
  File "/opt/local/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/xmlrpclib.py", line 800, in close
    raise Fault(**self._stack[0])
Fault: <Fault 105: "Error in get_new_hosts: Request instance has no attribute 'received_headers'">

Can anyone shed some light on that error?

Thank you very much,
Doug
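
Added example, not part of the original message: a Python check of the posted SSHD_FORMAT_REGEX against four lines copied from the log excerpt above, one per message shape. It exercises only Python's re module, not DenyHosts itself; the use of re.match is an assumption about how the pattern is anchored, and RELAXED is a hypothetical variant in which the port field is optional.

```python
import re

# Shared prefix of the posted pattern: timestamp, hostname, sender, PID.
PREFIX = (r"(?P<timestamp>\S+?\s+?\S+?)\s+?\S+?\s+?(?P<Sender>.*?)"
          r"\[(?P<PID>\d+?)\]:\s+error: ")

# PREFIX + tail is the regex exactly as posted.
POSTED = re.compile(
    PREFIX + r"(?P<message>.*) from (?P<host>.+?) port (?P<port>\d+).*")

# Hypothetical variant (an assumption, not from the post): "port N" optional,
# host limited to non-whitespace so it cannot absorb trailing text.
RELAXED = re.compile(
    PREFIX + r"(?P<message>.*) from (?P<host>\S+)(?: port (?P<port>\d+))?.*")

# Lines copied from the log excerpt in the post.
SAMPLE = [
    "2017-01-10 20:36:30.011890-0500 localhost sshd[923]: error: maximum "
    "authentication attempts exceeded for djohnsto from ::1 port 49378 ssh2 [preauth]",
    "2017-01-10 23:14:58.258112-0500 localhost sshd[2965]: error: maximum "
    "authentication attempts exceeded for invalid user admin from 189.11.106.212 "
    "port 60485 ssh2 [preauth]",
    "2017-01-11 03:02:20.976151-0500 localhost sshd[5516]: error: PAM: unknown "
    "user for illegal user support from 123.31.34.18",
    "2017-01-11 03:02:22.201227-0500 localhost sshd[5516]: error: Received "
    "disconnect from 123.31.34.18 port 62961:3: com.jcraft.jsch.JSchException: "
    "Auth fail [preauth]",
]


def parse(regex, line):
    """Return the named groups for a line, or None if the line is not parsed."""
    m = regex.match(line)
    return m.groupdict() if m else None


def unmatched(regex, lines):
    """Lines the pattern silently skips; these never reach the blocking logic."""
    return [line for line in lines if parse(regex, line) is None]


if __name__ == "__main__":
    for name, rx in (("posted", POSTED), ("relaxed", RELAXED)):
        for line in SAMPLE:
            g = parse(rx, line)
            print(name, (g["host"], g["port"], g["message"]) if g else "NO MATCH")
```

With the posted pattern, the PAM lines in the excerpt, which carry no port field, are the ones that go unparsed.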