My denyhosts is not updating the hosts.deny file for dictionary attacks. It's been running for a while now, and nothing ever gets added. My ssh is at a non-standard port, so I never see any dictionary attacks there. The only reason I want to run denyhosts is to protect my vsftpd.
I have the following userdef set in my denyhosts.conf file:
Code:
USERDEF_FAILED_ENTRY_REGEX=.* vsftpd.* authentication failure.* rhost=(?P<host>\S+) user=(?P<user>\S+).*
USERDEF_FAILED_ENTRY_REGEX=.* vsftpd.* authentication failure.* rhost=(?P<host>\S+)
I also have thousands of these entries in my auth.log
Code:
Nov 30 09:10:49 mediacenter vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=Administrator rhost=82.213.5.228
Nov 30 09:10:53 mediacenter vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
Nov 30 09:10:53 mediacenter vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=Administrator rhost=82.213.5.228
Nov 30 09:10:56 mediacenter vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
Nov 30 09:10:57 mediacenter vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=Administrator rhost=82.213.5.228
Nov 30 09:11:00 mediacenter vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
Nov 30 09:11:00 mediacenter vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=Administrator rhost=82.213.5.228
But it's simply not updating the hosts.deny file. It's not got any entries at all.
However, in the /var/lib/denyhosts/hosts-restricted file, I have
Code:
117.102.83.99:0:Sat Nov 29 15:28:40 2008
192.168.1.121:0:Sat Nov 29 15:28:40 2008
192.88.168.35:0:Mon Dec 1 18:02:56 2008
61.142.17.124:0:Tue Dec 2 07:44:56 2008
63.82.82.17:0:Tue Dec 2 19:50:56 2008
71.97.107.175:0:Sat Nov 29 15:28:40 2008
Any idea what's wrong?
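
A stand-alone check of the two posted USERDEF_FAILED_ENTRY_REGEX values against the posted auth.log lines, added here as an example; it is not part of the original post and not DenyHosts code. It assumes plain `re.search` on the whole line and does not model any filtering DenyHosts does before it tries these patterns; the function name and the last sample line (192.0.2.10, user bob) are constructed for illustration.

```python
import re
from collections import Counter

# The two USERDEF_FAILED_ENTRY_REGEX values from the post, verbatim.
USERDEF_PATTERNS = [
    r".* vsftpd.* authentication failure.* rhost=(?P<host>\S+) user=(?P<user>\S+).*",
    r".* vsftpd.* authentication failure.* rhost=(?P<host>\S+)",
]

# First three lines are copied from the auth.log excerpt in the post.
# The fourth is CONSTRUCTED to show the shape the first pattern expects.
SAMPLE_LOG = """\
Nov 30 09:10:49 mediacenter vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=Administrator rhost=82.213.5.228
Nov 30 09:10:53 mediacenter vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
Nov 30 09:10:53 mediacenter vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=Administrator rhost=82.213.5.228
Nov 30 09:11:02 mediacenter vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=bob rhost=192.0.2.10 user=bob
"""


def tally_failures(log_text, patterns):
    """Return (hits per pattern, failures per host, lines no pattern matched)."""
    compiled = [re.compile(p) for p in patterns]
    per_pattern = [0] * len(compiled)
    per_host = Counter()
    unmatched = []
    for line in log_text.splitlines():
        first_hit = None
        for i, rx in enumerate(compiled):
            m = rx.search(line)
            if m:
                per_pattern[i] += 1
                first_hit = first_hit or m
        if first_hit:
            # Count each failing line once per host, whichever pattern hit.
            per_host[first_hit.group("host")] += 1
        else:
            unmatched.append(line)
    return per_pattern, per_host, unmatched


if __name__ == "__main__":
    per_pattern, per_host, unmatched = tally_failures(SAMPLE_LOG, USERDEF_PATTERNS)
    for pattern, hits in zip(USERDEF_PATTERNS, per_pattern):
        print(f"{hits} line(s) matched: {pattern}")
    for host, count in per_host.most_common():
        print(f"{host}: {count} failed login(s)")
    print(f"{len(unmatched)} line(s) matched no pattern")
```

On the posted lines only the second pattern matches, because they carry no `user=` field after `rhost=`; the regexes themselves do extract the host, so the check narrows the question to how the lines reach DenyHosts rather than to the pattern syntax.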