Bug 1184037
| Summary: | denyhosts out of date, does not catch ssh brute force attacks against root | | |
|---|---|---|---|
| Product: | [Fedora] Fedora EPEL | Reporter: | Ryan <rmartin> |
| Component: | denyhosts | Assignee: | Dennis Gilmore <dennis> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | el6 | CC: | bz-reply, dennis, michal.bruncko, rmartin |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Fixed In Version: | denyhosts-2.6-20.el6 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Last Closed: | 2015-03-08 22:39:40 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |

Description
Ryan
2015-01-20 14:02:14 UTC
Oh, cool, someone forked it. They conveniently neglected to notify the mailing list. I will see about getting an update out for Fedora, but I don't mess with EPEL at all because I just can't test it. Denyhosts may still be going away as openssh has dropped tcp_wrappers support, but maybe if there's a new upstream they'll work around that.

denyhosts has been updated in Fedora. Dennis, the current Fedora release _might_ work on EL7; I'm not sure. It certainly won't work on EL6 or 5 (needs the initscript and probably some of the spec cleanups undone).

As a workaround, setting the following in /etc/denyhosts.conf corrects the problem for the current denyhosts-2.6 packages (tested with fc21 and el6)...

```
USERDEF_FAILED_ENTRY_REGEX=Failed (?P<method>\S*) for (?P<invalid>invalid user |illegal user )?(?P<user>.*) from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})( port \d+)?( ssh2)?$
```

I also tested 2.9-2.fc21 from updates-testing and it works as expected.

If you'd like to give karma for the F21 update (which is now at 2.9-4) it would be appreciated. Otherwise it will take several more days before I can push it to the stable repository.

Created attachment 991984: proposed patch for EL6 package

Take a look at the attached patch, which should fix it. The failure mode reported in this BZ was introduced with the 2.6-19.el6.1 update that was to address CVE-2013-6890. That patch tightened up the regular expressions in regex.py to address the CVE, including adding $ to the end of some of them. Problem is that FAILED_ENTRY_REGEX and SUCCESSFUL_ENTRY_REGEX didn't match the whole message and so the $ broke those. The attached patch (after the existing patches in the package) should fix it for EL6.

denyhosts-2.9-4.el7 has been submitted as an update for Fedora EPEL 7.
https://admin.fedoraproject.org/updates/denyhosts-2.9-4.el7

Package denyhosts-2.9-4.el7:

* should fix your issue,
* was pushed to the Fedora EPEL 7 testing repository,
* should be available at your local mirror within two days.

Update it with:

```
# su -c 'yum update --enablerepo=epel-testing denyhosts-2.9-4.el7'
```

as soon as you are able to. Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-EPEL-2015-0811/denyhosts-2.9-4.el7
then log in and leave karma (feedback).

@Bob: thanks very much for your patch for el6! It's working great.
@Dennis: can we expect this patch to be included in the el6 package of denyhosts, please? (as this bug report was opened mainly for the el6 branch). Thank you.

I can't speak for Dennis, but even though I don't really mess with EPEL, I will go ahead and push an updated package later today because I know this can be a pretty big problem. I hope both of you, and anyone else watching this bug, will give karma.

I have no idea about EL5, though. I guess the patch would work there as well if that branch isn't terribly out of date.

Don't look to me to push denyhosts 2.9 (or now 2.10) to EL6 or EL5, though. There's nothing preventing it from happening if someone wants to do the work. I'll be happy to approve (and if necessary, sponsor) comaintainers.

denyhosts-2.6-20.el6 has been submitted as an update for Fedora EPEL 6.
https://admin.fedoraproject.org/updates/denyhosts-2.6-20.el6

denyhosts-2.6-6.el5 has been submitted as an update for Fedora EPEL 5.
https://admin.fedoraproject.org/updates/denyhosts-2.6-6.el5

denyhosts-2.9-4.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.

denyhosts-2.6-6.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.

denyhosts-2.6-20.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
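
The failure mode discussed in the comments above (a `$` anchor added to a pattern that does not cover the whole sshd message), as an added example that is not part of this bug report or of the denyhosts package. `WORKAROUND` is the regex quoted in the thread; `ANCHORED_NO_TAIL`, the sample log messages, and the use of `search()` on the message body are assumptions made for illustration.

```python
import re

# Workaround pattern quoted in this bug report (USERDEF_FAILED_ENTRY_REGEX).
WORKAROUND = re.compile(
    r"Failed (?P<method>\S*) for (?P<invalid>invalid user |illegal user )?"
    r"(?P<user>.*) from (::ffff:)?"
    r"(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})( port \d+)?( ssh2)?$"
)

# Constructed stand-in for the reported failure mode: same pattern, anchored
# with $ but with no allowance for the " port N ssh2" tail sshd appends.
# It is NOT copied from the 2.6-19.el6.1 package.
ANCHORED_NO_TAIL = re.compile(
    r"Failed (?P<method>\S*) for (?P<invalid>invalid user |illegal user )?"
    r"(?P<user>.*) from (::ffff:)?"
    r"(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$"
)

# Constructed sshd message bodies (RFC 5737 documentation addresses).
SAMPLES = [
    "Failed password for root from 203.0.113.7 port 51234 ssh2",
    "Failed password for invalid user admin from ::ffff:198.51.100.9 port 22 ssh2",
    "Failed keyboard-interactive/pam for root from 192.0.2.44 port 4001 ssh2",
    "Failed password for root from 203.0.113.7",
]

def parse_failure(pattern, message):
    """Return (user, host, invalid_user), or None if the line is not counted."""
    # Assumption: the pattern is applied with search() to the message body.
    m = pattern.search(message)
    if m is None:
        return None
    return m.group("user"), m.group("host"), m.group("invalid") is not None

def coverage(pattern, messages):
    """Split messages into (caught, missed) for a candidate pattern."""
    caught, missed = [], []
    for msg in messages:
        (caught if parse_failure(pattern, msg) else missed).append(msg)
    return caught, missed

if __name__ == "__main__":
    for name, pat in (("anchored, no tail", ANCHORED_NO_TAIL), ("workaround", WORKAROUND)):
        caught, missed = coverage(pat, SAMPLES)
        print(f"{name}: caught {len(caught)}, missed {len(missed)}")
        for msg in missed:
            print("  MISSED:", msg)
```

Replacing `SAMPLES` with failed-login message bodies from your own sshd log gives a quick regression check for any `USERDEF_FAILED_ENTRY_REGEX` before it goes into /etc/denyhosts.conf.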