Bug 1184037 - denyhosts out of date, does not catch ssh brute force attacks against root
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: denyhosts
Version: el6
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Dennis Gilmore
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2015-01-20 14:02 UTC by Ryan
Modified: 2015-03-08 22:43 UTC

Fixed In Version: denyhosts-2.6-20.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-03-08 22:39:40 UTC
Type: Bug


Attachments
proposed patch for EL6 package (1.31 KB, patch)
2015-02-15 21:15 UTC, Bob Mader

Description Ryan 2015-01-20 14:02:14 UTC
Description of problem:
The current version of Denyhosts maintained in the repository is 2.6 and it suffers from a bug that does not recognize ssh attacks against the "root" user account.

It looks like denyhosts moved their project from sourceforge to github (github.com/denyhosts vs the old one at http://sourceforge.net/projects/denyhosts).

A fix was issued for this bug in version 2.7, but they appear to be on version 2.8 or 2.9 now.

Version-Release number of selected component (if applicable):
2.6 is the version in the repositories.  2.8/2.9 is the current release.

How reproducible:
very reproducible.

Steps to Reproduce:
1. Install denyhosts from EPEL repository for EL6.
2. Start denyhosts
3. Try to log in as the root user with an incorrect password to simulate a brute-force attack. (Note your IP address).
4. Repeat the login procedure in step 3 enough times to trigger denyhosts to identify you as a brute-force attacker and ban you.
5. Check /etc/hosts.deny for the IP address you were logging in from.  It is not there.

Actual results:
Your IP address was not appended to /etc/hosts.deny if you tried to brute force the root user account with passwords enough times to trigger denyhosts to ban your IP address.

Expected results:
denyhosts should append your IP address to /etc/hosts.deny.

Additional info:
This is fixed in the newer versions of denyhosts.  Was just curious when it would be available in the repos.  We did an update recently on several servers we have and they are all exhibiting this behavior.  We have switched to "fail2ban" in the meantime until this issue is resolved.

Comment 1 Jason Tibbitts 2015-01-20 17:48:55 UTC
Oh, cool, someone forked it.  They conveniently neglected to notify the mailing list.  I will see about getting an update out for Fedora, but I don't mess with EPEL at all because I just can't test it.

Denyhosts may still be going away as openssh has dropped tcp_wrappers support, but maybe if there's a new upstream they'll work around that.

Comment 2 Jason Tibbitts 2015-02-05 20:58:31 UTC
denyhosts has been updated in Fedora.  

Dennis, the current Fedora release _might_ work on EL7; I'm not sure.  It certainly won't work on EL6 or 5 (needs the initscript and probably some of the spec cleanups undone).

Comment 3 Bob Mader 2015-02-12 22:39:49 UTC
As a workaround, setting the following in /etc/denyhosts.conf corrects the problem for the current denyhosts-2.6 packages (tested with fc21 and el6):

USERDEF_FAILED_ENTRY_REGEX=Failed (?P<method>\S*) for (?P<invalid>invalid user |illegal user )?(?P<user>.*) from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})( port \d+)?( ssh2)?$

I also tested 2.9-2.fc21 from updates-testing and it works as expected.

Comment 4 Jason Tibbitts 2015-02-12 23:31:36 UTC
If you'd like to give karma for the F21 update (which is now at 2.9-4) it would be appreciated.  Otherwise it will take several more days before I can push it to the stable repository.

Comment 5 Bob Mader 2015-02-15 21:15:11 UTC
Created attachment 991984
proposed patch for EL6 package

Take a look at attached patch which should fix it. The failure mode
reported in this BZ was introduced with the 2.6-19.el6.1 update that
was to address CVE-2013-6890. That patch tightened up the regular
expressions in regex.py to address the CVE, including adding $ to the
end of some of them. Problem is that FAILED_ENTRY_REGEX and
SUCCESSFUL_ENTRY_REGEX didn't match the whole message and so the $
broke those. The attached patch (after the existing patches in the
package) should fix it for EL6.
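
Added example (not part of the bug report or of the denyhosts package): the effect described in Comment 5, checked against the workaround pattern from Comment 3. ANCHORED_NO_TAIL is a constructed stand-in for a "$"-anchored pattern that does not cover the whole message, not the regex shipped in 2.6-19.el6.1; the sample messages and the helper names are also constructed, and the patterns are assumed to be applied to the sshd message text after the syslog prefix.

```python
import re

# Workaround pattern quoted in Comment 3 (USERDEF_FAILED_ENTRY_REGEX).
WORKAROUND = re.compile(
    r"Failed (?P<method>\S*) for (?P<invalid>invalid user |illegal user )?"
    r"(?P<user>.*) from (::ffff:)?"
    r"(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})( port \d+)?( ssh2)?$"
)

# Constructed stand-in for the failure mode in Comment 5: the same pattern
# anchored with $ but without the optional " port N ssh2" tail. This is NOT
# the regex from the EL6 package, only an illustration of the effect.
ANCHORED_NO_TAIL = re.compile(
    r"Failed (?P<method>\S*) for (?P<invalid>invalid user |illegal user )?"
    r"(?P<user>.*) from (::ffff:)?"
    r"(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$"
)

# Constructed sshd message bodies (syslog prefix already stripped);
# addresses come from the RFC 5737 documentation ranges.
SAMPLES = [
    "Failed password for root from 192.0.2.10 port 51234 ssh2",
    "Failed password for invalid user admin from 198.51.100.7 port 40022 ssh2",
    "Failed password for root from ::ffff:203.0.113.5 port 2222 ssh2",
    "Failed password for root from 192.0.2.10",
    "Accepted password for alice from 192.0.2.20 port 50000 ssh2",
]


def failed_logins(pattern, messages):
    """Return (user, host, is_invalid_user) for each message the pattern matches."""
    hits = []
    for msg in messages:
        m = pattern.search(msg)
        if m:
            hits.append((m.group("user"), m.group("host"), bool(m.group("invalid"))))
    return hits


def missed(pattern, messages):
    """Return the 'Failed ...' messages the pattern does not recognise."""
    return [m for m in messages if m.startswith("Failed ") and not pattern.search(m)]


if __name__ == "__main__":
    print("workaround hits:", failed_logins(WORKAROUND, SAMPLES))
    print("anchored-without-tail misses:", missed(ANCHORED_NO_TAIL, SAMPLES))
```

Running the same missed() check against real lines from /var/log/secure after changing a pattern shows whether failed root logins are still being counted.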

Comment 6 Fedora Update System 2015-02-16 04:05:10 UTC
denyhosts-2.9-4.el7 has been submitted as an update for Fedora EPEL 7.
https://admin.fedoraproject.org/updates/denyhosts-2.9-4.el7

Comment 7 Fedora Update System 2015-02-17 19:01:24 UTC
Package denyhosts-2.9-4.el7:
* should fix your issue,
* was pushed to the Fedora EPEL 7 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=epel-testing denyhosts-2.9-4.el7'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-EPEL-2015-0811/denyhosts-2.9-4.el7
then log in and leave karma (feedback).

Comment 8 Michal Bruncko 2015-02-17 19:31:42 UTC
@Bob: thanks very much for your patch for el6! It's working great.

@Dennis: can we expect this patch to be included in the el6 package of denyhosts, please? (as this bug report was opened mainly for the el6 branch).

thank you.

Comment 9 Jason Tibbitts 2015-02-17 19:54:26 UTC
I can't speak for Dennis, but even though I don't really mess with EPEL, I will go ahead and push an updated package later today because I know this can be a pretty big problem.  I hope both of you, and anyone else watching this bug, will give karma.

I have no idea about EL5, though.  I guess the patch would work there as well if that branch isn't terribly out of date.

Don't look to me to push denyhosts 2.9 (or now 2.10) to EL6 or EL5, though.  There's nothing preventing it from happening if someone wants to do the work.  I'll be happy to approve (and if necessary, sponsor) comaintainers.

Comment 10 Fedora Update System 2015-02-17 22:11:45 UTC
denyhosts-2.6-20.el6 has been submitted as an update for Fedora EPEL 6.
https://admin.fedoraproject.org/updates/denyhosts-2.6-20.el6

Comment 11 Fedora Update System 2015-02-17 22:13:25 UTC
denyhosts-2.6-6.el5 has been submitted as an update for Fedora EPEL 5.
https://admin.fedoraproject.org/updates/denyhosts-2.6-6.el5

Comment 12 Fedora Update System 2015-03-08 22:39:40 UTC
denyhosts-2.9-4.el7 has been pushed to the Fedora EPEL 7 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 13 Fedora Update System 2015-03-08 22:41:45 UTC
denyhosts-2.6-6.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 14 Fedora Update System 2015-03-08 22:43:25 UTC
denyhosts-2.6-20.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.

