Bug 1184037 - denyhosts out of date, does not catch ssh brute force attacks against root
Summary: denyhosts out of date, does not catch ssh brute force attacks against root
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: denyhosts
Version: el6
Hardware: x86_64
OS: Linux
Target Milestone: ---
Assignee: Dennis Gilmore
QA Contact: Fedora Extras Quality Assurance
Depends On:
TreeView+ depends on / blocked
Reported: 2015-01-20 14:02 UTC by Ryan
Modified: 2015-03-08 22:43 UTC (History)
4 users (show)

Fixed In Version: denyhosts-2.6-20.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2015-03-08 22:39:40 UTC
Type: Bug

Attachments (Terms of Use)
proposed patch for EL6 package (1.31 KB, patch)
2015-02-15 21:15 UTC, Bob Mader
no flags Details | Diff

Description Ryan 2015-01-20 14:02:14 UTC
Description of problem:
The current version of Denyhosts maintained in the repository is 2.6 and it suffers from a bug that does not recognize ssh attacks against the "root" user account.

It looks like denyhosts moved their project from sourceforge to github (github.com/denyhosts vs the old one at http://sourceforge.net/projects/denyhosts).

A fix was issued for this bug in version 2.7, but they appear to be on version 2.8 or 2.9 now.

Version-Release number of selected component (if applicable):
2.6 is the version in the repositories.  2.8/2.9 is the current release.

How reproducible:
very reproducible.

Steps to Reproduce:
1. Install denyhosts from EPEL repository for EL6.
2. Start denyhosts
3. Try to log in as the root user with an incorrect password to simulate a brute-force attack. (Note your IP address).
4. Repeat the login procedure in step 3 enough times to trigger denyhosts to identify you as a brute-force attacker and ban you.
5. Check /etc/hosts.deny for the IP address you were logging in from.  It is not there.

Actual results:
Your IP address was not appended to /etc/hosts.deny if you tried to brute force the root user account with passwords enough times to triger denyhosts to ban your IP address.

Expected results:
denyhosts should append your IP address to /etc/hosts.deny.

Additional info:
This is fixed in the newer versions of denyhosts.  Was just curious when it would be available in the repos.  We did an update recently on several servers we have and they are all exhibiting this behavior.  We have switched to "fail2ban" in the mean time until this issue is resolved.

Comment 1 Jason Tibbitts 2015-01-20 17:48:55 UTC
Oh, cool, someone forked it.  They conveniently neglected to notify the mailing list.  I will see about getting an update out for Fedora, but I don't mess with EPEL at all because I just can't test it.

Denyhosts may still be going away as openssh has dropped tcp_wrappers support, but maybe if there's a new upstream they'll work around that.

Comment 2 Jason Tibbitts 2015-02-05 20:58:31 UTC
denyhosts has been updated in Fedora.  

Dennis, the current Fedora release _might_ work on EL7; I'm not sure.  It certainly won't work on EL6 or 5 (needs the initscript and probably some of the spec cleanups undone).

Comment 3 Bob Mader 2015-02-12 22:39:49 UTC
As a workaround, setting below in /etc/denyhosts.conf corrects the problem for the current denyhosts-2.6 packages (tested with fc21 and el6)... 

USERDEF_FAILED_ENTRY_REGEX=Failed (?P<method>\S*) for (?P<invalid>invalid user |illegal user )?(?P<user>.*) from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})( port \d+)?( ssh2)?$

I also tested 2.9-2.fc21 from updates-testing and it works as expected.

Comment 4 Jason Tibbitts 2015-02-12 23:31:36 UTC
If you'd like to give karma for the F21 update (which is now at 2.9-4) it would be appreciated.  Otherwise it will take several more days before I can push it to the stable repository.

Comment 5 Bob Mader 2015-02-15 21:15:11 UTC
Created attachment 991984 [details]
proposed patch for EL6 package

Take a look at attached patch which should fix it. The failure mode
reported in this BZ was introduced with the 2.6-19.el6.1 update that
was to address CVE-2013-6890. That patch tightened up the regular
expressions in regex.py to address the CVE, including adding $ to the
end of some of them. Problem is that FAILED_ENTRY_REGEX and
SUCCESSFUL_ENTRY_REGEX didn't match the whole message and so the $
broke those. The attached patch (after the existing patches in the
package) should fix it for EL6.

Comment 6 Fedora Update System 2015-02-16 04:05:10 UTC
denyhosts-2.9-4.el7 has been submitted as an update for Fedora EPEL 7.

Comment 7 Fedora Update System 2015-02-17 19:01:24 UTC
Package denyhosts-2.9-4.el7:
* should fix your issue,
* was pushed to the Fedora EPEL 7 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=epel-testing denyhosts-2.9-4.el7'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).

Comment 8 Michal Bruncko 2015-02-17 19:31:42 UTC
@Bob: thanks very much for your patch for el6! It working great.

@Dennis: can we expect this patch to be included into el6 package of denyhosts please? (as this bug report was open mainly toward el6 branch).

thank you.

Comment 9 Jason Tibbitts 2015-02-17 19:54:26 UTC
I can't speak for Dennis, but even though I don't really mess with EPEL, I will go ahead and push an updated package later today because I know this can be a pretty bug problem.  I hope both of you, and anyone else watching this bug, will give karma.

I have no idea about EL5, though.  I guess the patch would work there as well if that branch isn't terribly out of date.

Don't look to me to push denyhosts 2.9 (or now 2.10) to EL6 or EL5, though.  There's nothing preventing it from happening if someone wants to do the work.  I'll be happy to approve (and if necessary, sponsor) comaintainers.

Comment 10 Fedora Update System 2015-02-17 22:11:45 UTC
denyhosts-2.6-20.el6 has been submitted as an update for Fedora EPEL 6.

Comment 11 Fedora Update System 2015-02-17 22:13:25 UTC
denyhosts-2.6-6.el5 has been submitted as an update for Fedora EPEL 5.

Comment 12 Fedora Update System 2015-03-08 22:39:40 UTC
denyhosts-2.9-4.el7 has been pushed to the Fedora EPEL 7 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 13 Fedora Update System 2015-03-08 22:41:45 UTC
denyhosts-2.6-6.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 14 Fedora Update System 2015-03-08 22:43:25 UTC
denyhosts-2.6-20.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.