Description of problem: See this: http://www.ossec.net/en/attacking-loganalysis.html#denyhosts which details a DOS vulnerability in the current version of Denyhosts (2.6). In particular this part details the problem and the fix: " FAILED_ENTRY_REGEX5 = re.compile(r"""User (?P.*) .*from (?P.*) not allowed because none of user's groups are listed in AllowGroups""") It is basically looking for "User from .." anywhere in the log, not checking if it is in the middle of the "bad protocol version" log. How do we fix that? Just make the regex more robust (an "$" at the end would solve it)! You may think it is not a big deal but what if instead of one IP address I pass all? -- all on hosts.deny means block every IP. Would it block the whole internet out of the box? Yes, it would! "
A perhaps clearer description of the fix: We spoke with DenyHosts author, Phil Schwartz, but no official patch is available yet. However, by changing the FAILED_ENTRY_REGEX5 (at regex.py) to the following, fixes the problem: FAILED_ENTRY_REGEX5 = re.compile(r"""User (?P.*) .*from (?P.*) not allowed because none of user's groups are listed in AllowGroups$""")
Created attachment 157433 [details] Fix DOS vulnerability in REGEX5 Trivial patch - thought it might save you a few mins :)
Actually I've already applied a fix and a build is in progress.
Oh, ok, sorry for the noise.
Builds: http://koji.fedoraproject.org/koji/buildinfo?buildID=9311 (f8) http://koji.fedoraproject.org/koji/buildinfo?buildID=9312 (f7) I will push the f7 package to updates-testing as soon as it's finished. Testing would be appreciated. I'll push it to release tomorrow if there are no issues.
OK, I just pulled the F7 build from Koji and installed it. Inspecting regex.py I see the correct fix to REGEX5, as well as the previous fix to REGEX7 and so all looks well to me. # diff -u /home/rpmb/tmp/DenyHosts-2.6/DenyHosts/regex.py.original regex.py --- /home/rpmb/tmp/DenyHosts-2.6/DenyHosts/regex.py.original 2007-06-20 00:50:28.000000000 +0100 +++ regex.py 2007-06-20 01:05:47.000000000 +0100 @@ -17,11 +17,11 @@ FAILED_ENTRY_REGEX4 = re.compile(r"""Authentication failure for (?P<user>.*) .*from (?P<host>.*)""") -FAILED_ENTRY_REGEX5 = re.compile(r"""User (?P<user>.*) .*from (?P<host>.*) not allowed because none of user's groups are listed in AllowGroups""") +FAILED_ENTRY_REGEX5 = re.compile(r"""User (?P<user>.*) .*from (?P<host>.*) not allowed because none of user's groups are listed in AllowGroups$""") FAILED_ENTRY_REGEX6 = re.compile(r"""Did not receive identification string .*from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})""") -FAILED_ENTRY_REGEX7 = re.compile(r"""User (?P<user>.*) not allowed because not listed in AllowUsers""") +FAILED_ENTRY_REGEX7 = re.compile(r"""User (?P<user>.*) .*from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) not allowed because not listed in AllowUsers""") # these are reserved for future versions
OK, exploit tested here on fixed package with no effect. Fix committed to eight branches and built for six. Push to F7 release requested.
denyhosts-2.6-5.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.
*** Bug 252291 has been marked as a duplicate of this bug. ***