Report forwarded to debian-bugs-dist@lists.debian.org, Marco Bertorello <marco@bertorello.ns0.it>: Bug#425519; Package denyhosts.
Acknowledgement sent to Andrew Schulman <andrex@alumni.utexas.net>:
New Bug report received and forwarded. Copy sent to Marco Bertorello <marco@bertorello.ns0.it>.
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: denyhosts: attack missed because of regex error
Date: Tue, 22 May 2007 05:34:27 -0400
Package: denyhosts
Version: 2.6-1
Severity: normal
This morning I noticed a lot of disk activity on my server, and found
that an attack was in progress on my ssh server, which denyhosts had
failed to detect and stop. Here's an excerpt from /var/log/auth.log:
May 22 05:08:27 helium sshd[10002]: Connection from 72.55.148.37 port 54831
May 22 05:08:27 helium sshd[10002]: User root from ip-72-55-148-37.static.privatedns.com not allowed because not listed in AllowUsers
May 22 05:08:28 helium sshd[10006]: Connection from 72.55.148.37 port 55045
May 22 05:08:29 helium sshd[10006]: User root from ip-72-55-148-37.static.privatedns.com not allowed because not listed in AllowUsers
May 22 05:08:29 helium sshd[10011]: Connection from 72.55.148.37 port 55430
May 22 05:08:29 helium sshd[10011]: User root from ip-72-55-148-37.static.privatedns.com not allowed because not listed in AllowUsers
May 22 05:08:29 helium sshd[10015]: Connection from 72.55.148.37 port 55567
May 22 05:08:30 helium sshd[10015]: User root from ip-72-55-148-37.static.privatedns.com not allowed because not listed in AllowUsers
and so on, for several hundred attempts. When I saw that this was
going on, I stopped it via /etc/hosts.deny, and then looked to see why
denyhosts hadn't already put a stop to it. Here's an excerpt from
/var/log/denyhosts:
2007-05-22 05:08:37,625 - denyhosts : ERROR regex pattern ( User (?P<user>.*) not allowed because not listed in AllowUsers ) is missing 'host' group
2007-05-22 05:08:37,625 - denyhosts : ERROR regex pattern ( User (?P<user>.*) not allowed because not listed in AllowUsers ) is missing 'host' group
2007-05-22 05:08:37,625 - denyhosts : ERROR regex pattern ( User (?P<user>.*) not allowed because not listed in AllowUsers ) is missing 'host' group
It seems that the regex doesn't account for the "from address" clause
of the auth.log message. Anyway, one way or another the regex is
wrong, and that caused denyhosts to fail to stop the attack.
FYI here's /etc/denyhosts.conf:
$ egrep -v '^ *(#|$)' /etc/denyhosts.conf
SECURE_LOG = /var/log/auth.log
HOSTS_DENY = /etc/hosts.deny
PURGE_DENY = 4w
BLOCK_SERVICE = sshd
DENY_THRESHOLD_INVALID = 5
DENY_THRESHOLD_VALID = 10
DENY_THRESHOLD_ROOT = 1
DENY_THRESHOLD_RESTRICTED = 1
WORK_DIR = /var/lib/denyhosts
SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES
HOSTNAME_LOOKUP=YES
LOCK_FILE = /var/run/denyhosts.pid
ADMIN_EMAIL = root@localhost
SMTP_HOST = localhost
SMTP_PORT = 25
SMTP_FROM = DenyHosts <nobody@localhost>
SMTP_SUBJECT = DenyHosts Report
AGE_RESET_VALID=5d
AGE_RESET_ROOT=25d
AGE_RESET_RESTRICTED=25d
AGE_RESET_INVALID=10d
DAEMON_LOG = /var/log/denyhosts
DAEMON_SLEEP = 30s
DAEMON_PURGE = 1h
-- System Information:
Debian Release: lenny/sid
APT prefers testing
APT policy: (990, 'testing'), (300, 'unstable'), (200, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.16 (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1) (ignored: LC_ALL set to en_US)
Shell: /bin/sh linked to /bin/bash
Versions of packages denyhosts depends on:
ii lsb-base 3.1-23.1 Linux Standard Base 3.1 init scrip
ii python 2.4.4-2 An interactive high-level object-o
ii python-central 0.5.13-0.1 register and build utility for Pyt
denyhosts recommends no packages.
-- no debconf information
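As an added example that is not part of the original report or of the DenyHosts code base, the following Python reproduces the failure mode described above: the 2.6-1 pattern quoted in the ERROR line has no `host` group, so DenyHosts has nothing to write to hosts.deny and silently denies nothing, while a pattern that also captures the `from <host>` clause yields the host and trips the DENY_THRESHOLD_ROOT = 1 setting from the config. The "fixed" pattern is modelled on the obvious correction and is an assumption, not the exact Red Hat/Debian patch; the sample log lines are constructed to mirror the auth.log excerpt, and the threshold logic is a simplification of DenyHosts' own.

```python
"""Added example (not DenyHosts code): why the 2.6-1 regex missed the attack.

The 'fixed' pattern is an assumed correction (capture the 'from <host>'
clause); the sample log is constructed after the report's auth.log excerpt.
"""
import re
from collections import Counter

# Pattern exactly as quoted in the DenyHosts ERROR line: no 'host' group.
BROKEN = re.compile(r"User (?P<user>.*) not allowed because not listed in AllowUsers")

# Assumed fix: capture the host sshd prints after 'from'. The clause is
# optional so an sshd that omits it still matches (host is then None).
FIXED = re.compile(
    r"User (?P<user>\S+)(?: from (?P<host>\S+))? not allowed because not listed in AllowUsers"
)

# Constructed sample modelled on the report's auth.log excerpt.
SAMPLE_LOG = """\
May 22 05:08:27 helium sshd[10002]: Connection from 72.55.148.37 port 54831
May 22 05:08:27 helium sshd[10002]: User root from ip-72-55-148-37.static.privatedns.com not allowed because not listed in AllowUsers
May 22 05:08:28 helium sshd[10006]: Connection from 72.55.148.37 port 55045
May 22 05:08:29 helium sshd[10006]: User root from ip-72-55-148-37.static.privatedns.com not allowed because not listed in AllowUsers
May 22 05:08:29 helium sshd[10011]: User admin from ip-72-55-148-37.static.privatedns.com not allowed because not listed in AllowUsers
"""


def pattern_usable(pat):
    """Mirror the check behind the ERROR line: a pattern must yield a host to deny."""
    return "host" in pat.groupindex


def failed_logins(pat, log_text):
    """Return (user, host) for each matching line; host is None if not captured."""
    hits = []
    for line in log_text.splitlines():
        m = pat.search(line)
        if m:
            host = m.group("host") if "host" in pat.groupindex else None
            hits.append((m.group("user"), host))
    return hits


def hosts_to_deny(pat, log_text, threshold_root=1, threshold_other=5):
    """Simplified tally: root attempts use DENY_THRESHOLD_ROOT, others a generic threshold."""
    if not pattern_usable(pat):
        # DenyHosts logs 'ERROR ... is missing host group' and denies nothing:
        # the blocker fails open while the attack continues.
        return set()
    counts = Counter()
    root_counts = Counter()
    for user, host in failed_logins(pat, log_text):
        if host is None:
            continue  # nothing to put in hosts.deny for this line
        counts[host] += 1
        if user == "root":
            root_counts[host] += 1
    return {
        host
        for host, n in counts.items()
        if root_counts[host] >= threshold_root or n >= threshold_other
    }


if __name__ == "__main__":
    for name, pat in (("2.6-1 pattern", BROKEN), ("assumed fix", FIXED)):
        print(name, "usable:", pattern_usable(pat), "deny:", hosts_to_deny(pat, SAMPLE_LOG))
```

Two things worth noting. First, the broken pattern still matches the line (its greedy `(?P<user>.*)` swallows `root from ip-72-55-...`), so the failure is not a parse miss but a missing field, which is why the only symptom was an ERROR in DenyHosts' own log; alerting on that line, or on a long run of sshd rejections with no corresponding hosts.deny change, is the check that would have caught this earlier. Second, what the corrected pattern captures here is the reverse-resolved name sshd logged, not the IP 72.55.148.37 from the preceding "Connection from" line, so the host that ends up in hosts.deny is whatever sshd chose to print.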
Information forwarded to debian-bugs-dist@lists.debian.org, Marco Bertorello <marco@bertorello.ns0.it>: Bug#425519; Package denyhosts.
Acknowledgement sent to Andrew Schulman <andrex@alumni.utexas.net>:
Extra info received and forwarded to list. Copy sent to Marco Bertorello <marco@bertorello.ns0.it>.
Looking now at bug 406429, I see that this report is a dup of that one.
The link to https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=237449
there shows that a patch is available for this problem.
Is upstream unaware of this report, or are they not responding to it?
Could we get the patch included in Debian?
Thanks,
Andrew.
Information forwarded to debian-bugs-dist@lists.debian.org, Marco Bertorello <marco@bertorello.ns0.it>: Bug#425519; Package denyhosts.
Acknowledgement sent to Marco Nenciarini <mnencia@prato.linux.it>:
Extra info received and forwarded to list. Copy sent to Marco Bertorello <marco@bertorello.ns0.it>.
package denyhosts
forcemerge 406429 425519
tags 406429 + patch pending
thanks
On Tue, May 22, 2007 at 06:04:43AM -0400, Andrew Schulman wrote:
> Looking now at bug 406429, I see that this report is a dup of that one.
> The link to https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=237449
> there shows that a patch is available for this problem.
>
> Is upstream unaware of this report, or are they not responding to it?
> Could we get the patch included in Debian?
We reported it to upstream, but meantime we will patch it in debian
package.
Ciao
--
---------------------------------------------------------------------
| Marco Nenciarini | Debian/GNU Linux Developer - Plug Member |
| mnencia@prato.linux.it | http://www.prato.linux.it/~mnencia |
---------------------------------------------------------------------
Key fingerprint = FED9 69C7 9E67 21F5 7D95 5270 6864 730D F095 E5E4
Forcibly Merged 406429 425519.
Request was from Marco Nenciarini <mnencia@prato.linux.it>
to control@bugs.debian.org.
(Tue, 22 May 2007 11:30:09 GMT)
Tags added: patch, pending
Request was from Marco Nenciarini <mnencia@prato.linux.it>
to control@bugs.debian.org.
(Tue, 22 May 2007 11:30:11 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Marco Bertorello <marco@bertorello.ns0.it>: Bug#425519; Package denyhosts.
Acknowledgement sent to Andrew Schulman <andrex@alumni.utexas.net>:
Extra info received and forwarded to list. Copy sent to Marco Bertorello <marco@bertorello.ns0.it>.
Source: denyhosts
Source-Version: 2.6-2
We believe that the bug you reported is fixed in the latest version of
denyhosts, which is due to be installed in the Debian FTP archive:
denyhosts_2.6-2.diff.gz
to pool/main/d/denyhosts/denyhosts_2.6-2.diff.gz
denyhosts_2.6-2.dsc
to pool/main/d/denyhosts/denyhosts_2.6-2.dsc
denyhosts_2.6-2_all.deb
to pool/main/d/denyhosts/denyhosts_2.6-2_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 425519@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Marco Bertorello <marco@bertorello.ns0.it> (supplier of updated denyhosts package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Tue, 22 May 2007 20:15:55 +0200
Source: denyhosts
Binary: denyhosts
Architecture: source all
Version: 2.6-2
Distribution: unstable
Urgency: low
Maintainer: Marco Bertorello <marco@bertorello.ns0.it>
Changed-By: Marco Bertorello <marco@bertorello.ns0.it>
Description:
denyhosts - an utility to help sys admins thwart ssh hackers
Closes: 406429 410486 425519
Changes:
denyhosts (2.6-2) unstable; urgency=low
.
* Added a patch from RedHat bugzilla that fix a regex error
(Closes: #425519, #406429)
* Removed mention of Python in package description (Closes: 410486)
Files:
df74e9ccd878355aab7682b368c1f82c 709 net optional denyhosts_2.6-2.dsc
380344732bad326cb12bb8693df0d842 33543 net optional denyhosts_2.6-2.diff.gz
374b4d3bd6a27f7f6b8f66ef4b7bf41a 63974 net optional denyhosts_2.6-2_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFGUzkhaGRzDfCV5eQRAgGKAJ9QhX6DRr2auSgop9UcPIu7pqO+3gCePO+l
Kda7XNuMik+NvaxMMTHFry0=
=z4KM
-----END PGP SIGNATURE-----
Reply sent to Marco Bertorello <marco@bertorello.ns0.it>:
You have taken responsibility.
Notification sent to Greg Kochanski <gpk@kochanski.org>:
Bug acknowledged by developer.
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sun, 01 Jul 2007 07:28:51 GMT)