Your message dated Tue, 22 May 2007 18:47:02 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#406429: fixed in denyhosts 2.6-2
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
Package: denyhosts
Version: 2.6-1
Severity: normal
This morning I noticed a lot of disk activity on my server, and found
that an attack was in progress on my ssh server, which denyhosts had
failed to detect and stop. Here's an excerpt from /var/log/auth.log:
May 22 05:08:27 helium sshd[10002]: Connection from 72.55.148.37 port 54831
May 22 05:08:27 helium sshd[10002]: User root from ip-72-55-148-37.static.privatedns.com not allowed because not listed in AllowUsers
May 22 05:08:28 helium sshd[10006]: Connection from 72.55.148.37 port 55045
May 22 05:08:29 helium sshd[10006]: User root from ip-72-55-148-37.static.privatedns.com not allowed because not listed in AllowUsers
May 22 05:08:29 helium sshd[10011]: Connection from 72.55.148.37 port 55430
May 22 05:08:29 helium sshd[10011]: User root from ip-72-55-148-37.static.privatedns.com not allowed because not listed in AllowUsers
May 22 05:08:29 helium sshd[10015]: Connection from 72.55.148.37 port 55567
May 22 05:08:30 helium sshd[10015]: User root from ip-72-55-148-37.static.privatedns.com not allowed because not listed in AllowUsers
and so on, for several hundred attempts. When I saw that this was
going on, I stopped it via /etc/hosts.deny, and then looked to see why
denyhosts hadn't already put a stop to it. Here's an excerpt from
/var/log/denyhosts:
2007-05-22 05:08:37,625 - denyhosts : ERROR regex pattern ( User (?P<user>.*) not allowed because not listed in AllowUsers ) is missing 'host' group
2007-05-22 05:08:37,625 - denyhosts : ERROR regex pattern ( User (?P<user>.*) not allowed because not listed in AllowUsers ) is missing 'host' group
2007-05-22 05:08:37,625 - denyhosts : ERROR regex pattern ( User (?P<user>.*) not allowed because not listed in AllowUsers ) is missing 'host' group
It seems that the regex doesn't account for the "from address" clause
of the auth.log message. Anyway, one way or another the regex is
wrong, and that caused denyhosts to fail to stop the attack.
FYI here's /etc/denyhosts.conf:
$ egrep -v '^ *(#|$)' /etc/denyhosts.conf
SECURE_LOG = /var/log/auth.log
HOSTS_DENY = /etc/hosts.deny
PURGE_DENY = 4w
BLOCK_SERVICE = sshd
DENY_THRESHOLD_INVALID = 5
DENY_THRESHOLD_VALID = 10
DENY_THRESHOLD_ROOT = 1
DENY_THRESHOLD_RESTRICTED = 1
WORK_DIR = /var/lib/denyhosts
SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES
HOSTNAME_LOOKUP=YES
LOCK_FILE = /var/run/denyhosts.pid
ADMIN_EMAIL = [EMAIL PROTECTED]
SMTP_HOST = localhost
SMTP_PORT = 25
SMTP_FROM = DenyHosts <[EMAIL PROTECTED]>
SMTP_SUBJECT = DenyHosts Report
AGE_RESET_VALID=5d
AGE_RESET_ROOT=25d
AGE_RESET_RESTRICTED=25d
AGE_RESET_INVALID=10d
DAEMON_LOG = /var/log/denyhosts
DAEMON_SLEEP = 30s
DAEMON_PURGE = 1h
-- System Information:
Debian Release: lenny/sid
APT prefers testing
APT policy: (990, 'testing'), (300, 'unstable'), (200, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.16 (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1) (ignored: LC_ALL set to en_US)
Shell: /bin/sh linked to /bin/bash
Versions of packages denyhosts depends on:
ii lsb-base 3.1-23.1 Linux Standard Base 3.1 init scrip
ii python 2.4.4-2 An interactive high-level object-o
ii python-central 0.5.13-0.1 register and build utility for Pyt
denyhosts recommends no packages.
-- no debconf information
--- End Message ---
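An added illustration, not part of the bug report or of the denyhosts package, of why the pattern quoted in the denyhosts log drops these events and how a pattern that captures the "from <host>" clause recovers the address to block. The corrected pattern, the helper functions and the sample lines are my own constructions (not the RedHat patch); the sample lines follow the auth.log format shown above, and the threshold mirrors DENY_THRESHOLD_ROOT = 1 from the reporter's configuration.

```python
import re

# The pattern quoted in the denyhosts error log: it has a 'user' group but
# no 'host' group, so there is no address to write to /etc/hosts.deny.
BROKEN_PATTERN = re.compile(
    r"User (?P<user>.*) not allowed because not listed in AllowUsers"
)

# Assumed corrected pattern (constructed here, not the RedHat patch): the
# "from <host>" clause of the sshd message is captured as 'host'.
FIXED_PATTERN = re.compile(
    r"User (?P<user>\S+)(?: from (?P<host>\S+))? not allowed because "
    r"not listed in AllowUsers"
)

# Constructed sample lines in the format sshd writes to auth.log.
SAMPLE_LOG = [
    "May 22 05:08:27 helium sshd[10002]: User root from "
    "ip-72-55-148-37.static.privatedns.com not allowed because not listed in AllowUsers",
    "May 22 05:08:29 helium sshd[10006]: User root from "
    "ip-72-55-148-37.static.privatedns.com not allowed because not listed in AllowUsers",
    "May 22 05:08:30 helium sshd[10020]: Accepted publickey for alice from 192.0.2.10 port 41234 ssh2",
]


def extract_host(pattern, line):
    """Return the host a matching line is attributed to. A match whose pattern
    has no 'host' group is the error condition seen in /var/log/denyhosts;
    a line that does not match at all yields None."""
    m = pattern.search(line)
    if m is None:
        return None
    if "host" not in m.groupdict():
        raise ValueError("regex pattern is missing 'host' group")
    return m.group("host")


def count_root_failures(pattern, lines, threshold=1):
    """Count AllowUsers rejections per host and return the hosts that reach
    the threshold. With the broken pattern every event is logged as an error
    and dropped, so nothing is ever returned for blocking."""
    counts = {}
    for line in lines:
        try:
            host = extract_host(pattern, line)
        except ValueError:
            continue  # the event is lost, exactly as in the report
        if host is None:
            continue
        counts[host] = counts.get(host, 0) + 1
    return {h for h, n in counts.items() if n >= threshold}
```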
--- Begin Message ---
Source: denyhosts
Source-Version: 2.6-2
We believe that the bug you reported is fixed in the latest version of
denyhosts, which is due to be installed in the Debian FTP archive:
denyhosts_2.6-2.diff.gz
to pool/main/d/denyhosts/denyhosts_2.6-2.diff.gz
denyhosts_2.6-2.dsc
to pool/main/d/denyhosts/denyhosts_2.6-2.dsc
denyhosts_2.6-2_all.deb
to pool/main/d/denyhosts/denyhosts_2.6-2_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Marco Bertorello <[EMAIL PROTECTED]> (supplier of updated denyhosts package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
Format: 1.7
Date: Tue, 22 May 2007 20:15:55 +0200
Source: denyhosts
Binary: denyhosts
Architecture: source all
Version: 2.6-2
Distribution: unstable
Urgency: low
Maintainer: Marco Bertorello <[EMAIL PROTECTED]>
Changed-By: Marco Bertorello <[EMAIL PROTECTED]>
Description:
denyhosts - a utility to help sys admins thwart ssh hackers
Closes: 406429 410486 425519
Changes:
denyhosts (2.6-2) unstable; urgency=low
.
* Added a patch from RedHat bugzilla that fixes a regex error
(Closes: #425519, #406429)
* Removed mention of Python in package description (Closes: 410486)
Files:
df74e9ccd878355aab7682b368c1f82c 709 net optional denyhosts_2.6-2.dsc
380344732bad326cb12bb8693df0d842 33543 net optional denyhosts_2.6-2.diff.gz
374b4d3bd6a27f7f6b8f66ef4b7bf41a 63974 net optional denyhosts_2.6-2_all.deb
--- End Message ---