Your message dated Wed, 05 Nov 2008 16:32:03 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#430449: fixed in denyhosts 2.6-5
has caused the Debian Bug report #430449,
regarding denyhosts: PLUGIN_DENY is called many times with previously denied IPs
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)
--
430449: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=430449
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: denyhosts
Version: 2.6-1
Severity: normal
Please consider a brand new installation of denyhosts, not run, with the following
configuration:
SECURE_LOG = /var/log/auth.log
HOSTS_DENY = /var/local/ssh-denyhosts.txt
PURGE_DENY = 15w
PURGE_THRESHOLD = 2
BLOCK_SERVICE =
DENY_THRESHOLD_INVALID = 5
DENY_THRESHOLD_VALID = 10
DENY_THRESHOLD_ROOT = 3
DENY_THRESHOLD_RESTRICTED = 1
WORK_DIR = /var/lib/denyhosts
SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES
HOSTNAME_LOOKUP=YES
LOCK_FILE = /var/run/denyhosts.pid
ADMIN_EMAIL = [EMAIL PROTECTED]
SMTP_HOST = localhost
SMTP_PORT = 25
SMTP_FROM = DenyHosts from blabluga <[EMAIL PROTECTED]>
SMTP_SUBJECT = DenyHosts Report
SYSLOG_REPORT=YES
AGE_RESET_VALID=5d
AGE_RESET_ROOT=25d
AGE_RESET_RESTRICTED=25d
AGE_RESET_INVALID=10d
PLUGIN_DENY=/usr/local/bin/dropssh
DAEMON_LOG = /var/log/denyhosts
DAEMON_SLEEP = 30s
DAEMON_PURGE = 1h
And /usr/local/bin/dropssh containing:
# $1 is the host DenyHosts passes to the PLUGIN_DENY script
iptables -t filter -A ssh-deny -s "$1" -j DROP
echo `date` "$1" >> /tmp/denied-log.txt
All files related to denyhosts are empty:
blabluga:~# ls -l /var/local/ssh-denyhosts.txt /var/lib/denyhosts/* /tmp/denied-log.txt
-rw-r--r-- 1 root root 0 Jun 24 16:36 /tmp/denied-log.txt
-rw-r--r-- 1 root root 0 Jun 24 16:11 /var/lib/denyhosts/hosts
-rw-r--r-- 1 root root 0 Jun 24 16:11 /var/lib/denyhosts/hosts-restricted
-rw-r--r-- 1 root root 0 Jun 24 16:11 /var/lib/denyhosts/hosts-root
-rw-r--r-- 1 root root 0 Jun 24 16:11 /var/lib/denyhosts/hosts-valid
-rw-r--r-- 1 root root 0 Jun 24 16:11 /var/lib/denyhosts/offset
-rw-r--r-- 1 root root 0 Jun 24 16:09 /var/lib/denyhosts/suspicious-logins
-rw-r--r-- 1 root root 0 Jun 24 16:11 /var/lib/denyhosts/users-hosts
-rw-r--r-- 1 root root 0 Jun 24 16:11 /var/lib/denyhosts/users-invalid
-rw-r--r-- 1 root root 0 Jun 24 16:12 /var/lib/denyhosts/users-valid
-rw-r--r-- 1 root staff 0 Jun 24 16:32 /var/local/ssh-denyhosts.txt
After starting the daemon, the situation is as follows.
I received an email with a report:
Added the following hosts to /var/local/ssh-denyhosts.txt:
222.240.131.82 (unknown)
125.71.31.222 (unknown)
142.59.92.133 (sugar.pinnaclesecurity.ca)
Indeed, those three IPs are in the file.
The plugin has been run and the IPs are added to the ssh-deny chain:
blabluga:~# iptables -L ssh-deny -n
Chain ssh-deny (1 references)
target prot opt source destination
DROP 0 -- 222.240.131.82 0.0.0.0/0
DROP 0 -- 125.71.31.222 0.0.0.0/0
DROP 0 -- 142.59.92.133 0.0.0.0/0
and debug info has been logged into /tmp/denied-log.txt:
blabluga:~# cat /tmp/denied-log.txt
Sun Jun 24 16:38:40 CEST 2007 222.240.131.82
Sun Jun 24 16:38:40 CEST 2007 125.71.31.222
Sun Jun 24 16:38:40 CEST 2007 142.59.92.133
So, let's wait for another brute force attack...
I've got another mail:
Added the following hosts to /var/local/ssh-denyhosts.txt:
61.95.206.237 (dsl-KK-static-237.206.95.61.airtelbroadband.in)
There are four entries in /var/local/ssh-denyhosts.txt, but let's see
what has happened.
blabluga:~# iptables -L ssh-deny -n
Chain ssh-deny (1 references)
target prot opt source destination
DROP 0 -- 222.240.131.82 0.0.0.0/0
DROP 0 -- 125.71.31.222 0.0.0.0/0
DROP 0 -- 142.59.92.133 0.0.0.0/0
DROP 0 -- 61.95.206.237 0.0.0.0/0
DROP 0 -- 222.240.131.82 0.0.0.0/0
DROP 0 -- 125.71.31.222 0.0.0.0/0
DROP 0 -- 142.59.92.133 0.0.0.0/0
blabluga:~# cat /tmp/denied-log.txt
Sun Jun 24 16:38:40 CEST 2007 222.240.131.82
Sun Jun 24 16:38:40 CEST 2007 125.71.31.222
Sun Jun 24 16:38:40 CEST 2007 142.59.92.133
Sun Jun 24 18:19:12 CEST 2007 61.95.206.237
Sun Jun 24 18:19:12 CEST 2007 222.240.131.82
Sun Jun 24 18:19:12 CEST 2007 125.71.31.222
Sun Jun 24 18:19:12 CEST 2007 142.59.92.133
It looks like PLUGIN_DENY has been called with the recently blocked IP
and, additionally, with all previously blocked IPs.
-- System Information:
Debian Release: 4.0
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-4-686
Locale: LANG=C, LC_CTYPE=pl_PL (charmap=ISO-8859-2)
Versions of packages denyhosts depends on:
ii lsb-base 3.1-23.1 Linux Standard Base 3.1 init scrip
ii python 2.4.4-2 An interactive high-level object-o
ii python-central 0.5.12 register and build utility for Pyt
denyhosts recommends no packages.
-- no debconf information
--- End Message ---
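The report above shows a plugin that appends unconditionally, so every repeated PLUGIN_DENY call leaves a duplicate DROP rule in the chain. The following is an added example, not part of the original report or of the DenyHosts package: a plugin that validates its argument and appends a rule only when it is absent. It assumes the ssh-deny chain from the report and an iptables that supports -C; is_ipv4 and deny_host are names chosen here.

```shell
#!/bin/sh
# Added example, not from the bug report: an idempotent PLUGIN_DENY handler.
# Assumptions: the ssh-deny chain from the report already exists, and the
# installed iptables supports -C (check whether a rule is present).
IPTABLES="${IPTABLES:-iptables}"      # overridable, e.g. with a stub for testing
CHAIN="${CHAIN:-ssh-deny}"
DENY_LOG="${DENY_LOG:-/tmp/denied-log.txt}"

# Succeed only for a dotted-quad IPv4 address with each octet in 0..255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    rest=$1 n=0
    while [ -n "$rest" ]; do
        octet=${rest%%.*}
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
        n=$((n + 1))
        case "$rest" in *.*) rest=${rest#*.} ;; *) rest= ;; esac
    done
    [ "$n" -eq 4 ]
}

# Add a DROP rule for $1 unless an identical rule is already in the chain.
# Returns 0 = rule added, 1 = already present, 2 = invalid argument,
# 3 = iptables failed to add the rule.
deny_host() {
    is_ipv4 "$1" || return 2
    if "$IPTABLES" -t filter -C "$CHAIN" -s "$1" -j DROP 2>/dev/null; then
        return 1
    fi
    "$IPTABLES" -t filter -A "$CHAIN" -s "$1" -j DROP || return 3
    echo "$(date) $1" >> "$DENY_LOG"
}

# Entry point when DenyHosts invokes the plugin as: <plugin> <host>
if [ "$#" -ge 1 ]; then
    deny_host "$1" || [ "$?" -eq 1 ]   # a repeated host is not an error
fi
```

With this handler, the replay seen in the report (one new host followed by all previously denied ones) adds a single rule and a single log line.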
--- Begin Message ---
Source: denyhosts
Source-Version: 2.6-5
We believe that the bug you reported is fixed in the latest version of
denyhosts, which is due to be installed in the Debian FTP archive:
denyhosts_2.6-5.diff.gz
to pool/main/d/denyhosts/denyhosts_2.6-5.diff.gz
denyhosts_2.6-5.dsc
to pool/main/d/denyhosts/denyhosts_2.6-5.dsc
denyhosts_2.6-5_all.deb
to pool/main/d/denyhosts/denyhosts_2.6-5_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Marco Bertorello <[EMAIL PROTECTED]> (supplier of updated denyhosts package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Fri, 10 Oct 2008 13:34:12 +0000
Source: denyhosts
Binary: denyhosts
Architecture: source all
Version: 2.6-5
Distribution: unstable
Urgency: low
Maintainer: Marco Bertorello <[EMAIL PROTECTED]>
Changed-By: Marco Bertorello <[EMAIL PROTECTED]>
Description:
denyhosts - a utility to help sys admins thwart ssh crackers
Closes: 430449 501541
Changes:
denyhosts (2.6-5) unstable; urgency=low
.
* added useful patch that make PLUGIN_DENY works (Closes: 430449)
* cleaned-up a forgotten and not used patch from package
* added useful patch for dh_reenable from Todd A. Jacobs
<[EMAIL PROTECTED]> that make dh_reenable
able to work with a personalized HOSTS_DENY file (Closes: 501541)
* fixed a little typo in init script
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkkRx9AACgkQaGRzDfCV5eSVkACcC0HzzUSQFdKq8JMk/tHL9wOD
yW4An0r7DXJRWs8LUlmVcngYbKot955a
=x4rY
-----END PGP SIGNATURE-----
--- End Message ---