I noticed that when using plugins, every time a new host is denied, the plugin is run for hosts that are already blocked and also for allowed hosts that had 'failed' entries in the log.
I made a simple plugin that only logs the IPs into a file. My local
network is 172.16.0.0/24 and all of these hosts are 'allowed'.
First I ssh'ed to my server from 172.16.0.221 and intentionally entered
a wrong password. That was cool and DenyHosts didn't do anything.
Then I connected to the server from an external non-allowed IP and again
entered a wrong password. DenyHosts blocked that host - as expected:
> Mar 16 10:55:55 - denyhosts : INFO new denied hosts:
> ['xxx.xxx.xxx.xxx']
But the plugin was called twice - once for the blocked host and once for
the 'allowed' host:
> Tue Mar 16 10:55:55 CET 2010 Blocking xxx.xxx.xxx.xxx
> *Tue Mar 16 10:55:55 CET 2010 Blocking 172.16.0.221*
Then I connected to my server from another local allowed host
(172.16.0.214) - again, DenyHosts was cool about it and didn't do anything.
Then I connected from a new external host - now DenyHosts blocked that one:
> Mar 16 11:06:45 - denyhosts : INFO new denied hosts:
> ['yyy.yyy.yyy.yyy']
But the plugin was called 4 times - blocking the previously blocked
hosts again and adding two new:
> /*Tue Mar 16 11:06:45 CET 2010 Blocking 172.16.0.214*/
> Tue Mar 16 11:06:45 CET 2010 Blocking xxx.xxx.xxx.xxx
> *Tue Mar 16 11:06:45 CET 2010 Blocking 172.16.0.221*
> /Tue Mar 16 11:06:45 CET 2010 Blocking yyy.yyy.yyy.yyy/
The solution seems to be this patch:
--- deny_hosts.py.orig 2010-03-15 16:00:07.000000000 +0100
+++ deny_hosts.py 2010-03-15 20:56:39.000000000 +0100
@@ -443,7 +443,7 @@
self.__report.add_section(msg, new_denied_hosts)
if self.__sync_server: self.sync_add_hosts(new_denied_hosts)
plugin_deny = self.__prefs.get('PLUGIN_DENY')
- if plugin_deny: plugin.execute(plugin_deny, deny_hosts)
+ if plugin_deny: plugin.execute(plugin_deny, new_denied_hosts)
new_suspicious_logins = login_attempt.get_new_suspicious_logins()
if new_suspicious_logins:
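Review bot: On the changed `plugin.execute(plugin_deny, ...)` line, nothing tells a plugin author that PLUGIN_DENY's input has changed from the full list to only the hosts denied in this pass, even though the line now uses the same `new_denied_hosts` list as the `add_section` and `sync_add_hosts` calls just above it. A short comment on that line, or a note wherever PLUGIN_DENY is documented, would make the contract explicit, for example `# run the plugin only for hosts denied in this pass`. It is also worth checking whether `deny_hosts` is still needed in this method after the change, since the plugin log quoted above shows it contained allowed hosts such as 172.16.0.221.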
Now the plugin is called only for newly denied hosts...
Regards, Danilo
--
Danilo Godec, sistemska podpora / system administration
Visit our updated web page at www.agenda.si
OPEN SOURCE AND LINUX
SERVICES : BUSINESS SOLUTIONS : IT MANAGEMENT : IT INFRASTRUCTURE : TRAINING :
SOFTWARE
_______________________________________________ Denyhosts-user mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/denyhosts-user
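On an installation that still runs the unpatched code, a PLUGIN_DENY script can protect itself against the repeated calls described in the message above. The following is an added example, not part of the original post or of DenyHosts; it assumes the plugin receives the host as its only argument, and `STATE_FILE`, `LOG_FILE` and `ALLOWED_PREFIX` are hypothetical names.

```shell
#!/bin/sh
# Added example (not DenyHosts code): a PLUGIN_DENY handler that tolerates
# being called again for hosts it has already handled or for local hosts.
# Assumption: DenyHosts passes the host as the only argument ($1).
# STATE_FILE, LOG_FILE and ALLOWED_PREFIX are hypothetical names.
STATE_FILE="${STATE_FILE:-/var/lib/denyhosts-plugin/seen}"
LOG_FILE="${LOG_FILE:-/var/log/denyhosts-plugin.log}"
ALLOWED_PREFIX="${ALLOWED_PREFIX:-172.16.0.}"  # the 172.16.0.0/24 network from the report

# True when the host lies in the locally allowed network.
is_allowed() {
    case "$1" in
        "$ALLOWED_PREFIX"*) return 0 ;;
        *) return 1 ;;
    esac
}

# True when the host was recorded by an earlier invocation.
already_seen() {
    [ -f "$STATE_FILE" ] && grep -Fqx -- "$1" "$STATE_FILE"
}

# Prints one status word: blocked, skipped-allowed, skipped-duplicate, rejected.
handle_host() {
    host=$1
    # Accept only characters that occur in IP addresses and host names.
    case "$host" in
        ''|*[!0-9A-Za-z.:_-]*) echo rejected; return 2 ;;
    esac
    if is_allowed "$host"; then echo skipped-allowed; return 0; fi
    if already_seen "$host"; then echo skipped-duplicate; return 0; fi
    mkdir -p "$(dirname "$STATE_FILE")"
    printf '%s\n' "$host" >> "$STATE_FILE"
    printf '%s Blocking %s\n' "$(date)" "$host" >> "$LOG_FILE"
    echo blocked
}

# Entry point when DenyHosts invokes the script with a host argument.
if [ "$#" -gt 0 ]; then
    handle_host "$1"
fi
```

The state file makes the handler idempotent, so any action placed next to the log line (a firewall rule, a notification) fires once per host even if the plugin is called for the whole deny list again.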
