Package: denyhosts
Version: 2.6-1
Severity: normal
This morning I noticed a lot of disk activity on my server, and found that an attack was in progress on my ssh server, which denyhosts had failed to detect and stop. Here's an excerpt from /var/log/auth.log:

  May 22 05:08:27 helium sshd[10002]: Connection from 72.55.148.37 port 54831
  May 22 05:08:27 helium sshd[10002]: User root from ip-72-55-148-37.static.privatedns.com not allowed because not listed in AllowUsers
  May 22 05:08:28 helium sshd[10006]: Connection from 72.55.148.37 port 55045
  May 22 05:08:29 helium sshd[10006]: User root from ip-72-55-148-37.static.privatedns.com not allowed because not listed in AllowUsers
  May 22 05:08:29 helium sshd[10011]: Connection from 72.55.148.37 port 55430
  May 22 05:08:29 helium sshd[10011]: User root from ip-72-55-148-37.static.privatedns.com not allowed because not listed in AllowUsers
  May 22 05:08:29 helium sshd[10015]: Connection from 72.55.148.37 port 55567
  May 22 05:08:30 helium sshd[10015]: User root from ip-72-55-148-37.static.privatedns.com not allowed because not listed in AllowUsers

and so on, for several hundred attempts. When I saw that this was going on, I stopped it via /etc/hosts.deny, and then looked to see why denyhosts hadn't already put a stop to it. Here's an excerpt from /var/log/denyhosts:

  2007-05-22 05:08:37,625 - denyhosts : ERROR regex pattern ( User (?P<user>.*) not allowed because not listed in AllowUsers ) is missing 'host' group
  2007-05-22 05:08:37,625 - denyhosts : ERROR regex pattern ( User (?P<user>.*) not allowed because not listed in AllowUsers ) is missing 'host' group
  2007-05-22 05:08:37,625 - denyhosts : ERROR regex pattern ( User (?P<user>.*) not allowed because not listed in AllowUsers ) is missing 'host' group

It seems that the regex doesn't account for the "from address" clause of the auth.log message. Anyway, one way or another the regex is wrong, and that caused denyhosts to fail to stop the attack.
FYI here's /etc/denyhosts.conf:

  $ egrep -v '^ *(#|$)' /etc/denyhosts.conf
  SECURE_LOG = /var/log/auth.log
  HOSTS_DENY = /etc/hosts.deny
  PURGE_DENY = 4w
  BLOCK_SERVICE = sshd
  DENY_THRESHOLD_INVALID = 5
  DENY_THRESHOLD_VALID = 10
  DENY_THRESHOLD_ROOT = 1
  DENY_THRESHOLD_RESTRICTED = 1
  WORK_DIR = /var/lib/denyhosts
  SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES
  HOSTNAME_LOOKUP=YES
  LOCK_FILE = /var/run/denyhosts.pid
  ADMIN_EMAIL = [EMAIL PROTECTED]
  SMTP_HOST = localhost
  SMTP_PORT = 25
  SMTP_FROM = DenyHosts <[EMAIL PROTECTED]>
  SMTP_SUBJECT = DenyHosts Report
  AGE_RESET_VALID=5d
  AGE_RESET_ROOT=25d
  AGE_RESET_RESTRICTED=25d
  AGE_RESET_INVALID=10d
  DAEMON_LOG = /var/log/denyhosts
  DAEMON_SLEEP = 30s
  DAEMON_PURGE = 1h

-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (990, 'testing'), (300, 'unstable'), (200, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.16 (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1) (ignored: LC_ALL set to en_US)
Shell: /bin/sh linked to /bin/bash

Versions of packages denyhosts depends on:
ii  lsb-base        3.1-23.1    Linux Standard Base 3.1 init scrip
ii  python          2.4.4-2     An interactive high-level object-o
ii  python-central  0.5.13-0.1  register and build utility for Pyt

denyhosts recommends no packages.

-- no debconf information
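As an added illustration (not part of the bug report, and not the denyhosts project's own fix), the script below reproduces the failure the reporter describes: the pattern quoted in /var/log/denyhosts has a 'user' group but no 'host' group, so the resolved hostname from the "from <host>" clause is swallowed into 'user' and no host can ever reach DENY_THRESHOLD_ROOT = 1. NEW_PATTERN is a hypothetical corrected regex of my own that captures the optional "from" clause; the sample lines are constructed in the format shown in the report.

```python
import re

# Constructed sample lines in the auth.log format quoted in the bug report.
SAMPLE_LINES = [
    "May 22 05:08:27 helium sshd[10002]: User root from ip-72-55-148-37.static.privatedns.com not allowed because not listed in AllowUsers",
    "May 22 05:08:29 helium sshd[10006]: User root from ip-72-55-148-37.static.privatedns.com not allowed because not listed in AllowUsers",
    # Constructed: the older message form without a "from" clause.
    "May 22 05:08:40 helium sshd[10020]: User admin not allowed because not listed in AllowUsers",
]

# The pattern denyhosts 2.6 complains about in the log: no 'host' group at all.
OLD_PATTERN = re.compile(r"User (?P<user>.*) not allowed because not listed in AllowUsers")

# Hypothetical corrected pattern (mine, not the project's): the user name stops at
# whitespace and an optional "from <host>" clause is captured into the 'host' group.
NEW_PATTERN = re.compile(
    r"User (?P<user>\S+)(?: from (?P<host>\S+))? not allowed because not listed in AllowUsers"
)


def has_host_group(pattern):
    """The sanity check behind the "is missing 'host' group" error."""
    return "host" in pattern.groupindex


def extract(pattern, line):
    """Return (user, host) for a matching line, host being None if not captured."""
    m = pattern.search(line)
    if not m:
        return None
    return m.group("user"), m.groupdict().get("host")


def count_by_host(lines, pattern):
    """Count disallowed-login attempts per captured host."""
    counts = {}
    for line in lines:
        result = extract(pattern, line)
        if result and result[1]:
            counts[result[1]] = counts.get(result[1], 0) + 1
    return counts


def hosts_to_deny(lines, pattern, threshold):
    """Hosts whose attempt count reaches the threshold (DENY_THRESHOLD_ROOT = 1 above)."""
    return sorted(h for h, n in count_by_host(lines, pattern).items() if n >= threshold)
```

With OLD_PATTERN the hostname ends up inside the 'user' group and hosts_to_deny() returns nothing, which is exactly the silent failure the reporter observed.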

