Launchpad has imported 12 comments from the remote bug at https://bugzilla.redhat.com/show_bug.cgi?id=237449.
If you reply to an imported comment from within Launchpad, your comment
will be sent to the remote bug automatically. Read more about
Launchpad's inter-bugtracker facilities at
https://help.launchpad.net/InterBugTracking.

------------------------------------------------------------------------
On 2007-04-23T10:07:41+00:00 Jonathan wrote:

Description of problem:

I have "PermitRootLogin no" in sshd_config to prevent logins as username
root. I also only allow specific usernames to log in, so I have
AllowUsers set in sshd_config.

When someone does attempt to login as root, I see this in
/var/log/secure:

  Apr 23 07:03:53 machinename sshd[29961]: User root from 122.36.2.10 not allowed because not listed in AllowUsers

and the corresponding entry in /var/log/denyhosts

  2007-04-23 07:04:07,805 - denyhosts : ERROR regex pattern ( User (?P<user>. *) not allowed because not listed in AllowUsers ) is missing 'host' group

... and the attacker goes unblocked and undetected by denyhosts.

Version-Release number of selected component (if applicable):

  denyhosts-2.6-2.fc6
  openssh-clients-4.3p2-19.fc6
  openssh-4.3p2-19.fc6
  openssh-server-4.3p2-19.fc6
  openssh-askpass-4.3p2-19.fc6

Reply at:
https://bugs.launchpad.net/ubuntu/+source/denyhosts/+bug/133569/comments/0

------------------------------------------------------------------------
On 2007-04-23T14:39:19+00:00 Jason wrote:

Do you have any configuration entries defined which match REGEX?

If not, I believe this is a known upstream bug. My understanding,
however, is that it is harmless; ssh doesn't provide a hostname in that
message so there is no way to extract a hostname to block from it, and
the message you see in your logs is informing you of that.

I am not sure that ssh actually provides the messages necessary to do
what you are attempting to do, although please include it if so.
Otherwise I don't see that the underlying problem is something that can
be solved with denyhosts.
http://www.mail-archive.com/denyhosts- [email protected]/msg00132.html

Note also that there was no upstream response to this; in fact, upstream
seems to have gone dormant.

If you have other suggestions on how we could make minor modifications
to the denyhosts packaging to accommodate this, I'm happy to hear them.
But my feeling now is that in the absence of additional messages from
openssh which aren't being considered, this is not a denyhosts bug.

Reply at:
https://bugs.launchpad.net/ubuntu/+source/denyhosts/+bug/133569/comments/1

------------------------------------------------------------------------
On 2007-04-23T15:33:32+00:00 Jonathan wrote:

If you look at the openssh log message provided above, you'll see the IP
of the offending host, and so there is sufficient information -
denyhosts blocks by IP rather than hostname. So, I believe denyhosts
should block that host, and this is a fairly severe bug.

Looking a bit harder into it, I think (as suggested by your mail to the
user-list) that in file
/usr/lib/python2.4/site-packages/DenyHosts/regex.py

  FAILED_ENTRY_REGEX7 = re.compile(r"""User (?P<user>.*) not allowed because not listed in AllowUsers""")

should be replaced with

  FAILED_ENTRY_REGEX7 = re.compile(r"""User (?P<user>.*) .*from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) not allowed because not listed in AllowUsers""")

I'll test this locally, but that seems to be the crux of it - REGEX7
contains no pattern to match the host.
Reply at:
https://bugs.launchpad.net/ubuntu/+source/denyhosts/+bug/133569/comments/2

------------------------------------------------------------------------
On 2007-04-23T16:20:05+00:00 Jonathan wrote:

Have confirmed that fix works by placing the following line in
denyhosts.conf

  FAILED_ENTRY_REGEX7 = User (?P<user>.*) .*from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) not allowed because not listed in AllowUsers

[All one line, not wrapped]

And so my suggestion of the replacement line in Comment #2 for
/usr/lib/python2.4/site-packages/DenyHosts/regex.py is the correct fix.
Will attach a patch.

Reply at:
https://bugs.launchpad.net/ubuntu/+source/denyhosts/+bug/133569/comments/3

------------------------------------------------------------------------
On 2007-04-23T16:22:43+00:00 Jason wrote:

Any clue as to what this looks like for an IPv6 denial?

Reply at:
https://bugs.launchpad.net/ubuntu/+source/denyhosts/+bug/133569/comments/4

------------------------------------------------------------------------
On 2007-04-23T16:25:48+00:00 Jonathan wrote:

Created attachment 153291
Fix REGEX7

Reply at:
https://bugs.launchpad.net/ubuntu/+source/denyhosts/+bug/133569/comments/5

------------------------------------------------------------------------
On 2007-04-23T16:28:11+00:00 Jonathan wrote:

(In reply to comment #4)
> Any clue as to what this looks like for an IPv6 denial?

Um, no. Seems irrelevant though, this fix is as IPV6 safe as the rest of
DenyHosts - basically it brings REGEX7 into alignment with the other
REGEXs - if this is broken for IPV6, then all the others are too. I
don't have any way to test this I'm afraid.

Reply at:
https://bugs.launchpad.net/ubuntu/+source/denyhosts/+bug/133569/comments/6

------------------------------------------------------------------------
On 2007-04-23T16:36:49+00:00 Jason wrote:

OK, let me do a build and see if I can get this past releng for F7.
Reply at:
https://bugs.launchpad.net/ubuntu/+source/denyhosts/+bug/133569/comments/7

------------------------------------------------------------------------
On 2007-04-23T16:41:55+00:00 Jonathan wrote:

OK, thanks. An update for FC6 would also be much appreciated.

Reply at:
https://bugs.launchpad.net/ubuntu/+source/denyhosts/+bug/133569/comments/8

------------------------------------------------------------------------
On 2007-04-24T22:21:33+00:00 Jason wrote:

I did some testing and let the new version stew on my servers overnight.
Since that went OK, I pushed and built for F7, FC6, FC5, EL5 and EL4.

Reply at:
https://bugs.launchpad.net/ubuntu/+source/denyhosts/+bug/133569/comments/9

------------------------------------------------------------------------
On 2007-04-25T10:15:39+00:00 Jonathan wrote:

Splendid, thanks.

Reply at:
https://bugs.launchpad.net/ubuntu/+source/denyhosts/+bug/133569/comments/10

------------------------------------------------------------------------
On 2007-10-31T13:20:30+00:00 Tomas wrote:

CVE id CVE-2007-5715 was assigned to this old issue.

Reply at:
https://bugs.launchpad.net/ubuntu/+source/denyhosts/+bug/133569/comments/16


** Changed in: denyhosts (Fedora)
   Importance: Unknown => Medium

-- 
https://bugs.launchpad.net/bugs/133569

Title:
  regex error causes hosts to not be denied
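
Added example, not part of the imported thread and not DenyHosts code: the two FAILED_ENTRY_REGEX7 patterns quoted in the comments above, run against the log line from the report, plus a check for any pattern that lacks a 'host' group. The two IPv6 log lines are constructed samples and the helper names are hypothetical; the example goes slightly beyond the thread by covering the IPv6 case raised in comment #4.

```python
import re

# Both patterns are quoted from the thread (DenyHosts/regex.py, FAILED_ENTRY_REGEX7).
ORIGINAL_REGEX7 = re.compile(
    r"""User (?P<user>.*) not allowed because not listed in AllowUsers""")
PATCHED_REGEX7 = re.compile(
    r"""User (?P<user>.*) .*from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) not allowed because not listed in AllowUsers""")

# Log line from the report, followed by two constructed variants.
LOG_FROM_REPORT = ("Apr 23 07:03:53 machinename sshd[29961]: User root from "
                   "122.36.2.10 not allowed because not listed in AllowUsers")
LOG_MAPPED_V4 = LOG_FROM_REPORT.replace("122.36.2.10", "::ffff:122.36.2.10")
LOG_NATIVE_V6 = LOG_FROM_REPORT.replace("122.36.2.10", "2001:db8::10")


def extract(pattern, line):
    """Return (user, host) for a matching line, or None when nothing matches.

    host is None when the pattern has no 'host' group, which is the case
    DenyHosts reports as "missing 'host' group" and then cannot block.
    """
    match = pattern.search(line)
    if match is None:
        return None
    groups = match.groupdict()
    return groups.get("user"), groups.get("host")


def patterns_without_host(patterns):
    """Names of patterns that match failures but can never yield an address."""
    return [name for name, p in patterns.items() if "host" not in p.groupindex]


if __name__ == "__main__":
    for label, pat in (("original", ORIGINAL_REGEX7), ("patched", PATCHED_REGEX7)):
        for line in (LOG_FROM_REPORT, LOG_MAPPED_V4, LOG_NATIVE_V6):
            print(label, extract(pat, line))
    print(patterns_without_host(
        {"original": ORIGINAL_REGEX7, "patched": PATCHED_REGEX7}))
```

With the original pattern the address ends up inside the user group and no host is available; the patched pattern returns None for the native IPv6 line, so that source would not be counted either.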
