Package: denyhosts
Version: 2.6-10
Severity: important
Tags: security

The default for SSHD_FORMAT_REGEX is the following regex.

    .* (sshd.*:|\[sshd\]) (?P<message>.*)

On Debian systems the first alternative will be preferred, because all log lines contain colons. So let us apply this regex to the following line:

    Nov 3 19:44:08 localhost sshd[1234]: Received disconnect from 3.2.1.0: 11: Bye Bye [preauth]

What is message? The answer might come as a surprise. It just matches "Bye Bye [preauth]", because the ".*:" matches as much as possible. Any line that contains a colon therefore is truncated from the beginning. This applies especially to any line containing "::ffff:someipaddress".

As a solution I suggest changing the regex to use non-greedy versions:

    .*? (sshd.*?:|\[sshd\]) (?P<message>.*)

This could potentially be used to avoid being blocked by denyhosts. I haven't yet come up with a reliable way to reproduce.

Since the fix is trivial maybe this can be solved for wheezy?

Helmut
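The two patterns quoted in the report can be compared side by side. The following is an added example, not part of the original report and not denyhosts code; the helper names, the use of re.match, and every sample line except the first are assumptions made for illustration.

```python
import re

# Default SSHD_FORMAT_REGEX as quoted in the report (greedy quantifiers).
GREEDY = re.compile(r".* (sshd.*:|\[sshd\]) (?P<message>.*)")
# Non-greedy variant proposed in the report.
NON_GREEDY = re.compile(r".*? (sshd.*?:|\[sshd\]) (?P<message>.*)")

# The first line is the one from the report; the other two are constructed samples.
SAMPLE_LINES = [
    "Nov 3 19:44:08 localhost sshd[1234]: Received disconnect from 3.2.1.0: 11: Bye Bye [preauth]",
    "Nov 3 19:44:09 localhost sshd[1235]: error: PAM: Authentication failure for illegal user test from 192.0.2.10",
    "Nov 3 19:44:10 localhost sshd[1236]: Invalid user test from 192.0.2.10",
]


def extract_message(regex, line):
    """Return the 'message' group for a log line, or None if it does not match."""
    # Assumption: the pattern is applied from the start of the line (re.match).
    m = regex.match(line)
    return m.group("message") if m else None


def truncated_lines(lines):
    """Return (greedy, non_greedy) message pairs for lines where the patterns disagree."""
    diffs = []
    for line in lines:
        greedy = extract_message(GREEDY, line)
        lazy = extract_message(NON_GREEDY, line)
        if greedy != lazy:
            diffs.append((greedy, lazy))
    return diffs


if __name__ == "__main__":
    for greedy, lazy in truncated_lines(SAMPLE_LINES):
        print("greedy    :", greedy)
        print("non-greedy:", lazy)
        print()
```

Running the same comparison over a real auth.log shows which message types reach the later matching rules with their leading fields cut off under the default pattern.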