Package: denyhosts
Version: 2.6-10.1
Severity: important
Hi
I have 2.6-10 running on a few squeeze hosts here and applied the patch that
should fix #692229. I think there is a problem with one aspect of that
change -
- FAILED_ENTRY_REGEX = re.compile(r"""Failed (?P<method>.*) for
(?P<invalid>invalid user |illegal user )?(?P<user>.*?) .*from
(::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})""")
+ FAILED_ENTRY_REGEX = re.compile(r"""Failed (?P<method>\S*) for
(?P<invalid>invalid user |illegal user )?(?P<user>.*) from
(::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$""")
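Review bot: The $ placed directly after the host group on the + line requires the entry to end at the IP address, so it cannot match sshd lines that continue with a port and protocol field after the address. Rather than dropping the anchor altogether, consider keeping it and allowing the trailing fields in front of it, for example ( port \d+ ssh2)?$ after the host group, so that the captured address stays tied to the end of the line while (?P<user>.*) remains greedy. A comment beside the pattern showing one sample log line it is expected to match would also document the intended input format.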
The issue is the $ after the IP address matching - this fails on my syslog
files which have lines like:
Jan 5 21:01:15 venice sshd[12491]: Failed password for root from 122.252.245.89 port 57845 ssh2
To make the regex match again, just drop the $. (Tested with 'kodos').
What I am unclear about is whether making this change will allow
IP address injections again. Can the wildcard for the <user> match
be made non-greedy?
Otherwise, the following regex may be ok:
Failed (?P<method>\S*) for (?P<invalid>invalid user |illegal user )?(?P<user>.*) from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})( port \d+)?
This issue is also present in 2.6-7+deb6u2 (I checked regex.py)
and (I infer) 2.6-10+deb7u.
Kind regards
Vince
-- System Information:
Debian Release: 6.0.8
APT prefers oldstable
APT policy: (990, 'oldstable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-0.bpo.4-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages denyhosts depends on:
ii lsb-base 3.2-23.2squeeze1 Linux Standard Base 3.2 init scrip
ii python 2.6.6-3+squeeze7 interactive high-level object-orie
denyhosts recommends no packages.
denyhosts suggests no packages.
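The patterns discussed in the report above, run over its sample log line and two constructed ones. This is an added example, not part of the original report or of the denyhosts package. The "non_greedy" and "suffix_anchored" variants, the helper names and the lines using 192.0.2.10 and 198.51.100.7 are assumptions made for illustration, and the code is written for Python 3.

```python
import re

# Shared pieces of the patterns quoted in the report.
HEAD = r"Failed (?P<method>\S*) for (?P<invalid>invalid user |illegal user )?"
HOST = r"(::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"

PATTERNS = {
    # From the report:
    "patched": re.compile(HEAD + r"(?P<user>.*) from " + HOST + r"$"),
    "dollar_dropped": re.compile(HEAD + r"(?P<user>.*) from " + HOST),
    "optional_port": re.compile(HEAD + r"(?P<user>.*) from " + HOST + r"( port \d+)?"),
    # Assumptions added for comparison, not taken from denyhosts:
    "non_greedy": re.compile(HEAD + r"(?P<user>.*?) from " + HOST),
    "suffix_anchored": re.compile(HEAD + r"(?P<user>.*) from " + HOST + r"( port \d+ ssh2)?$"),
}

LINES = {
    # Sample line quoted in the report.
    "with_port": "Jan 5 21:01:15 venice sshd[12491]: Failed password for root "
                 "from 122.252.245.89 port 57845 ssh2",
    # Constructed: same entry without the trailing port/protocol fields.
    "no_port": "Jan 5 21:01:15 venice sshd[12491]: Failed password for root "
               "from 122.252.245.89",
    # Constructed: the user field itself contains " from <address>"
    # (documentation-range addresses; the second one is the connecting peer).
    "from_in_user": "Jan 5 21:01:16 venice sshd[12492]: Failed password for "
                    "invalid user x from 192.0.2.10 from 198.51.100.7 port 40000 ssh2",
}

def extract(pattern_name, line_name):
    """Return (user, host) as the named pattern parses the named line, or None."""
    m = PATTERNS[pattern_name].search(LINES[line_name])
    return (m.group("user"), m.group("host")) if m else None

def matrix():
    """Parse every line with every pattern."""
    return {(p, l): extract(p, l) for p in PATTERNS for l in LINES}

if __name__ == "__main__":
    for (p, l), result in matrix().items():
        print(f"{p:16} {l:13} -> {result}")
```

On the third line the non-greedy variant reports the address embedded in the user field, while the greedy variants report the last address on the line.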