denyhosts regex regression

Bug #1426959 reported by Michele Renda
This bug affects 1 person
Affects    Status    Importance    Assigned to    Milestone
Raspbian   New       Undecided     Unassigned

Bug Description

In the current denyhosts version in raspbian, denyhosts has a regression that makes it ineffective.

The current version of denyhosts is 2.6-10.1 and the file:
/usr/share/denyhosts/DenyHosts/regex.py

contains this regex expression:
FAILED_ENTRY_REGEX2 = re.compile(r"""(?P<invalid>(Illegal|Invalid)) user (?P<user>.*) from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$""")

Unfortunately this regex is not working anymore because the log in auth.log has this format:
Failed password for root from 103.41.124.29 port 43517 ssh2

The right regex is this:
FAILED_ENTRY_REGEX = re.compile(r"""Failed (?P<method>\S*) for (?P<invalid>invalid user |illegal user )?(?P<user>.*) from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})( port \d+)?( ssh2)?$""")

This regex exists in the upstream debian package:
denyhosts_2.6-10+deb7u3_all.deb

Please revert to upstream package or correct the regex in current package.

Thank you
Michele Renda
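
A regression check for the two patterns quoted in the report, as an added example that is not part of the original report or of DenyHosts' own code. It assumes the patterns are applied with `match` to the sshd message after the syslog prefix has been stripped, and that the affected package relies on FAILED_ENTRY_REGEX2 alone for these lines; every sample message except the one quoted in the report is constructed.

```python
import re

# Both patterns are copied verbatim from the bug report.
FAILED_ENTRY_REGEX2 = re.compile(r"""(?P<invalid>(Illegal|Invalid)) user (?P<user>.*) from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$""")
FAILED_ENTRY_REGEX = re.compile(r"""Failed (?P<method>\S*) for (?P<invalid>invalid user |illegal user )?(?P<user>.*) from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})( port \d+)?( ssh2)?$""")

# (message, is_failed_login) pairs. The first message is the auth.log line
# quoted in the report; the others are constructed with documentation IPs.
SAMPLES = [
    ("Failed password for root from 103.41.124.29 port 43517 ssh2", True),
    ("Failed password for root from 203.0.113.5", True),
    ("Failed password for invalid user admin from 198.51.100.7 port 2222 ssh2", True),
    ("Invalid user admin from 198.51.100.7", True),
    ("Accepted password for pi from 192.0.2.10 port 50022 ssh2", False),
]


def offending_host(message, patterns):
    """Return the host captured by the first pattern that matches, else None."""
    for pattern in patterns:
        m = pattern.match(message)
        if m:
            return m.group("host")
    return None


def undetected(samples, patterns):
    """Failed-login messages that none of the patterns attribute to a host."""
    return [msg for msg, is_failure in samples
            if is_failure and offending_host(msg, patterns) is None]


if __name__ == "__main__":
    # Assumption: the affected package only has FAILED_ENTRY_REGEX2 for these lines.
    for label, patterns in [
        ("REGEX2 only", [FAILED_ENTRY_REGEX2]),
        ("with FAILED_ENTRY_REGEX", [FAILED_ENTRY_REGEX, FAILED_ENTRY_REGEX2]),
    ]:
        print(label)
        for msg in undetected(SAMPLES, patterns):
            print("  missed:", msg)
```

Running the same check against a sample of the host's real auth.log messages after any package change shows whether failed logins are still being attributed to a source address.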

information type: Private Security → Public
peter green (plugwash) wrote :

First things first, there are no raspbian-specific customisations involved here.

This issue was patched by Debian for Wheezy but in Jessie they chose to remove the package instead.

Raspbian does not automatically follow removals from Debian so the last version that was in Debian jessie/sid

I see two options here, neither of them great.

1: I could forward port the change from the wheezy package to the jessie package; the trouble is that would be giving a false indication of support, there's no way I can support a package like this going forward independently from Debian.
2: I could remove the package from raspbian jessie, bringing us back into line with Debian but potentially leaving users who don't pay attention to the "obsolete and locally created packages" category in aptitude with a broken tool.

Any thoughts on which is the least bad option? I'm inclined to go with the latter on the "stay as close to Debian as possible" principle.

Michele Renda (mic-renda) wrote :

Indeed you are right. A little research showed me denyhosts was removed from debian jessie:
https://packages.debian.org/search?keywords=denyhosts&searchon=names&suite=all&section=all

The removal request was due to this bug report:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=732712

The project has been moved to this site and seems to be active (I think it is a fork):
https://github.com/denyhosts/denyhosts

I don't know which is the best solution. The changes in the wheezy regex seem backward compatible because the port and ssh2 tokens are optional in the match, but as you say, the package is unsupported.

My concern is that as of now, it does not give any protection, but you can only realize it is not working by watching the logs.

Question: is 2.6-10+deb7u3 more recent than 2.6-10.1?

Rolf Leggewie (r0lf) wrote :

Peter, you need to drop the package. If Debian doesn't think they can support it, how could you do that, without Debian? There's an alternative available.

peter green (plugwash) wrote :

Ok. I went ahead and removed it from raspbian jessie and stretch.
