Comment 2 for bug 162406

In , Jonathan (jonathan-redhat-bugs) wrote:

Description of problem:
See this:

http://www.ossec.net/en/attacking-loganalysis.html#denyhosts

which details a DoS vulnerability in the current version of DenyHosts (2.6).

In particular this part details the problem and the fix:

" FAILED_ENTRY_REGEX5 = re.compile(r"""User (?P<user>.*) .*from (?P<host>.*) not allowed
because none of user's groups are listed in AllowGroups""")

It is basically looking for "User from .." anywhere in the log, not checking if
it is in the middle of the "bad protocol version" log. How do we fix that? Just
make the regex more robust (an "$" at the end would solve it)!

You may think it is not a big deal but what if instead of one IP address I pass
all? -- all on hosts.deny means block every IP. Would it block the whole
internet out of the box? Yes, it would! "
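The following is an added worked example, not code from the bug report, the OSSEC article or DenyHosts itself. It runs the quoted DenyHosts 2.6 pattern and an anchored version of it over two constructed log lines: a genuine AllowGroups refusal and the "Bad protocol version identification" line sshd writes when a client sends a non-SSH banner, with the attacker's banner carrying the phrase the regex looks for and "all" in the host position. The log line layout, the "sshd: host" form of the hosts.deny entry, and the tightening of the host group to non-space characters are assumptions made for this example.

```python
import re

# Vulnerable pattern, as quoted above from DenyHosts 2.6: unanchored, so it
# matches the phrase wherever it occurs in a line, including inside text that
# sshd copies verbatim from the client.
VULNERABLE = re.compile(r"User (?P<user>.*) .*from (?P<host>.*) not allowed "
                        r"because none of user's groups are listed in AllowGroups")

# Hardened pattern: the fix described above (a "$" at the end). Restricting the
# host group to non-space characters is an extra tightening added here, not
# part of the quoted fix.
HARDENED = re.compile(r"User (?P<user>.*?) .*from (?P<host>\S+) not allowed "
                      r"because none of user's groups are listed in AllowGroups$")


def bad_banner_line(client_ip, banner):
    """Construct the line sshd logs when a client sends a non-SSH banner.

    Mimics the shape of sshd's "Bad protocol version identification '...' from
    <ip>" message; the quoted part is attacker-controlled. This is a constructed
    sample for the example, not a line captured from a real server.
    """
    return ("Nov 13 10:00:02 box sshd[2002]: Bad protocol version identification "
            "'%s' from %s" % (banner, client_ip))


# Constructed sample of a genuine AllowGroups refusal.
GENUINE = ("Nov 13 10:00:01 box sshd[2001]: User alice from 192.0.2.10 not allowed "
           "because none of user's groups are listed in AllowGroups")

# The attacker's banner: the phrase the regex looks for, with "all" as the host.
PAYLOAD = ("User x from all not allowed because none of user's groups are "
           "listed in AllowGroups")
INJECTED = bad_banner_line("198.51.100.7", PAYLOAD)


def extract_host(pattern, line):
    """Return the host a DenyHosts-style matcher would pull out of `line`, or None."""
    m = pattern.search(line)
    return m.group("host") if m else None


def hosts_deny_entry(pattern, line, service="sshd"):
    """Entry a DenyHosts-style tool would append to /etc/hosts.deny, or None.

    The "service: host" form is assumed here. With "all" as the host the entry
    is the tcp_wrappers wildcard, i.e. every client is denied.
    """
    host = extract_host(pattern, line)
    return None if host is None else "%s: %s" % (service, host)


if __name__ == "__main__":
    for name, pat in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(name, "genuine  ->", hosts_deny_entry(pat, GENUINE))
        print(name, "injected ->", hosts_deny_entry(pat, INJECTED))
```

With the unanchored pattern the injected line yields the entry "sshd: all"; with the anchored pattern it yields nothing, because sshd always appends the closing quote and its own "from <ip>" after the banner, so the attacker-controlled text can never sit at the end of the line. The genuine refusal is still parsed correctly by both.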