regex error causes hosts to not be denied

Bug #133569 reported by Marcus Sundman on 2007-08-20
Affects              Status        Importance  Assigned to     Milestone
denyhosts (Debian)   Fix Released  Unknown
denyhosts (Fedora)   Fix Released  Medium
denyhosts (Ubuntu)                 Undecided   Unassigned
  Edgy                             Undecided   William Grant
  Feisty                           Medium      William Grant
  Gutsy                            Undecided   Unassigned

Bug Description

Binary package hint: denyhosts

I'm running feisty and sometimes hosts don't get blocked.
The /var/log/denyhosts file contains a lot of lines like this:
2007-08-19 04:32:09,062 - denyhosts : ERROR regex pattern ( User (?P<user>.*) not allowed because not listed in AllowUsers ) is missing 'host' group

This is the same as the debian bug #425519, which seems to be fixed in the debian package denyhosts_2.6-2. Thus a quick resync to a newer debian package ought to fix this.

Description of problem:

I have "PermitRootLogin no" in sshd_config to prevent logins as username
root. I also only allow specific usernames to log in, so I have AllowUsers set
in sshd_config.

When someone does attempt to login as root, I see this in /var/log/secure:

Apr 23 07:03:53 machinename sshd[29961]: User root from 122.36.2.10 not allowed because not listed in AllowUsers

and the corresponding entry in /var/log/denyhosts

2007-04-23 07:04:07,805 - denyhosts : ERROR regex pattern ( User (?P<user>.*) not allowed because not listed in AllowUsers ) is missing 'host' group

... and the attacker goes unblocked and undetected by denyhosts.

Version-Release number of selected component (if applicable):
denyhosts-2.6-2.fc6
openssh-clients-4.3p2-19.fc6
openssh-4.3p2-19.fc6
openssh-server-4.3p2-19.fc6
openssh-askpass-4.3p2-19.fc6

Do you have any configuration entries defined which match REGEX? If not, I
believe this is a known upstream bug. My understanding, however, is that it is
harmless; ssh doesn't provide a hostname in that message so there is no way to
extract a hostname to block from it, and the message you see in your logs is
informing you of that. I am not sure that ssh actually provides the messages
necessary to do what you are attempting to do, although please include it if so.
Otherwise I don't see that the underlying problem is something that can be
solved with denyhosts.

http://<email address hidden>/msg00132.html

Note also that there was no upstream response to this; in fact, upstream seems
to have gone dormant. If you have other suggestions on how we could make minor
modifications to the denyhosts packaging to accommodate this, I'm happy to hear
them. But my feeling now is that in the absence of additional messages from
openssh which aren't being considered, this is not a denyhosts bug.

If you look at the openssh log message provided above, you'll see the IP of the
offending host, and so there is sufficient information - denyhosts blocks by IP
rather than hostname. So, I believe denyhosts should block that host, and this
is a fairly severe bug.

Looking a bit harder into it, I think (as suggested by your mail to the
user-list) that in file /usr/lib/python2.4/site-packages/DenyHosts/regex.py

FAILED_ENTRY_REGEX7 = re.compile(r"""User (?P<user>.*) not allowed because not listed in AllowUsers""")

should be replaced with

FAILED_ENTRY_REGEX7 = re.compile(r"""User (?P<user>.*) .*from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) not allowed because not listed in AllowUsers""")

I'll test this locally, but that seems to be the crux of it - REGEX7 contains no
pattern to match the host.

Have confirmed that fix works by placing the following line in denyhosts.conf

FAILED_ENTRY_REGEX7 = User (?P<user>.*) .*from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) not allowed because not listed in AllowUsers

[All one line, not wrapped]

And so my suggestion of the replacement line in Comment #2 for
/usr/lib/python2.4/site-packages/DenyHosts/regex.py is the correct fix.

Will attach a patch.
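The following Python script is an added illustration written for this page; it is not DenyHosts code and not the attached patch. It compiles the original FAILED_ENTRY_REGEX7 from the thread next to the proposed replacement and runs both over three sshd log lines: the first is the /var/log/secure entry quoted above, the other two are constructed (an IPv4-mapped IPv6 address, and an unrelated "Accepted publickey" line that must not match). The helper names has_host_group, extract_host and hosts_to_deny are the example's own, not DenyHosts' API; the check they perform is the one DenyHosts' error message describes, a failed-login pattern with no 'host' group can never yield an address to deny.

```python
import re

# The pattern quoted in the thread as the original FAILED_ENTRY_REGEX7.
# It names only a 'user' group, so nothing can be extracted to deny.
BROKEN_REGEX7 = re.compile(
    r"User (?P<user>.*) not allowed because not listed in AllowUsers"
)

# The replacement proposed in the thread: same message, but the IPv4 address
# after "from" is captured as 'host'; an IPv4-mapped IPv6 prefix is tolerated.
FIXED_REGEX7 = re.compile(
    r"User (?P<user>.*) .*from (::ffff:)?"
    r"(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) "
    r"not allowed because not listed in AllowUsers"
)

# Sample log lines. The first is the entry quoted in the report; the other two
# are constructed for this example (placeholder addresses, not real hosts).
SAMPLE_LINES = [
    "Apr 23 07:03:53 machinename sshd[29961]: User root from 122.36.2.10 "
    "not allowed because not listed in AllowUsers",
    "Apr 23 07:05:11 machinename sshd[29970]: User admin from ::ffff:10.0.0.5 "
    "not allowed because not listed in AllowUsers",
    "Apr 23 07:06:00 machinename sshd[29980]: Accepted publickey for alice "
    "from 10.0.0.9 port 51234 ssh2",
]


def has_host_group(pattern):
    """True if the compiled pattern defines a named group called 'host'.

    This is the condition behind the "is missing 'host' group" error in
    /var/log/denyhosts: without it the match is useless for blocking.
    """
    return "host" in pattern.groupindex


def extract_host(pattern, line):
    """Search one log line and return the 'host' group, or None when the
    pattern cannot name a host or the line does not match."""
    if not has_host_group(pattern):
        return None
    match = pattern.search(line)
    return match.group("host") if match else None


def hosts_to_deny(pattern, lines):
    """Distinct hosts a pattern can extract from a batch of log lines."""
    found = (extract_host(pattern, line) for line in lines)
    return sorted({host for host in found if host})


if __name__ == "__main__":
    for name, pattern in (("broken", BROKEN_REGEX7), ("fixed", FIXED_REGEX7)):
        print(
            f"{name}: host group present={has_host_group(pattern)}, "
            f"would deny={hosts_to_deny(pattern, SAMPLE_LINES)}"
        )
```

Running it shows the broken pattern still matches the quoted line (its greedy user group swallows "root from 122.36.2.10"), which is why the failure is silent apart from the error in /var/log/denyhosts, while the fixed pattern yields 122.36.2.10 and 10.0.0.5 and ignores the successful-login line.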

Any clue as to what this looks like for an IPv6 denial?

Created attachment 153291
Fix REGEX7

(In reply to comment #4)
> Any clue as to what this looks like for an IPv6 denial?

Um, no. Seems irrelevant though, this fix is as IPV6 safe as the rest of
DenyHosts - basically it brings REGEX7 into alignment with the other REGEXs - if
this is broken for IPV6, then all the others are too. I don't have any way to
test this I'm afraid.

OK, let me do a build and see if I can get this past releng for F7.

OK, thanks. An update for FC6 would also be much appreciated.

I did some testing and let the new version stew on my servers overnight. Since
that went OK, I pushed and built for F7, FC6, FC5, EL5 and EL4.

Splendid, thanks.

Michael Bienia (geser) wrote :

Gutsy already contains denyhosts 2.6-2.

Changed in denyhosts:
status: New → Fix Released
Marcus Sundman (sundman) wrote :

Security fixes should be backported. It's quite unacceptable to not have "already fixed" security vulnerabilities only a few weeks after a release and be vulnerable most of the year. To make the beta version secure, but the release version not is just crazy.

Marcus Sundman (sundman) wrote :

> It's quite unacceptable to not have "already fixed" security
> vulnerabilities only a few weeks after a release

Uh... English is such a horrible language. Let me try to disambiguate it by rephrasing:

It's quite unacceptable to have a secure system only until a few weeks after a release, especially if the known security vulnerabilities are already fixed in the upcoming release.

Kees Cook (kees) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. If someone can prepare (and test) the fixes and attach debdiffs that follow the [https://wiki.ubuntu.com/SecurityUpdateProcedures], I'd be more than happy to get them uploaded. I've opened a "Feisty" task for tracking.

Changed in denyhosts:
importance: Undecided → Medium
status: New → Triaged

CVE id CVE-2007-5715 was assigned to this old issue.

William Grant (wgrant) on 2007-11-13
Changed in denyhosts:
status: New → Fix Released
assignee: nobody → fujitsu
status: New → In Progress
assignee: nobody → fujitsu
status: Triaged → In Progress
William Grant (wgrant) wrote :

Here are debdiffs covering both this and bug #162406.

Changed in denyhosts:
status: Unknown → Fix Released
Changed in denyhosts:
status: Unknown → Fix Released
William Grant (wgrant) wrote :

Here's a new Edgy debdiff, covering CVE-2006-6301 (bug #163257) as well.

Kees Cook (kees) wrote :

Thanks for collecting the various patches from the bugs. I've uploaded these to the security queue; they should be published shortly.

Changed in denyhosts:
status: In Progress → Fix Committed
status: In Progress → Fix Committed
William Grant (wgrant) wrote :

denyhosts (2.6-1ubuntu0.1) feisty-security; urgency=low

  * SECURITY UPDATE: hosts not denied (LP: #133569), and possible denial of
    service (LP: #162406).
  * debian/patches/{06_CVE-2007-5715,07_CVE-2007-4323}.dpatch: Add patches
    from Debian.
  * References
    CVE-2007-5715
    CVE-2007-4323

 -- William Grant <email address hidden> Tue, 13 Nov 2007 23:31:18 +1100

Changed in denyhosts:
status: Fix Committed → Fix Released
Kees Cook (kees) on 2007-11-26
Changed in denyhosts:
status: Fix Committed → Fix Released
Changed in denyhosts (Fedora):
importance: Unknown → Medium
This report contains Public Security information. Everyone can see this security related information.