Bug 222777 - sshd seems to be ignoring /etc/hosts.deny in ipv6 scenarios
Summary: sshd seems to be ignoring /etc/hosts.deny in ipv6 scenarios
Status: CONFIRMED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Core system
Hardware: All Linux
Importance: High normal
Assignee: Gentoo's Team for Core System packages
Reported: 2008-05-19 08:37 UTC by Tres 'RiverRat' Melton
Modified: 2008-06-01 14:05 UTC (History)
Description Tres 'RiverRat' Melton 2008-05-19 08:37:00 UTC
I have denyhosts running on a server and I've been getting hit relentlessly with brute force attacks.  I have enlisted some help in figuring out what is up and have noticed that /etc/hosts.deny is getting the attacking IP addresses in it (as well as the in-addr.arpa records), but that sshd is still allowing inbound connections from the offending IP addresses/hostnames.  What is up here?  I'm at my wits' end.  Am I missing some stupid config setting in /etc/ssh/sshd_config?  I'm out of ideas, please help.
Comment 1 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-05-19 08:52:03 UTC
This is not a vulnerability; reassigning to maintainers.
Comment 2 Adam James 2008-05-19 09:57:12 UTC
Please paste the output from `emerge -pv openssh`. If you have not compiled openssh with the `tcpd` USE flag then this will be the cause of the problem.
Comment 3 Tres 'RiverRat' Melton 2008-05-20 02:04:36 UTC
emerge -av openssh

These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild   R   ] net-misc/openssh-4.7_p1-r6  USE="pam tcpd -X -X509 -chroot -hpn -kerberos -ldap -libedit (-selinux) -skey -smartcard -static" 0 kB

Total: 1 package (1 reinstall), Size of downloads: 0 kB

(I re-emerged it anyway)
/etc/init.d/sshd stop
/etc/init.d/sshd start

May 19 19:42:05 my-host sshd[25288]: Server listening on :: port 22.
May 19 19:42:05 my-host sshd[25288]: error: Bind to port 22 on 0.0.0.0 failed: Address already in use.
(don't know what's up there, I verified nothing was listening before starting it and sshd was listening after starting it with netstat -l and telnet localhost 22)

(remotely)
ssh aqwert@my-host.com
(fail the password 3 times - no actual account by that name anyway)

May 19 19:48:45 my-host sshd[26698]: Invalid user aqwert from remote-IP
May 19 19:48:47 my-host sshd[26701]: pam_unix(sshd:auth): check pass; user unknown
May 19 19:48:47 my-host sshd[26701]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=remote-host 
May 19 19:48:49 my-host sshd[26698]: error: PAM: Authentication failure for illegal user aqwert from remote-host
May 19 19:48:49 my-host sshd[26698]: Failed keyboard-interactive/pam for invalid user aqwert from remote-IP port 52361 ssh2
May 19 19:48:50 my-host sshd[26703]: pam_unix(sshd:auth): check pass; user unknown
May 19 19:48:50 my-host sshd[26703]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=remote-host
May 19 19:48:52 my-host sshd[26698]: error: PAM: Authentication failure for illegal user aqwert from remote-host
May 19 19:48:52 my-host sshd[26698]: Failed keyboard-interactive/pam for invalid user aqwert from remote-IP port 52361 ssh2
May 19 19:48:53 my-host sshd[26705]: pam_unix(sshd:auth): check pass; user unknown
May 19 19:48:53 my-host sshd[26705]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=remote-host
May 19 19:48:55 my-host sshd[26698]: error: PAM: Authentication failure for illegal user aqwert from remote-host
May 19 19:48:55 my-host sshd[26698]: Failed keyboard-interactive/pam for invalid user aqwert from remote-IP port 52361 ssh2

ssh bqwert@my-host.com
(fail the password 3 times - no actual account by that name anyway)

(All of the above messages repeated plus:)
May 19 19:55:25 my-host denyhosts: Added the following hosts to /etc/hosts.deny - remote-IP (remote-host)
May 19 19:55:25 my-host denyhosts: Added the following hosts to /etc/hosts.deny - remote-host

(confirmed the following entries in /etc/hosts.deny)
ALL: remote-IP
ALL: remote-host

ssh cqwert@my-host.com
(get a password prompt instead of a connection refused)
(fail the password 3 times - no actual account by that name anyway)
(all of the messages from the first failure)

ssh valid-user@my-host.com
(correct password and successful login)
May 19 19:59:07 my-host sshd[28189]: Accepted keyboard-interactive/pam for valid-user from remote-IP port 53339 ssh2
May 19 19:59:07 my-host sshd[28193]: pam_unix(sshd:session): session opened for user valid-user by (uid=0)

---------------------------------------------------------------------------
emerge --info:
Portage 2.1.4.4 (default-linux/x86/2007.0, gcc-4.1.2, glibc-2.6.1-r0, 2.6.23.17-linode43 i686)
=================================================================
System uname: 2.6.23.17-linode43 i686 UML
Timestamp of tree: Mon, 19 May 2008 09:16:01 +0000
app-shells/bash:     3.2_p33
dev-java/java-config: 1.3.7, 2.1.6
dev-lang/python:     2.4.4-r9
dev-python/pycrypto: 2.0.1-r6
sys-apps/baselayout: 1.12.11.1
sys-apps/sandbox:    1.2.18.1-r2
sys-devel/autoconf:  2.13, 2.61-r1
sys-devel/automake:  1.5, 1.10.1
sys-devel/binutils:  2.18-r1
sys-devel/gcc-config: 1.4.0-r4
sys-devel/libtool:   1.5.26
virtual/os-headers:  2.6.23-r3
ACCEPT_KEYWORDS="x86"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=i686 -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /var/qmail/alias /var/qmail/control /var/vpopmail/etc"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo /etc/udev/rules.d"
CXXFLAGS="-O2 -march=i686 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="ccache collision-protect cvs distlocks maketest metadata-transfer nostrip parallel-fetch sandbox sfperms splitdebug strict unmerge-orphans userfetch"
GENTOO_MIRRORS="http://distfiles.gentoo.org http://www.ibiblio.org/pub/Linux/distributions/gentoo"
LINGUAS="en en_GB"
MAKEOPTS="-j 2"
PKGDIR="/share/built-packages"
PORTAGE_RSYNC_EXTRA_OPTS="--timeout=45"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.namerica.gentoo.org/gentoo-portage"
USE="3dnow apache2 bash-completion bzlib crypt doc imap java libwww maildir mmx mysql nls nptl nptlonly pam php readline sse ssl tcltk tcpd unicode vhosts x86 xml xml2 zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1 emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="authz_host dir mime alias asis auth_basic authn_alias authn_anon authn_default authn_file authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock dbd dir dumpio env expires ext_filter file_cache filter headers ident imagemap include info log_config logio mime mime_magic negotiation proxy proxy_ajp proxy_connect proxy_http rewrite setenvif speling status unique_id userdir usertrack vhost_alias" APACHE2_MPMS="worker" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en en_GB" USERLAND="GNU" VIDEO_CARDS="apm ark chips cirrus cyrix dummy fbdev glint i128 i740 i810 imstt mach64 mga neomagic nsc nv r128 radeon rendition s3 s3virge savage siliconmotion sis sisusb tdfx tga trident tseng v4l vesa vga via vmware voodoo"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTDIR_OVERLAY
Comment 4 Tres 'RiverRat' Melton 2008-05-21 00:19:42 UTC
Ok, this is getting brutal.  I had to do something so I changed /etc/denyhosts.conf to have the following line:

PLUGIN_DENY=/root/denyhosts.sh

And in that file I put:

iptables --append INPUT --protocol tcp --source ${1} --destination-port 22 --jump DROP

Which is working but not ideal as now my tables are getting huge.  I may have to create a new table just for NEW connections to port 22 and list them all in there.  It still isn't good in terms of kernel memory though.

PS.  I would consider this as a security issue although not an exploit.  But those 'tards are trying like hell to exploit it.
Comment 5 Tres 'RiverRat' Melton 2008-05-21 01:27:53 UTC
This seems to be a problem (unresolved) in the forums too.
http://forums.gentoo.org/viewtopic-p-5099314.html
Comment 6 Tres 'RiverRat' Melton 2008-05-21 04:49:42 UTC
The solution is here:
http://forums.gentoo.org/viewtopic-p-4146699.html#4146699

That brings up an interesting issue but I'm guessing that the problem is in the sshd daemon but can't be positive without digging into the code to see if it uses a library (tcp-wrappers) to read /etc/hosts.deny or parses it internally.

The problem will persist for those using a dynamic IP address who cannot uncomment the listen line in /etc/ssh/sshd_config and add a real IP address though.  So I'm not going to close the bug until this gets some more experienced developers to chime in.  The hosts.deny file is ignored by sshd regardless of the format:
sshd: IP-addr
ALL: IP-addr
and with hostnames too.  :/
Comment 7 Tres 'RiverRat' Melton 2008-05-21 06:05:00 UTC
Sorry for the bug spam guys.

This is a linode (www.linode.com) VM and although IPv6 is disabled in the tcp-wrappers it is enabled in the kernel as I have no control over that.

[ebuild   R   ] sys-apps/tcp-wrappers-7.6-r8  USE="-ipv6" 0 kB
[ebuild   R   ] net-misc/openssh-4.7_p1-r6  USE="pam tcpd -X -X509 -chroot -hpn -kerberos -ldap -libedit (-selinux) -skey -smartcard -static" 0 kB

Many people smarter than I suggested that the problem is that it is coming in as an IPv6 packet and getting translated to an IPv4 packet for the wrapper libs, and that is where things are getting confused.  This may very well be the problem and a test was proposed to rebuild everything with IPv6 enabled and test it again.  I don't really have that option (everything has -ipv6 in package.use) as I've explained, but it sounds reasonable.  Anyway, the solution of adding a ListenAddress to /etc/ssh/sshd_config has solved the problem for now.
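The mechanism proposed in Comment 7, shown as an added example that is not part of this bug, of OpenSSH or of tcp-wrappers: a listener bound to :: that also accepts IPv4 (the log in Comment 3, where :: binds and the later 0.0.0.0 bind fails with "Address already in use", is the signature of such a socket) reports each IPv4 peer as an IPv4-mapped IPv6 address, and a hosts.deny matcher that compares that form against a plain a.b.c.d entry never matches unless it first folds the mapped address back to IPv4. All function names and the hosts.deny content are constructed for this illustration; the addresses are from the RFC 5737 documentation ranges.

```python
"""Constructed example: an IPv4 client of a dual-stack ('::') listener arrives
as '::ffff:a.b.c.d'; a matcher that never folds that back to 'a.b.c.d' misses."""
import ipaddress
import socket

# Constructed hosts.deny content: the two forms the report tried, plus a hostname.
HOSTS_DENY = "sshd: 203.0.113.5\nALL: 198.51.100.0/24\nALL: attacker.example\n"


def parse_hosts_deny(text):
    """(daemon, client_pattern) pairs from 'daemon_list : client_list' lines."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        if ":" in line:
            daemons, clients = line.split(":", 1)
            rules += [(d.strip(), c.strip()) for d in daemons.split(",")
                      for c in clients.split(",")]
    return rules


def normalise_peer(addr):
    """Fold an IPv4-mapped IPv6 peer ('::ffff:a.b.c.d') back to plain IPv4."""
    ip = ipaddress.ip_address(addr)
    return getattr(ip, "ipv4_mapped", None) or ip  # IPv4Address is always truthy


def is_denied(daemon, peer, rules, normalise=True):
    """Would hosts.deny reject peer? normalise=False mimics a matcher that never folds."""
    ip = normalise_peer(peer) if normalise else ipaddress.ip_address(peer)
    for d, pattern in rules:
        try:
            net = ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            continue  # hostname patterns are out of scope for this example
        if d in ("ALL", daemon) and ip in net:  # 'in' is False across families
            return True
    return False


def observe_ipv4_peer_on_dual_stack():
    """Accept one loopback IPv4 connection on a dual-stack '::' listener and
    return the peer address as the server sees it (None if IPv6 is unusable)."""
    try:
        srv = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
        srv.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 0)
        srv.bind(("::", 0))
        srv.listen(1)
        cli = socket.create_connection(("127.0.0.1", srv.getsockname()[1]))
        conn, peer = srv.accept()
        conn.close(); cli.close(); srv.close()
        return peer[0]  # e.g. '::ffff:127.0.0.1'
    except OSError:
        return None
```

Binding an explicit IPv4 ListenAddress, as Comment 7 did, sidesteps the mapped form entirely because the IPv4 socket then reports plain a.b.c.d peers.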
Comment 8 SpanKY gentoo-dev 2008-05-31 07:00:56 UTC
I don't think you need to rebuild everything ... just tcp-wrappers.