Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 248047 - app-admin/denyhosts-2.6-r1 keeps missing on PAM auth regexes.
Summary: app-admin/denyhosts-2.6-r1 keeps missing on PAM auth regexes.
Status: RESOLVED TEST-REQUEST
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: x86 Linux
: High normal (vote)
Assignee: No maintainer - Look at https://wiki.gentoo.org/wiki/Project:Proxy_Maintainers if you want to take care of it
URL:
Whiteboard:
Keywords: NeedPatch
Depends on:
Blocks:
 
Reported: 2008-11-21 19:39 UTC by James Homuth
Modified: 2012-09-23 08:25 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description James Homuth 2008-11-21 19:39:14 UTC
I haven't really noticed this until the last 2-3 days, when the number of SSH attacks on both my Gentoo boxes increased a fair bit. But when it trips an auth mechanism managed by PAM, Denyhosts tends to not catch what's being spit out by syslog. I'll paste example logs below, plus the regexes I added to the config that, according to multiple sources, should be catching it. The entries in question:
Nov 20 23:28:15 nova sshd[31721]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=90.190.11.51 user=root     
Nov 20 23:28:17 nova sshd[31719]: error: PAM: Authentication failure for root from 90.190.110.51 

And my regexes:
USERDEF_FAILED_ENTRY_REGEX=error: PAM: Authentication failure for (?P<user>.*?) from (?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
USERDEF_FAILED_ENTRY_REGEX=pam_unix\(sshd:auth\): authentication failure\; logname=(.+)? uid=\d+ euid=\d+ tty=ssh ruser=(.+)? rhost=(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})


I'd appreciate it if this could be investigated, and if something's broken on my end and not the software's, I'd appreciate knowing that just as much.

Thank you in advance,
James

Reproducible: Always

Steps to Reproduce:
1. Add above regexes to /etc/denyhosts.conf
2. /etc/init.d/denyhosts restart
3. Monitor ssyslog entries, optionally with another utility that will watch for the regexes in question.

Actual Results:  
Authentication failure messages showed as expected, however Denyhosts didn't respond. Was tested by multiple users from multiple IP addresses.

Expected Results:  
After at least one of those authentication failure lines, Denyhosts should be adding the offending IP to /etc/hosts.deny.

Everything else is taken from the default config as set up in the Gentoo portage tree. Information is being pulled from /var/log/auth.log.
Comment 1 Jeremy Olexa (darkside) (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-08-01 20:28:00 UTC
assigning to maintainer
Comment 2 Jeremy Olexa (darkside) (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2010-04-27 15:51:39 UTC
Sorry, I'm inclined to think this isn't much of a problem since no one else has reported it. Have you been able to investigate more?
Comment 3 James Homuth 2010-04-29 00:50:27 UTC
(In reply to comment #2)
> Sorry, I'm inclined to think this isn't much of a problem since no one else has
> reported it. Have you been able to investigate more?

I've done a bit more investigating on it, yes. Including testing that same regular expression with other, similar software (fail2ban). Due to lack of activity on this bug I just resorted to running minus PAM for the time being, since it isn't absolutely necessary on my end anyway.
Comment 4 Jeremy Olexa (darkside) (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2010-05-04 02:38:38 UTC
Thanks for the feedback. Low priority, not sure of a fix.
Comment 5 Pacho Ramos gentoo-dev 2012-09-23 08:25:24 UTC
+*denyhosts-2.6-r6 (23 Sep 2012)
+
+  23 Sep 2012; Pacho Ramos <pacho@gentoo.org> +denyhosts-2.6-r6.ebuild,
+  +files/denyhosts-2.6-daemon-control.patch,
+  +files/denyhosts-2.6-defconffile.patch,
+  +files/denyhosts-2.6-foreground_mode.patch,
+  +files/denyhosts-2.6-hostname.patch, +files/denyhosts-2.6-plugin_deny.patch,
+  +files/denyhosts-2.6-single_config_switch.patch:
+  Include multiple Fedora and Debian patches that also provide a fix for plugin
+  deny behavior (#264165 by Christoph Erdle).
+

Try with this new version please