#38 failed root/restricted user login attempts miscounted

open
nobody
None
5
2009-04-07
2009-04-07
Stephan Schenk
No

The failed login attempts for root and restricted users are not counted correctly (at least on my Gentoo systems with python 2.5 and denyhosts-2.6-r1). Setting, e.g.
DENY_THRESHOLD_ROOT = 1
will not block hosts after 2 failed logins. Instead, the value for DENY_THRESHOLD_INVALID is used. I narrowed this problem down to the way invalid users are handled. On my system, I have lots of those lines
sshd[<pid>]: error: PAM: Authentication failure for root from <ip address>
with matches FAILED_ENTRY_REGEX3. Because this regexp does not have a 'invalid' field, DenyHosts::is_valid() will return 'invalid'. Subsequently, LoginAttempt::add() will test this 'invalid' flag. If the latter is True, only the 'invalid host list' is updated and neither 'restricted hosts' nor 'root hosts'.

The attached patch solves the problem by modifying DenyHosts::is_valid() to only set the 'invalid' flag if such a field exists in the matched regexp. Otherwise (e.g. FAILED_ENTRY_REGEX3) it does not set the flag. After this modification, DENY_THRESHOLD_ROOT and DENY_THRESHOLD_RESTRICTED work as expected.

Discussion

  • dr8
    dr8
    2010-09-05

    Confirmed on my system too. In fact it's worse than login attempts are miscounted; All logins are treated as invalid logins so you cannot have separate thresholds for root logins, valid logins & restricted logins.

    I'd recommend applying this patch. Now brute force attempts can be blocked much quicker.

    I came to almost exactly the same patch independently and can confirm that it works.

     
  • Jakub Klawiter
    Jakub Klawiter
    2011-01-05

    I'm not sure if it is same issue, but i found today that with configuration:
    # grep -i ^deny_threshold /etc/denyhosts.conf
    DENY_THRESHOLD_INVALID = 3
    DENY_THRESHOLD_VALID = 3
    DENY_THRESHOLD_ROOT = 1
    DENY_THRESHOLD_RESTRICTED = 1

    i found in log today morning: http://www.nopaste.pl/x0n
    which IMO should be blocked much much faster.

    I'm using denyhost-2.6-r4 in gentoo