#40 Illegal entries in synced hosts, possible security issue

closed-fixed
nobody
None
5
2009-04-18
2009-04-14
Robert Schipper
No

Through syncing the following entries were added to my hosts.deny:
# DenyHosts: Sun Apr 12 07:00:57 2009 | sshd: 66.154.96.184 (66.154.96.184)
66.154.96.184 (66.154.96.184)
# DenyHosts: Sun Apr 12 07:00:57 2009 | sshd: 201.116.186.243 (201.116.186.243)
201.116.186.243 (201.116.186.243)
and some more of these in subsequent syncs.
They are invalid in the syntax of hosts.deny and give rise to a warning in /var/log/secure when logging into the host through ssh with a valid account and password:
Apr 14 08:12:59 mx1 sshd[22867]: warning: /etc/hosts.deny, line 10555: host name/name mismatch: myhost.example.com != some.otherhost.com
where the hosts.deny line refers to the first occurrence of the above quoted illegal entries.
If this means that the hosts.deny file is not parsed further after this illegal entry (there are no warnings in the logs for subsequent ones), this would be a serious security issue.

Discussion

  • Karl schmidt
    2009-04-16

    I've been seeing the same thing (2.6-1etch1). Also, I've noticed that it seems to let the same IP hammer longer than it is supposed to now - I think the bad guys have thrown a wrench in the works.

    There is also something wrong with the statistics - see http://stats.denyhosts.net/stats.html

    Here is an example from the logs:
    Security Events
    =-=-=-=-=-=-=-=
    Apr 16 04:11:54 kiwi sshd[30880]: warning: /etc/hosts.deny, line 2462: host name/address mismatch: 85.92.139.168 != ns0.transip.net
    < Repeats 8 times >

  • Phil Schwartz
    2009-04-18

    • status: open --> closed-fixed

  • Phil Schwartz
    2009-04-18

    I modified the Sync Server code to strip out the extra "(ip address)" portion and also scrubbed the db of these values.
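As an added example, not part of this ticket and not DenyHosts' or the Sync Server's own code, the following Python script does on the client side what the report and the fix above describe: it flags hosts.deny rules whose client list carries a parenthesised "(ip address)" token, and it strips that token only where it merely echoes the address before it, as the Sync Server fix does. The file content is constructed, modelled on the entries quoted in the report; the function names are my own. It assumes the hosts_access(5) rule layout (fields separated by ":", list members separated by whitespace or commas) and handles IPv4 entries only.

```python
import re

# Constructed sample modelled on the entries quoted in the ticket; it is not
# the reporter's real hosts.deny. Lines 4 and 6 carry the extra "(ip address)"
# echo that the Sync Server fix strips out; line 6 is in the exact form quoted
# in the report (no daemon list at all).
SAMPLE_HOSTS_DENY = """\
# DenyHosts: Sun Apr 12 06:59:10 2009 | sshd: 198.51.100.7
sshd: 198.51.100.7
# DenyHosts: Sun Apr 12 07:00:57 2009 | sshd: 66.154.96.184 (66.154.96.184)
sshd: 66.154.96.184 (66.154.96.184)
# DenyHosts: Sun Apr 12 07:00:57 2009 | sshd: 201.116.186.243 (201.116.186.243)
201.116.186.243 (201.116.186.243)
ALL: 203.0.113.0/255.255.255.0 : spawn /bin/echo %a >> /tmp/denied.log
"""

# A token that is an IPv4 address wrapped in parentheses, e.g. "(66.154.96.184)".
# Bracketed IPv6 clients ("[2001:db8::1]") are out of scope for this check.
PAREN_ECHO = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")


def split_rule(line):
    """Split a rule into its ':'-separated fields (daemon list, client list,
    optional shell command). Returns None for blank lines and comments,
    which tcp_wrappers ignores."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    return [p.strip() for p in stripped.split(":", 2)]


def list_tokens(field):
    """hosts_access(5) separates list members by whitespace and/or commas."""
    return [t for t in re.split(r"[\s,]+", field) if t]


def find_malformed(text):
    """Return (line_number, line) for every rule whose daemon or client list
    contains a parenthesised address, which is not valid hosts_access(5) syntax."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        fields = split_rule(line)
        if fields is None:
            continue
        for field in fields[:2]:          # never look inside a shell command
            if any(PAREN_ECHO.fullmatch(t) for t in list_tokens(field)):
                hits.append((lineno, line))
                break
    return hits


def strip_echo(field):
    """Drop a "(ip)" token that repeats the address immediately before it.
    A parenthesised address that does NOT match its neighbour is kept, so an
    unexpected entry is flagged by find_malformed rather than silently rewritten."""
    kept, changed = [], False
    for tok in list_tokens(field):
        m = PAREN_ECHO.fullmatch(tok)
        if m and kept and kept[-1] == m.group(1):
            changed = True
            continue
        kept.append(tok)
    return " ".join(kept), changed


def sanitize_line(line):
    """Return (new_line, changed). Only the daemon and client lists are
    rewritten; a shell command field is passed through verbatim."""
    fields = split_rule(line)
    if fields is None:
        return line, False
    new_fields, changed = [], False
    for field in fields[:2]:
        cleaned, c = strip_echo(field)
        new_fields.append(cleaned)
        changed = changed or c
    if not changed:
        return line, False
    return ": ".join(new_fields + fields[2:]), True


def sanitize(text):
    """Sanitize a whole file; returns (new_text, number_of_rewritten_lines)."""
    out, n = [], 0
    for line in text.splitlines():
        new, changed = sanitize_line(line)
        out.append(new)
        n += 1 if changed else 0
    return "\n".join(out) + "\n", n


if __name__ == "__main__":
    for lineno, line in find_malformed(SAMPLE_HOSTS_DENY):
        print(f"malformed, line {lineno}: {line}")
    cleaned, n = sanitize(SAMPLE_HOSTS_DENY)
    print(f"rewrote {n} line(s)")
    print(cleaned, end="")
```

Running it against a real file (`sanitize(open("/etc/hosts.deny").read())`) gives a count of rewritten lines to compare with the "host name/name mismatch" warnings in /var/log/secure; a non-zero count after the Sync Server fix would indicate entries that arrived before the database was scrubbed.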