FAQ 3.7 says:
# The first 3 parts of the IP address must be provided (eg. 1.2.3.)
# The last part of the IP address can be a wildcard.
# The wildcard can be given with an asterisk -or- as a range.
I would be great if the 3rd part of the IP address could also support a wildcard asterisk or range.
Thanks!
I agree! This would be a great feature since my trusted network is a /16 and people keep managing to get themselves denied!
The general solution is to allow any subnet mask to be specified as a wildcard. To maintain compatibility, entries without a subnet mask should match /32.
For example:
10.0.0.0/24
192.168.1.0/255.255.255.0
1.1.1.2/32
I've started to work on a patch to allow this; I might have it in a day or two.
I have set up an unofficial DenyHosts Git repository on github. To get the code, run
git clone git://github.com/mruffalo/denyhosts.git
The 'master' branch contains all publicly available archives of DenyHosts, from version 0.5 to version 2.6. My changes are on the allow-hosts-mask branch, and have not been fully tested. I changed the AllowedHosts class to be a prefix tree for matching IP addresses. You can specify a long or short subnet mask as follows:
10.0.0.0/16
192.168.1.0/255.255.255.0
1.1.1.2/32
129.6.49.1 (no subnet mask = match all 32 bits)
I developed these changes in a few standalone Python files that I am working on attaching.
The test code for the IP trie (prefix tree) implementation is available at
http://vorlon.case.edu/~mmr15/ip-trie.tar.gz
The code in the archive is identical to the changes I made to allowedhosts.py. Run 'regex.py' from the archive to test everything.
It tests:
* Matching IP addresses and subnet masks with the ALLOWED_REGEX_MASK regex
* Assuming a subnet mask length of 32 bits if no subnet mask is given
* Counting the contiguous bits in the beginning of the subnet mask (255.240.0.1 = 12 bits)
* Inserting IPs into the trie
* Verifying whether the trie contains the specified IP
Oops, forgot to log in before posting that comment.
Great! Thanks! Sorry for my ignorance, but how do patches normally get incorporated into the official repository? I'm using this on production systems so ideally I would just be able to update via my package manager but I that's a long way out I'd expect.
At this point are you looking for people to test it out and find problems before submitting it as a potential patch for the denyhosts project? Let me know how I can help. Thanks!
I have no idea how patches are incorporated into the official repository (wherever that may be). Version 2.7 is apparently done, but has not yet been released. I sent a message to Phil Schwartz about this today, but haven't received a response yet.
I have full confidence in my logic, but I'm unsure of its integration with the rest of DenyHosts. In particular, I'm sure I broke something with hostname matching in allowedhosts.py: previously, it stored IPs addresses and hostnames as text keys into a Python dictionary. I'm using my changes on my server but could use more input on how well my code works.
I also haven't read most of the DenyHosts code and I don't know if my changes follow the same style.