Cedric Knight - 2010-07-29

+1 / bump. It appears denyhosts counts a valid login as an invalid login and can therefore annoyingly and unexpectedly lock you out of your own server.

Debian Lenny. With "LogLevel INFO" set in /etc/ssh/sshd_config (default), an ordinary connection using command-line ssh will make an authentication request with method "none", and this is logged as:

/var/log/auth.log:Jul 29 08:50:55 server sshd[7396]: Failed none for username from 123.123.123.123 port 38136 ssh2

A workaround is to uncomment the line:
RESET_ON_SUCCESS = yes
in /etc/denyhosts.conf. The reasoning is that a brute force is unlikely to get access within the parameters (e.g. 5 invalid or 10 valid usernames) and if it does then denyhosts has already failed to stop at least user-level access.

Unfortunately it doesn't look possible to override the value of FAILED_ENTRY_REGEX in /etc/denyhosts.conf, so a patch might look like:

--- /usr/share/denyhosts/DenyHosts/regex.py 2008-01-25 23:23:31.000000000 +0
000
+++ regex.py 2010-07-29 09:16:08.000000000 +0100
@@ -9,7 +9,7 @@
SSHD_FORMAT_REGEX = re.compile(r""".* (sshd.*:|\[sshd\]) (?P<message>.*)""")
#SSHD_FORMAT_REGEX = re.compile(r""".* sshd.*: (?P<message>.*)""")

-FAILED_ENTRY_REGEX = re.compile(r"""Failed (?P<method>.*) for (?P<invalid>inval
id user |illegal user )?(?P<user>.*?) .*from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}
\.\d{1,3}\.\d{1,3})""")
+FAILED_ENTRY_REGEX = re.compile(r"""Failed (?!none )(?P<method>.*) for (?P<inva
lid>invalid user |illegal user )?(?P<user>.*?) .*from (::ffff:)?(?P<host>\d{1,3}
\.\d{1,3}\.\d{1,3}\.\d{1,3})""")

FAILED_ENTRY_REGEX2 = re.compile(r"""(?P<invalid>(Illegal|Invalid)) user (?P<us
er>.*?) .*from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})""")