
#30 Cannot handle reversed IP address embedded in hostname

Status: open
Owner: nobody
Labels: None
Priority: 5
Updated: 2008-06-12
Created: 2008-06-12
Private: No

A host failed to login and the following was logged:

error: PAM: Authentication failure for USER from WWW.XXX.YYY.ZZZ.exetel.com.au

However, sneakily, this particular ISP has reversed the IP address in the host name: the actual IP address is ZZZ.YYY.XXX.WWW, but denyhosts is blocking WWW.XXX.YYY.ZZZ.

I suspect the issue is this regexp:

FAILED_ENTRY_REGEX3 = re.compile(r"""Authentication failure for (?P<user>.*) .*from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})""")

Possibly this should match to the end of the line, or at least require a following space, as many ISPs embed IPs *inside* hostnames and furthermore, as we have seen, sometimes they do not embed them in left-to-right order.

Debug mode enabled.
DenyHosts configuration settings:
ADMIN_EMAIL: [root@localhost]
AGE_RESET_INVALID: [864000]
AGE_RESET_RESTRICTED: [2160000]
AGE_RESET_ROOT: [2160000]
AGE_RESET_VALID: [432000]
ALLOWED_HOSTS_HOSTNAME_LOOKUP: [no]
BLOCK_SERVICE: [sshd]
DAEMON_LOG: [/var/log/denyhosts]
DAEMON_LOG_MESSAGE_FORMAT: [%(asctime)s - %(name)-12s: %(levelname)-8s %(message)s]
DAEMON_LOG_TIME_FORMAT: [None]
DAEMON_PURGE: [3600]
DAEMON_SLEEP: [30]
DENY_THRESHOLD_INVALID: [5]
DENY_THRESHOLD_RESTRICTED: [1]
DENY_THRESHOLD_ROOT: [1]
DENY_THRESHOLD_VALID: [10]
FAILED_ENTRY_REGEX: [None]
FAILED_ENTRY_REGEX2: [None]
FAILED_ENTRY_REGEX3: [None]
FAILED_ENTRY_REGEX4: [None]
FAILED_ENTRY_REGEX5: [None]
FAILED_ENTRY_REGEX6: [None]
FAILED_ENTRY_REGEX7: [None]
HOSTNAME_LOOKUP: [YES]
HOSTS_DENY: [/etc/hosts.deny]
LOCK_FILE: [/var/run/denyhosts.pid]
PLUGIN_DENY: [None]
PLUGIN_PURGE: [None]
PURGE_DENY: [6048000]
PURGE_THRESHOLD: [0]
RESET_ON_SUCCESS: [no]
SECURE_LOG: [/var/log/auth.log]
SMTP_DATE_FORMAT: [%a, %d %b %Y %H:%M:%S %z]
SMTP_FROM: [DenyHosts <nobody@localhost>]
SMTP_HOST: [localhost]
SMTP_PASSWORD: [None]
SMTP_PORT: [25]
SMTP_SUBJECT: [DenyHosts Report]
SMTP_USERNAME: [None]
SSHD_FORMAT_REGEX: [None]
SUCCESSFUL_ENTRY_REGEX: [None]
SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS: [YES]
SYNC_DOWNLOAD: [yes]
SYNC_DOWNLOAD_RESILIENCY: [18000]
SYNC_DOWNLOAD_THRESHOLD: [3]
SYNC_INTERVAL: [3600]
SYNC_SERVER: [None]
SYNC_UPLOAD: [yes]
SYSLOG_REPORT: [no]
WORK_DIR: [/var/lib/denyhosts]
restricted: set([])
__get_current_offset():
first_line: Jun 11 09:21:24 flay sudo: mary : TTY=pts/9 ; PWD=/home/mary ; USER=root ; COMMAND=/usr/bin/less /var/log/ulog-acctd/account.log
offset: 191492
initializing AllowedHosts
Could not open /var/lib/denyhosts/allowed-hosts - [Errno 2] No such file or directory: '/var/lib/denyhosts/allowed-hosts'
done initializing AllowedHosts
__get_last_offset():
first_line: Jun 11 09:21:24 flay sudo: mary : TTY=pts/9 ; PWD=/home/mary ; USER=root ; COMMAND=/usr/bin/less /var/log/ulog-acctd/account.log
offset: 191202
get_offset():
offset: 191202
Processing log file (/var/log/auth.log) from offset (191202)
new hosts: []
no new denied hosts
no new suspicious logins
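To make the failure mode concrete, here is an added example (not DenyHosts' own code) that runs the regex quoted above and an anchored variant over constructed log lines. The anchored variant is one assumed fix: it requires the dotted quad to be followed by whitespace or end of line, so an address that is merely embedded in a hostname is no longer treated as the client's address.

```python
import re

# Regex quoted in the ticket (DenyHosts FAILED_ENTRY_REGEX3). The host group is
# not anchored, so it matches the first dotted quad that appears after "from",
# even when that quad is only part of a hostname.
ORIGINAL_REGEX3 = re.compile(
    r"""Authentication failure for (?P<user>.*) .*from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"""
)

# Assumed hardened form: the lookahead (?=\s|$) makes the dotted quad a whole
# token, so "7.113.0.203.isp.example" does not yield a host at all and the line
# falls through to whatever handles hostnames (e.g. a lookup) instead.
STRICT_REGEX3 = re.compile(
    r"""Authentication failure for (?P<user>.*) .*from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(?=\s|$)"""
)

# Constructed sample lines (documentation addresses, not the reporter's log).
# Line 2 embeds the client's address 203.0.113.7 reversed in the hostname,
# mirroring the ISP behaviour the ticket describes.
SAMPLE_LOG = [
    "Jun 11 09:30:01 flay sshd[1234]: error: PAM: Authentication failure for mary from 203.0.113.7",
    "Jun 11 09:30:05 flay sshd[1235]: error: PAM: Authentication failure for mary from 7.113.0.203.isp.example",
    "Jun 11 09:30:09 flay sshd[1236]: error: PAM: Authentication failure for mary from ::ffff:198.51.100.9",
]


def extract_hosts(lines, regex):
    """Return the host field each matching line would feed into hosts.deny."""
    hosts = []
    for line in lines:
        match = regex.search(line.rstrip("\n"))
        if match:
            hosts.append(match.group("host"))
    return hosts


def misattributed_hosts(lines):
    """Addresses the unanchored regex would deny but the anchored one rejects.

    Each entry is an address that never connected: it was lifted out of a
    hostname, so denying it blocks an unrelated machine while the real client
    stays unblocked.
    """
    loose = set(extract_hosts(lines, ORIGINAL_REGEX3))
    strict = set(extract_hosts(lines, STRICT_REGEX3))
    return sorted(loose - strict)


if __name__ == "__main__":
    print("original regex:", extract_hosts(SAMPLE_LOG, ORIGINAL_REGEX3))
    print("anchored regex:", extract_hosts(SAMPLE_LOG, STRICT_REGEX3))
    print("would have been wrongly denied:", misattributed_hosts(SAMPLE_LOG))
```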

Discussion

  • Nobody/Anonymous

    UseDNS no in sshd configuration seems to fix this problem without many troubles
