#35 DenyHosts daemon logs password to /var/log/denyhosts

closed-fixed
nobody
None
5
2009-04-22
2008-12-30
rogper
No

Version: DenyHosts 2.6
File: DenyHosts/prefs.py
Function: DenyHosts.prefs.dump_to_logger

Problem: If enabling SMTP authentication for email notification, the daemon will log the password phrase in plaintext while launching.

2008-12-30 19:27:21,861 - prefs : INFO DenyHosts configuration settings:
.
.
.
2008-12-30 19:27:21,865 - prefs : INFO SMTP_DATE_FORMAT: [%a, %d %b %Y %H:%M:%S %z]
2008-12-30 19:27:21,865 - prefs : INFO SMTP_FROM: [DenyHosts <nobody@example.com>]
2008-12-30 19:27:21,865 - prefs : INFO SMTP_HOST: [smtp.example.com]
2008-12-30 19:27:21,865 - prefs : INFO SMTP_PASSWORD: [my-secret]
2008-12-30 19:27:21,865 - prefs : INFO SMTP_PORT: [25]
2008-12-30 19:27:21,866 - prefs : INFO SMTP_SUBJECT: [DenyHosts Report]
2008-12-30 19:27:21,866 - prefs : INFO SMTP_USERNAME: [myusername]
.
.
.

Workaround: I don't like passwords being logged, so I edited dump_to_logger() in file DenyHosts/prefs.py. This fix checks for the settings key SMTP_PASSWORD and prevents the password from being logged.

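def dump_to_logger(self):
    # sorted() gives the same ordering as keys() + sort() and also works
    # where keys() does not return a list.
    keys = sorted(self.__data.keys())
    info("DenyHosts configuration settings:")
    for key in keys:
        if key == 'USERDEF_FAILED_ENTRY_REGEX':
            # Compiled regexes: log the pattern text of each one.
            for rx in self.__data[key]:
                info(" %s: [%s]" % (key, rx.pattern))
        elif key == 'SMTP_PASSWORD':
            # Never write the SMTP password to the log; show a mask instead.
            info(" %s: [%s]", key, '****')
        else:
            info(" %s: [%s]", key, self.__data[key])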
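
A generalisation of the workaround above, added here as an example (it is not part of the original report and not DenyHosts code): it masks every setting whose name looks like a secret instead of only SMTP_PASSWORD, and adds a logging filter that scrubs the secret's value from any other log line. The key-name pattern, `redacted_settings`, `SecretValueFilter` and the sample dictionary are assumptions made for the illustration; it targets Python 3.

```python
import logging
import re

# Assumption: key names that suggest a secret; extend for your own config.
SENSITIVE_KEY = re.compile(r"(PASSWORD|PASSWD|SECRET|TOKEN|API_?KEY)", re.I)
MASK = "****"


def redacted_settings(settings):
    """Return (key, printable value) pairs sorted by key, secrets masked."""
    out = []
    for key in sorted(settings):
        value = settings[key]
        if SENSITIVE_KEY.search(key) and value not in (None, ""):
            value = MASK
        out.append((key, value))
    return out


class SecretValueFilter(logging.Filter):
    """Second layer: scrub known secret values from a record's final text."""

    def __init__(self, secrets):
        super().__init__()
        # Skip empty values so an unset password does not mask everything.
        self._secrets = [str(s) for s in secrets if s]

    def filter(self, record):
        msg = record.getMessage()
        for secret in self._secrets:
            msg = msg.replace(secret, MASK)
        record.msg, record.args = msg, None
        return True


def dump_to_logger(settings, logger):
    logger.info("DenyHosts configuration settings:")
    for key, value in redacted_settings(settings):
        logger.info("   %s: [%s]", key, value)


# Constructed sample, mirroring the values in the log excerpt above.
SAMPLE = {
    "SMTP_HOST": "smtp.example.com",
    "SMTP_PASSWORD": "my-secret",
    "SMTP_PORT": 25,
    "SMTP_USERNAME": "myusername",
}
```

Attach `SecretValueFilter` to the handler rather than to a logger, so that records propagated from child loggers are scrubbed as well.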

Discussion

  • Phil Schwartz

    Phil Schwartz - 2009-04-07

    Fixed in 2.7 (as soon as it's released, that is)

     
  • Phil Schwartz

    Phil Schwartz - 2009-04-07
    • status: open --> open-fixed
     
  • Phil Schwartz

    Phil Schwartz - 2009-04-07
    • status: open-fixed --> pending-fixed
     
  • SourceForge Robot

    • status: pending-fixed --> closed-fixed
     
  • SourceForge Robot

    This Tracker item was closed automatically by the system. It was
    previously set to a Pending status, and the original submitter
    did not respond within 14 days (the time period specified by
    the administrator of this Tracker).

     
