#61 Spurious "suspicious login" warnings from DenyHosts [patch]

[Bjarni Thorisson]

I'm copying this bug report as it has been closed on the debian issue list without solving. This issue is also affecting me on ubuntu server 13.10.
See: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=729322 for original report.

Package: denyhosts
Version: 2.6-10

I am observing spurious "suspicious login" warnings from DenyHosts after
a recent upgrade of one of my servers to Ubuntu 13.10. The logins that
are causing warnings are in fact not what falls under DenyHosts'
definition of "suspicious" [1]. I think this is relevant for the
denyhosts package in Debian, so that's why I am reporting it here
instead of at Launchpad (package is unmodified in Ubuntu). The package
was not changed in the upgrade, but Python was upgraded from v2.7.4 to
v2.7.5.

[1] http://denyhosts.sourceforge.net/faq.html#3_20 (see description for
"suspicious-logins").

I took a look at the code, and it looks like a hidden bug that is now
causing problems when using the newer Python version.

The code in "DenyHosts/loginattempt.py", on line 78, compares a Python
class instance directly to an integer (to check if an attempt count is
above a threshold). Python docs state that such ordering is arbitrary,
but consistent [2]. (The relevant classes are found in
"DenyHosts/counter.py".) So a change in Python version may cause
different results in the comparison I guess.

[2] http://docs.python.org/2/library/stdtypes.html#comparisons

Here's a test between Python 2.7.3 and 2.7.5 which demonstrates how
comparison behaviour can change, and thus why this bug is suddenly
visible in denyhosts without any changes to the package itself:

Python 2.7.5+ (default, Sep 19 2013, 13:48:49)
[GCC 4.8.1] on linux2
Type "help", "copyright", "credits" or "license" for more information.

class Test: pass
...
Test() > 5
True

Python 2.7.3 (default, Sep 26 2013, 20:03:06)
[GCC 4.6.3] on linux2
Type "help", "copyright", "credits" or "license" for more information.

class Test: pass
...
Test() > 5
False

Now the comparsion yields 'True' and causes false warnings. I think the
code in is not making sense and that it's a bug.

I am attaching a patch against denyhosts-2.6.orig.tar.gz which fixes the
problem for me and also corrects the doc string for class Counter in
"DenyHosts/counter.py". Please take a look and consider fixing it in the
package.

[denyhosts-fix-suspicious-comparison.patch (text/x-diff, inline)]

diff -uNr DenyHosts-2.6.orig/DenyHosts/counter.py DenyHosts-2.6/DenyHosts/counter.py
--- DenyHosts-2.6.orig/DenyHosts/counter.py 2006-02-09 02:17:24.000000000 +0100
+++ DenyHosts-2.6/DenyHosts/counter.py 2013-11-11 19:38:22.139460660 +0100
@@ -43,8 +43,8 @@

class Counter(dict):
"""
- Behaves like a dictionary, except that if the key isn't found, 0 is returned
- rather than an exception. This is suitable for situations like:
+ Behaves like a dictionary, except that if the key isn't found, a new instance of CounterRecord
+ is returned rather than an exception being raised. This is suitable for situations like:
c = Counter()
c['x'] += 1
"""
diff -uNr DenyHosts-2.6.orig/DenyHosts/loginattempt.py DenyHosts-2.6/DenyHosts/loginattempt.py
--- DenyHosts-2.6.orig/DenyHosts/loginattempt.py 2006-05-21 02:58:56.000000000 +0200
+++ DenyHosts-2.6/DenyHosts/loginattempt.py 2013-11-11 16:38:23.461590916 +0100
@@ -75,7 +75,7 @@
self.__abusive_hosts_invalid[host].reset_count()

• if success and self.abusive_hosts_invalid.get(host, 0) > self.deny_threshold_invalid:
• if success and self.abusive_hosts_invalid[host].get_count() > self.deny_threshold_invalid:
  num_failures = self.valid_users_and_hosts.get(user_host_key, 0)
  self.suspicious_logins[user_host_key] += 1
  if self.suspicious_always or host not in self.allowed_hosts:

[Message part 3 (text/plain, inline)]

Thank you.

Øyvind S.

< Øyvind Stegard
< http://stegard.net/

[Jared Fernandez]

I know that unfortunately Debian (and subsequently Debian derivatives such as Ubuntu) have removed DenyHosts from their repositories due to lack of development, but I want to thank you for this patch because I still prefer to use DenyHosts and it was annoying to constantly receive emails reporting false suspicious logins.

I have tested this patch on several machines and it fixes the issue--thanks!!

[Maciej Puzio]

This bug tracker appears no longer monitored. Please see https://github.com/denyhosts/denyhosts/issues/16