Re: [Denyhosts-user] DENY_THRESHOLD_ROOT not being respected

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Okay, so I'm looking at my 10.5 installation right now and I have the 
following lines at the very bottom of my .cfg file:

#Added for Mac OS X
#SSHD_FORMAT_REGEX=.* \[Sender sshd\] \[PID \d*(\} \[Message .* PAM: 
(?P<message>.*?)\].*?
#
#######################################################################################################

The "#" at the beginning of the SSHD line is the one that needs to be 
added. If these lines aren't present in your installation, I wonder 
where your version of DH came from; that is, it's possible that the 
person who put yours together has already removed this line and so you 
don't need to worry about it.

Regarding the addition of private/ at the beginning of your path, I 
think it should be /private/, right? But it should work either way, I 
believe, so long as DH is running with root permissions (that is, either 
being invoked as a daemon, or running under sudo, or simply being run by 
root).

Now about the DAEMON_SLEEP, it is true that DH won't pick up the attack 
until it wakes back up, however, it will read the log from where it left 
off the last time, then it should identify your host, add the IP to 
hosts.deny, and sshd should see it the next time that remote computer 
attempts to ssh to your box (regardless of which user is trying to log 
on from that machine). That is, the IP should be locked out based on 
your DENY_THRESHOLD_ROOT = 1 when DH wakes up and reads the log.

*Things that might be worth checking out are any valuable information in 
your DAEMON_LOG (as set in .cfg), and whether your SSHD settings are as 
they need to be.* Reread the information at the link I sent you very 
closely to check whether you have set up SSHD as recommended for the 
10.5 installation. The issue here is that Phil Schwartz, who wrote 
denyhosts, relies on us Mac users to help him help us and Apple has made 
tiny changes to the SSH functionality from 10.3, to 10.4, 10.5, and 
10.6, all of which have their little tweaks that need to be made for the 
REGEXes to work correctly.

"Fixing" sshd_config is described here (for 10.4, originally, but still 
true for 10.5):
http://permalink.gmane.org/gmane.os.apple.fink.beginners/19292/

I'd be happy to send you my denyhosts.cfg for you to review or modify 
for your needs (changing /sw to /private as appropriate) if you'd like, 
I can verify that my installation is catching and reporting attacks as 
advertised.

The next thing I would ask for is either (or both) your .cfg file or 
your output in your DAEMON_LOG--these could be sent to me privately in 
order to avoid anything sensitive from being displayed to the world. I'm 
leaving the office now but will be available again later this evening.

--Robert

Jonathan S. Abrams wrote:
> I could not find the string SSHD_FORMAT_REGEX= in the .cfg file, and 
> the few REGEX entries I did find were already commented out.
>
> If the .cfg file is already looking at private/var/log/secure.log, how 
> is that different from var/log/secure.log?  Both paths point to the 
> same file.  Is the "private/" throwing off DenyHosts?
>
> DAEMON_SLEEP = 30s  This could be where the problem is, as the time 
> stamp of the first attack and the last attack are 30s apart.  What do 
> you think?  Does the daemon not know that a host has attempted to 
> login as root and failed until it wakes from sleep and checks the 
> secure.log file?  If this is true, does that explain what I reported 
> at the start of this thread?
>
> -- 
> Jonathan S. Abrams, CEA, CBNT
> Apple Certified Technical Coordinator (v10.5), Xsan 2 Admin
> Treasurer, NY Section, AES
>
> On Mon, Jan 3, 2011 at 4:31 PM, Robert Wyatt <chu...@gm... 
> <mailto:chu...@gm...>> wrote:
>
>     I'll bet it's your regex. From some notes specific to 10.5 (a
>     while back) you'll want to make sure that you have
>
>     >>>  2) In /sw/etc/denyhosts-py25  edit the denyhosts.cfg file by changing
>     >>>
>     >>>  SECURE_LOG = /var/log/asl.log   to    SECURE_LOG = /var/log/secure.log
>     >>>
>     >>>  and comment out the statement   SSHD_FORMAT_REGEX=
>          
>
>     [this is from here:]
>     http://www.mail-archive.com/fin...@li.../msg22454.html
>
>     Note that *the path is specific to a fink installation (in /sw)*,
>     but your regex still probably needs to be commented out from the
>     config file (since it was originally added for earlier versions of
>     MacOSX and doesn't apply to 10.5).
>
>     If it's not that, then we'd wish to look at (only) the pertinent
>     parts of denyhosts.cfg to see what's going on; for instance the
>     SECURE_LOG path, sleep settings (that is, how often does DH wake
>     up to check the log?), and whatever regexes you have.
>
>     --Robert
>
>
>
>     Jonathan S. Abrams wrote:
>>     Thanks for responding.
>>
>>     private/var/log/secure.log
>>
>>     These are the corresponding entries in the
>>     orivate/var/log/secure.log file.
>>
>>     Jan  2 14:44:42 clients sshd[22767]: Did not receive
>>     identification string from 92.246.211.245
>>     Jan  2 14:44:56 clients sshd[22772]: Failed none for invalid user
>>     root from 92.246.211.245 port 3206 ssh2
>>
>>     Jan  2 14:44:57 clients sshd[22772]: error: PAM: Authentication
>>     failure for illegal user root from 92.246.211.245
>>     Jan  2 14:44:57 clients sshd[22772]: Failed
>>     keyboard-interactive/pam for invalid user root from
>>     92.246.211.245 port 3206 ssh2
>>
>>     Jan  2 14:44:58 clients sshd[22772]: error: PAM: Authentication
>>     failure for illegal user root from 92.246.211.245
>>     Jan  2 14:44:58 clients sshd[22772]: Failed
>>     keyboard-interactive/pam for invalid user root from
>>     92.246.211.245 port 3206 ssh2
>>
>>     Jan  2 14:44:59 clients sshd[22772]: error: PAM: Authentication
>>     failure for illegal user root from 92.246.211.245
>>     Jan  2 14:44:59 clients sshd[22772]: Failed
>>     keyboard-interactive/pam for invalid user root from
>>     92.246.211.245 port 3206 ssh2
>>
>>     Jan  2 14:45:03 clients sshd[22772]: error: PAM: Authentication
>>     failure for illegal user root from 92.246.211.245
>>     Jan  2 14:45:03 clients sshd[22772]: Failed
>>     keyboard-interactive/pam for invalid user root from
>>     92.246.211.245 port 3206 ssh2
>>
>>     Jan  2 14:45:08 clients sshd[22772]: error: PAM: Authentication
>>     failure for illegal user root from 92.246.211.245
>>     Jan  2 14:45:08 clients sshd[22772]: Failed
>>     keyboard-interactive/pam for invalid user root from
>>     92.246.211.245 port 3206 ssh2
>>
>>     Jan  2 14:45:12 clients sshd[22772]: error: PAM: Authentication
>>     failure for illegal user root from 92.246.211.245
>>     Jan  2 14:45:12 clients sshd[22772]: Failed
>>     keyboard-interactive/pam for invalid user root from
>>     92.246.211.245 port 3206 ssh2
>>
>>     -- 
>>     Jonathan S. Abrams, CEA, CBNT
>>     Apple Certified Technical Coordinator (v10.5), Xsan 2 Admin
>>     Treasurer, NY Section, AES
>>
>>     On Mon, Jan 3, 2011 at 2:46 PM, Robert Wyatt
>>     <chu...@gm... <mailto:chu...@gm...>> wrote:
>>
>>         Which log file is denyhosts set up to look at in your
>>         installation?
>>
>>
>>         Jonathan S. Abrams wrote:
>>
>>             Hello,
>>
>>             I have installed DenyHosts on a Mac OS X v10.5.8 server.
>>              I noticed the following entries in the server's
>>             system.log file.
>>
>>             Jan  2 14:44:56 clients sshd[22772]: Failed none for
>>             invalid user root from 92.246.211.245 port 3206 ssh2
>>             Jan  2 14:44:57 clients com.apple.SecurityServer[35]:
>>             checkpw() returned -2; failed to authenticate user root
>>             (uid 0).
>>             Jan  2 14:44:57 clients com.apple.SecurityServer[35]:
>>             Failed to authorize right system.login.tty by client
>>             /usr/sbin/sshd for authorization created by /usr/sbin/sshd.
>>
>>             Jan  2 14:44:57 clients sshd[22772]: Failed
>>             keyboard-interactive/pam for invalid user root from
>>             92.246.211.245 port 3206 ssh2
>>             Jan  2 14:44:58 clients com.apple.SecurityServer[35]:
>>             checkpw() returned -2; failed to authenticate user root
>>             (uid 0).
>>             Jan  2 14:44:58 clients com.apple.SecurityServer[35]:
>>             Failed to authorize right system.login.tty by client
>>             /usr/sbin/sshd for authorization created by /usr/sbin/sshd.
>>
>>             Jan  2 14:44:58 clients sshd[22772]: Failed
>>             keyboard-interactive/pam for invalid user root from
>>             92.246.211.245 port 3206 ssh2
>>             Jan  2 14:44:59 clients com.apple.SecurityServer[35]:
>>             checkpw() returned -2; failed to authenticate user root
>>             (uid 0).
>>             Jan  2 14:44:59 clients com.apple.SecurityServer[35]:
>>             Failed to authorize right system.login.tty by client
>>             /usr/sbin/sshd for authorization created by /usr/sbin/sshd.
>>
>>             Jan  2 14:44:59 clients sshd[22772]: Failed
>>             keyboard-interactive/pam for invalid user root from
>>             92.246.211.245 port 3206 ssh2
>>             Jan  2 14:45:01 clients com.apple.SecurityServer[35]:
>>             checkpw() returned -2; failed to authenticate user root
>>             (uid 0).
>>             Jan  2 14:45:03 clients com.apple.SecurityServer[35]:
>>             Failed to authorize right system.login.tty by client
>>             /usr/sbin/sshd for authorization created by /usr/sbin/sshd.
>>
>>             Jan  2 14:45:03 clients sshd[22772]: Failed
>>             keyboard-interactive/pam for invalid user root from
>>             92.246.211.245 port 3206 ssh2
>>             Jan  2 14:45:06 clients com.apple.SecurityServer[35]:
>>             checkpw() returned -2; failed to authenticate user root
>>             (uid 0).
>>             Jan  2 14:45:08 clients com.apple.SecurityServer[35]:
>>             Failed to authorize right system.login.tty by client
>>             /usr/sbin/sshd for authorization created by /usr/sbin/sshd.
>>
>>             Jan  2 14:45:08 clients sshd[22772]: Failed
>>             keyboard-interactive/pam for invalid user root from
>>             92.246.211.245 port 3206 ssh2
>>             Jan  2 14:45:10 clients com.apple.SecurityServer[35]:
>>             checkpw() returned -2; failed to authenticate user root
>>             (uid 0).
>>             Jan  2 14:45:12 clients com.apple.SecurityServer[35]:
>>             Failed to authorize right system.login.tty by client
>>             /usr/sbin/sshd for authorization created by /usr/sbin/sshd.
>>
>>             Jan  2 14:45:12 clients sshd[22772]: Failed
>>             keyboard-interactive/pam for invalid user root from
>>             92.246.211.245 port 3206 ssh2
>>
>>             Someone (or something) at 92.246.211.245 attempted to
>>             login as root at least six (6) times.  The denyhosts.cfg
>>             file has DENY_THRESHOLD_ROOT = 1.  The IP associated with
>>             these login attempts did get added to hosts.deny, but it
>>             should it not have been added after the first failed
>>             login attempt?  Should I be looking for some other
>>             setting in the .cfg file?  Is this normal and expected
>>             behavior?
>>
>>             Thanks for reading!
>>
>>             -- 
>>             Jonathan S. Abrams, CEA, CBNT
>>             Apple Certified Technical Coordinator (v10.5), Xsan 2 Admin
>>             Treasurer, NY Section, AES
>>