Patching denyhosts to allow correct plugin reporting

Posted by chris on Mon 21 Jul 2008 at 10:26

Imagine you have denyhosts installed and it is adding new attackers to /etc/hosts.deny. Wouldn't it be great to inform the relevant people so that some action could be taken? With the right plugin that is possible, but there is a problem with the default reporting that we'll explain here.

That's what Automatically Report all SSH Brute Force Attacks to ISPs is all about. It grabs the IP, does some whois/lookup magic and sends off some e-mails.

So I installed it and left it running. This morning I found that one IP had hit the box and been correctly reported (and a reply received thanking me for the information and saying that the host had been shut down). Great! But, what's this? Another 58 IPs were also passed to the plugin, causing a further 127 mails to go out. What's going on?

Finding the bug

First hit - the Debian Bug Tracker. Here we find bug #430449 - over a year old, but describing exactly this symptom.

Having filed a follow-up I took a look at the code of denyhosts itself - and found a suspicious-looking call to the deny plugin (posted to the bug).

Finally - a trawl through the upstream bug tracker to find the same issue there (also posted to the bug).

Patching the system

OK - so - it's a bug, and it's an upstream bug. That's good - it means we can hope for a fix. But we need to fix our own system in the meantime.

You could just edit the python file directly - but - what if you have several systems running this version of denyhosts?

Let's build a Debian package containing the fix.

Step 1 - grab the source

apt-get source denyhosts

Step 2 - make sure we have the build dependencies

apt-get build-dep denyhosts

Step 3 - Patch the source

Make the code changes you want.

Step 4 - Update changelog file for version

You need to bump the version so that future stock versions and security updates will still supersede your local build. The version is stored in the first line of debian/changelog.

I added:

denyhosts (2.6-1etch1chris1) stable; urgency=low

  * Local build for fix to 430449

 -- Chris Searle <chris@example.org>  Thu, 17 Jul 2008 11:06:15 +0200

2.6-1etch1chris1 is a later version than 2.6-1etch1 (the current version) and an earlier version than 2.6-1etch2 or 2.6-2, which are the likely next version numbers.

Step 5 - Build

In the root of the package directory structure that was created by the call to "apt-get source" run the following:

dpkg-buildpackage -uc -us -rfakeroot

The -uc and -us are to prevent signing - we are not the package maintainer.

The -rfakeroot allows us to run as non-root.

Step 6 - Install

There should be a new .deb file one directory up - mine is called denyhosts_2.6-1etch1chris1_all.deb.

dpkg -i denyhosts_2.6-1etch1chris1_all.deb
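Step 4 relies on 2.6-1etch1chris1 sorting after 2.6-1etch1 but before 2.6-1etch2 and 2.6-2. The following Python re-implements the Debian version ordering that dpkg --compare-versions uses, so that the chosen local version can be checked before anything is built; it is an added example, not code from the article, denyhosts or dpkg, and the function names are this example's own. It also shows the one common pitfall: a tilde suffix (2.6-1etch1~chris1) sorts below the stock version, so apt would replace the local build with the unpatched package.

```python
def _order(c: str) -> int:
    # Weight of a character in a non-digit run (mirrors dpkg's order()): '~'
    # sorts before anything, even end of string; digits and end of string are
    # 0; letters sort before other punctuation.
    if c == "~":
        return -1
    if c == "" or c.isdigit():
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_fragment(a: str, b: str) -> int:
    # dpkg-style comparison of one upstream version or Debian revision string:
    # alternate weighted non-digit runs and numeric digit runs.
    i = j = 0
    while i < len(a) or j < len(b):
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        si, sj = i, j
        while i < len(a) and a[i].isdigit():
            i += 1
        while j < len(b) and b[j].isdigit():
            j += 1
        diff = int(a[si:i] or "0") - int(b[sj:j] or "0")  # leading zeros ignored
        if diff:
            return diff
    return 0

def _split(version: str):
    # 'epoch:upstream-revision'; epoch defaults to 0, revision to ''.
    epoch, rest = version.split(":", 1) if ":" in version else ("0", version)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, revision

def compare_versions(a: str, b: str) -> int:
    # -1, 0 or 1 with the meaning of dpkg --compare-versions lt / eq / gt.
    for x, y in zip(_split(a), _split(b)):
        r = x - y if isinstance(x, int) else _cmp_fragment(x, y)
        if r:
            return -1 if r < 0 else 1
    return 0

def local_version_sorts_between(current: str, local: str, nexts) -> bool:
    # True when the local build upgrades the installed stock version but every
    # plausible next stock version still supersedes it.
    return compare_versions(local, current) > 0 and all(
        compare_versions(local, n) < 0 for n in nexts)
```

On a Debian system the same checks can be made with `dpkg --compare-versions 2.6-1etch1chris1 gt 2.6-1etch1` and friends; the code above is for checking the scheme where dpkg is not at hand.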

Posted by Anonymous (80.206.xx.xx) on Mon 21 Jul 2008 at 13:05
I don't understand... what do you mean "Make the code changes you want"? Where is the patch to apply?

Posted by chris (193.30.xx.xx) on Mon 21 Jul 2008 at 13:12
The patch to apply is in the upstream bug report.

Direct link is http://sourceforge.net/tracker/index.php?func=detail&aid=1734736&group_id=131204&atid=720419 (this link is referenced from the Debian bug too).

I didn't go into details on the bug itself - although denyhosts is the cause for the article, I was trying more to show how to work with locally patched packages - so in the general case: whatever changes are required for the problem you are addressing.

The explicit fix for denyhosts is to change line 441 in deny_hosts.py - change deny_hosts to new_denied_hosts.

Posted by Anonymous (80.206.xx.xx) on Mon 21 Jul 2008 at 14:23
In Debian sid, denyhosts-2.6-4 is a little bit different.
The line to change is 446. The next release of denyhosts in Debian (I hope before lenny's freeze) may have this patch.

Posted by AJxn (91.95.xx.xx) on Thu 24 Jul 2008 at 11:44
A great article and a great goal for the article, but not so great a title. The title won't get your suggested audience to find the article easily.

"Making patching your own packages easy, with use case bug in denyhosts reporting" would be a better title, I think :)

But a great article, many thanks!

Posted by Anonymous (130.11.xx.xx) on Mon 21 Jul 2008 at 14:34
Excellent!

I had been just patching/building packages and then dpkg holding them however I think this is a much more elegant solution. aoTuv patched vorbis coming up :).

Thank you.

Posted by djzort (203.10.xx.xx) on Mon 21 Jul 2008 at 23:20
Denyhosts is a great addition to any system. But it's no substitute for locking down your shell accounts and restricting to key-only login. And restricting root from ssh access.

http://www.fragfest.com.au

Posted by chris (213.187.xx.xx) on Tue 22 Jul 2008 at 06:46
Yes - there are lots more things you can do :)

I have denyhosts in place, key based logins only, protocol 2 only etc.

Take a look at http://www.debian-administration.org/tag/ssh for more.

Posted by yarikoptic (69.125.xx.xx) on Sat 26 Jul 2008 at 04:42
Or instead of manually patching unsupported and no longer developed software, why not simply use an alternative (e.g. fail2ban... and why am I bringing more load onto my shoulders? :-))
