denyhosts: 2.6 -> 2.9

Danny Rawlins 2014-11-21 22:32:14 +11:00
parent 760a214d5e
commit 6db33dc1eb
9 changed files with 29 additions and 226 deletions


@ -2,14 +2,12 @@ drwxr-xr-x root/root etc/
drwxr-xr-x root/root etc/denyhosts/
-rw-r--r-- root/root etc/denyhosts/denyhosts.conf
drwxr-xr-x root/root etc/rc.d/
lrwxrwxrwx root/root etc/rc.d/denyhosts -> /usr/share/denyhosts/daemon-control
-rwxr-xr-x root/root etc/rc.d/denyhosts
drwxr-xr-x root/root usr/
drwxr-xr-x root/root usr/bin/
-rwxr-xr-x root/root usr/bin/denyhosts
drwxr-xr-x root/root usr/lib/
drwxr-xr-x root/root usr/lib/python2.7/
drwxr-xr-x root/root usr/lib/python2.7/site-packages/
-rw-r--r-- root/root usr/lib/python2.7/site-packages/DenyHosts-2.6-py2.7.egg-info
-rw-r--r-- root/root usr/lib/python2.7/site-packages/DenyHost-2.9-py2.7.egg-info
drwxr-xr-x root/root usr/lib/python2.7/site-packages/DenyHosts/
-rw-r--r-- root/root usr/lib/python2.7/site-packages/DenyHosts/__init__.py
-rw-r--r-- root/root usr/lib/python2.7/site-packages/DenyHosts/__init__.pyc
@ -53,16 +51,8 @@ drwxr-xr-x root/root usr/lib/python2.7/site-packages/DenyHosts/
-rw-r--r-- root/root usr/lib/python2.7/site-packages/DenyHosts/util.pyc
-rw-r--r-- root/root usr/lib/python2.7/site-packages/DenyHosts/version.py
-rw-r--r-- root/root usr/lib/python2.7/site-packages/DenyHosts/version.pyc
drwxr-xr-x root/root usr/share/
drwxr-xr-x root/root usr/share/denyhosts/
-rwx------ root/root usr/share/denyhosts/daemon-control
drwxr-xr-x root/root usr/share/denyhosts/plugins/
-rw-r--r-- root/root usr/share/denyhosts/plugins/shorewall_allow.sh
-rw-r--r-- root/root usr/share/denyhosts/plugins/shorewall_deny.sh
-rwxr-xr-x root/root usr/share/denyhosts/plugins/test_deny.py
drwxr-xr-x root/root usr/share/denyhosts/scripts/
-rwxr-xr-x root/root usr/share/denyhosts/scripts/restricted_from_invalid.py
-rwxr-xr-x root/root usr/share/denyhosts/scripts/restricted_from_passwd.py
-rw-r--r-- root/root usr/share/denyhosts/setup.py
drwxr-xr-x root/root var/
drwxr-xr-x root/root var/log/
drwxr-xr-x root/root usr/man/
drwxr-xr-x root/root usr/man/man8/
-rw-r--r-- root/root usr/man/man8/denyhosts.8.gz
drwxr-xr-x root/root usr/sbin/
-rwxr-xr-x root/root usr/sbin/denyhosts


@ -1,6 +1 @@
fc2365305a9402886a2b0173d1beb7df DenyHosts-2.6.tar.gz
a0abe102add4420e766cc90d0709f425 denyhosts-2.6-config.patch
67e0d788356f9f7183c217a2eae71bf1 denyhosts-2.6-cve-2013-6890.patch
79abdfcd7ce0859f2f3f134598a89209 denyhosts-2.6-log-injection-regex.patch
6ed4e279640b8a5c0c04dd4193ac15e2 denyhosts-2.6-plugin_deny.patch
dfd91828e48d97af2e77e009c67c4754 denyhosts-2.6-single_config_switch.patch
2c1d82799e43676db667c447959d9d97 denyhosts-2.9.tar.gz


@ -1,46 +1,34 @@
# Description: DenyHosts is a script intended to be run by Linux system administrators to help thwart ssh server attacks.
# URL: http://denyhosts.sourceforge.net/
# URL: http://denyhost.sourceforge.net/
# Maintainer: Danny Rawlins, crux at romster dot me
# Packager: Danny Rawlins, crux at romster dot me
# Depends on: python
name=denyhosts
version=2.6
release=2
source=(http://downloads.sourceforge.net/project/$name/$name/$version/DenyHosts-$version.tar.gz
denyhosts-$version-config.patch
denyhosts-2.6-cve-2013-6890.patch
denyhosts-2.6-log-injection-regex.patch
denyhosts-2.6-single_config_switch.patch
denyhosts-2.6-plugin_deny.patch)
version=2.9
release=1
source=(http://downloads.sourceforge.net/project/denyhost/denyhost-$version/$name-$version.tar.gz)
build() {
cd DenyHosts-$version
patch -p0 -i $SRC/$name-$version-config.patch
patch -p1 -i $SRC/denyhosts-2.6-log-injection-regex.patch
patch -p1 -i $SRC/denyhosts-2.6-single_config_switch.patch
patch -p1 -i $SRC/denyhosts-2.6-plugin_deny.patch
patch -p1 -i $SRC/denyhosts-2.6-cve-2013-6890.patch
/usr/bin/python setup.py install --root=$PKG
rm $PKG/usr/share/denyhosts/*.txt
install -d $PKG/etc/{denyhosts,rc.d} $PKG/usr/sbin
install -d \
$PKG/etc/ \
$PKG/etc/{denyhosts,rc.d} \
$PKG/var/log
mv $PKG/usr/share/denyhosts/denyhosts.cfg-dist \
mv $PKG/etc/denyhosts.conf \
$PKG/etc/denyhosts/denyhosts.conf
mv $PKG/usr/share/denyhosts/daemon-control-dist \
$PKG/usr/share/denyhosts/daemon-control
mv $PKG/usr/bin/daemon-control-dist \
$PKG/etc/rc.d/denyhosts
chmod 700 $PKG/usr/share/denyhosts/daemon-control
ln -s /usr/share/denyhosts/daemon-control $PKG/etc/rc.d/denyhosts
rm $PKG/usr/share/denyhosts/plugins/README.contrib
mv $PKG/usr/bin/denyhosts.py $PKG/usr/bin/denyhosts
mv $PKG/usr/bin/denyhosts.py $PKG/usr/sbin/denyhosts
mv $PKG/usr/share/man $PKG/usr/man
rmdir $PKG/usr/share $PKG/usr/bin
sed -i \
-e 's|^DENYHOSTS_LOCK = .*|DENYHOSTS_LOCK = "/var/run/denyhosts.pid"|' \
-e 's|^DENYHOSTS_CFG = .*|DENYHOSTS_CFG = "/etc/denyhosts/denyhosts.conf"|' \
$PKG/etc/rc.d/denyhosts
}
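Review bot: Dropping `denyhosts-2.6-cve-2013-6890.patch` and `denyhosts-2.6-log-injection-regex.patch` from `source=` and `build()` leaves the package relying on the 2.9 tarball to carry those fixes, and nothing in the commit records that this was checked. I would confirm that `DenyHosts/regex.py` in the 2.9 source has the end-anchored (`$`) host patterns the removed patch introduced, and record it next to `version=2.9`, e.g. `# 2.6 patches (CVE-2013-6890, log injection, plugin_deny, single --config) verified as included upstream`. The new `sed` rewrites only `DENYHOSTS_LOCK` and `DENYHOSTS_CFG`, whereas the removed config patch also set `DENYHOSTS_BIN`, `SECURE_LOG = /var/log/auth` and `LOCK_FILE`. If the 2.9 defaults differ, the daemon may watch a log file that does not exist on this system and block nothing, so those values are worth checking in the installed `denyhosts.conf` and rc script. Separately, the new `source=` URL is plain `http://` and the only integrity check visible on this page is the MD5 line for `denyhosts-2.9.tar.gz`, so a signature or stronger digest would be worth adding if the port tooling supports one.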


@ -23,11 +23,12 @@ NOTES:
To protect sshd.
Edit /etc/hosts.allow and comment out everyting, everything will have access by default.
Edit /etc/hosts.allow and comment out everything, everything will have access by default.
Edit /etc/hosts.deny and comment out the "ALL: ALL: DENY" part, also the "#End of file" bit will be useless as denyhosts appends to the file.
(note the config in inetd.conf dosn't seem to be right or needed? see messages apon boot up, any corections email me :) )
(note the config in inetd.conf doesn't seem to be right or needed? see
messages upon boot up, any corrections email me :) )
Danny Rawlins, <romster at shortcircuit dot net dot au
Danny Rawlins, <contact at romster dot me


@ -1,43 +0,0 @@
--- daemon-control-dist~ 2006-04-22 09:04:43.000000000 +1000
+++ daemon-control-dist 2007-01-03 01:47:12.000000000 +1100
@@ -11,9 +11,9 @@
#### Edit these to suit your configuration ####
###############################################
-DENYHOSTS_BIN = "/usr/bin/denyhosts.py"
-DENYHOSTS_LOCK = "/var/lock/subsys/denyhosts"
-DENYHOSTS_CFG = "/usr/share/denyhosts/denyhosts.cfg"
+DENYHOSTS_BIN = "/usr/bin/denyhosts"
+DENYHOSTS_LOCK = "/var/run/denyhosts.pid"
+DENYHOSTS_CFG = "/etc/denyhosts/denyhosts.conf"
PYTHON_BIN = "/usr/bin/env python"
--- denyhosts.cfg-dist~ 2006-08-21 00:09:57.000000000 +1000
+++ denyhosts.cfg-dist 2007-01-03 01:44:25.000000000 +1100
@@ -8,8 +8,11 @@
# The file to process can be overridden with the --file command line
# argument
#
+# CRUX
+SECURE_LOG = /var/log/auth
+#
# Redhat or Fedora Core:
-SECURE_LOG = /var/log/secure
+#SECURE_LOG = /var/log/secure
#
# Mandrake, FreeBSD or OpenBSD:
#SECURE_LOG = /var/log/auth.log
@@ -191,8 +194,11 @@
# and deleted upon exit. This ensures that only one instance is
# running at a time.
#
+# CRUX
+LOCK_FILE = /var/run/denyhosts.pid
+#
# Redhat/Fedora:
-LOCK_FILE = /var/lock/subsys/denyhosts
+#LOCK_FILE = /var/lock/subsys/denyhosts
#
# Debian
#LOCK_FILE = /var/run/denyhosts.pid


@ -1,60 +0,0 @@
Subject: address remote denial of service CVE-2013-6890
From: Helmut Grohne <helmut () subdivi de>
ssh -l 'Invalid user root from 123.123.123.123' 21.21.21.21
results in a log lines
sshd[123]: Invalid user Invalid user root from 123.123.123.123 from 21.21.21.21
sshd[123]: input_userauth_request: invalid user Invalid user root from 123.123.123.123 [preauth]
sshd[123]: Connection closed by 21.21.21.21 [preauth]
and causes denyhosts to block both ips 21.21.21.21 and 123.123.123.123.
This patch tightens the regular expressions used to avoid these and similar
injections.
Index: denyhosts-2.6/DenyHosts/regex.py
===================================================================
--- denyhosts-2.6.orig/DenyHosts/regex.py 2013-12-22 11:54:42.000000000 +0100
+++ denyhosts-2.6/DenyHosts/regex.py 2013-12-22 11:55:05.000000000 +0100
@@ -6,22 +6,22 @@
#DATE_FORMAT_REGEX = re.compile(r"""(?P<month>[A-z]{3,3})\s*(?P<day>\d+)""")
-SSHD_FORMAT_REGEX = re.compile(r""".* (sshd.*:|\[sshd\]) (?P<message>.*)""")
+SSHD_FORMAT_REGEX = re.compile(r""".*? (sshd.*?:|\[sshd\]) (?P<message>.*)""")
#SSHD_FORMAT_REGEX = re.compile(r""".* sshd.*: (?P<message>.*)""")
-FAILED_ENTRY_REGEX = re.compile(r"""Failed (?P<method>.*) for (?P<invalid>invalid user |illegal user )?(?P<user>.*?) .*from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})""")
+FAILED_ENTRY_REGEX = re.compile(r"""Failed (?P<method>\S*) for (?P<invalid>invalid user |illegal user )?(?P<user>.*) from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$""")
-FAILED_ENTRY_REGEX2 = re.compile(r"""(?P<invalid>(Illegal|Invalid)) user (?P<user>.*?) .*from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})""")
+FAILED_ENTRY_REGEX2 = re.compile(r"""(?P<invalid>(Illegal|Invalid)) user (?P<user>.*) from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$""")
-FAILED_ENTRY_REGEX3 = re.compile(r"""Authentication failure for (?P<user>.*) .*from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})""")
+FAILED_ENTRY_REGEX3 = None
-FAILED_ENTRY_REGEX4 = re.compile(r"""Authentication failure for (?P<user>.*) .*from (?P<host>.*)""")
+FAILED_ENTRY_REGEX4 = re.compile(r"""Authentication failure for (?P<user>.*) from (::ffff:)?(?P<host>\S+)$""")
-FAILED_ENTRY_REGEX5 = re.compile(r"""User (?P<user>.*) .*from (?P<host>.*) not allowed because none of user's groups are listed in AllowGroups$""")
+FAILED_ENTRY_REGEX5 = re.compile(r"""User (?P<user>.*) from (::ffff:)?(?P<host>\S+) not allowed because none of user's groups are listed in AllowGroups$""")
-FAILED_ENTRY_REGEX6 = re.compile(r"""Did not receive identification string .*from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})""")
+FAILED_ENTRY_REGEX6 = re.compile(r"""Did not receive identification string .*from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$""")
-FAILED_ENTRY_REGEX7 = re.compile(r"""User (?P<user>.*) .*from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) not allowed because not listed in AllowUsers""")
+FAILED_ENTRY_REGEX7 = re.compile(r"""User (?P<user>.*) from (::ffff:)?(?P<host>\S+) not allowed because not listed in AllowUsers$""")
# these are reserved for future versions
@@ -42,7 +42,7 @@
FAILED_ENTRY_REGEX_MAP[i] = rx
-SUCCESSFUL_ENTRY_REGEX = re.compile(r"""Accepted (?P<method>.*) for (?P<user>.*?) from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})""")
+SUCCESSFUL_ENTRY_REGEX = re.compile(r"""Accepted (?P<method>\S+) for (?P<user>.*?) from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$""")
TIME_SPEC_REGEX = re.compile(r"""(?P<units>\d*)\s*(?P<period>[smhdwy])?""")


@ -1,21 +0,0 @@
Address Log injection reported at
http://bugs.gentoo.org/show_bug.cgi?id=181213
diff -ur a/DenyHosts/regex.py b/DenyHosts/regex.py
--- a/DenyHosts/regex.py 2006-12-07 13:47:04.000000000 -0600
+++ b/DenyHosts/regex.py 2007-06-19 18:51:54.000000000 -0500
@@ -17,11 +17,11 @@
FAILED_ENTRY_REGEX4 = re.compile(r"""Authentication failure for (?P<user>.*) .*from (?P<host>.*)""")
-FAILED_ENTRY_REGEX5 = re.compile(r"""User (?P<user>.*) .*from (?P<host>.*) not allowed because none of user's groups are listed in AllowGroups""")
+FAILED_ENTRY_REGEX5 = re.compile(r"""User (?P<user>.*) .*from (?P<host>.*) not allowed because none of user's groups are listed in AllowGroups$""")
FAILED_ENTRY_REGEX6 = re.compile(r"""Did not receive identification string .*from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})""")
-FAILED_ENTRY_REGEX7 = re.compile(r"""User (?P<user>.*) not allowed because not listed in AllowUsers""")
+FAILED_ENTRY_REGEX7 = re.compile(r"""User (?P<user>.*) .*from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) not allowed because not listed in AllowUsers""")
# these are reserved for future versions


@ -1,23 +0,0 @@
From: Marco Bertorello <marco@bertorello.ns0.it>
Date: Thu, 14 Apr 2011 00:11:35 +0200
Subject: 09_plugin_deny
Correct the upstream bug http://sourceforge.net/tracker/index.php?func=detail&aid=1734736&group_id=131204&atid=720419
---
DenyHosts/deny_hosts.py | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/DenyHosts/deny_hosts.py b/DenyHosts/deny_hosts.py
index f308264..0f5f48d 100644
--- a/DenyHosts/deny_hosts.py
+++ b/DenyHosts/deny_hosts.py
@@ -443,7 +443,7 @@ allowed based on your %s file""" % (self.__prefs.get("HOSTS_DENY"),
self.__report.add_section(msg, new_denied_hosts)
if self.__sync_server: self.sync_add_hosts(new_denied_hosts)
plugin_deny = self.__prefs.get('PLUGIN_DENY')
- if plugin_deny: plugin.execute(plugin_deny, deny_hosts)
+ if plugin_deny: plugin.execute(plugin_deny, new_denied_hosts)
new_suspicious_logins = login_attempt.get_new_suspicious_logins()
if new_suspicious_logins:
--


@ -1,24 +0,0 @@
From: Marco Bertorello <marco@bertorello.ns0.it>
Date: Thu, 14 Apr 2011 00:11:35 +0200
Subject: 11_single_config_switch
A patch to prevent denyhosts running with a double --config switch
---
daemon-control-dist | 3 ++-
1 files changed, 2 insertions(+), 1 deletions(-)
diff --git a/daemon-control-dist b/daemon-control-dist
index 9f42b60..14d0f70 100755
--- a/daemon-control-dist
+++ b/daemon-control-dist
@@ -144,7 +144,8 @@ if __name__ == '__main__':
try:
if option in ('start', 'restart', 'condrestart'):
- if '--config' not in args and '-c' not in args:
+ anystartswith = lambda prefix, xs: any(map(lambda x: x.startswith(prefix), xs))
+ if not anystartswith('--config', args) and '-c' not in args:
args.append("--config=%s" % DENYHOSTS_CFG)
cmd = cases[option]
--