DENYHOSTS CHANGELOG 3.1 ====================== Fixed a type check in DenyHosts/report.py which was causing problems when moving between Python2 and Python3. Added checks to see if an IP address is valid. This pulls in the requirement for the ipaddr Python module. Added check to see if there is a break-in attempt against the Dovecot imap service. This is an option which can be enabled/disabled in the configuration file. It is turned off by default. 3.0 ====================== Initial translation of code from Python 2 to Python 3. DenyHosts can now be run as either a Python 2 or a Python 3 program. Added patch from Fedora to fix initial sync issue and insure info logging stream is active. (Provided by Jason Tibbitts.) Added "import logging" to denyhosts.py to avoid errors when setting up logging. (See above change.) Added option PF_TABLE_FILE to the configuration file. When this option is enabled it causes DenyHosts to write blocked IP addresses to a text file. The default location is /etc/blacklist. This text file should correspond to a PF firewall table. At start-up, try to create the file specified by HOSTS_DENY. That way we avoid errors later if the file does not exists. Can be a problem on operating systems where /etc/hosts.deny does not exist in the default configuration. Added regex pattern to detect invalid user accounts. This blocks connections from remote hosts who are attempting to login with accounts not found on the local system. While these connections to non-existent accounts are relatively harmless, they are usually used as part of a brute force attack and filtering them before they reach OpenSSH is a good idea. 2.10 ====================== - Updated example rule for PF in configuration file to make black listing attacking IPs more effective. - Added debugging info in case we cannot create a new PF table entry. - Fixed syntax for comparing suspecious logins. Avoids always testing true/false depending on Python version. - No longer require ETC_DIR in the configuration file. Use a default value "/etc" if ETC_DIR is not manually specified. - Make sure DenyHosts logs when running in foreground mode. When in foreground, warnings are logged to a file rather than outputted to terminal. Keeps things clean. - Add --unlock command line arguement to remove old lock files. - Updated README, version and Makefile with new version/maintainer information. - Added check for PAM failures on FreeBSD. This should block both failed user logins that are reported by PAM and also block repteated attempts at accessing the root account when root logins are disabled by OpenSSH. The latter does not really add more practical protection, but can prevent the connection \ attempts at the firewall level before the OpenSSH service is contacted. - Add systemd unit file, denyhosts.service 2.9 (November 3, 2014) ====================== - DenyHost now supports working with the PF packet filter, a popular firewall for FreeBSD, OpenBSD, TrueOS, PC-BSD and NetBSD. To enable PF support in DenyHost, comment out the IPTABLES option in the denyhosts.conf file and enable the PFCTL_PATH and PF_TABLE options. DenyHost will add misbehaving IP addresses to the PF table specified by "PF_TABLE". This table should be blocked using the pf.conf file. Please see the denyhosts.conf file for more information and example PF rules for blocking incoming traffic. Please note that even if /etc/hosts.deny is not used to block incoming connectins, the file should still exists or DenyHosts may throw an error. (This should be fixed in the next release.) 2.8 (June 12, 2014) =================== - Use standard errno instead of hardcoded errno value. Patch provided by Pino Toscano. - Make sure PLUGIN_DENY is called for each host we receive from the sync server. Patch provided by Sean M. Collins. - Made sure only new hosts in hosts.deny are reported as new, not all hosts. This prevents the PLUGIN_DENY plugin from getting old entries repeatedly. Patch provided by Chris Erdle. - We now check user defined regular expression filters, even if we already found a match with an existing filter. This allows the user to filter more services without using a plugin. Patch provided by Ben. - Added --purge-all command line flag to allow us to remove all old entries from the deny file without waiting. Patch provided by 9MediaCenterGUI on SourceForge. - Updated copyright information and some documentation. - Added manual page from Debian and fixed typo. Added additional command line options to man page. - Added --purgeip option to allow us to remove specific IP addresses from the blocked list at start time. Patch provided by Nelson Howell. Should close Debian bug 529089. - Updated FAILED_ENTRY_REGEX7 to be more flexible. - Added ability to use Linux iptables to block incoming connections. See IPTABLES option in the configuration file. - Made it possible to block specific ports, allowing remote hosts to conenct to some services while being blocked on others by the iptables firewall. See the BLOCKPORT option in the configuration file. 2.7 (May 18, 2014) ================== - Forked code from DenyHosts (denyhosts.sf.net) New project now maintained at denyhost.sf.net - Added private moduls patch from Marco Bertorello. Loads modules from /usr/share/denyhosts - Place config, lock and executable file in more standard locations. Patch provided by Marco Bertorello. - Fixed configuration (denyhosts.cfg-dist) to better support Debian and Ubuntu. Patch supplied by Marco Nenciarini. - Added warning to migrate switch. Patch provided by Marco Bertorello. - Avoid installing unwanted files (extra scripts and changelog). Patch provided by Marco Nenciarini. - Fix bug which would not recognize an attack on the root user account. Patch provided by Kyle Willmon. - Fix pattern matching bug (CVE-2007-4323). Patch provided by Nico Golde. - Added foreground mode for debugging. Patch supplied by Marco Bertorello. - Applied patch to fix plugin execution. Patched provided by Marco Bertorello. - Added patch to prevent DenyHosts from running with a double --config switch. Patch provided by Maro Bertorello. - Convert path of "env" from /bin/env to /usr/bin/env Patch provided by Kyle Willmon. - Added patch to perform missing bounds check in Purge action. Provided by Kyle Willmon. - Added patch to include SYNC_PROXY_SERVER configuration option. Provided by Kyle Willmon. - Change HOSTNAME_LOOKUP to default to "NO". Will save time. Also brings us into closer alignment with FreeBSD patches. - Added /usr/sbin/nologin to restricted_from_passwd script. Requirement from FreeBSD patch set. - Added variable "ETC_DIR" which dictates the location of configuration files. This should usually be set to /etc or /usr/local/etc - The restricted-usernames file is now loaded from the "ETC_DIR" directory, rather than from "WORK_DIR" to avoid this human-made configuration file from being over-writeen. Closes Ubuntu bug #675034 - Confirm setting timestamp over-writes old tiemstamp file. Closes Ubuntu bug #564476 - Applied advanced pattern check for authentication file which takes into account alternative port numbers. Patch provided by Helmut Grohne. - Updated license and readme files. - Updated help output from DenyHost script to include --config tip. 2.6 (Dec 7, 2006) ================== - security fix: malicious users can cause a DoS of ssh. for more info: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-6301 - fixed bug in regex.py: 2 failed entry regexes weren't included properly in the hash - fixed bug in denyhosts.py: attribute error: self.__sync_download 2.5 (June 21, 2006) ==================== - ADMIN_EMAIL pref can now contain multiple email addresses delimited by a comma (white space is optional). eg. foo@bar.com, bar@foo.com, foobar@foo.com - fixed bug in denyfileutil: 'timestamp' is now initialized properly - daemon-control-dist: modified to work w/ non-default python versions. You must change the PYTHON_BIN and #!/bin/env/python references if appropriate. - added a debug message when loading allowed-hosts fails. - fixed bug when reporting suspicious login activity. 2.4b (April 9, 2006) =================== - fixed missing "self." in loginattempt.py 2.4 (April 9, 2006) =================== - added: PURGE_THRESHOLD setting (defaults to 0, or "none") defines the maximum times a host will be purged. Once this amount has been exceeded then this host will not be purged. - added: SYSLOG_REPORT option which, if enabled, will send the denied hosts report to syslog (in addition to -or- instead of email, depending on your other settings). Based on patch submission by Michael Still. - fix: restricted usernames were being added to wrong file 2.3 (April 4, 2006) =================== - fix: denied hosts weren't being re-added after purge unless daemon was restarted after the purge. Thanks to Steven Finnegan for recognizing the problem. - fix: daemon-control-dist should now behave correctly on FreeBSD systems 2.2 (March 13, 2006) ==================== - added environment variable substitution of preference values. Each value that contains $[SOME_NAME] will have $[SOME_NAME] substituted with the value of the environment variable SOME_NAME. eg. SMTP_SUBJECT = DenyHosts Report - $[HOSTNAME] will result in the following expansion: SMTP_SUBJECT = DenyHosts Report - foo on a host that is named "foo" - added configuaration option SMTP_DATE_FORMAT which allows you to override the DenyHosts "Date:" field when sending reports via email - fixed bug in prefs.py: AGE_RESET_RESTRICTED was not being converted to seconds - fixed bug in util.py: exceptions raised by smtp.quit() are now handled - fixed bug in denyhosts.py: missing import of "sync" line 2.1 (February 9, 2006) ======================= - added command line flag --sync which runs DenyHosts (command line/cron version) in synchronization mode. - added SYNC_DOWNLOAD_RESILIENCY setting to limit download synchronization data to attacks that have lasted longer than this value. That is, if the centralized denyhosts.net server records an attack at 2 PM and then again at 5 PM, specifying a SYNC_DOWNLOAD_RESILIENCY = 4h will not download this ip address. However, if the attacker is recorded again at 6:15 PM then the ip address will be downloaded by your DenyHosts instance. This value is used in conjunction with the SYNC_DOWNLOAD_THRESHOLD and only hosts that satisfy both values will be downloaded. This value has no effect if SYNC_DOWNLOAD_THRESHOLD = 1 and refers to the timespan between the attackers first known attack and their most recent attack. Refer to http://www.denyhosts.net/faq.html#sync_download_resiliency - added RESET_ON_SUCCESS option which, when set to "yes" will automatically reset the counter for the connecting ip address to 0 if the login was successful. The default is "no". This may be helpful in the event that a user occassionally mistypes their password. See also the AGE_RESET_* options. Refer to http://www.denyhosts.net/faq.html#reset_on_success - bug fix: if synchronization mode is disabled (default) then denied hosts will not be added to the SYNC_HOSTS staging file. - modified daemon-control-dist to use the 'ps' command (in the event that the /proc directory does not exist) to determine whether the DenyHosts process is still running. - modified daemon-control-dist to infer 'start' and 'stop' from symbolically linked programs in the event that the script is launched w/o arguments. The linked filenames must begin with either an "S" (start) or a "K" (kill). - added "restricted" user concept and functionality such that usernames defined as restricted (such as "mysql", "lpd", etc...) which are not intended for login purposes will be denied after DENY_THRESHOLD_RESTRICTED failed attempts. This option is based on ideas & suggestions from Ken Key and Dave Ingram. Refer to http://www.denyhosts.net/faq.html#restricted - added DENY_THRESHOLD_RESTRICTED (for users such as apache, mysql, etc...). Defaults to DENY_THRESHOLD_ROOT setting. - added AGE_RESET_RESTRICTED parameter - added scripts/restricted_from_passwd.py which is suitable for generating a list of restricted users based on /etc/passwd's login shells (such as /sbin/nologin). - added scripts/restricted_from_invalid.py which is suitable for generating a list of restricted users based on WORK_DIR/users-invalid contents. - if synchronization fails, a stacktrace will be printed to the log file (or console) which may be useful for isolating the problem. 2.0 (February 5, 2006) ======================= - DenyHosts has a new address: http://www.denyhosts.net - Added synchronization mode capability which allows all DenyHosts daemons the ability to seemlessly share denied host data. See this faq entry for more information: http://www.denyhosts.net/faq.html#sync - Added the configuration option USERDEF_FAILED_ENTRY_REGEX which allows the DenyHost user the ability to add custom regular expressions in order to block potential hackers. See this faq entry for more information: http://www.denyhosts.net/faq.html#userdef_regex - FAILED_ENTRY_REGEX5 now handles more login failures such as AllowGroups and AllowUsers. previously applied only to AllowGroups. - Added FAILED_ENTRY_REGEX6 to handle "Did not receive identification string from ..." messages. - Fixed issue when a purged host was re-added. http://sourceforge.net/tracker/index.php?func=detail&aid=1345437&group_id=131204&atid=720419 - fixed file permissions issue when creating some temp files - Log format message can be customized using the new DAEMON_LOG_MESSAGE_FORMAT in addition to the existing DAEMON_LOG_TIME_FORMAT option. - added 1 second sleep between stop & start in daemon-control-dist for "restart" command. - Added ShoreWall plugins (thanks to Stéphane LeDauphin for the contribution). - Fixed licensing ambiguity (DenyHosts is GPL v2). - Removed test.py~ from plugins. 1.1.4 (January 9, 2006) ======================= - Added AllowedGroups patch from Marlon Paulse. DenyHosts will now: "detect login attempts to user accounts that are not members of groups listed as 'AllowedGroups' in the sshd configuration file." - Updated denyhosts.cfg-sample such that WORK_DIR parameter points to an absolute pathname rather than a relative one. - Fixed email bug: failure to connect to smtp server is now handled properly. - Fixed plugin bug: PLUGIN_DENY is now only invoked when new hosts are denied. 1.1.3 ===== - Bug fix: duplicate entries were being added to allowed-warned-hosts file as well as sending out duplicate email messages. - If the prefs parameter DENY_THRESHOLD_INVALID isn't found but the deprecated DENY_THRESHOLD is found then the user is alerted of this. Additionally, the latter value will be used for the missing DENY_THRESHOLD_INVALID parameter such that DenyHosts will continue to run without intervention. 1.1.2 ===== - Fixed offset issue when running in daemon mode, the first pass of data discovered was processed twice. - All values that are converted to seconds in the prefs.py module when the denyhosts.cfg file is processed. Previously, these values were inefficiently converted each time that they were used. - Migrated some internal prefs.py data structures to sets rather than tuples for performance benefit. - Better handling of illegal values in denyhosts.cfg. - Fixed a bug in non-daemon mode when --purge flag was used. 1.1.1 ===== - Daemon mode now closed standard file descriptors and detaches from tty based on patch from James Abbatiello. - lock file is now created with 0644 permissions based on patch from James Abbatiello. - added optional SMTP_USERNAME and SMTP_PASSWORD parameters and support for authenticating SMTP connections (when these parameters are defined). - fixed bug when checking for required configuration parameters. 1.1.0 ===== - configuration parameter DENY_THRESHOLD has been renamed DENY_THRESHOLD_INVALID - added configuration parameters AGE_RESET_ROOT, AGE_RESET_INVALID and AGE_RESET_VALID - added the ability to automatically reset host login attempts after a given time period (age_reset) has elapsed. See the FAQ entry: http://denyhosts.sourceforge.net/faq.html#age_reset - most WORK_DIR data files will be automatically migrated to the new data format to support the above functionality. A timestamp field has been appended to each line, such that the new format is: key:# of attempts:timestamp - added chkconfig compatibility to the daemon-control-dist script. Thanks to Simon Amor for the contribution. - added optional configuration parameters PLUGIN_DENY and PLUGIN_PURGE - added plugin support. See the FAQ entry: http://denyhosts.sourceforge.net/faq.html#plugin 1.0.3 ===== - hostnames can now be specified in allowed-hosts file based on a contribution from Mathias Wagner. - hostnames specified in allowed-hosts are looked up to determine ip addresses - added optional pref: ALLOWED_HOSTS_HOSTNAME_LOOKUP - if ALLOWED_HOSTS_HOSTNAME_LOOKUP is true, then each ip address in allowed-hosts is looked up to determine it's hostname 1.0.2 ===== - fixed issue where multiple instances of the same host were added to /etc/hosts.deny (due to exceeding multiple DENY_THRESHOLD* settings simultaneously). - bz2 support is disabled if "import bz2" fails - displays more useful error message if Python version is incompatible with DenyHosts. - changed format of timestamp in email messages sent by DenyHosts based on patch submitted by Rick Holbert (now uses %z instead of %Z) 1.0.1 ===== - fixed bug relating to empty hosts-root file - added optional configuration parameter: DAEMON_LOG_TIME_FORMAT for specifying the timestamp in the DAEMON_LOG file - now uses SIGTERM to stop daemon (rather than SIHGUP) based on the suggestion of Xavier Le Vourch - daemon-control-dist has been updated to send SIGTERM on stop() 1.0.0 ===== - added new configuration option, DENY_THRESHOLD_VALID - added new configuration option, DENY_THRESHOLD_ROOT - added "hosts-valid" output file (relative to WORK_DIR) - added "hosts-root" output file (relative to WORK_DIR) - modified loginattempt.py to handle valid/invalid login hosts independently. - added 'condrestart' option to daemon-control-dist as per patch from Jason L Tibbitts III - fixed double usage() method from being displayed by daemon-control-dist 0.9.9 ===== - if upgrading DenyHosts to this version and PURGE_DENY is set then you must invoke with the --upgrade099 flag before using. eg. $ denyhosts.py --upgrade099 For further details, refer to: http://denyhosts.sourceforge.net/faq.html#upgrade099 - fixed bug: missing "import socket" in report.py - fixed bug: invalid comment format in /etc/hosts.deny for timestamping entries - /etc/hosts.deny entries are timestamped immediately before the entry now (rather than inline, in earlier versions). The timestamped lines also contain the entry data for verification. If DenyHosts determines that a purge is necessary than the verification info is compared to the actual entry line (ie. the next line). If the two entries match, the lines are purged. Otherwise a warning is output. The verification algorithm was based on a suggestion from Jim Cheetham. - sshd related regex patterns can now be configured within the DenyHosts configuration file in the event that the default (eg. DenyHosts/regex.py) patterns do not successfully parse the end user's tcp_wrappers, operating system and/or logging implementation. For details refer to: http://denyhosts.sourceforge.net/faq.html#custom_regex 0.9.8 ===== - fixed purge bug in daemon mode (using the wrong purge value to determine which records should be purged.) 0.9.7 ===== - fixed bug wrt handling of rotated files. DenyHosts now compares the inodes to determine if a file was rotated. If detected, the previous file is closed and the new file opened. - restructred daemon code block (added additional methods) 0.9.6 ===== - Command line that invoked --daemon is now recorded in the output log (useful for debugging) - The daemon-control-dist script now optionally accepts command line args to be passed to the start and restart functions. eg. daemon-control start --config=test.cfg --debug 0.9.5 ===== - If no denied hosts or suspicious logins are found, then there is no output in normal mode (only in debug mode). This limits the amount of data added to the log when in --daemon mode. See: http://sourceforge.net/tracker/index.php?func=detail&aid=1243689&group_id=131204&atid=720422 0.9.4 ===== - Fixed duplicate email report bug in --daemon mode. 0.9.3 ===== - Fixed --daemon mode bug which occurred during purging entries - Added more useful exception reporting for daemon mode 0.9.2 ===== - Daemon configuration params DAEMON_SLEEP and DAEMON_PURGE can now be given in the same format accepted by PURGE_DENY (eg. 1d, 5h, 1y, etc...). If no unit qualifier (eg. s, m, d, h, w, y) is given then 's' (seconds) is assumed. 0.9.1 ===== - Running in daemon mode now dumps preferences to log file - Added AbusiveHosts class - Added additional parameter to Purge constructor - Purged entries from HOSTS_DENY are also removed from WORK_DIR/hosts SF bug: http://sourceforge.net/tracker/index.php?func=detail&aid=1243093&group_id=131204&atid=720419 0.9.0 ===== - Added daemon mode - Added several optional parameters to the configuration file for daemon mode use 0.8.2 ===== - Maintenance release - Moved most classes to new modules - Now uses the python logging package for some output 0.8.1 ===== - Revised LockFile class to do perform exclusive locking -- deprecated the --unlock flag since it is no longer necessary 0.8.0 ===== - Added LOCK_FILE configuration parameter and support such that only one instance of DenyHosts can be running at any given time - Added PURGE_DENY configuration parameter and support for purging entries from the HOSTS_DENY file that have exceeded the PURGE_DENY value -- Added the ability to migrate HOSTS_DENY file such that all entries are suitable for purging. -- Added --purge, --migrate and --unlock command line arguments 0.7.3 ===== - Prefs change (reqd fields can be blank) 0.7.2 ===== - Added support for using an alternate deny file with FreeBSD based on feed back from Alesha Oparin 0.7.1 ===== - fixed blank BLOCK_SERVICE bug 0.7.0 ===== - Added support for the metalog logger based on a patch contributed by Mike Kelly. - Added support for FreeBSD based on input from Francesca Smith - Added support for catching hostname entries (in addition to IP addresses) based on a patch from Christian Smyth - Added support for using an alternative hosts deny file where only the offending ip address is listed. This feature is based on a patch contributed by John Meinel Jr. - Added support for processing gzip'ed logfiles based on feature request by Brian McGraw. 0.6.0 ===== - Modified email message date/time format to be RFC-2822 compliant. Incorporated patch contributed by Rick Holbert. - Added reverse dns lookups and the HOSTNAME_LOOKUP for enabling/disabling them. Incorporated feature request of Ron Joffe. - Added additional config option (SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS) for reporting (or not) suspicious login activity. This feature is based on feedback from Ron Joffe. - Updated regex for matching non-existent user break-ins. Previously, "invalid" was matched against. Now, both "invalid" and "illegal" should match. This fix is based on email from Scott Hunziker.