Anti-brute force attack tool DenyHosts locks admins out

Attackers can force the DenyHosts security tool to block any IP addresses they want due to a security hole, according to German IT news site Heise. In normal operation, the tool adds an IP address to a blacklist after a certain number of failed ssh log-in attempts from that address. However, if a specially formatted user name is entered when logging in, any IP address the attacker wants can be added to the blacklist, including that of the administrator if the worst comes to the worst.

The vulnerability was discovered by Helmut Grohne of Cygnus Networks. He wrote on the oss-sec mailing list that initiating ssh connections with the following pattern was sufficient to trigger the problem:

ssh -l 'Invalid user root from 123.123.123.123' 21.21.21.21

The following line, amongst others, is then added to the log:

sshd[123]: input_userauth_request: invalid user Invalid user root from 123.123.123.123 [preauth]

According to Grohne this results in the specified user name (parameter -l) being blocked in addition to the attacker’s actual IP address.

However, Grohne hasn’t just drawn attention to the problem, but has also provided a solution: a patch he has developed that tightens up DenyHosts’ regular expressions for matching log file entries, so that user names like the one in the example above are no longer misinterpreted.
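The parsing mistake behind this is easy to reproduce. The following Python example is added here for illustration and is not DenyHosts’ own code: the "naive" pattern is a stand-in for an unanchored log regex of the kind the article describes, not DenyHosts’ actual expression, and the "strict" pattern shows the kind of tightening a patch would apply. The sample log is constructed: the first line is the entry quoted above with a syslog prefix added, the second is the matching sshd "Invalid user" line with 198.51.100.7 standing in for the attacker’s real address, and the third is an ordinary failed login from 203.0.113.9.

```python
import re

# Constructed sample log (syslog prefixes and the addresses 198.51.100.7 and
# 203.0.113.9 are made up for this example; the first line is the entry quoted
# in the article).
SAMPLE_LOG = """\
Jan 10 12:00:00 host sshd[123]: input_userauth_request: invalid user Invalid user root from 123.123.123.123 [preauth]
Jan 10 12:00:00 host sshd[123]: Invalid user Invalid user root from 123.123.123.123 from 198.51.100.7
Jan 10 12:00:05 host sshd[124]: Invalid user admin from 203.0.113.9 port 40001
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# Loose pattern (illustrative, not DenyHosts' real regex): an unanchored search
# for "Invalid user <name> from <ip>" anywhere in the line. Because the user
# name is attacker-controlled text, the phrase can be embedded inside it and
# the first address found is the injected one.
NAIVE_RE = re.compile(r"Invalid user (\S+) from (" + IPV4 + r")", re.IGNORECASE)

# Tightened pattern: anchored to the start of the sshd message and to the end
# of the line, so the address captured is the one sshd itself appended last,
# after the (possibly hostile) user name. The preauth duplicate line is not
# matched at all.
STRICT_RE = re.compile(
    r"sshd\[\d+\]: Invalid user (?P<user>.*?) from (?P<ip>" + IPV4 + r")(?: port \d+)?$"
)


def extract_naive(log):
    """Return the IPs a loose parser would decide to block, one per matched line."""
    ips = []
    for line in log.splitlines():
        m = NAIVE_RE.search(line)
        if m:
            ips.append(m.group(2))
    return ips


def extract_strict(log):
    """Return (user, ip) pairs from an anchored parse of the same log."""
    hits = []
    for line in log.splitlines():
        m = STRICT_RE.search(line)
        if m:
            hits.append((m.group("user"), m.group("ip")))
    return hits


def injected_addresses(log):
    """Addresses the loose parser would block that the anchored parser never saw."""
    real = {ip for _, ip in extract_strict(log)}
    return sorted(set(extract_naive(log)) - real)


if __name__ == "__main__":
    print("naive  :", extract_naive(SAMPLE_LOG))
    print("strict :", extract_strict(SAMPLE_LOG))
    print("injected:", injected_addresses(SAMPLE_LOG))
```

Run against the sample, the loose parser blocks 123.123.123.123 (the address planted in the user name) and never sees the attacker’s real address, while the anchored parser records the whole crafted string as the user name and blocks only 198.51.100.7 and 203.0.113.9. Anchoring on the message prefix and the end of line is what makes the difference: the address sshd appends is always last, whereas anything before it may be attacker-supplied.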

Patched versions of DenyHosts are already being distributed via the Debian repositories. Yves-Alexis Perez from the Debian Security Team is advising DenyHosts users to switch to alternatives such as fail2ban since DenyHosts has not been actively maintained since 2008.

Author: Steve Woods

Generic carbon-based humanoid life form.