DenyHosts is a utility to thwart ssh attackers. It runs on Linux and *BSD systems. It works by scanning the auth.log system log, which records attempted logins. If it detects suspicious activity, it will blacklist the originating IP of the attacking machine. I use the blacklist to control who can access my server. Unfortunately it seems that the developer has stopped maintaining the program.
Recently though, DenyHosts has been producing a lot of error messages like this one:
denyhosts : ERROR regex pattern ( User (?P<user>.*) not allowed because not listed in AllowUsers ) is missing 'host' group
After a while I realised that this coincides with entries in auth.log that look like this:
sshd[47449]: User root from 124.248.35.165 not allowed because not listed in AllowUsers
Alarmingly, whenever the error message appeared, the attacking machine's IP was not getting blacklisted! There were days when the same IP would attempt to log in hundreds of times, and DenyHosts would just dump out its error message and ignore the login attempt. Not good.
DenyHosts is written in Python, a scripting language, so the program source was all there to be looked at in the installation directory. I grepped around for some of the text from the error messages and found this line of code:
FAILED_ENTRY_REGEX7 = re.compile(r"""User (?P<user>.*) not allowed because not listed in AllowUsers""")
After examination of the code in its vicinity, I saw that it was preparing a regular expression in order to efficiently scan through auth.log. This was the seventh in a series of regular expressions designed to match login access attempts worded in different ways from the different subsystems in the server (sshd, inetd, etc.). But this particular regex was missing a 'host tag' that DenyHosts uses internally to flag portions of a line. By following the pattern from the preceding regexes, I added that tag by changing the line to this:
FAILED_ENTRY_REGEX7 = re.compile(r"""User (?P<user>.*) .*from (?P<host>.*) not allowed because not listed in AllowUsers""")
Afterwards, the error message went away. So far it seems to be working properly. Will wait for more unauthorized login attempts and see how things go.
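To show why the missing group mattered, here is an added example (not code from DenyHosts or from the post) that takes the two versions of the pattern quoted above, runs them over the auth.log line quoted above, and reports which patterns can never yield an address to block. The check on the named 'host' group is an assumption about the condition behind the error message, not the exact test DenyHosts performs.

```python
import re

# The two versions of the DenyHosts pattern quoted in the post: the original,
# which has no 'host' group, and the corrected one.
ORIGINAL_REGEX7 = re.compile(
    r"""User (?P<user>.*) not allowed because not listed in AllowUsers""")
FIXED_REGEX7 = re.compile(
    r"""User (?P<user>.*) .*from (?P<host>.*) not allowed because not listed in AllowUsers""")

# The auth.log line quoted in the post, used here as sample input.
SAMPLE_LINE = ("sshd[47449]: User root from 124.248.35.165 "
               "not allowed because not listed in AllowUsers")


def has_host_group(pattern):
    """True if the compiled pattern defines a named 'host' group.

    Assumption: this mirrors the condition behind the "is missing 'host'
    group" error; the actual check in the DenyHosts source is not shown
    in the post.
    """
    return "host" in pattern.groupindex


def missing_host_group(patterns):
    """Given a dict of name -> compiled regex, return the names of patterns
    that define no 'host' group and so can never cause an IP to be denied."""
    return [name for name, pat in patterns.items() if not has_host_group(pat)]


def extract_failed_login(pattern, line):
    """Apply one failed-login pattern to a log line.

    Returns a (user, host) tuple, or None when the line does not match or
    when the pattern has no 'host' group, i.e. when a match would still
    leave nothing to blacklist.
    """
    if not has_host_group(pattern):
        return None
    match = pattern.search(line)
    if match is None:
        return None
    return match.group("user"), match.group("host")


if __name__ == "__main__":
    patterns = {"REGEX7 (original)": ORIGINAL_REGEX7,
                "REGEX7 (fixed)": FIXED_REGEX7}
    print("patterns missing 'host' group:", missing_host_group(patterns))
    for name, pat in patterns.items():
        print(name, "->", extract_failed_login(pat, SAMPLE_LINE))
```

The original pattern still matches the line, which is why the login attempt was recognised and the error was printed, but with no 'host' group there is no address to feed into the blacklist; the fixed pattern returns both the user and the host.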