This file is indexed.

/usr/share/doc/denyhosts/README.Debian is in denyhosts 2.10-2.

This file is owned by root:root, with mode 0o644.

The actual contents of the file can be viewed below.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
Bastille compatibility (thanks to Jesse Norell)
===============================================

The default mode of operation for denyhosts (ie. adding lines to
/etc/hosts.deny) is incompatible with the tcpwrappers configuration that
bastille sets up for you. Bastille puts a default deny at the end of
hosts.allow, so hosts.deny is never consulted. 

A simple solution for me was to set:

	HOSTS_DENY = /etc/denyhosts.blocked
	BLOCK_SERVICE =

Then in my hosts.allow where I previously had:

	sshd : <trusted network>/24 : allow

	# Bastille: default deny
	# no safe_finger for in.fingerd (prevent loops)
	in.fingerd : ALL : DENY
	# but everything else is denied & reported with safe_finger
	ALL : ALL : spawn (/usr/sbin/safe_finger -l @%h | /bin/mail -s "Port Denial noted %d-%h" root) & : DENY

I changed to:

	sshd : /etc/denyhosts.blocked : deny
	sshd : 192.168.10.0/24 : allow
	...etc...

Migrate function warning
========================

When --migrate is used for migrate a previus denyhostized hosts.deny
file for work with purging system, it migrate ALL your entries and this
maybe a possible security hole in your system.

The right way to preserve some entries from purging, is to edit your 
HOSTS_DENY file and comment these entries. Now you can execute --migrate 
switch on your file. Re-edit the HOSTS_DENY file and de-comment the entries.