/usr/share/doc/denyhosts/README.Debian is in denyhosts 2.10-2.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
Bastille compatibility (thanks to Jesse Norell)
===============================================

The default mode of operation for denyhosts (i.e. adding lines to
/etc/hosts.deny) is incompatible with the tcpwrappers configuration that
bastille sets up for you. Bastille puts a default deny at the end of
hosts.allow, so hosts.deny is never consulted.

A simple solution for me was to set:

  HOSTS_DENY = /etc/denyhosts.blocked
  BLOCK_SERVICE =

Then in my hosts.allow where I previously had:

  sshd : <trusted network>/24 : allow
  # Bastille: default deny
  # no safe_finger for in.fingerd (prevent loops)
  in.fingerd : ALL : DENY
  # but everything else is denied & reported with safe_finger
  ALL : ALL : spawn (/usr/sbin/safe_finger -l @%h | /bin/mail -s "Port Denial noted %d-%h" root) & : DENY

I changed to:

  sshd : /etc/denyhosts.blocked : deny
  sshd : 192.168.10.0/24 : allow
  ...etc...
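
The ordering issue described above, as an added example that is not part of the original README or of denyhosts: a simplified model of first-match hosts_access evaluation with allow/deny options. The function names, the addresses and the contents of the blocked file are constructed for illustration, and the file is assumed to hold one bare address per line.

```python
import ipaddress

def client_matches(pattern, ip, files):
    """Match one client pattern (ALL, address, CIDR, or /file) against an IP."""
    if pattern == "ALL":
        return True
    if pattern.startswith("/"):  # a path names a file of client patterns
        lines = files.get(pattern, "").splitlines()
        return any(client_matches(p, ip, files)
                   for line in lines if not line.lstrip().startswith("#")
                   for p in line.split())
    try:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    except ValueError:
        return False  # hostnames and wildcards are outside this sketch

def parse(text):
    """Yield (daemons, clients, action) from 'daemons : clients [: option]' lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":")]
        action = fields[-1].lower() if len(fields) > 2 else None
        yield fields[0].split(), fields[1].split(), action

def decide(daemon, ip, files):
    """Return (verdict, file that decided). The first matching rule wins."""
    for path, default in (("/etc/hosts.allow", "allow"), ("/etc/hosts.deny", "deny")):
        for daemons, clients, action in parse(files.get(path, "")):
            if (daemon in daemons or "ALL" in daemons) and \
               any(client_matches(c, ip, files) for c in clients):
                return (action if action in ("allow", "deny") else default), path
    return "allow", None  # no rule matched in either file

# Constructed sample: 192.168.10.50 is a trusted-network host denyhosts has blocked.
BEFORE = {"/etc/hosts.allow": "sshd : 192.168.10.0/24 : allow\nALL : ALL : DENY\n",
          "/etc/hosts.deny": "sshd: 192.168.10.50\n"}
AFTER = {"/etc/hosts.allow": "sshd : /etc/denyhosts.blocked : deny\n"
                             "sshd : 192.168.10.0/24 : allow\nALL : ALL : DENY\n",
         "/etc/denyhosts.blocked": "192.168.10.50\n"}

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        for ip in ("192.168.10.50", "192.168.10.7", "203.0.113.9"):
            print(name, ip, *decide("sshd", ip, cfg))
```
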

Migrate function warning
========================

When --migrate is used to migrate a previously denyhostized hosts.deny
file so that it works with the purging system, it migrates ALL your
entries, and this may be a security hole in your system.

The right way to preserve some entries from purging is to edit your
HOSTS_DENY file and comment out these entries. Now you can run the
--migrate switch on your file. Then re-edit the HOSTS_DENY file and
uncomment the entries.