Policy for denyhosts

Jeff Carlson jeff at ultimateevil.org
Wed Nov 29 04:00:51 UTC 2006


Jason L Tibbitts III wrote:
> During its operation it reads /var/log/secure, maintains databases and
> such under /var/lib/denyhosts, and writes to /etc/hosts.deny.  It may
> also make some xmlrpc calls out over the 'net if so configured
> (although by default this is not the case).

I just wanted to point out that I don't run DenyHosts to write directly
to hosts.deny.  Here is how I have tcpwrappers configured:

---- hosts.allow ----
# Whitelist my LAN
ALL: 192.168.1.0/255.255.255.0

sshd: /etc/hosts.deny.sshd : DENY
sshd: /etc/hosts.allow.us
# hosts.allow.us is a list of IPs in the USA only, since that's
# where I live.  No reason to accept SSH from where I don't.

---- hosts.deny ----
ALL: ALL

So, hosts.deny just denies everything, and services need to be
whitelisted in hosts.allow.  I have DenyHosts write to
/etc/hosts.deny.sshd, and any IP not in the US is already denied.  As
you can see, it would be pointless to append to hosts.deny.

I'm sure there are plenty of other people who do it this way, since it's
a configuration option in DenyHosts.  I just wanted to point it out so
you don't go making changes to the SELinux policy and leave out the
possibility of writing to an alternate deny file like I have done.
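To make the evaluation order behind this setup concrete, here is an added example (not from the original post or from DenyHosts) that simulates how tcp_wrappers consults hosts.allow and hosts.deny for the configuration above: hosts.allow is scanned first and the first matching rule wins, with a `: DENY` option turning that match into a refusal; only if nothing in hosts.allow matches is hosts.deny consulted; if nothing matches anywhere, access is granted. The file contents are constructed inline, the "US" list and the DenyHosts output use RFC 5737 documentation addresses rather than real ranges, and the matcher only implements `ALL`, exact addresses, trailing-dot prefixes, `net/mask` pairs and `/path` includes (no `EXCEPT`, hostnames or other options). On a real host the same question is answered by `tcpdmatch` from the tcp_wrappers package.

```python
import ipaddress

# Constructed stand-ins for the files named in the post. On a real system
# these would be read from disk; here they are inline so the example runs offline.
FILES = {
    "/etc/hosts.allow": """\
# Whitelist my LAN
ALL: 192.168.1.0/255.255.255.0

sshd: /etc/hosts.deny.sshd : DENY
sshd: /etc/hosts.allow.us
""",
    "/etc/hosts.deny": "ALL: ALL\n",
    # What DenyHosts would append: one blocked address per line (constructed values).
    "/etc/hosts.deny.sshd": "203.0.113.7\n198.51.100.22\n",
    # Constructed allow list; 203.0.113.0/24 and 192.0.2.* stand in for "US" space.
    "/etc/hosts.allow.us": "203.0.113.0/255.255.255.0\n192.0.2.\n",
}


def strip_comment(line):
    """Drop a trailing '#' comment, as hosts_access(5) does."""
    return line.split("#", 1)[0]


def client_matches(pattern, client):
    """Match one client pattern against an IPv4Address."""
    if pattern == "ALL":
        return True
    if pattern.startswith("/"):
        # A file name stands for the patterns listed in that file (whitespace separated).
        text = FILES.get(pattern, "")
        return any(client_matches(p, client)
                   for raw in text.splitlines()
                   for p in strip_comment(raw).split())
    if "/" in pattern:
        # net/mask pair, e.g. 192.168.1.0/255.255.255.0
        net, mask = pattern.split("/", 1)
        return client in ipaddress.ip_network(f"{net}/{mask}", strict=False)
    if pattern.endswith("."):
        # Trailing-dot prefix, e.g. 192.0.2. matches 192.0.2.*
        return str(client).startswith(pattern)
    return client == ipaddress.ip_address(pattern)


def daemon_matches(patterns, daemon):
    return any(p == "ALL" or p == daemon for p in patterns)


def rules(path):
    """Yield (daemon_patterns, client_patterns, options) for each rule in a file."""
    for raw in FILES[path].splitlines():
        line = strip_comment(raw).strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        options = [o.upper() for o in fields[2:]]
        yield daemons, clients, options


def decide(daemon, client_ip):
    """Return 'allow' or 'deny' following the hosts_access evaluation order."""
    client = ipaddress.ip_address(client_ip)
    # 1. hosts.allow: first match wins; a DENY option inverts the meaning.
    for daemons, clients, options in rules("/etc/hosts.allow"):
        if daemon_matches(daemons, daemon) and any(client_matches(c, client) for c in clients):
            return "deny" if "DENY" in options else "allow"
    # 2. hosts.deny: first match denies.
    for daemons, clients, options in rules("/etc/hosts.deny"):
        if daemon_matches(daemons, daemon) and any(client_matches(c, client) for c in clients):
            return "deny"
    # 3. No rule matched: access is granted.
    return "allow"


if __name__ == "__main__":
    for daemon, ip in [("sshd", "192.168.1.5"), ("sshd", "203.0.113.7"),
                       ("sshd", "203.0.113.9"), ("sshd", "198.51.100.1"),
                       ("ftpd", "203.0.113.9")]:
        print(f"{daemon:5s} from {ip:15s} -> {decide(daemon, ip)}")
```

The ordering is the whole point of the layout in the post: an address DenyHosts has written to /etc/hosts.deny.sshd is refused even when it also sits in /etc/hosts.allow.us, because the DENY rule appears first in hosts.allow, and an address outside both the LAN and the allow list never reaches a permit rule and falls through to `ALL: ALL` in hosts.deny.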
