[PATCH 3/8] move denyhosts to a role

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



---
 files/denyhosts/allowed-hosts         |  27 --
 files/denyhosts/denyhosts.conf        | 626 ----------------------------------
 handlers/restart_services.yml         |   3 -
 playbooks/groups/arm-packager.yml     |   2 +-
 playbooks/groups/arm-qa.yml           |   2 +-
 playbooks/groups/backup-server.yml    |   2 +-
 playbooks/groups/badges-backend.yml   |   2 +-
 playbooks/groups/badges-web.yml       |   2 +-
 playbooks/groups/beaker.yml           |   2 +-
 playbooks/groups/gallery.yml          |   2 +-
 playbooks/groups/kernel-qa.yml        |   2 +-
 playbooks/groups/keyserver.yml        |   2 +-
 playbooks/groups/koji-hub.yml         |   2 +-
 playbooks/groups/mailman.yml          |   2 +-
 playbooks/groups/mirrorlist.yml       |   2 +-
 playbooks/groups/postgresl-server.yml |   2 +-
 playbooks/groups/taskbot.yml          |   2 +-
 playbooks/groups/virthost.yml         |   2 +-
 roles/denyhosts/files/allowed-hosts   |  27 ++
 roles/denyhosts/files/denyhosts.conf  | 626 ++++++++++++++++++++++++++++++++++
 roles/denyhosts/handlers/main.yml     |   3 +
 roles/denyhosts/tasks/main.yml        |  26 ++
 tasks/denyhosts.yml                   |  26 --
 23 files changed, 697 insertions(+), 697 deletions(-)
 delete mode 100644 files/denyhosts/allowed-hosts
 delete mode 100644 files/denyhosts/denyhosts.conf
 create mode 100644 roles/denyhosts/files/allowed-hosts
 create mode 100644 roles/denyhosts/files/denyhosts.conf
 create mode 100644 roles/denyhosts/handlers/main.yml
 create mode 100644 roles/denyhosts/tasks/main.yml
 delete mode 100644 tasks/denyhosts.yml

diff --git a/files/denyhosts/allowed-hosts b/files/denyhosts/allowed-hosts
deleted file mode 100644
index f5a88b7..0000000
--- a/files/denyhosts/allowed-hosts
+++ /dev/null
@@ -1,27 +0,0 @@
-# We mustn't block localhost
-127.0.0.1
-
-#bastion
-10.5.126.11
-10.5.126.12
-#lockbox
-10.5.126.23
-# don't block lockbox's remote addr, either
-209.132.181.6
-
-#noc1
-noc1.phx2.fedoraproject.org
-10.5.126.41
-192.168.1.10
-
-# RDU NAT
-66.187.233.202
-66.187.233.206
-# RH NAT 
-66.187.230.200
-# PHX2 NAT
-209.132.181.102
-# tlv RHT NAT
-66.187.237.10
-# brno RHT NAT
-209.132.186.34
diff --git a/files/denyhosts/denyhosts.conf b/files/denyhosts/denyhosts.conf
deleted file mode 100644
index 577b851..0000000
--- a/files/denyhosts/denyhosts.conf
+++ /dev/null
@@ -1,626 +0,0 @@
-       ############ THESE SETTINGS ARE REQUIRED ############
-
-########################################################################
-#
-# SECURE_LOG: the log file that contains sshd logging info
-# if you are not sure, grep "sshd:" /var/log/*
-#
-# The file to process can be overridden with the --file command line
-# argument
-#
-# Redhat or Fedora Core:
-SECURE_LOG = /var/log/secure
-#
-# Mandrake, FreeBSD or OpenBSD: 
-#SECURE_LOG = /var/log/auth.log
-#
-# SuSE:
-#SECURE_LOG = /var/log/messages
-#
-# Mac OS X (v10.4 or greater - 
-#   also refer to:   http://www.denyhosts.net/faq.html#macos
-#SECURE_LOG = /private/var/log/asl.log
-#
-# Mac OS X (v10.3 or earlier):
-#SECURE_LOG=/private/var/log/system.log
-#
-########################################################################
-
-########################################################################
-#
-# HOSTS_DENY: the file which contains restricted host access information
-#
-# Most operating systems:
-HOSTS_DENY = /etc/hosts.deny
-#
-# Some BSD (FreeBSD) Unixes:
-#HOSTS_DENY = /etc/hosts.allow
-#
-# Another possibility (also see the next option):
-#HOSTS_DENY = /etc/hosts.evil
-#######################################################################
-
-
-########################################################################
-#
-# PURGE_DENY: removed HOSTS_DENY entries that are older than this time
-#             when DenyHosts is invoked with the --purge flag
-#
-#      format is: i[dhwmy]
-#      Where 'i' is an integer (eg. 7) 
-#            'm' = minutes
-#            'h' = hours
-#            'd' = days
-#            'w' = weeks
-#            'y' = years
-#
-# never purge:
-#PURGE_DENY = 
-#
-# purge entries older than 1 week
-#PURGE_DENY = 1w
-#
-# purge entries older than 5 days
-#PURGE_DENY = 5d
-#
-# For the default Fedora Extras install, we want timestamping but no
-# expiration (at least by default) so this is deliberately set high.
-# Adjust to taste.
-PURGE_DENY = 4w
-#######################################################################
-
-#######################################################################
-#
-# PURGE_THRESHOLD: defines the maximum times a host will be purged.  
-# Once this value has been exceeded then this host will not be purged. 
-# Setting this parameter to 0 (the default) disables this feature.
-#
-# default: a denied host can be purged/re-added indefinitely
-PURGE_THRESHOLD = 4
-#
-# a denied host will be purged at most 2 times. 
-#PURGE_THRESHOLD = 2 
-#
-#######################################################################
-
-
-#######################################################################
-#
-# BLOCK_SERVICE: the service name that should be blocked in HOSTS_DENY
-# 
-# man 5 hosts_access for details
-#
-# eg.   sshd: 127.0.0.1  # will block sshd logins from 127.0.0.1
-#
-# To block all services for the offending host:
-#BLOCK_SERVICE = ALL
-# To block only sshd:
-BLOCK_SERVICE  = sshd
-# To only record the offending host and nothing else (if using
-# an auxilary file to list the hosts).  Refer to: 
-# http://denyhosts.sourceforge.net/faq.html#aux
-#BLOCK_SERVICE =    
-#
-#######################################################################
-
-
-#######################################################################
-#
-# DENY_THRESHOLD_INVALID: block each host after the number of failed login 
-# attempts has exceeded this value.  This value applies to invalid
-# user login attempts (eg. non-existent user accounts)
-#
-DENY_THRESHOLD_INVALID = 15
-#
-#######################################################################
-
-#######################################################################
-#
-# DENY_THRESHOLD_VALID: block each host after the number of failed 
-# login attempts has exceeded this value.  This value applies to valid
-# user login attempts (eg. user accounts that exist in /etc/passwd) except
-# for the "root" user
-#
-DENY_THRESHOLD_VALID = 15
-#
-#######################################################################
-
-#######################################################################
-#
-# DENY_THRESHOLD_ROOT: block each host after the number of failed 
-# login attempts has exceeded this value.  This value applies to 
-# "root" user login attempts only.
-#
-DENY_THRESHOLD_ROOT = 5
-#
-#######################################################################
-
-
-#######################################################################
-#
-# DENY_THRESHOLD_RESTRICTED: block each host after the number of failed 
-# login attempts has exceeded this value.  This value applies to 
-# usernames that appear in the WORK_DIR/restricted-usernames file only.
-#
-DENY_THRESHOLD_RESTRICTED = 1
-#
-#######################################################################
-
-
-#######################################################################
-#
-# WORK_DIR: the path that DenyHosts will use for writing data to
-# (it will be created if it does not already exist).  
-#
-# Note: it is recommended that you use an absolute pathname
-# for this value (eg. /home/foo/denyhosts/data)
-#
-WORK_DIR = /var/lib/denyhosts
-#
-#######################################################################
-
-#######################################################################
-#
-# SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS
-#
-# SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES|NO
-# If set to YES, if a suspicious login attempt results from an allowed-host
-# then it is considered suspicious.  If this is NO, then suspicious logins 
-# from allowed-hosts will not be reported.  All suspicious logins from 
-# ip addresses that are not in allowed-hosts will always be reported.
-#
-SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES
-######################################################################
-
-######################################################################
-#
-# HOSTNAME_LOOKUP
-#
-# HOSTNAME_LOOKUP=YES|NO
-# If set to YES, for each IP address that is reported by Denyhosts,
-# the corresponding hostname will be looked up and reported as well
-# (if available).
-#
-HOSTNAME_LOOKUP=YES
-#
-######################################################################
-
-
-######################################################################
-#
-# LOCK_FILE
-#
-# LOCK_FILE=/path/denyhosts
-# If this file exists when DenyHosts is run, then DenyHosts will exit
-# immediately.  Otherwise, this file will be created upon invocation
-# and deleted upon exit.  This ensures that only one instance is
-# running at a time.
-#
-# Redhat/Fedora:
-LOCK_FILE = /var/lock/subsys/denyhosts
-#
-# Debian
-#LOCK_FILE = /var/run/denyhosts.pid
-#
-# Misc
-#LOCK_FILE = /tmp/denyhosts.lock
-#
-######################################################################
-
-
-       ############ THESE SETTINGS ARE OPTIONAL ############
-
-
-#######################################################################
-#
-# ADMIN_EMAIL: if you would like to receive emails regarding newly
-# restricted hosts and suspicious logins, set this address to 
-# match your email address.  If you do not want to receive these reports
-# leave this field blank (or run with the --noemail option)
-#
-# Multiple email addresses can be delimited by a comma, eg:
-# ADMIN_EMAIL = foo@xxxxxxx, bar@xxxxxxx, etc@xxxxxxxxxx
-#
-# ADMIN_EMAIL = ausil@xxxxxxxxxxxxxxxxx
-#
-#######################################################################
-
-#######################################################################
-#
-# SMTP_HOST and SMTP_PORT: if DenyHosts is configured to email 
-# reports (see ADMIN_EMAIL) then these settings specify the 
-# email server address (SMTP_HOST) and the server port (SMTP_PORT)
-# 
-#
-# THEMOVE FIXME this needs to work from external non-VPN machines.
-SMTP_HOST = bastion
-SMTP_PORT = 25
-#
-#######################################################################
-
-#######################################################################
-# 
-# SMTP_USERNAME and SMTP_PASSWORD: set these parameters if your 
-# smtp email server requires authentication
-#
-#SMTP_USERNAME=foo
-#SMTP_PASSWORD=bar
-#
-######################################################################
-
-#######################################################################
-#
-# SMTP_FROM: you can specify the "From:" address in messages sent
-# from DenyHosts when it reports thwarted abuse attempts
-#
-SMTP_FROM = DenyHosts <denyhosts@xxxxxxxxxxxxxxxxx>
-#
-#######################################################################
-
-#######################################################################
-#
-# SMTP_SUBJECT: you can specify the "Subject:" of messages sent
-# by DenyHosts when it reports thwarted abuse attempts
-SMTP_SUBJECT = DenyHosts Report from $[HOSTNAME]
-#
-######################################################################
-
-######################################################################
-#
-# SMTP_DATE_FORMAT: specifies the format used for the "Date:" header
-# when sending email messages.
-#
-# for possible values for this parameter refer to: man strftime
-#
-# the default:
-#
-#SMTP_DATE_FORMAT = %a, %d %b %Y %H:%M:%S %z
-#
-######################################################################
-
-######################################################################
-#
-# SYSLOG_REPORT
-#
-# SYSLOG_REPORT=YES|NO
-# If set to yes, when denied hosts are recorded the report data
-# will be sent to syslog (syslog must be present on your system).
-# The default is: NO
-#
-#SYSLOG_REPORT=NO
-#
-#SYSLOG_REPORT=YES
-#
-######################################################################
-
-######################################################################
-#
-# ALLOWED_HOSTS_HOSTNAME_LOOKUP
-#
-# ALLOWED_HOSTS_HOSTNAME_LOOKUP=YES|NO
-# If set to YES, for each entry in the WORK_DIR/allowed-hosts file,
-# the hostname will be looked up.  If your versions of tcp_wrappers
-# and sshd sometimes log hostnames in addition to ip addresses
-# then you may wish to specify this option.
-# 
-#ALLOWED_HOSTS_HOSTNAME_LOOKUP=NO
-#
-######################################################################
-
-###################################################################### 
-# 
-# AGE_RESET_VALID: Specifies the period of time between failed login
-# attempts that, when exceeded will result in the failed count for 
-# this host to be reset to 0.  This value applies to login attempts 
-# to all valid users (those within /etc/passwd) with the 
-# exception of root.  If not defined, this count will never
-# be reset.
-#
-# See the comments in the PURGE_DENY section (above) 
-# for details on specifying this value or for complete details 
-# refer to:  http://denyhosts.sourceforge.net/faq.html#timespec
-#
-AGE_RESET_VALID=5d
-#
-######################################################################
-
-###################################################################### 
-# 
-# AGE_RESET_ROOT: Specifies the period of time between failed login
-# attempts that, when exceeded will result in the failed count for 
-# this host to be reset to 0.  This value applies to all login 
-# attempts to the "root" user account.  If not defined,
-# this count will never be reset.
-#
-# See the comments in the PURGE_DENY section (above) 
-# for details on specifying this value or for complete details 
-# refer to:  http://denyhosts.sourceforge.net/faq.html#timespec
-#
-AGE_RESET_ROOT=25d
-#
-######################################################################
-
-###################################################################### 
-# 
-# AGE_RESET_RESTRICTED: Specifies the period of time between failed login
-# attempts that, when exceeded will result in the failed count for 
-# this host to be reset to 0.  This value applies to all login 
-# attempts to entries found in the WORK_DIR/restricted-usernames file.  
-# If not defined, the count will never be reset.
-#
-# See the comments in the PURGE_DENY section (above) 
-# for details on specifying this value or for complete details 
-# refer to:  http://denyhosts.sourceforge.net/faq.html#timespec
-#
-AGE_RESET_RESTRICTED=25d
-#
-######################################################################
-
-
-###################################################################### 
-# 
-# AGE_RESET_INVALID: Specifies the period of time between failed login
-# attempts that, when exceeded will result in the failed count for 
-# this host to be reset to 0.  This value applies to login attempts 
-# made to any invalid username (those that do not appear 
-# in /etc/passwd).  If not defined, count will never be reset.
-#
-# See the comments in the PURGE_DENY section (above) 
-# for details on specifying this value or for complete details 
-# refer to:  http://denyhosts.sourceforge.net/faq.html#timespec
-#
-AGE_RESET_INVALID=10d
-#
-######################################################################
-
-
-######################################################################
-#
-# RESET_ON_SUCCESS: If this parameter is set to "yes" then the
-# failed count for the respective ip address will be reset to 0
-# if the login is successful.  
-#
-# The default is RESET_ON_SUCCESS = no
-#
-RESET_ON_SUCCESS = yes
-#
-#####################################################################
-
-
-######################################################################
-#
-# PLUGIN_DENY: If set, this value should point to an executable
-# program that will be invoked when a host is added to the
-# HOSTS_DENY file.  This executable will be passed the host
-# that will be added as it's only argument.
-#
-#PLUGIN_DENY=/usr/bin/true
-#
-######################################################################
-
-
-######################################################################
-#
-# PLUGIN_PURGE: If set, this value should point to an executable
-# program that will be invoked when a host is removed from the
-# HOSTS_DENY file.  This executable will be passed the host
-# that is to be purged as it's only argument.
-#
-#PLUGIN_PURGE=/usr/bin/true
-#
-######################################################################
-
-######################################################################
-#
-# USERDEF_FAILED_ENTRY_REGEX: if set, this value should contain
-# a regular expression that can be used to identify additional
-# hackers for your particular ssh configuration.  This functionality
-# extends the built-in regular expressions that DenyHosts uses.
-# This parameter can be specified multiple times.
-# See this faq entry for more details:
-#    http://denyhosts.sf.net/faq.html#userdef_regex
-#
-#USERDEF_FAILED_ENTRY_REGEX=
-#
-#
-######################################################################
-
-
-
-
-   ######### THESE SETTINGS ARE SPECIFIC TO DAEMON MODE  ##########
-
-
-
-#######################################################################
-#
-# DAEMON_LOG: when DenyHosts is run in daemon mode (--daemon flag)
-# this is the logfile that DenyHosts uses to report it's status.
-# To disable logging, leave blank.  (default is: /var/log/denyhosts)
-#
-DAEMON_LOG = /var/log/denyhosts
-#
-# disable logging:
-#DAEMON_LOG = 
-#
-######################################################################
-
-#######################################################################
-# 
-# DAEMON_LOG_TIME_FORMAT: when DenyHosts is run in daemon mode 
-# (--daemon flag) this specifies the timestamp format of 
-# the DAEMON_LOG messages (default is the ISO8061 format:
-# ie. 2005-07-22 10:38:01,745)
-#
-# for possible values for this parameter refer to: man strftime
-#
-# Jan 1 13:05:59   
-#DAEMON_LOG_TIME_FORMAT = %b %d %H:%M:%S
-#
-# Jan 1 01:05:59 
-#DAEMON_LOG_TIME_FORMAT = %b %d %I:%M:%S
-#
-###################################################################### 
-
-#######################################################################
-# 
-# DAEMON_LOG_MESSAGE_FORMAT: when DenyHosts is run in daemon mode 
-# (--daemon flag) this specifies the message format of each logged
-# entry.  By default the following format is used:
-#
-# %(asctime)s - %(name)-12s: %(levelname)-8s %(message)s
-#
-# Where the "%(asctime)s" portion is expanded to the format
-# defined by DAEMON_LOG_TIME_FORMAT
-#
-# This string is passed to python's logging.Formatter contstuctor.
-# For details on the possible format types please refer to:
-# http://docs.python.org/lib/node357.html
-#
-# This is the default:
-#DAEMON_LOG_MESSAGE_FORMAT = %(asctime)s - %(name)-12s: %(levelname)-8s %(message)s
-#
-#
-###################################################################### 
-
- 
-#######################################################################
-#
-# DAEMON_SLEEP: when DenyHosts is run in daemon mode (--daemon flag)
-# this is the amount of time DenyHosts will sleep between polling
-# the SECURE_LOG.  See the comments in the PURGE_DENY section (above)
-# for details on specifying this value or for complete details
-# refer to:    http://denyhosts.sourceforge.net/faq.html#timespec
-# 
-#
-DAEMON_SLEEP = 30s
-#
-#######################################################################
-
-#######################################################################
-#
-# DAEMON_PURGE: How often should DenyHosts, when run in daemon mode,
-# run the purge mechanism to expire old entries in HOSTS_DENY
-# This has no effect if PURGE_DENY is blank.
-#
-DAEMON_PURGE = 1h
-#
-#######################################################################
-
-
-   #########   THESE SETTINGS ARE SPECIFIC TO     ##########
-   #########       DAEMON SYNCHRONIZATION         ##########
-
-
-#######################################################################
-#
-# Synchronization mode allows the DenyHosts daemon the ability
-# to periodically send and receive denied host data such that 
-# DenyHosts daemons worldwide can automatically inform one
-# another regarding banned hosts.   This mode is disabled by
-# default, you must uncomment SYNC_SERVER to enable this mode.
-#
-# for more information, please refer to: 
-#        http:/denyhosts.sourceforge.net/faq.html#sync 
-#
-#######################################################################
-
-
-#######################################################################
-#
-# SYNC_SERVER: The central server that communicates with DenyHost
-# daemons.  Currently, denyhosts.net is the only available server
-# however, in the future, it may be possible for organizations to
-# install their own server for internal network synchronization
-#
-# To disable synchronization (the default), do nothing. 
-#
-# To enable synchronization, you must uncomment the following line:
-#SYNC_SERVER = http://xmlrpc.denyhosts.net:9911
-#
-#######################################################################
-
-#######################################################################
-#
-# SYNC_INTERVAL: the interval of time to perform synchronizations if
-# SYNC_SERVER has been uncommented.  The default is 1 hour.
-# 
-SYNC_INTERVAL = 1h
-#
-#######################################################################
-
-
-#######################################################################
-#
-# SYNC_UPLOAD: allow your DenyHosts daemon to transmit hosts that have
-# been denied?  This option only applies if SYNC_SERVER has
-# been uncommented.
-# The default is SYNC_UPLOAD = yes
-#
-#SYNC_UPLOAD = no
-#SYNC_UPLOAD = yes
-#
-#######################################################################
-
-
-#######################################################################
-#
-# SYNC_DOWNLOAD: allow your DenyHosts daemon to receive hosts that have
-# been denied by others?  This option only applies if SYNC_SERVER has
-# been uncommented.
-# The default is SYNC_DOWNLOAD = yes
-#
-#SYNC_DOWNLOAD = no
-#SYNC_DOWNLOAD = yes
-#
-#
-#
-#######################################################################
-
-#######################################################################
-#
-# SYNC_DOWNLOAD_THRESHOLD: If SYNC_DOWNLOAD is enabled this parameter
-# filters the returned hosts to those that have been blocked this many
-# times by others.  That is, if set to 1, then if a single DenyHosts
-# server has denied an ip address then you will receive the denied host.
-# 
-# See also SYNC_DOWNLOAD_RESILIENCY
-#
-#SYNC_DOWNLOAD_THRESHOLD = 10
-#
-# The default is SYNC_DOWNLOAD_THRESHOLD = 3 
-#
-#SYNC_DOWNLOAD_THRESHOLD = 3
-#
-#######################################################################
-
-#######################################################################
-#
-# SYNC_DOWNLOAD_RESILIENCY:  If SYNC_DOWNLOAD is enabled then the
-# value specified for this option limits the downloaded data
-# to this resiliency period or greater.
-#
-# Resiliency is defined as the timespan between a hackers first known 
-# attack and it's most recent attack.  Example:
-# 
-# If the centralized   denyhosts.net server records an attack at 2 PM 
-# and then again at 5 PM, specifying a SYNC_DOWNLOAD_RESILIENCY = 4h 
-# will not download this ip address.
-#
-# However, if the attacker is recorded again at 6:15 PM then the 
-# ip address will be downloaded by your DenyHosts instance.  
-#
-# This value is used in conjunction with the SYNC_DOWNLOAD_THRESHOLD 
-# and only hosts that satisfy both values will be downloaded.  
-# This value has no effect if SYNC_DOWNLOAD_THRESHOLD = 1 
-#
-# The default is SYNC_DOWNLOAD_RESILIENCY = 5h (5 hours)
-#
-# Only obtain hackers that have been at it for 2 days or more:
-#SYNC_DOWNLOAD_RESILIENCY = 2d
-#
-# Only obtain hackers that have been at it for 5 hours or more:
-#SYNC_DOWNLOAD_RESILIENCY = 5h
-#
-#######################################################################
-
diff --git a/handlers/restart_services.yml b/handlers/restart_services.yml
index 805ee4e..32c11e3 100644
--- a/handlers/restart_services.yml
+++ b/handlers/restart_services.yml
@@ -26,9 +26,6 @@
 - name: restart crond
   action: service name=crond state=restarted
 
-- name: restart denyhosts
-  action: service name=denyhosts state=restarted
-
 - name: restart httpd
   action: service name=httpd state=restarted
 
diff --git a/playbooks/groups/arm-packager.yml b/playbooks/groups/arm-packager.yml
index e8008f9..2f33e92 100644
--- a/playbooks/groups/arm-packager.yml
+++ b/playbooks/groups/arm-packager.yml
@@ -13,6 +13,7 @@
 
   roles:
   - rkhunter
+  - denyhosts
 
   tasks:
   # this is how you include other task lists
@@ -23,7 +24,6 @@
   - include: $tasks/2fa_client.yml
   - include: $tasks/motd.yml
   - include: $tasks/sudo.yml
-  - include: $tasks/denyhosts.yml
 
   handlers:
   - include: $handlers/restart_services.yml
diff --git a/playbooks/groups/arm-qa.yml b/playbooks/groups/arm-qa.yml
index d9a745b..b92184b 100644
--- a/playbooks/groups/arm-qa.yml
+++ b/playbooks/groups/arm-qa.yml
@@ -13,6 +13,7 @@
 
   roles:
   - rkhunter
+  - denyhosts
 
   tasks:
   # this is how you include other task lists
@@ -23,7 +24,6 @@
   - include: $tasks/2fa_client.yml
   - include: $tasks/motd.yml
   - include: $tasks/sudo.yml
-  - include: $tasks/denyhosts.yml
 
   handlers:
   - include: $handlers/restart_services.yml
diff --git a/playbooks/groups/backup-server.yml b/playbooks/groups/backup-server.yml
index 8b95ebb..0820d9f 100644
--- a/playbooks/groups/backup-server.yml
+++ b/playbooks/groups/backup-server.yml
@@ -15,6 +15,7 @@
 
   roles:
   - rkhunter
+  - denyhosts
 
   tasks:
   - include: $tasks/hosts.yml
@@ -24,7 +25,6 @@
   - include: $tasks/2fa_client.yml
   - include: $tasks/motd.yml
   - include: $tasks/sudo.yml
-  - include: $tasks/denyhosts.yml
   - include: $tasks/nagios_client.yml
   - include: $tasks/mysql_server.yml
   - include: $tasks/bacula_server.yml
diff --git a/playbooks/groups/badges-backend.yml b/playbooks/groups/badges-backend.yml
index 73aba95..9d599c1 100644
--- a/playbooks/groups/badges-backend.yml
+++ b/playbooks/groups/badges-backend.yml
@@ -31,6 +31,7 @@
 
   roles:
   - rkhunter
+  - denyhosts
 
   tasks:
   - include: $tasks/hosts.yml
@@ -40,7 +41,6 @@
   - include: $tasks/2fa_client.yml
   - include: $tasks/motd.yml
   - include: $tasks/sudo.yml
-  - include: $tasks/denyhosts.yml
   - include: $tasks/nagios_client.yml
   - include: $tasks/openvpn_client.yml
     only_if: "'$env' != 'staging'"
diff --git a/playbooks/groups/badges-web.yml b/playbooks/groups/badges-web.yml
index 15ae8df..4fddc4e 100644
--- a/playbooks/groups/badges-web.yml
+++ b/playbooks/groups/badges-web.yml
@@ -34,6 +34,7 @@
 
   roles:
   - rkhunter
+  - denyhosts
 
   tasks:
   - include: $tasks/hosts.yml
@@ -43,7 +44,6 @@
   - include: $tasks/2fa_client.yml
   - include: $tasks/motd.yml
   - include: $tasks/sudo.yml
-  - include: $tasks/denyhosts.yml
   - include: $tasks/nagios_client.yml
   - include: $tasks/openvpn_client.yml
     only_if: "'$env' != 'staging'"
diff --git a/playbooks/groups/beaker.yml b/playbooks/groups/beaker.yml
index 1be9e9d..43606c1 100644
--- a/playbooks/groups/beaker.yml
+++ b/playbooks/groups/beaker.yml
@@ -30,6 +30,7 @@
 
   roles:
   - rkhunter
+  - denyhosts
 
   tasks:
   # this is how you include other task lists
@@ -41,7 +42,6 @@
   - include: $tasks/collectd/client.yml
   - include: $tasks/motd.yml
   - include: $tasks/sudo.yml
-  - include: $tasks/denyhosts.yml
   - include: $tasks/nagios_client.yml
 
   handlers:
diff --git a/playbooks/groups/gallery.yml b/playbooks/groups/gallery.yml
index a99a438..141e613 100644
--- a/playbooks/groups/gallery.yml
+++ b/playbooks/groups/gallery.yml
@@ -31,6 +31,7 @@
 
   roles:
   - rkhunter
+  - denyhosts
 
   tasks:
   - include: $tasks/hosts.yml
@@ -40,7 +41,6 @@
   - include: $tasks/2fa_client.yml
   - include: $tasks/motd.yml
   - include: $tasks/sudo.yml
-  - include: $tasks/denyhosts.yml
   - include: $tasks/nagios_client.yml
   - include: $tasks/fedmsg_base.yml
   - include: $tasks/apache.yml
diff --git a/playbooks/groups/kernel-qa.yml b/playbooks/groups/kernel-qa.yml
index 4f2fdc7..a99e3b5 100644
--- a/playbooks/groups/kernel-qa.yml
+++ b/playbooks/groups/kernel-qa.yml
@@ -14,6 +14,7 @@
 
   roles:
   - rkhunter
+  - denyhosts
 
   tasks:
   # this is how you include other task lists
@@ -24,7 +25,6 @@
   - include: $tasks/2fa_client.yml
   - include: $tasks/motd.yml
   - include: $tasks/sudo.yml
-  - include: $tasks/denyhosts.yml
   - include: $tasks/nagios_client.yml
 
 
diff --git a/playbooks/groups/keyserver.yml b/playbooks/groups/keyserver.yml
index 0b9e190..9fc5066 100644
--- a/playbooks/groups/keyserver.yml
+++ b/playbooks/groups/keyserver.yml
@@ -31,6 +31,7 @@
 
   roles:
   - rkhunter
+  - denyhosts
 
   tasks:
   - include: $tasks/hosts.yml
@@ -40,7 +41,6 @@
   - include: $tasks/2fa_client.yml
   - include: $tasks/motd.yml
   - include: $tasks/sudo.yml
-  - include: $tasks/denyhosts.yml
   - include: $tasks/nagios_client.yml
   - include: $tasks/fedmsg_base.yml
   - include: $tasks/apache.yml
diff --git a/playbooks/groups/koji-hub.yml b/playbooks/groups/koji-hub.yml
index 6b9725f..2ede558 100644
--- a/playbooks/groups/koji-hub.yml
+++ b/playbooks/groups/koji-hub.yml
@@ -32,6 +32,7 @@
 
   roles:
   - rkhunter
+  - denyhosts
 
   tasks:
   - include: $tasks/hosts.yml
@@ -41,7 +42,6 @@
   - include: $tasks/2fa_client.yml
   - include: $tasks/motd.yml
   - include: $tasks/sudo.yml
-  - include: $tasks/denyhosts.yml
   - include: $tasks/nagios_client.yml
   - include: $tasks/collectd/client.yml
   - include: $tasks/koji/koji_hub.yml
diff --git a/playbooks/groups/mailman.yml b/playbooks/groups/mailman.yml
index cd3af1c..c90f1c5 100644
--- a/playbooks/groups/mailman.yml
+++ b/playbooks/groups/mailman.yml
@@ -30,6 +30,7 @@
 
   roles:
   - rkhunter
+  - denyhosts
 
   tasks:
   # this is how you include other task lists
@@ -41,7 +42,6 @@
   - include: $tasks/collectd/client.yml
   - include: $tasks/motd.yml
   - include: $tasks/sudo.yml
-  - include: $tasks/denyhosts.yml
   - include: $tasks/nagios_client.yml
 
   handlers:
diff --git a/playbooks/groups/mirrorlist.yml b/playbooks/groups/mirrorlist.yml
index dbc70ed..e28e034 100644
--- a/playbooks/groups/mirrorlist.yml
+++ b/playbooks/groups/mirrorlist.yml
@@ -40,6 +40,7 @@
 
   roles:
   - rkhunter
+  - denyhosts
 
   tasks:
   # this is how you include other task lists
@@ -52,7 +53,6 @@
   - include: $tasks/openvpn_client.yml
   - include: $tasks/motd.yml
   - include: $tasks/sudo.yml
-  - include: $tasks/denyhosts.yml
   - include: $tasks/nagios_client.yml
   - include: $tasks/apache.yml
   - include: $tasks/mod_wsgi.yml
diff --git a/playbooks/groups/postgresl-server.yml b/playbooks/groups/postgresl-server.yml
index 44f9934..92fdbde 100644
--- a/playbooks/groups/postgresl-server.yml
+++ b/playbooks/groups/postgresl-server.yml
@@ -32,6 +32,7 @@
 
   roles:
   - rkhunter
+  - denyhosts
 
   tasks:
   - include: $tasks/hosts.yml
@@ -41,7 +42,6 @@
   - include: $tasks/2fa_client.yml
   - include: $tasks/motd.yml
   - include: $tasks/sudo.yml
-  - include: $tasks/denyhosts.yml
   - include: $tasks/nagios_client.yml
   - include: $tasks/collectd/client.yml
   - include: $tasks/postgresql_server.yml
diff --git a/playbooks/groups/taskbot.yml b/playbooks/groups/taskbot.yml
index 47bb3a2..3d57356 100644
--- a/playbooks/groups/taskbot.yml
+++ b/playbooks/groups/taskbot.yml
@@ -30,6 +30,7 @@
 
   roles:
   - rkhunter
+  - denyhosts
 
   tasks:
   # this is how you include other task lists
@@ -41,7 +42,6 @@
   - include: $tasks/collectd/client.yml
   - include: $tasks/motd.yml
   - include: $tasks/sudo.yml
-  - include: $tasks/denyhosts.yml
   - include: $tasks/nagios_client.yml
 
   handlers:
diff --git a/playbooks/groups/virthost.yml b/playbooks/groups/virthost.yml
index 6d22a47..24761a4 100644
--- a/playbooks/groups/virthost.yml
+++ b/playbooks/groups/virthost.yml
@@ -14,6 +14,7 @@
 
   roles:
   - rkhunter
+  - denyhosts
 
   tasks:
   - include: $tasks/hosts.yml
@@ -23,7 +24,6 @@
   - include: $tasks/2fa_client.yml
   - include: $tasks/motd.yml
   - include: $tasks/sudo.yml
-  - include: $tasks/denyhosts.yml
   - include: $tasks/nagios_client.yml
   - include: $tasks/collectd/client.yml
   - include: $tasks/virthost.yml
diff --git a/roles/denyhosts/files/allowed-hosts b/roles/denyhosts/files/allowed-hosts
new file mode 100644
index 0000000..f5a88b7
--- /dev/null
+++ b/roles/denyhosts/files/allowed-hosts
@@ -0,0 +1,27 @@
+# We mustn't block localhost
+127.0.0.1
+
+#bastion
+10.5.126.11
+10.5.126.12
+#lockbox
+10.5.126.23
+# don't block lockbox's remote addr, either
+209.132.181.6
+
+#noc1
+noc1.phx2.fedoraproject.org
+10.5.126.41
+192.168.1.10
+
+# RDU NAT
+66.187.233.202
+66.187.233.206
+# RH NAT 
+66.187.230.200
+# PHX2 NAT
+209.132.181.102
+# tlv RHT NAT
+66.187.237.10
+# brno RHT NAT
+209.132.186.34
diff --git a/roles/denyhosts/files/denyhosts.conf b/roles/denyhosts/files/denyhosts.conf
new file mode 100644
index 0000000..577b851
--- /dev/null
+++ b/roles/denyhosts/files/denyhosts.conf
@@ -0,0 +1,626 @@
+       ############ THESE SETTINGS ARE REQUIRED ############
+
+########################################################################
+#
+# SECURE_LOG: the log file that contains sshd logging info
+# if you are not sure, grep "sshd:" /var/log/*
+#
+# The file to process can be overridden with the --file command line
+# argument
+#
+# Redhat or Fedora Core:
+SECURE_LOG = /var/log/secure
+#
+# Mandrake, FreeBSD or OpenBSD: 
+#SECURE_LOG = /var/log/auth.log
+#
+# SuSE:
+#SECURE_LOG = /var/log/messages
+#
+# Mac OS X (v10.4 or greater - 
+#   also refer to:   http://www.denyhosts.net/faq.html#macos
+#SECURE_LOG = /private/var/log/asl.log
+#
+# Mac OS X (v10.3 or earlier):
+#SECURE_LOG=/private/var/log/system.log
+#
+########################################################################
+
+########################################################################
+#
+# HOSTS_DENY: the file which contains restricted host access information
+#
+# Most operating systems:
+HOSTS_DENY = /etc/hosts.deny
+#
+# Some BSD (FreeBSD) Unixes:
+#HOSTS_DENY = /etc/hosts.allow
+#
+# Another possibility (also see the next option):
+#HOSTS_DENY = /etc/hosts.evil
+#######################################################################
+
+
+########################################################################
+#
+# PURGE_DENY: removed HOSTS_DENY entries that are older than this time
+#             when DenyHosts is invoked with the --purge flag
+#
+#      format is: i[dhwmy]
+#      Where 'i' is an integer (eg. 7) 
+#            'm' = minutes
+#            'h' = hours
+#            'd' = days
+#            'w' = weeks
+#            'y' = years
+#
+# never purge:
+#PURGE_DENY = 
+#
+# purge entries older than 1 week
+#PURGE_DENY = 1w
+#
+# purge entries older than 5 days
+#PURGE_DENY = 5d
+#
+# For the default Fedora Extras install, we want timestamping but no
+# expiration (at least by default) so this is deliberately set high.
+# Adjust to taste.
+PURGE_DENY = 4w
+#######################################################################
+
+#######################################################################
+#
+# PURGE_THRESHOLD: defines the maximum times a host will be purged.  
+# Once this value has been exceeded then this host will not be purged. 
+# Setting this parameter to 0 (the default) disables this feature.
+#
+# default: a denied host can be purged/re-added indefinitely
+PURGE_THRESHOLD = 4
+#
+# a denied host will be purged at most 2 times. 
+#PURGE_THRESHOLD = 2 
+#
+#######################################################################
+
+
+#######################################################################
+#
+# BLOCK_SERVICE: the service name that should be blocked in HOSTS_DENY
+# 
+# man 5 hosts_access for details
+#
+# eg.   sshd: 127.0.0.1  # will block sshd logins from 127.0.0.1
+#
+# To block all services for the offending host:
+#BLOCK_SERVICE = ALL
+# To block only sshd:
+BLOCK_SERVICE  = sshd
+# To only record the offending host and nothing else (if using
+# an auxilary file to list the hosts).  Refer to: 
+# http://denyhosts.sourceforge.net/faq.html#aux
+#BLOCK_SERVICE =    
+#
+#######################################################################
+
+
+#######################################################################
+#
+# DENY_THRESHOLD_INVALID: block each host after the number of failed login 
+# attempts has exceeded this value.  This value applies to invalid
+# user login attempts (eg. non-existent user accounts)
+#
+DENY_THRESHOLD_INVALID = 15
+#
+#######################################################################
+
+#######################################################################
+#
+# DENY_THRESHOLD_VALID: block each host after the number of failed 
+# login attempts has exceeded this value.  This value applies to valid
+# user login attempts (eg. user accounts that exist in /etc/passwd) except
+# for the "root" user
+#
+DENY_THRESHOLD_VALID = 15
+#
+#######################################################################
+
+#######################################################################
+#
+# DENY_THRESHOLD_ROOT: block each host after the number of failed 
+# login attempts has exceeded this value.  This value applies to 
+# "root" user login attempts only.
+#
+DENY_THRESHOLD_ROOT = 5
+#
+#######################################################################
+
+
+#######################################################################
+#
+# DENY_THRESHOLD_RESTRICTED: block each host after the number of failed 
+# login attempts has exceeded this value.  This value applies to 
+# usernames that appear in the WORK_DIR/restricted-usernames file only.
+#
+DENY_THRESHOLD_RESTRICTED = 1
+#
+#######################################################################
+
+
+#######################################################################
+#
+# WORK_DIR: the path that DenyHosts will use for writing data to
+# (it will be created if it does not already exist).  
+#
+# Note: it is recommended that you use an absolute pathname
+# for this value (eg. /home/foo/denyhosts/data)
+#
+WORK_DIR = /var/lib/denyhosts
+#
+#######################################################################
+
+#######################################################################
+#
+# SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS
+#
+# SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES|NO
+# If set to YES, if a suspicious login attempt results from an allowed-host
+# then it is considered suspicious.  If this is NO, then suspicious logins 
+# from allowed-hosts will not be reported.  All suspicious logins from 
+# ip addresses that are not in allowed-hosts will always be reported.
+#
+SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES
+######################################################################
+
+######################################################################
+#
+# HOSTNAME_LOOKUP
+#
+# HOSTNAME_LOOKUP=YES|NO
+# If set to YES, for each IP address that is reported by Denyhosts,
+# the corresponding hostname will be looked up and reported as well
+# (if available).
+#
+HOSTNAME_LOOKUP=YES
+#
+######################################################################
+
+
+######################################################################
+#
+# LOCK_FILE
+#
+# LOCK_FILE=/path/denyhosts
+# If this file exists when DenyHosts is run, then DenyHosts will exit
+# immediately.  Otherwise, this file will be created upon invocation
+# and deleted upon exit.  This ensures that only one instance is
+# running at a time.
+#
+# Redhat/Fedora:
+LOCK_FILE = /var/lock/subsys/denyhosts
+#
+# Debian
+#LOCK_FILE = /var/run/denyhosts.pid
+#
+# Misc
+#LOCK_FILE = /tmp/denyhosts.lock
+#
+######################################################################
+
+
+       ############ THESE SETTINGS ARE OPTIONAL ############
+
+
+#######################################################################
+#
+# ADMIN_EMAIL: if you would like to receive emails regarding newly
+# restricted hosts and suspicious logins, set this address to 
+# match your email address.  If you do not want to receive these reports
+# leave this field blank (or run with the --noemail option)
+#
+# Multiple email addresses can be delimited by a comma, eg:
+# ADMIN_EMAIL = foo@xxxxxxx, bar@xxxxxxx, etc@xxxxxxxxxx
+#
+# ADMIN_EMAIL = ausil@xxxxxxxxxxxxxxxxx
+#
+#######################################################################
+
+#######################################################################
+#
+# SMTP_HOST and SMTP_PORT: if DenyHosts is configured to email 
+# reports (see ADMIN_EMAIL) then these settings specify the 
+# email server address (SMTP_HOST) and the server port (SMTP_PORT)
+# 
+#
+# THEMOVE FIXME this needs to work from external non-VPN machines.
+SMTP_HOST = bastion
+SMTP_PORT = 25
+#
+#######################################################################
+
+#######################################################################
+# 
+# SMTP_USERNAME and SMTP_PASSWORD: set these parameters if your 
+# smtp email server requires authentication
+#
+#SMTP_USERNAME=foo
+#SMTP_PASSWORD=bar
+#
+######################################################################
+
+#######################################################################
+#
+# SMTP_FROM: you can specify the "From:" address in messages sent
+# from DenyHosts when it reports thwarted abuse attempts
+#
+SMTP_FROM = DenyHosts <denyhosts@xxxxxxxxxxxxxxxxx>
+#
+#######################################################################
+
+#######################################################################
+#
+# SMTP_SUBJECT: you can specify the "Subject:" of messages sent
+# by DenyHosts when it reports thwarted abuse attempts
+SMTP_SUBJECT = DenyHosts Report from $[HOSTNAME]
+#
+######################################################################
+
+######################################################################
+#
+# SMTP_DATE_FORMAT: specifies the format used for the "Date:" header
+# when sending email messages.
+#
+# for possible values for this parameter refer to: man strftime
+#
+# the default:
+#
+#SMTP_DATE_FORMAT = %a, %d %b %Y %H:%M:%S %z
+#
+######################################################################
+
+######################################################################
+#
+# SYSLOG_REPORT
+#
+# SYSLOG_REPORT=YES|NO
+# If set to yes, when denied hosts are recorded the report data
+# will be sent to syslog (syslog must be present on your system).
+# The default is: NO
+#
+#SYSLOG_REPORT=NO
+#
+#SYSLOG_REPORT=YES
+#
+######################################################################
+
+######################################################################
+#
+# ALLOWED_HOSTS_HOSTNAME_LOOKUP
+#
+# ALLOWED_HOSTS_HOSTNAME_LOOKUP=YES|NO
+# If set to YES, for each entry in the WORK_DIR/allowed-hosts file,
+# the hostname will be looked up.  If your versions of tcp_wrappers
+# and sshd sometimes log hostnames in addition to ip addresses
+# then you may wish to specify this option.
+# 
+#ALLOWED_HOSTS_HOSTNAME_LOOKUP=NO
+#
+######################################################################
+
+###################################################################### 
+# 
+# AGE_RESET_VALID: Specifies the period of time between failed login
+# attempts that, when exceeded will result in the failed count for 
+# this host to be reset to 0.  This value applies to login attempts 
+# to all valid users (those within /etc/passwd) with the 
+# exception of root.  If not defined, this count will never
+# be reset.
+#
+# See the comments in the PURGE_DENY section (above) 
+# for details on specifying this value or for complete details 
+# refer to:  http://denyhosts.sourceforge.net/faq.html#timespec
+#
+AGE_RESET_VALID=5d
+#
+######################################################################
+
+###################################################################### 
+# 
+# AGE_RESET_ROOT: Specifies the period of time between failed login
+# attempts that, when exceeded will result in the failed count for 
+# this host to be reset to 0.  This value applies to all login 
+# attempts to the "root" user account.  If not defined,
+# this count will never be reset.
+#
+# See the comments in the PURGE_DENY section (above) 
+# for details on specifying this value or for complete details 
+# refer to:  http://denyhosts.sourceforge.net/faq.html#timespec
+#
+AGE_RESET_ROOT=25d
+#
+######################################################################
+
+###################################################################### 
+# 
+# AGE_RESET_RESTRICTED: Specifies the period of time between failed login
+# attempts that, when exceeded will result in the failed count for 
+# this host to be reset to 0.  This value applies to all login 
+# attempts to entries found in the WORK_DIR/restricted-usernames file.  
+# If not defined, the count will never be reset.
+#
+# See the comments in the PURGE_DENY section (above) 
+# for details on specifying this value or for complete details 
+# refer to:  http://denyhosts.sourceforge.net/faq.html#timespec
+#
+AGE_RESET_RESTRICTED=25d
+#
+######################################################################
+
+
+###################################################################### 
+# 
+# AGE_RESET_INVALID: Specifies the period of time between failed login
+# attempts that, when exceeded will result in the failed count for 
+# this host to be reset to 0.  This value applies to login attempts 
+# made to any invalid username (those that do not appear 
+# in /etc/passwd).  If not defined, count will never be reset.
+#
+# See the comments in the PURGE_DENY section (above) 
+# for details on specifying this value or for complete details 
+# refer to:  http://denyhosts.sourceforge.net/faq.html#timespec
+#
+AGE_RESET_INVALID=10d
+#
+######################################################################
+
+
+######################################################################
+#
+# RESET_ON_SUCCESS: If this parameter is set to "yes" then the
+# failed count for the respective ip address will be reset to 0
+# if the login is successful.  
+#
+# The default is RESET_ON_SUCCESS = no
+#
+RESET_ON_SUCCESS = yes
+#
+#####################################################################
+
+
+######################################################################
+#
+# PLUGIN_DENY: If set, this value should point to an executable
+# program that will be invoked when a host is added to the
+# HOSTS_DENY file.  This executable will be passed the host
+# that will be added as it's only argument.
+#
+#PLUGIN_DENY=/usr/bin/true
+#
+######################################################################
+
+
+######################################################################
+#
+# PLUGIN_PURGE: If set, this value should point to an executable
+# program that will be invoked when a host is removed from the
+# HOSTS_DENY file.  This executable will be passed the host
+# that is to be purged as it's only argument.
+#
+#PLUGIN_PURGE=/usr/bin/true
+#
+######################################################################
+
+######################################################################
+#
+# USERDEF_FAILED_ENTRY_REGEX: if set, this value should contain
+# a regular expression that can be used to identify additional
+# hackers for your particular ssh configuration.  This functionality
+# extends the built-in regular expressions that DenyHosts uses.
+# This parameter can be specified multiple times.
+# See this faq entry for more details:
+#    http://denyhosts.sf.net/faq.html#userdef_regex
+#
+#USERDEF_FAILED_ENTRY_REGEX=
+#
+#
+######################################################################
+
+
+
+
+   ######### THESE SETTINGS ARE SPECIFIC TO DAEMON MODE  ##########
+
+
+
+#######################################################################
+#
+# DAEMON_LOG: when DenyHosts is run in daemon mode (--daemon flag)
+# this is the logfile that DenyHosts uses to report it's status.
+# To disable logging, leave blank.  (default is: /var/log/denyhosts)
+#
+DAEMON_LOG = /var/log/denyhosts
+#
+# disable logging:
+#DAEMON_LOG = 
+#
+######################################################################
+
+#######################################################################
+# 
+# DAEMON_LOG_TIME_FORMAT: when DenyHosts is run in daemon mode 
+# (--daemon flag) this specifies the timestamp format of 
+# the DAEMON_LOG messages (default is the ISO8061 format:
+# ie. 2005-07-22 10:38:01,745)
+#
+# for possible values for this parameter refer to: man strftime
+#
+# Jan 1 13:05:59   
+#DAEMON_LOG_TIME_FORMAT = %b %d %H:%M:%S
+#
+# Jan 1 01:05:59 
+#DAEMON_LOG_TIME_FORMAT = %b %d %I:%M:%S
+#
+###################################################################### 
+
+#######################################################################
+# 
+# DAEMON_LOG_MESSAGE_FORMAT: when DenyHosts is run in daemon mode 
+# (--daemon flag) this specifies the message format of each logged
+# entry.  By default the following format is used:
+#
+# %(asctime)s - %(name)-12s: %(levelname)-8s %(message)s
+#
+# Where the "%(asctime)s" portion is expanded to the format
+# defined by DAEMON_LOG_TIME_FORMAT
+#
+# This string is passed to python's logging.Formatter contstuctor.
+# For details on the possible format types please refer to:
+# http://docs.python.org/lib/node357.html
+#
+# This is the default:
+#DAEMON_LOG_MESSAGE_FORMAT = %(asctime)s - %(name)-12s: %(levelname)-8s %(message)s
+#
+#
+###################################################################### 
+
+ 
+#######################################################################
+#
+# DAEMON_SLEEP: when DenyHosts is run in daemon mode (--daemon flag)
+# this is the amount of time DenyHosts will sleep between polling
+# the SECURE_LOG.  See the comments in the PURGE_DENY section (above)
+# for details on specifying this value or for complete details
+# refer to:    http://denyhosts.sourceforge.net/faq.html#timespec
+# 
+#
+DAEMON_SLEEP = 30s
+#
+#######################################################################
+
+#######################################################################
+#
+# DAEMON_PURGE: How often should DenyHosts, when run in daemon mode,
+# run the purge mechanism to expire old entries in HOSTS_DENY
+# This has no effect if PURGE_DENY is blank.
+#
+DAEMON_PURGE = 1h
+#
+#######################################################################
+
+
+   #########   THESE SETTINGS ARE SPECIFIC TO     ##########
+   #########       DAEMON SYNCHRONIZATION         ##########
+
+
+#######################################################################
+#
+# Synchronization mode allows the DenyHosts daemon the ability
+# to periodically send and receive denied host data such that 
+# DenyHosts daemons worldwide can automatically inform one
+# another regarding banned hosts.   This mode is disabled by
+# default, you must uncomment SYNC_SERVER to enable this mode.
+#
+# for more information, please refer to: 
+#        http:/denyhosts.sourceforge.net/faq.html#sync 
+#
+#######################################################################
+
+
+#######################################################################
+#
+# SYNC_SERVER: The central server that communicates with DenyHost
+# daemons.  Currently, denyhosts.net is the only available server
+# however, in the future, it may be possible for organizations to
+# install their own server for internal network synchronization
+#
+# To disable synchronization (the default), do nothing. 
+#
+# To enable synchronization, you must uncomment the following line:
+#SYNC_SERVER = http://xmlrpc.denyhosts.net:9911
+#
+#######################################################################
+
+#######################################################################
+#
+# SYNC_INTERVAL: the interval of time to perform synchronizations if
+# SYNC_SERVER has been uncommented.  The default is 1 hour.
+# 
+SYNC_INTERVAL = 1h
+#
+#######################################################################
+
+
+#######################################################################
+#
+# SYNC_UPLOAD: allow your DenyHosts daemon to transmit hosts that have
+# been denied?  This option only applies if SYNC_SERVER has
+# been uncommented.
+# The default is SYNC_UPLOAD = yes
+#
+#SYNC_UPLOAD = no
+#SYNC_UPLOAD = yes
+#
+#######################################################################
+
+
+#######################################################################
+#
+# SYNC_DOWNLOAD: allow your DenyHosts daemon to receive hosts that have
+# been denied by others?  This option only applies if SYNC_SERVER has
+# been uncommented.
+# The default is SYNC_DOWNLOAD = yes
+#
+#SYNC_DOWNLOAD = no
+#SYNC_DOWNLOAD = yes
+#
+#
+#
+#######################################################################
+
+#######################################################################
+#
+# SYNC_DOWNLOAD_THRESHOLD: If SYNC_DOWNLOAD is enabled this parameter
+# filters the returned hosts to those that have been blocked this many
+# times by others.  That is, if set to 1, then if a single DenyHosts
+# server has denied an ip address then you will receive the denied host.
+# 
+# See also SYNC_DOWNLOAD_RESILIENCY
+#
+#SYNC_DOWNLOAD_THRESHOLD = 10
+#
+# The default is SYNC_DOWNLOAD_THRESHOLD = 3 
+#
+#SYNC_DOWNLOAD_THRESHOLD = 3
+#
+#######################################################################
+
+#######################################################################
+#
+# SYNC_DOWNLOAD_RESILIENCY:  If SYNC_DOWNLOAD is enabled then the
+# value specified for this option limits the downloaded data
+# to this resiliency period or greater.
+#
+# Resiliency is defined as the timespan between a hackers first known 
+# attack and it's most recent attack.  Example:
+# 
+# If the centralized   denyhosts.net server records an attack at 2 PM 
+# and then again at 5 PM, specifying a SYNC_DOWNLOAD_RESILIENCY = 4h 
+# will not download this ip address.
+#
+# However, if the attacker is recorded again at 6:15 PM then the 
+# ip address will be downloaded by your DenyHosts instance.  
+#
+# This value is used in conjunction with the SYNC_DOWNLOAD_THRESHOLD 
+# and only hosts that satisfy both values will be downloaded.  
+# This value has no effect if SYNC_DOWNLOAD_THRESHOLD = 1 
+#
+# The default is SYNC_DOWNLOAD_RESILIENCY = 5h (5 hours)
+#
+# Only obtain hackers that have been at it for 2 days or more:
+#SYNC_DOWNLOAD_RESILIENCY = 2d
+#
+# Only obtain hackers that have been at it for 5 hours or more:
+#SYNC_DOWNLOAD_RESILIENCY = 5h
+#
+#######################################################################
+
diff --git a/roles/denyhosts/handlers/main.yml b/roles/denyhosts/handlers/main.yml
new file mode 100644
index 0000000..83c446b
--- /dev/null
+++ b/roles/denyhosts/handlers/main.yml
@@ -0,0 +1,3 @@
+---
+- name: restart denyhosts
+  action: service name=denyhosts state=restarted
diff --git a/roles/denyhosts/tasks/main.yml b/roles/denyhosts/tasks/main.yml
new file mode 100644
index 0000000..1e0a1c4
--- /dev/null
+++ b/roles/denyhosts/tasks/main.yml
@@ -0,0 +1,26 @@
+---
+#install denyhosts
+- name: install denyhosts
+  yum: name=denyhosts state=installed
+  tags:
+  - packages
+
+- name: /etc/denyhosts.conf
+  copy: src=denyhosts.conf dest=/etc/denyhosts.conf
+  notify:
+  - restart denyhosts
+  tags:
+  - config
+
+- name: /var/lib/denyhosts/allowed-hosts
+  copy: src=allowed-hosts dest=/var/lib/denyhosts/allowed-hosts
+  notify:
+  - restart denyhosts
+  tags:
+  - config
+
+- name: enable the service
+  service: name=denyhosts state=running enabled=true
+  tags:
+  - service
+
diff --git a/tasks/denyhosts.yml b/tasks/denyhosts.yml
deleted file mode 100644
index cc4e756..0000000
--- a/tasks/denyhosts.yml
+++ /dev/null
@@ -1,26 +0,0 @@
----
-#install denyhosts
-- name: install denyhosts
-  yum: name=denyhosts state=installed
-  tags:
-  - packages
-
-- name: /etc/denyhosts.conf
-  copy: src=$files/denyhosts/denyhosts.conf dest=/etc/denyhosts.conf
-  notify:
-  - restart denyhosts
-  tags:
-  - config
-
-- name: /var/lib/denyhosts/allowed-hosts
-  copy: src=$files/denyhosts/allowed-hosts dest=/var/lib/denyhosts/allowed-hosts
-  notify:
-  - restart denyhosts
-  tags:
-  - config
-
-- name: enable the service
-  service: name=denyhosts state=running enabled=true
-  tags:
-  - service
-
-- 
1.8.3.1

_______________________________________________
infrastructure mailing list
infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/infrastructure





[Index of Archives]     [Fedora Development]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [KDE Users]

  Powered by Linux