Jason L Tibbitts III wrote:
> During its operation it reads /var/log/secure, maintains databases and
> such under /var/lib/denyhosts, and writes to /etc/hosts.deny. It may
> also make some xmlrpc calls out over the 'net if so configured
> (although by default this is not the case).

I just wanted to point out that I don't run DenyHosts to write directly to hosts.deny. Here is how I have tcpwrappers configured:

---- hosts.allow ----
# Whitelist my LAN
ALL: 192.168.1.0/255.255.255.0

sshd: /etc/hosts.deny.sshd : DENY
sshd: /etc/hosts.allow.us
# hosts.allow.us is a list of IPs in the USA only, since that's
# where I live. No reason to accept SSH from where I don't.

---- hosts.deny ----
ALL: ALL

So, hosts.deny just denies everything, and services need to be whitelisted in hosts.allow. I have DenyHosts write to /etc/hosts.deny.sshd, and any IP not in the US is already denied. As you can see, it would be pointless to append to hosts.deny.

I'm sure there are plenty of other people who do it this way, since it's a configuration option in DenyHosts. I just wanted to point it out so you don't go making changes to the SELinux policy and leave out the possibility of writing to an alternate deny file like I have done.

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
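
The rule ordering described in the message above can be traced with a small evaluator. This is an added example, not part of the original post and not code from DenyHosts or tcp_wrappers; it models only IPv4 address, net/mask, ALL and file patterns, and the contents of hosts.deny.sshd and hosts.allow.us are constructed from documentation address ranges.

```python
import ipaddress

# Constructed file contents; addresses come from documentation ranges.
FILES = {
    "/etc/hosts.allow": "# Whitelist my LAN\n"
                        "ALL: 192.168.1.0/255.255.255.0\n"
                        "sshd: /etc/hosts.deny.sshd : DENY\n"
                        "sshd: /etc/hosts.allow.us\n",
    "/etc/hosts.deny": "ALL: ALL\n",
    "/etc/hosts.deny.sshd": "198.51.100.23\n",  # what DenyHosts would append
    "/etc/hosts.allow.us": "198.51.100.0/255.255.255.0\n",
}

def host_matches(pattern, ip, files):
    """Match one client pattern: ALL, a /file of patterns, an IP or net/mask."""
    if pattern == "ALL":
        return True
    if pattern.startswith("/"):
        return any(host_matches(p, ip, files) for p in files.get(pattern, "").split())
    try:
        if "/" in pattern:
            return ip in ipaddress.ip_network(pattern, strict=False)
        return ip == ipaddress.ip_address(pattern)
    except ValueError:
        return False  # hostnames and wildcards are outside this sketch

def first_match(table, daemon, ip, files):
    """Return the option list of the first rule matching daemon and client, else None."""
    for line in files.get(table, "").splitlines():
        fields = [f.strip() for f in line.split(":")]  # IPv4 only: ':' separates fields
        if line.lstrip().startswith("#") or len(fields) < 2:
            continue
        if not {"ALL", daemon} & set(fields[0].replace(",", " ").split()):
            continue
        if any(host_matches(p, ip, files) for p in fields[1].replace(",", " ").split()):
            return fields[2:]
    return None

def decide(daemon, client, files=FILES):
    """hosts.allow is consulted first; a matching rule there ends the search."""
    ip = ipaddress.ip_address(client)
    opts = first_match("/etc/hosts.allow", daemon, ip, files)
    if opts is not None:
        return "deny" if any(o.upper() == "DENY" for o in opts) else "allow"
    if first_match("/etc/hosts.deny", daemon, ip, files) is not None:
        return "deny"
    return "allow"
```

With hosts.deny.sshd left empty, the same call for 198.51.100.23 returns "allow", which is the state this layout stays in if DenyHosts cannot write to the alternate deny file.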