On Mon, 2010-01-11 at 03:56 -0600, Scott L. Barber wrote:
> I need to be very specific about this request, please bear with me.
>
> My searching the internet shows no "option" that resolves what I wish
> to do.
>
> In the denyhosts.conf, I see an option for BLOCK_SERVICE.
>
> I seem to have choices of All, sshd, or "fill in the blank". I'm
> needing to fill in that blank.
>
> For various reasons, I don't wish to block ALL services. But I do
> wish to block more than just sshd.
>
> I'm expecting that I could simply (as a poor example)
>
> BLOCK_SERVICE = sshd, smtpd, imapd, 15901
>
> (The 15901 is simply a port).
>
> The big question would be, is the above valid?
I don't know offhand; if denyhosts copies that line exactly to hosts.deny,
it may (I think that's valid tcp wrapper syntax for a daemon_list). I don't
believe denyhosts parses that and adds multiple entries itself.

As another means to that end, you could use:

HOST_DENY = /etc/denyhosts.blocked
BLOCK_SERVICE =

I.e. an empty BLOCK_SERVICE; that will record just the ip addresses to be
blocked in that file (a filename under /var may be more appropriate - also
make sure you create that file, e.g. "touch /etc/denyhosts.blocked").

Then in hosts.allow you add lines to the specific services you'd want to
block:

sshd : /etc/denyhosts.blocked : DENY
smtpd : /etc/denyhosts.blocked : DENY
imap4d : /etc/denyhosts.blocked : DENY

and of course you could use ALL as a catch-all (e.g. at the end):

ALL : /etc/denyhosts.blocked : DENY

> or do I need multiple BLOCK_SERVICE = lines, or can it only take one
> entry--comma spaced, space spaced, (what's the delimiter), etc....
>
> Additionally, does this also mean that 25 and smtpd are equivalent
> (meaning, could I specify port numbers instead of service names,
> etc...)

In hosts.allow/deny a service name like "smtpd" is not the same as a port
number (i.e. it's not a match in /etc/services), it's a name that is
hard-coded in the program. (OK, it's not always hard-coded, it may use
argv[0] or a configurable value, but it's supplied by the program using the
tcp wrappers library.) I didn't know you could use port numbers there till
just looking that up, but apparently that is valid. So one mail server could
match with "smtpd" and another maybe "in.smtpd" - but apparently both should
match "25" (completely untested by me).

>
> Please advise...
>
> Scott L. Barber

--
Jesse Norell
Kentec Communications, Inc.
[email protected]

_______________________________________________
Denyhosts-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/denyhosts-user
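To see how the per-service DENY lines from the reply above behave, here is an added example that is not code from the thread, from DenyHosts or from tcp_wrappers: it writes the suggested blocked-IP file and a hosts.allow into a temporary directory and emulates the first-match lookup tcp_wrappers performs, in POSIX sh. The addresses, the temporary paths and the small matcher are constructed for the demo and are assumptions; the emulation only handles ALL, a literal address and a /path client list (the form used in the reply), not netmasks, hostnames, the EXCEPT operator or a hosts.deny pass. To test a real hosts.allow, use tcpdmatch(8) from the tcp_wrappers package instead.

```shell
#!/bin/sh
# Added example, not from the thread or from DenyHosts: emulate the
# hosts.allow lookup tcp_wrappers performs against the per-service DENY
# lines suggested in the reply. Paths and addresses are constructed for
# the demo; the real files live in /etc and are read by libwrap.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Stand-in for HOST_DENY = /etc/denyhosts.blocked: with an empty
# BLOCK_SERVICE, DenyHosts writes one bare address per line.
BLOCKED="$WORK/denyhosts.blocked"
cat > "$BLOCKED" <<'EOF'
192.0.2.10
198.51.100.7
EOF

# Stand-in for /etc/hosts.allow. The first line shows that a daemon_list
# may hold several comma-separated names; ALL : ALL : ALLOW at the end
# stands for the usual permissive default.
ALLOW="$WORK/hosts.allow"
cat > "$ALLOW" <<EOF
sshd, smtpd : $BLOCKED : DENY
imap4d : $BLOCKED : DENY
ALL : ALL : ALLOW
EOF

# matches_daemon LIST NAME: succeed if NAME (or ALL) is in the list.
matches_daemon() {
    for d in $(printf '%s' "$1" | tr ',' ' '); do
        if [ "$d" = ALL ] || [ "$d" = "$2" ]; then return 0; fi
    done
    return 1
}

# matches_client SPEC IP: ALL, a literal address, or an absolute path to
# a file holding one client pattern per line (the form the reply uses).
matches_client() {
    case $1 in
        ALL) return 0 ;;
        /*)  grep -qxF "$2" "$1" 2>/dev/null ;;
        *)   [ "$1" = "$2" ] ;;
    esac
}

# decide FILE SERVICE IP: print the action of the first matching line,
# as tcp_wrappers does (an omitted third field means allow).
decide() {
    while IFS= read -r line; do
        case $line in ''|\#*) continue ;; esac
        daemons=$(printf '%s' "$line" | cut -d: -f1 | sed 's/^ *//;s/ *$//')
        clients=$(printf '%s' "$line" | cut -d: -f2 | sed 's/^ *//;s/ *$//')
        action=$(printf '%s' "$line" | cut -d: -f3 | sed 's/^ *//;s/ *$//')
        if matches_daemon "$daemons" "$2" && matches_client "$clients" "$3"; then
            printf '%s\n' "${action:-ALLOW}"
            return 0
        fi
    done < "$1"
    echo ALLOW   # no hosts.allow match; a hosts.deny pass is not modelled here
}

# Walk a few constructed connections through the emulated lookup.
for probe in "sshd 192.0.2.10" "smtpd 198.51.100.7" "imap4d 192.0.2.10" \
             "pop3d 192.0.2.10" "sshd 203.0.113.5"; do
    set -- $probe
    printf '%-7s from %-13s -> %s\n' "$1" "$2" "$(decide "$ALLOW" "$1" "$2")"
done
```

The point the demo makes is the one the reply relies on: the client list in a hosts.allow line can be a file of addresses, so DenyHosts only needs to maintain that file, and which services honour it is decided entirely by the daemon_list on each line (sshd and smtpd share one line, imap4d has its own, pop3d is never blocked).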
