I looked around for a nice way to ban attackers who try to get into my machines and settled on DenyHosts as my favorite. One emerge later I was editing the configuration file, and after I got done with that the trouble started.
First sshd completely ignored the /etc/hosts.deny file that DenyHosts 2.6-r1 writes into. Maybe I forgot to install tcp-wrappers? Nope, those are there. Maybe I forgot to build sshd with the tcpd USE flag? No, that's there. It turns out that the default sshd configuration will bind to all interfaces on your machine, and for some reason that leads to entries in /etc/hosts.deny not being respected. The details are muddy, at least to me, but adding a ListenAddress your.ip.here.please solves the problem. And you gotta put your actual IP address!
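A small check for the two conditions described above, as an added example that is not part of the original post: whether an sshd_config still listens on all addresses, and whether a given IPv4 address is listed for sshd in a hosts.deny file. The function names and sample files are constructed here, and the `sshd: <ip>` line format is an assumption, since the post does not show the file DenyHosts wrote.

```sh
# Added example, not from the post. Run it on copies of sshd_config and hosts.deny.

# Print every ListenAddress value (the keyword is case-insensitive).
listen_addrs() {
    awk 'tolower($1) == "listenaddress" { print $2 }' "$1"
}

# Succeed if sshd would listen on all addresses: no ListenAddress line at
# all (the default) or an explicit wildcard address.
listens_on_all() {
    addrs=$(listen_addrs "$1")
    [ -z "$addrs" ] && return 0
    for a in $addrs; do
        case "$a" in
            0.0.0.0|0.0.0.0:*|::|\[::\]|\[::\]:*) return 0 ;;
        esac
    done
    return 1
}

# Succeed if hosts.deny file $1 has a rule for sshd (or ALL) that names the
# IPv4 address $2 literally. Wildcards, netmasks and IPv6 are not handled.
denied_for_sshd() {
    awk -v ip="$2" '
        /^[ \t]*#/ || !/:/ { next }
        {
            split($0, f, ":")            # f[1] = daemon list, f[2] = client list
            nd = split(f[1], d, /[ \t,]+/)
            nc = split(f[2], c, /[ \t,]+/)
            svc = 0
            for (i = 1; i <= nd; i++) if (d[i] == "sshd" || d[i] == "ALL") svc = 1
            for (i = 1; svc && i <= nc; i++) if (c[i] == ip) { found = 1; exit }
        }
        END { exit !found }
    ' "$1"
}

# Constructed sample files (documentation addresses, not real hosts).
write_samples() {
    printf '#ListenAddress 0.0.0.0\nPort 22\n' > "$1/sshd_default"
    printf 'Port 22\nListenAddress 192.0.2.10\n' > "$1/sshd_bound"
    printf '# DenyHosts\nsshd: 203.0.113.7\nvsftpd: 198.51.100.9\n' > "$1/hosts.deny"
}

dir=$(mktemp -d) && write_samples "$dir"
listens_on_all "$dir/sshd_default" && echo "sshd_default: listens on all addresses"
listens_on_all "$dir/sshd_bound" || echo "sshd_bound: explicit ListenAddress"
denied_for_sshd "$dir/hosts.deny" 203.0.113.7 && echo "203.0.113.7: denied for sshd"
rm -rf "$dir"
```

A match here only shows that the entry is in the file; whether sshd honours it still has to be confirmed with a connection attempt from a listed address.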
So once that's working, I try the init script to (re)start DenyHosts. And it fails. At least that's what the init script says; in htop I can clearly see that I have a denyhosts process running now. What do you know, the init script that comes with DenyHosts 2.6-r1 on Gentoo is broken. You need to replace --name /path/to/python instead. Yes, you'll have to change it every time you update the Python interpreter to a new major version. What can I say? Someone needs to rewrite the init script from scratch I guess.
So now I have DenyHosts running, and script kiddies who try to get into my machine are banned. What else could I wish for? I don't know, a similar tool for Apache maybe? :-D