README.fedora
Some useful information about DenyHosts as packaged by Fedora Extras
--------------------------------------------------------------------

It installs and runs as a service, so you can start it with:

  service denyhosts start

and enable it at boot time with:

  chkconfig denyhosts on

By default denyhosts runs continuously waking up to process your logs
every thirty seconds.  However, you can choose to have it run
periodically via cron.  To do so, edit /etc/sysconfig/denyhosts and
change the "DAEMON=yes" line to "DAEMON=no".  Then edit
/etc/cron.d/denyhosts, uncomment the appropriate lines and adjust the
interval at which it runs to your choosing.  You can see a description
of the file format by running:

  man 5 crontab

By default, DenyHosts is set up to purge old block entries, but only
after four weeks.  If you wish to adjust this, edit /etc/denyhosts.conf
and look for "PURGE_DENY".

DenyHosts will process only your current logfile (/var/log/secure).  If
you want to incorporate an old logfile (in this example,
/var/log/secure.1), you can run

  denyhosts.py -c /etc/denyhosts.conf /var/log/secure.1

DenyHosts can also handle logs compressed with gzip or bzip2.


Notes about sync
----------------

Denyhosts can communicate with a remote server to exchange information
about blocked hosts.  This functionality is disabled by default.  The
maintainers of this package in Fedora do not recommend enabling the
sync functionality for the following reasons:

*) It has been linked to hangs and crashes of the daemon.  The upstream
   developers have not been able to fix these issues.

*) The server itself is closed-source, so these problems cannot be
   debugged from the server end by anyone other than the upstream
   developers.

If you choose to enable the sync functionality, please do the following:

*) Watch your denyhosts daemon carefully.  If it exits inexplicably or
   hangs, attempted ssh hacks will not be blocked automatically.

*) Report issues to the upstream developers (at
   http://denyhosts.sf.net).  Please do not report issues to Fedora; we
   cannot fix them.

Denyhosts has proven to be very stable when sync functionality is not
enabled.


Notes about upgrading
---------------------

If upgrading from DenyHosts 0.6.0 or earlier, note that this package
does not run

  denyhosts --migrate

to make the old entries expirable.  This preserves any entries that may
have been manually added.  You can, of course, run this yourself.

This package runs

  denyhosts --upgrade099

automatically to move any post-0.6.0 and pre-0.9.9 entries into the
proper format.
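
One way to follow the "watch your denyhosts daemon carefully" advice in the
sync notes, as an added example that is not part of this package or of
upstream DenyHosts: a check, suitable for cron or a monitoring agent, that
reports whether the daemon has exited or has stopped keeping up with the log.
It assumes a pid file that holds the daemon's pid and a state file that the
daemon rewrites whenever it processes new log data; the paths in the usage
comment are assumptions, so take the real ones from your own configuration.

```shell
#!/bin/sh
# Added example: watchdog check for a log-following daemon such as denyhosts.
# Every path is passed in by the caller; nothing here is taken from the package.

# Print a file's modification time in epoch seconds (GNU stat, then BSD stat).
mtime() {
    stat -c %Y "$1" 2>/dev/null || stat -f %m "$1" 2>/dev/null
}

# check_denyhosts PIDFILE AUTHLOG STATEFILE [MAX_LAG_SECONDS]
# Prints one word and returns: ok (0), dead (1), stalled (2).
check_denyhosts() {
    pidfile=$1; authlog=$2; statefile=$3; max_lag=${4:-300}

    # Dead: no readable pid file, or the recorded pid is not a live process.
    if [ ! -r "$pidfile" ]; then echo dead; return 1; fi
    pid=$(tr -cd '0-9' < "$pidfile")
    if [ -z "$pid" ]; then echo dead; return 1; fi
    # kill -0 fails for another user's process, so also consult /proc.
    if ! kill -0 "$pid" 2>/dev/null && [ ! -d "/proc/$pid" ]; then
        echo dead; return 1
    fi

    # No auth log yet means there is nothing for the daemon to fall behind on.
    if [ ! -e "$authlog" ]; then echo ok; return 0; fi

    # Stalled: the process exists, but the auth log was written to more than
    # MAX_LAG seconds after the daemon last updated its state file, so new
    # login failures are not being processed.
    if [ ! -e "$statefile" ]; then echo stalled; return 2; fi
    lag=$(( $(mtime "$authlog") - $(mtime "$statefile") ))
    if [ "$lag" -gt "$max_lag" ]; then echo stalled; return 2; fi

    echo ok
}

# Usage (paths are assumptions, adjust to your system):
#   check_denyhosts /var/lock/subsys/denyhosts /var/log/secure \
#       /var/lib/denyhosts/offset 300 || logger -p auth.warning "denyhosts not healthy"
```

The default threshold of 300 seconds is deliberately much larger than the thirty-second wake-up interval mentioned above, so a single slow pass does not raise an alert.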