On Wed, Jan 21, 2009 at 6:36 AM, Nikos Chantziaras <[email protected]> wrote:
> Paul Hartman wrote:
>>
>> I'm using the online denyhosts synchronization database, I think that
>> may negatively affect how often it blocks hosts locally, because it
>> waits until it does a remote sync to scan the local file. This is my
>> theory. I like the idea of sharing my blocks and taking advantage of
>> the blocks of others, but if it renders the program ineffective
>> against the IP /actively/ attacking my system, then it's pointless.
>>
>> I'm going to turn off the online sharing of denyhosts and see if it
>> makes a difference.
>>
>> Otherwise I guess I need to set up some kind of local firewall on this
>> machine to get any more fine control over the connections.
>
> The shared list of attackers doesn't have anything to do with it. Denyhosts
> checks the logs every X seconds. I think 30 by default, not sure. In that
> time, there can be many more attempted logins than the maximum you have
> configured in Denyhosts.
>
> Also, the downloaded list of known attack hosts is copied locally into your
> hosts.deny file. That's all there is to it.
Then what would cause it to not add a new denied host until after many many attempts? I disabled the network sync but denyhosts still takes "forever" before denying... each IP is able to do hundreds of attempts before getting added to the hosts.deny file.
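The mechanism Nikos describes (the daemon only scans the log every N seconds, so a fast attacker gets rate x interval attempts in before the threshold is even evaluated) is easy to see in a small simulation. The following is an added example, not DenyHosts code and not from anyone on this thread; the 30-second poll interval and the threshold of 5 failures are assumed values standing in for DenyHosts' configuration, and the sshd log lines are constructed.

```python
"""Simulate a log-polling SSH blocker (DenyHosts-style) to show how many
failed logins a host gets in before it is written to hosts.deny.

Added example, not DenyHosts source.  The poll interval and threshold
below are assumptions chosen for illustration, not DenyHosts defaults.
"""
import re
from dataclasses import dataclass

# sshd's "Failed password" line as it appears in a syslog-style auth log.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?\S+ from (\d+\.\d+\.\d+\.\d+)"
)


@dataclass
class Event:
    t: float    # seconds since the start of the attack
    line: str   # the log line as sshd would write it


def make_attack(ip, rate_per_sec, duration_s):
    """Constructed sshd log lines: one failed login every 1/rate seconds."""
    n = int(rate_per_sec * duration_s)
    return [
        Event(i / rate_per_sec,
              f"sshd[1234]: Failed password for invalid user admin "
              f"from {ip} port 51234 ssh2")
        for i in range(n)
    ]


def simulate(events, poll_interval, threshold):
    """Scan the log only once every poll_interval seconds, like a daemon
    that sleeps between passes, and deny an IP once it has reached
    threshold failures.  Nothing is denied between polls, so every line
    written before the deciding poll has already been accepted by sshd.

    Returns {ip: (time_denied, attempts_before_denial)}.
    """
    counts = {}    # failures seen per IP so far
    denied = {}
    scanned = 0
    t = poll_interval
    last_t = events[-1].t if events else 0
    while t <= last_t + poll_interval:
        # Consume every line written before this poll.
        while scanned < len(events) and events[scanned].t < t:
            m = FAILED_RE.search(events[scanned].line)
            if m:
                ip = m.group(1)
                counts[ip] = counts.get(ip, 0) + 1
            scanned += 1
        # Only now does the blocker get to compare against the threshold.
        for ip, c in counts.items():
            if c >= threshold and ip not in denied:
                denied[ip] = (t, c)
        t += poll_interval
    return denied


if __name__ == "__main__":
    fast = make_attack("203.0.113.7", rate_per_sec=10, duration_s=60)
    print("30s poll, threshold 5:", simulate(fast, 30, 5))
    print(" 1s poll, threshold 5:", simulate(fast, 1, 5))
    slow = make_attack("198.51.100.9", rate_per_sec=0.1, duration_s=120)
    print("30s poll, slow attacker:", simulate(slow, 30, 5))
```

With a 30-second poll and a brute-forcer doing ten attempts per second, the host is denied at the first poll, but 300 attempts have already been accepted by sshd; shrinking the poll to one second cuts that to 10, which is still double the threshold. The threshold only bounds the count for a slow attacker (one attempt every ten seconds is caught at the second poll with 6 attempts). Anything that reads the log after the fact has this floor of rate x interval, which is why an in-kernel or firewall-level rate limit on new connections to port 22 is the usual complement.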

