durty_nacho (Tux's lil' helper)
Joined: 22 Jul 2004 Posts: 128 Location: Dallas
Posted: Thu Nov 29, 2007 1:23 am Post subject: Hosts in hosts.allow that are set to DENY can still access
I run VSFTPD and get dictionary attacks a lot, so I have a cron job that runs blockhosts every 5 minutes and scans my vsftpd.log file for failed login attempts, and adds the culprits who attack me to my hosts.allow file as a DENY. This has always worked, but today I found an IP that keeps attacking me even though he has been successfully added to the hosts.allow file as a DENY. The cron job is running fine, it definitely added the IP to the hosts.allow file and it is set to DENY, so why does this host still access me? I have him blocked with an iptables rule for the moment, but I am very curious why this host is not being blocked with my hosts.allow file.
Hu (Administrator)
Joined: 06 Mar 2007 Posts: 23103
Posted: Thu Nov 29, 2007 3:26 am
Blocking with an iptables rule is a better choice anyway. Is your hosts.allow file written in such a way that an earlier entry is matching the attacking machine? As I read the manpage, hosts.allow is a first-match-wins design, so if something higher up has whitelisted the host, your blacklist entry will have no effect.
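The two points above (the cron job that scans vsftpd.log for failed logins and writes DENY entries, and the first-match-wins evaluation of hosts.allow that can make such an entry dead) can be checked with a small script. This is an added example, not code from the thread or from blockhosts; the vsftpd.log lines, the hosts.allow file and the addresses are constructed, the whitelist line in it stands in for any entry placed above the deny rules, and the matcher implements only a subset of the hosts_access(5) client patterns (ALL, a literal IPv4 address, a "net." prefix and net/mask). It also assumes the daemon actually consults these files at all, which for vsftpd means a tcp_wrappers build with tcp_wrappers=YES.

```python
import ipaddress
import re
from collections import Counter

# Constructed vsftpd.log excerpt (not from the thread); the '[pid] [user] FAIL LOGIN:
# Client "ip"' shape is vsftpd's own log line format, addresses are documentation ranges.
SAMPLE_VSFTPD_LOG = """\
Thu Nov 29 01:02:03 2007 [pid 4410] [admin] FAIL LOGIN: Client "203.0.113.7"
Thu Nov 29 01:02:05 2007 [pid 4412] [root] FAIL LOGIN: Client "203.0.113.7"
Thu Nov 29 01:02:09 2007 [pid 4415] [test] FAIL LOGIN: Client "203.0.113.7"
Thu Nov 29 01:03:11 2007 [pid 4420] [bob] OK LOGIN: Client "198.51.100.20"
Thu Nov 29 01:04:40 2007 [pid 4431] [admin] FAIL LOGIN: Client "198.51.100.20"
"""

# Constructed hosts.allow using the extended ": allow / : deny" option field that
# blockhosts writes. The first line is a whitelist entry sitting above the denies.
SHADOWED_HOSTS_ALLOW = """\
vsftpd: 203.0.113. : allow
ALL: 203.0.113.7 : deny
ALL: 198.51.100.20 : deny
"""

FAIL_RE = re.compile(r'FAIL LOGIN: Client "(?P<ip>[^"]+)"')


def failed_logins(log_text):
    """Count FAIL LOGIN lines per client address (what the blockhosts scan looks for)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def offenders(log_text, threshold=3):
    """Addresses at or above the failure threshold, sorted."""
    return sorted(ip for ip, n in failed_logins(log_text).items() if n >= threshold)


def client_matches(pattern, ip):
    """Subset of hosts_access(5) client patterns: ALL, literal IPv4, 'net.' prefix, net/mask."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        return ip.startswith(pattern)
    if "/" in pattern:  # accepts both 203.0.113.0/24 and 203.0.113.0/255.255.255.0
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    return pattern == ip


def parse_rules(text, default_verdict):
    """Yield (daemons, clients, verdict, source_line); an ALLOW/DENY third field
    overrides the verdict implied by which file the rule came from."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue  # blank or comment-only line
        verdict = default_verdict
        if len(fields) > 2 and fields[2].upper() in ("ALLOW", "DENY"):
            verdict = fields[2].lower()
        rules.append(([d.strip() for d in fields[0].split(",")],
                      [c.strip() for c in fields[1].split(",")], verdict, line))
    return rules


def hosts_access(daemon, ip, allow_text, deny_text=""):
    """First-match-wins: hosts.allow top to bottom, then hosts.deny; no match = allow."""
    for daemons, clients, verdict, src in (parse_rules(allow_text, "allow")
                                           + parse_rules(deny_text, "deny")):
        if any(d in ("ALL", daemon) for d in daemons) and any(client_matches(c, ip) for c in clients):
            return verdict, src
    return "allow", None


def shadowed_deny_rules(allow_text, daemon):
    """Literal-IP deny entries that an earlier rule already decides for this daemon,
    so they can never fire. Returns (deny_line, earlier_line) pairs."""
    rules = parse_rules(allow_text, "allow")
    found = []
    for i, (_, clients, verdict, src) in enumerate(rules):
        if verdict != "deny":
            continue
        for ip in clients:
            if ip == "ALL" or ip.endswith(".") or "/" in ip:
                continue  # only literal addresses are checked here
            for daemons2, clients2, _, src2 in rules[:i]:
                if any(d in ("ALL", daemon) for d in daemons2) and any(client_matches(c, ip) for c in clients2):
                    found.append((src, src2))
                    break
    return found


if __name__ == "__main__":
    bad = offenders(SAMPLE_VSFTPD_LOG)
    print("would add:", ["ALL: %s : deny" % ip for ip in bad])
    print("203.0.113.7 ->", hosts_access("vsftpd", "203.0.113.7", SHADOWED_HOSTS_ALLOW))
    print("shadowed:", shadowed_deny_rules(SHADOWED_HOSTS_ALLOW, "vsftpd"))
```

Run as-is, it reports that 203.0.113.7 crosses the threshold, that the lookup for vsftpd still returns allow because the "vsftpd: 203.0.113. : allow" line matches first, and names that pair as the shadowing rule; moving the deny lines above the whitelist entry (or keeping exact-IP denies at the top of the file, as blockhosts' marker section is meant to do) makes the same lookup return deny. The same evaluator also shows that a daemon not covered by the whitelist line (e.g. sshd) is denied by the entry that vsftpd never reaches.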
durty_nacho (Tux's lil' helper)
Joined: 22 Jul 2004 Posts: 128 Location: Dallas
Posted: Thu Nov 29, 2007 3:34 am
Yeah, I thought about that; I have nothing whitelisted at all. The reason I use blockhosts instead of iptables is I want an automated and dynamic process to temporarily ban an IP. This seems to work best for what I need.
Cyker (Veteran)
Joined: 15 Jun 2006 Posts: 1746
Posted: Thu Nov 29, 2007 8:34 am
Erm... did you mean hosts.deny?
bunder (Bodhisattva)
Joined: 10 Apr 2004 Posts: 5947
Posted: Thu Nov 29, 2007 9:58 am
Last I checked, hosts.allow/deny only works with things built with tcp-wrappers; do you have the tcpd flag set?
Cheers
PS: if you don't want to install it, go the iptables route instead.
PPS: iptables can be automated with fail2ban.
durty_nacho (Tux's lil' helper)
Joined: 22 Jul 2004 Posts: 128 Location: Dallas
Posted: Fri Nov 30, 2007 5:22 pm
I don't want to use fail2ban because it only works for sshd and proftp, not vsftpd (from what I read). vsftpd has its tcp_wrappers=YES option enabled. It is working again, not sure what the heck was wrong. Maybe the cron job was failing without errors. Thanks for the replies.