
I have about 50k IP addresses denied in the hosts.deny file, generated by a script with at most 7 addresses per line, and I get this error:

warning: /etc/hosts.deny, line 4429: missing newline or line too long

Line 4429 is the one in the middle here:

ALL: 96.47.225.95, 96.47.225.96, 96.47.225.97, 96.47.225.98, 96.47.225.99, 96.56.113.123, 96.8.112.149
ALL: 98.126.161.178, 98.15.206.118, 98.159.4.16, 98.197.212.67, 98.83.135.94, 98.94.6.213, 98.94.6.78
ALL: 99.167.89.146, 99.177.96.73, 99.235.84.25, 99.244.9.103, 99.49.94.70

What's wrong?

Update:

The warning only appears when the hosts.deny file is being written at the same moment a connection is made (I/O, lock, fopen for write, fopen for read problem).

Daniel W.
  • 11
    You are the most dedicated person I have ever met. – Wesley Jul 03 '13 at 15:36
  • 2
    Dude, why are you not denying IPs in blocks instead of one at a time? – Chris S Jul 03 '13 at 15:39
  • Yeah. That makes no sense to go one by one. – TomTom Jul 03 '13 at 15:44
  • I have different tools, servers and sources reporting bot and evil IP addresses into a single database, and a cron that generates hosts.deny and ipset rules from that table. Not all servers are able to use iptables. I don't know any tool that builds blocks from given addresses, and I don't want to lock a whole block when there are only 2-3 bad IPs in it. :-S – Daniel W. Jul 03 '13 at 15:44
  • @ChrisS what tool can you suggest to sum up single ips to groups? – Daniel W. Jul 04 '13 at 11:29
  • Perhaps I should ask why you're using hosts.deny instead of iptables? – Chris S Jul 04 '13 at 18:30
  • @ChrisS I have root servers with iptables support but some virtual servers without iptables support. – Daniel W. Jul 05 '13 at 09:38

1 Answer

1

In my opinion, it doesn't make sense to have such a large `/etc/hosts.deny` file, for several reasons:

  1. Botnet activity can come from possibly legitimate source IP addresses, and it is usually useless to forever block an IP that may just be the temporary public IP of a compromised home computer with a dynamic address.
  2. There are better tools for this job, like denyhosts, fail2ban, psad, etc., that will provide some protection from the evildoers without falling into the trap mentioned in the previous paragraph.

Now, if you really need to maintain such a list, you could keep it in a separate file, as explained in the hosts_access(5) manpage, under the PATTERNS section:

PATTERNS

 The access control language implements the following patterns:

  ·      A string that begins with a `/` character is treated as a file name. A host name or address is matched if it matches any host name or address pattern listed in the named file. The file format is zero or more lines with zero or more host name or address patterns separated by whitespace. A file name pattern can be used anywhere a host name or address pattern can be used.

I gave it a try, and generated a list:

# echo 123.{1..255}.{1..255}.{1..254} > /etc/list

Added it to the /etc/hosts.deny file:

# echo 'ALL: /etc/list' >> /etc/hosts.deny

Tried some connections and inspected my logs. I haven't been able to reproduce the warning you mentioned.

dawud
  • 1. I don't keep my logs and bans forever. 2. Why do you think fail2ban is better when you don't even know my setup? I AM using fail2ban on one of the servers. fail2ban adds IPs to the database and hosts.deny! – Daniel W. Jul 04 '13 at 07:53
  • Fair enough. Did you try to use a separate file to maintain the list? did it work? – dawud Jul 04 '13 at 08:10
  • I didn't try that. But I will go for that: create a temporary list and `mv` it over the hosts.deny – Daniel W. Jul 04 '13 at 08:14
  • 1
    I had a look at this question again after years and I pretty much laughed at the comments and the way I tried to defend my server :D Using fail2ban for a long time now and it works great. – Daniel W. Dec 13 '16 at 10:17
  • So what's the line length limit of hosts.deny? This doesn't answer his question. – ewatt Oct 10 '19 at 19:39
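The two fixes that come out of this thread, the separate list file referenced by a single `ALL: /path` pattern (from the answer) and the write-to-temp-then-`mv` replacement (from the question's update and the follow-up comment), combined into one script. This is an added example, not code from the question or answer: the list path, the `limit` default and the helper names are assumptions, and the sample addresses in the usage comment are constructed. `rename(2)` replaces the file in a single step, so a tcpd that opens the list while the cron job runs sees either the old complete file or the new complete file, never a half-written one, which is the "missing newline" condition the question hit.

```shell
#!/bin/sh
# Added example: atomically install a tcp_wrappers deny list kept in its own
# file (hosts_access(5) "file name pattern"), and check a file for the two
# symptoms tcpd warns about: an over-long line and a missing final newline.
# Paths are parameters so the functions can be exercised in a scratch dir;
# the production names (/etc/hosts.deny, /etc/hosts.deny.list) are assumed.

# install_list TARGET  <  addresses (one per line, as exported from the DB)
# Writes a deduplicated, blank-free copy to a temp file next to TARGET and
# renames it into place. mv within one filesystem is rename(2), i.e. atomic.
install_list() {
    target=$1
    tmp=$(mktemp "${target}.XXXXXX") || return 1
    if ! grep -v '^[[:space:]]*$' | sort -u > "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    chmod 0644 "$tmp"
    mv -f "$tmp" "$target"
}

# reference_list DENYFILE LISTFILE
# Appends "ALL: LISTFILE" to DENYFILE unless that exact line is already there,
# so hosts.deny itself stays one short, stable line instead of 50k addresses.
reference_list() {
    deny=$1 list=$2
    if [ -f "$deny" ] && grep -qxF "ALL: $list" "$deny"; then
        return 0
    fi
    printf 'ALL: %s\n' "$list" >> "$deny"
}

# check_file FILE [LIMIT]
# Returns non-zero if FILE is empty, does not end with a newline (the torn-read
# case from the question), or has a line longer than LIMIT bytes. The page does
# not state tcpd's actual buffer size; 2000 is a conservative assumed default.
check_file() {
    file=$1 limit=${2:-2000}
    [ -s "$file" ] || return 1
    last=$(tail -c 1 "$file" | od -An -tx1 | tr -d ' \n')
    [ "$last" = "0a" ] || return 1
    awk -v max="$limit" 'length($0) > max { bad = 1 } END { exit bad }' "$file"
}

# Usage from the cron job (constructed addresses; not run here):
#   db_export_bad_ips | install_list /etc/hosts.deny.list
#   reference_list /etc/hosts.deny /etc/hosts.deny.list
#   check_file /etc/hosts.deny.list || logger -t denylist "list failed sanity check"
```

Because the list file is written one address per line, no line ever approaches any length limit regardless of how many addresses the database holds, and `check_file` gives the cron job a cheap post-write assertion before it moves on to the ipset rules.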