# All hosts blocked but fail2ban still edits /etc/hosts.deny

## Xander314

My /etc/hosts.deny file originally contained just the one following line:

```
ALL: all
```

and /etc/hosts.allow contained

```
sshd: avs-workstation.avs-net avs-laptop.avs-net
```

where avs-workstation and avs-laptop resolve to IP addresses on my LAN.

Presumably, therefore, any intrusion attempts would be rejected, since they do not originate from one of these IP addresses. However, I recently checked /etc/hosts.deny, and it had many additional entries of the form

```
ALL: <ip address>
```

which were presumably added by fail2ban. However, how did these attacks get detected by fail2ban at all, since the /etc/hosts.deny file specifies that these attackers be completely denied access? Doesn't fail2ban detect failed authentification attempts in the log files (none of which should even happen given the top line in my /etc/hosts.deny)? My question, therefore, is why were all these attackers detected and blocked, and should I be worried? Also, if I have "ALL: all" in /etc/hosts.deny, is there any point running fail2ban at all?

Finally, I haven't yet set up port forwarding on my router, so how come ssh traffic is making it to my box at all?

Thanks in advance,

Xander

----------

