Securing your server using DenyHosts

Running an internet accessible server means you are opening yourself to crackers. Running the server in itself is a risk, so risk management is of top priority when you open up the ports for accessing the server.
The standard ports are 80(http), 443(https) and mostly 22(for ssh). Port 22 is the most important one. Even though ssh assures secure (encrypted) communication. It's still not safe, say against dictionary attacks. You can do few things to manage the risk

1. Change the ssh port from 22 to something else. This is simple. Even though it doesn't protect against the attacks, it will surely slowdown the automated attacks.

#1.Edit the sshd_config 
nano /etc/ssh/sshd_config 
#2.Locate the below line and change the number 22 to say 1001
Port 22
#3.restart sshd 
service sshd restart
#or by running
/etc/init.d/ssh restart

2. Installing and DenyHosts to control the logins through ssh

#1.Install the denyhosts.
sudo apt-get install denyhosts
#2.edit the denyhosts config
sudo nano /etc/denyhosts.conf
#3.restart denyhosts
sudo /etc/init.d/denyhosts restart
#4.check the logs to see who is trying to login etc
less /var/log/auth.log
#5.see what ip address are blocked
less /etc/hosts.deny

It's important to go through every configurable item in denyhosts.conf before you enable denyhosts. According to me the most important ones are below. These are three important thresholds which will lockup the ip address.

#########################################################
# DENY_THRESHOLD_INVALID: block each host after the 
# number of failed login attempts has exceeded this value.  
# This value applies to invalid user login attempts
# (eg. non-existent user accounts)
#
DENY_THRESHOLD_INVALID = 5
#
##########################################################
# DENY_THRESHOLD_VALID: block each host after the number 
# of failed login attempts has exceeded this value.  This 
# value applies to valid user login attempts (eg. user 
# accounts that exist in /etc/passwd) except for the "root" 
# user
DENY_THRESHOLD_VALID = 10
#
##########################################################
# DENY_THRESHOLD_ROOT: block each host after the number of
# failed login attempts has exceeded this value.  This 
# value applies to "root" user login attempts only.
#
DENY_THRESHOLD_ROOT = 1
#########################################################

Remember denyhosts deosn't lock the account. It locks only the IP address from where an user/cracker tried to login. So in case if you are locked yourself out. Try login from a different IP address (make sure your password right this time) and follow the steps below to remove your IP address.

  1. Stop DenyHosts
  2. Remove the IP address from /etc/hosts.deny
  3. Edit WORK_DIR/hosts and remove the lines containing the IP address. Save the file.
  4. Edit WORK_DIR/hosts-restricted and remove the lines containing the IP address. Save the file.
  5. Edit WORK_DIR/hosts-root and remove the lines containing the IP address. Save the file.
  6. Edit WORK_DIR/hosts-valid and remove the lines containing the IP address. Save the file.
  7. Edit WORK_DIR/user-hosts and remove the lines containing the IP address. Save the file.
  8. (optional) Consider adding the IP address to WORK_DIR/allowed-hosts
  9. Start DenyHosts

You can try Fail2Ban if you want an alternative. Also remember DenyHosts is just one of the security related steps you have to take and not the only step.