Monday, January 18, 2016

iptables and denyhost

If you have a Linux server exposed to the Internet, then you may be aware of the constant authentication attempts from all over the world. If you are not aware, then you just have not looked at your log files to see all the failed attempts.

This is where denyhost comes into play. It monitors these attempts and, after a number of failed attempts, adds an iptables entry to block that IP. I typically allow 3 attempts before the IP is blacklisted. This has worked nicely for me.

I also proactively block huge blocks of IP addresses with a simple script that gets all the IP addresses for certain countries and blocks them all. This has been the single most effective measure to eliminate a huge percentage of the auth guessing attempts.
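The two measures described above, as an added example that is not denyhost's code or the author's script: it counts failed SSH logins per address, skips addresses already covered by bulk-blocked ranges, and returns (does not run) the iptables rule once an address reaches 3 failures. The function name, the sample log lines and the 203.0.113.0/24 range are assumptions made for illustration.

```python
import ipaddress
import re
from collections import Counter

# The user name is client-supplied text, so the pattern is anchored to the end
# of the line and only the trailing address written by sshd is counted.
FAILED = re.compile(r"sshd\[\d+\]: Failed password for .* from (\S+) port \d+ ssh2$")

def plan_blocks(log_lines, preblocked=(), threshold=3):
    """Return one iptables command per IPv4 address reaching `threshold` failures.

    `preblocked` holds CIDR ranges already dropped in bulk (the country lists);
    addresses inside them need no per-host rule.
    """
    nets = [ipaddress.ip_network(n) for n in preblocked]
    failures = Counter()
    commands = []
    for line in log_lines:
        m = FAILED.search(line.rstrip())
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # not a literal address: never hand it to iptables
        if ip.version != 4 or any(ip in n for n in nets):
            continue  # iptables is IPv4 only; bulk-blocked ranges are skipped
        failures[ip] += 1
        if failures[ip] == threshold:  # emit the rule once, when the count hits the threshold
            commands.append(f"iptables -I INPUT -s {ip} -j DROP")
    return commands

# Constructed sample lines in the usual sshd auth-log shape (documentation addresses).
PREBLOCKED = ["203.0.113.0/24"]  # constructed stand-in for one country range
SAMPLE_LOG = [
    "Jan 18 03:12:01 web sshd[811]: Failed password for root from 198.51.100.7 port 4101 ssh2",
    "Jan 18 03:12:02 web sshd[811]: Failed password for invalid user admin from 198.51.100.7 port 4102 ssh2",
    "Jan 18 03:12:03 web sshd[812]: Failed password for root from 203.0.113.9 port 5000 ssh2",
    "Jan 18 03:12:04 web sshd[812]: Failed password for root from 203.0.113.9 port 5001 ssh2",
    "Jan 18 03:12:05 web sshd[812]: Failed password for root from 203.0.113.9 port 5002 ssh2",
    "Jan 18 03:12:06 web sshd[813]: Failed password for invalid user a from 192.0.2.1 from 198.51.100.7 port 4103 ssh2",
    "Jan 18 03:12:07 web sshd[814]: Accepted password for alice from 192.0.2.50 port 6000 ssh2",
    "Jan 18 03:12:08 web sshd[811]: Failed password for root from 198.51.100.7 port 4104 ssh2",
]

if __name__ == "__main__":
    print("\n".join(plan_blocks(SAMPLE_LOG, PREBLOCKED)))
```

With the bulk range in place only one per-host rule is produced; without it, 203.0.113.9 would need its own rule as well.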

