I have been using denyhosts for almost a year. To date I have only prevented one person logging in and that is ME ( I used the wrong login name).
Also, I know of no successful break-ins.
My iptables is as follows:
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N block
-A INPUT -j block
-A FORWARD -j block
-A block -i wifi_card -p tcp -m tcp --dport 12123 -j ACCEPT
-A block -i Nic_external -p tcp -m tcp --dport 12123 -j ACCEPT
-A block -i Nic_enternal -j ACCEPT
-A block -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A block -i lo -m conntrack --ctstate NEW -j ACCEPT
-A block -j DROP
First, I think that the above will keep the bad guys out, Is that a true statement?
Sencondly, I have added a LOG rule just above the DROP rule and I have been monitoring it for about 1 1/2 weeks. As each entry is logged I have been adding it to /etc/hosts.deny. Currently there are 4318 ip adresses in the file and the number of packets that have been logged is 51592.
Denyhosts is for stopping ssh attempts and nothing else as I understand it.
Having over 4300 lines in /etc/hosts.deny causes almost no delay in logging in remotely.
Am I being to paranoid about keeping the bad guys out or is the iptable above completely adequate?
I would very much like to here your opinion on this,