Nice article. I also use DenyHosts on my servers, as you say for the minimal effort involved in setting it up, it really is worthwhile.

You mention one security by obscurity measure of changing the SSH service port from 22 to something else, but then needing to specify the port when connecting. Don’t forget you can add an entry to the SSH client configuration file (e.g. /etc/ssh/ssh_config) such as the one below to specify an alternative port. Issuing the command “ssh server.keyboardcat.com” will now automatically use port 2222.

Regarding setting the ADMIN_EMAIL variable, I personally leave this “commented out”. There is no option in the configuration to summarise updates to weekly or monthly intervals, and I got tired of daily emails with a couple of new IP’s in it. Alternatively, I have used a Munin plugin script to graph the DenyHosts ban list (http://www.tjansson.dk/?p=717) to keep tabs on the volume of attacks.

Optionally, the administrator can modify the BLOCK_SERVICE parameter inn the configuration file from “sshd” to “ALL”. This means an IP attempting an SSH bruteforce will not only be banned from access to the SSH service, but also to any other system services using TCP wrappers. As an aside, note that Apache2 will not use /etc/hosts.deny by default (on Ubuntu server at least).

Another optional step to consider is adding your management IP address (if it is static) to /etc/hosts.allow just to ensure you don’t accidentally lock yourself out.

RB