denyhosts bans hosts that repeatedly fail ssh logins and keeps your log files smaller.
install denyhosts if it is not already installed.
sudo apt-get -y install denyhosts
edit /etc/hosts.allow and whitelist the ip addresses or host names you connect from, so that denyhosts cannot lock you out.
sudo nano /etc/hosts.allow
add the following exceptions to the file, matching your hosts:
restart denyhosts to commit the changes immediately.
sudo /etc/init.d/denyhosts restart
for fine-grained control over ban times and alerts, optionally edit /etc/denyhosts.conf to suit your level of tolerance.
sudo nano /etc/denyhosts.conf
done. denyhosts is installed and will run at boot time. brute force ssh attempts are still logged, but repeat offenders and bots are now blacklisted.
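the whitelist step above is the one that keeps you out of your own blacklist, so it is worth doing carefully. the following script is an added example, not code from the page or from the denyhosts project: it adds "sshd: <client>" lines to a tcp_wrappers file without duplicating them, and refuses the wildcard ALL, which would let every host through because hosts.allow is consulted before hosts.deny. the target file is passed as an argument so you can try it on a scratch copy before pointing it at /etc/hosts.allow; the addresses in the demo are constructed from documentation ranges.

```shell
#!/bin/sh
# Added example (not from the original page): maintain the sshd whitelist in a
# tcp_wrappers hosts.allow file before denyhosts starts writing bans.
# Assumptions: the usual "sshd: <client> [, <client>...]" syntax, and the file path
# is passed explicitly so the functions can be tested on a scratch copy first.

# hosts_allow_has FILE CLIENT: exit 0 if FILE already lists CLIENT on an sshd line
hosts_allow_has() {
    awk -v want="$2" '
        /^[ \t]*#/ { next }                          # comment line
        /^[ \t]*sshd[ \t]*:/ {
            sub(/^[ \t]*sshd[ \t]*:/, "")            # drop the daemon field
            n = split($0, clients, /[ \t,]+/)
            for (i = 1; i <= n; i++)
                if (clients[i] == want) found = 1
        }
        END { exit found ? 0 : 1 }' "$1"
}

# hosts_allow_add FILE CLIENT: append "sshd: CLIENT" unless it is already present.
# Refuses the wildcard ALL: hosts.allow wins over hosts.deny, so "sshd: ALL" would
# make every denyhosts ban moot.
hosts_allow_add() {
    case $2 in
        ''|ALL|all) printf 'refusing to whitelist "%s"\n' "$2" >&2; return 2 ;;
    esac
    if hosts_allow_has "$1" "$2"; then
        return 0                                    # already whitelisted
    fi
    printf 'sshd: %s\n' "$2" >> "$1"
}

# hosts_allow_count FILE: number of sshd lines, for a quick sanity check
hosts_allow_count() {
    grep -c '^[ \t]*sshd[ \t]*:' "$1" 2>/dev/null || true
}

# Demo on a scratch file with constructed addresses (RFC 5737 documentation ranges).
scratch=$(mktemp)
hosts_allow_add "$scratch" 192.0.2.10          # office jump host (constructed)
hosts_allow_add "$scratch" 198.51.100.0/24     # home network (constructed)
hosts_allow_add "$scratch" 192.0.2.10          # duplicate: no second line written
hosts_allow_add "$scratch" ALL || true          # rejected with exit status 2
echo "entries: $(hosts_allow_count "$scratch")" # prints 2
cat "$scratch"
rm -f "$scratch"
```

for the real file, run hosts_allow_add /etc/hosts.allow <your address> as root and then restart denyhosts as the page shows; the function is idempotent, so re-running it from a provisioning script is safe.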
ufw (uncomplicated firewall) makes it easy to allow or deny specific ports or services.
install ufw if it is not already installed.
sudo apt-get -y install ufw
enable ufw, which also makes it start at boot time. since no rules have been added yet, this will not affect your current ssh session.
sudo ufw enable
allow inbound traffic for http, https and ssh. ufw also accepts service names, but this example uses port numbers.
sudo ufw allow 22
sudo ufw allow 80
sudo ufw allow 443
restart ufw to apply the changes immediately.
sudo service ufw restart
verify that the rules were properly applied:
sudo ufw status verbose
the expected output should look like the following:
Logging: on (low)
Default: deny (incoming), allow (outgoing)
New profiles: skip
To                         Action      From
--                         ------      ----
22                         ALLOW IN    Anywhere
80                         ALLOW IN    Anywhere
443                        ALLOW IN    Anywhere
22                         ALLOW IN    Anywhere (v6)
80                         ALLOW IN    Anywhere (v6)
443                        ALLOW IN    Anywhere (v6)
done. the firewall is installed and enabled at boot time, dropping all inbound traffic except http, https and ssh. note that this does not filter outbound traffic in any way; it only closes all inbound ports except those allowed above.
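the "ufw status verbose" check is the part you will want to repeat, since any later "ufw allow" on the box silently widens the policy. the script below is an added example, not code from the page or from ufw: it parses the status output, confirms the default inbound policy is deny and that every intended port has an ALLOW IN rule, and lists any allowed port that is not on your list. the sample text is constructed from the output shown above, with a leading "Status: active" line that real ufw prints but the page's transcript omits (an assumption here).

```shell
#!/bin/sh
# Added example (not from the original page): verify "ufw status verbose" output
# against the intended policy so drift or a missing ssh rule is caught early.
# Assumption: the output begins with "Status: active"; rule lines are as on the page.

# Constructed sample matching the output the page shows after the three allow rules.
SAMPLE_STATUS='Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing)
New profiles: skip

To                         Action      From
--                         ------      ----
22                         ALLOW IN    Anywhere
80                         ALLOW IN    Anywhere
443                        ALLOW IN    Anywhere
22                         ALLOW IN    Anywhere (v6)
80                         ALLOW IN    Anywhere (v6)
443                        ALLOW IN    Anywhere (v6)'

# ufw_status_ok STATUS_TEXT PORT...: exit 0 when the default inbound policy is deny
# and every PORT has an "ALLOW IN" rule; names what is missing on stderr otherwise.
ufw_status_ok() {
    status=$1; shift
    missing=""
    printf '%s\n' "$status" | grep -q '^Default: deny (incoming)' \
        || missing="default-deny-incoming"
    for port in "$@"; do
        printf '%s\n' "$status" | awk -v p="$port" '
            $2 == "ALLOW" && $3 == "IN" {
                split($1, to, "/")                  # accept "22" as well as "22/tcp"
                if (to[1] == p) ok = 1
            }
            END { exit ok ? 0 : 1 }' || missing="$missing $port"
    done
    if [ -n "$missing" ]; then
        printf 'ufw policy drift, missing: %s\n' "$missing" >&2
        return 1
    fi
    return 0
}

# ufw_unexpected_allows STATUS_TEXT PORT...: print each ALLOW IN port not in the list
ufw_unexpected_allows() {
    status=$1; shift
    printf '%s\n' "$status" | awk -v want="$*" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) expected[w[i]] = 1 }
        $2 == "ALLOW" && $3 == "IN" {
            split($1, to, "/")
            if (!(to[1] in expected) && !seen[to[1]]++) print to[1]
        }'
}

# Demo against the constructed sample; on a live host use
#   ufw_status_ok "$(sudo ufw status verbose)" 22 80 443
if ufw_status_ok "$SAMPLE_STATUS" 22 80 443; then
    echo "sample policy matches: 22, 80, 443 allowed, everything else denied"
fi
extra=$(ufw_unexpected_allows "$SAMPLE_STATUS
3306                       ALLOW IN    Anywhere" 22 80 443)
echo "unexpected allow rules in drifted sample: ${extra:-none}"   # prints 3306
```

one ordering note for remote hosts: with the page's sequence (enable first, allow 22 afterwards) only the already-established ssh session keeps working until the allow rule lands, because ufw's default deny still accepts established connections; running "ufw allow 22" before "ufw enable" removes that window entirely.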