I just got an Ubuntu instance on Linode. To secure the SSH on it, I installed fail2ban (using apt-get), but then had a problem: fail2ban kept banning my IP (for limited durations, thankfully) even though I was entering the correct password. So I removed fail2ban and installed denyhosts instead. Same problem, but more severe: it seems like every time I SSH in, my IP gets banned. I remove it from /etc/hosts.deny, restart denyhosts and log in again, and my IP gets banned again.
The only explanation I can think of is that I've been SSH-ing in as root (yes, yes, I know); maybe something is set somewhere that blocks anyone who SSH-es in as root, even if they log in successfully? This seems bizarre to me. Any ideas? (Whitelisting my IP is a temporary fix. I don't want to only be able to log on from one IP.)
I believe I've seen someone say that some of those apps will count failed key logins as a brute force attempt. Do you have an ssh-agent running with keys in it? Connecting with that set will offer every key in turn before falling back to password, so that might be why. Try setting sshd's log level higher, and check fail2ban/denyhost logs.
Edit: here is the original source that tipped me off, with a way to fix it.
Please review the following links:
If you want to scrap the whole fail2ban and denyhosts idea, do as Nathan Powell says below: change from port 22 to something more obscure.
Also a few more ideas:
iptables: the following example will drop incoming connections that make more than 2 connection attempts on port 22 within ten minutes:
key-based login
port knocker (knockd)
If sshd is set to VERBOSE logging level (or higher), it puts the phrase '...Failed none...' in the system log whenever a user successfully logs in. By default, fail2ban is set up to count this as a failure. I cured the problem by setting the logging level for sshd back down to INFO.
For details, please see my answer to this question: fail2ban bans me after a series of *successful* logins
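To make the failure mode in the answer above concrete, here is an added Python illustration (not code from the original post, and not fail2ban's own shipped sshd filter). The log lines are constructed, the two failregex patterns are hand-written stand-ins for a fail2ban filter, and maxretry=3 is an assumed jail setting. At LogLevel VERBOSE, sshd logs "Failed none for <user> from <host>" when the client probes the "none" method, which every client does before offering a key or password, so a legitimate user who logs in three times trips a naive pattern exactly like a three-guess brute forcer would.

```python
import re

# Constructed sample auth.log excerpt (not taken from the original post).
# 192.0.2.10 is a legitimate admin logging in successfully three times;
# 198.51.100.7 is a real brute-force attempt. Each successful login at
# LogLevel VERBOSE is preceded by a "Failed none" line.
SAMPLE_LOG = """\
Mar  3 10:00:01 host sshd[2001]: Failed none for root from 192.0.2.10 port 51000 ssh2
Mar  3 10:00:02 host sshd[2001]: Accepted publickey for root from 192.0.2.10 port 51000 ssh2
Mar  3 10:05:11 host sshd[2002]: Failed password for invalid user admin from 198.51.100.7 port 40022 ssh2
Mar  3 10:05:13 host sshd[2002]: Failed password for invalid user admin from 198.51.100.7 port 40022 ssh2
Mar  3 10:05:15 host sshd[2002]: Failed password for invalid user admin from 198.51.100.7 port 40022 ssh2
Mar  3 10:20:00 host sshd[2003]: Failed none for root from 192.0.2.10 port 51002 ssh2
Mar  3 10:20:01 host sshd[2003]: Accepted publickey for root from 192.0.2.10 port 51002 ssh2
Mar  3 10:41:30 host sshd[2004]: Failed none for root from 192.0.2.10 port 51007 ssh2
Mar  3 10:41:31 host sshd[2004]: Accepted publickey for root from 192.0.2.10 port 51007 ssh2
"""

HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Naive pattern: any "Failed <method> for ... from <host>" counts as a failure.
# This is the behaviour the answer describes: "Failed none" is tallied too.
NAIVE_FAILREGEX = re.compile(r"Failed \S+ for .* from " + HOST)

# Corrected pattern: a negative lookahead excludes the "none" probe, so only
# genuinely failed password/publickey attempts are counted.
FIXED_FAILREGEX = re.compile(r"Failed (?!none\b)\S+ for .* from " + HOST)


def count_failures(log_text, failregex):
    """Tally matches per source host the way a fail2ban filter would."""
    counts = {}
    for line in log_text.splitlines():
        m = failregex.search(line)
        if m:
            host = m.group("host")
            counts[host] = counts.get(host, 0) + 1
    return counts


def banned_hosts(log_text, failregex, maxretry=3):
    """Hosts whose tally reaches maxretry (the findtime window is ignored here)."""
    tally = count_failures(log_text, failregex)
    return sorted(host for host, n in tally.items() if n >= maxretry)


if __name__ == "__main__":
    print("naive:", banned_hosts(SAMPLE_LOG, NAIVE_FAILREGEX))
    print("fixed:", banned_hosts(SAMPLE_LOG, FIXED_FAILREGEX))
```

Running it shows the admin's own address banned alongside the attacker under the naive pattern, and only the attacker under the corrected one. Either fix from the answer works: drop sshd back to LogLevel INFO so the "Failed none" lines are never written, or make the filter ignore them.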
If you are SSHing as root for a specific reason, I hope you have keys set up. I would recommend these changes to your sshd_config file to lock down which host you can SSH into your server from as root:
If you don't need to SSH as root, which there is a good chance you don't, you should set up a normal user for yourself, create a group ssh or something, set up keys for the user, add them to the group ssh and add AllowGroups ssh to sshd_config. Then give your user sudo access by running visudo as root and adding the line: user ALL=(ALL) ALL, which will allow your user root access, with your user's password, when running sudo commandX.
Making sure sshd is locked down would be my first priority, especially if root login must be allowed.
Even running on an obscured port, the advanced kiddies will find you with port scanning.
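As an added example (not part of the answer above, and not an OpenSSH tool), the Python below audits an sshd_config for the lockdown that answer recommends: root login disabled, AllowGroups set, and password authentication off so that only keys work. Both config texts are constructed for the example. The parser honours sshd's rule that the first value given for a keyword wins, which is why a "PermitRootLogin no" added at the bottom of a file that already says "PermitRootLogin yes" does nothing; it stops at the first Match block because directives after it are conditional.

```python
import re

# Constructed example configs (not from the original post).
WEAK_CONFIG = """\
# Typical default-ish config: root may log in with a password
Port 22
PermitRootLogin yes
PasswordAuthentication yes
AllowGroups ssh
# This later line is ignored by sshd: the first value for a keyword wins
PermitRootLogin no
"""

HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
AllowGroups ssh
"""

# sshd_config allows "Keyword value" or "Keyword = value"; keywords are
# case-insensitive. Only whole-line comments are treated as comments.
KEYWORD_RE = re.compile(r"^(\S+?)\s*(?:=\s*|\s+)(.+?)\s*$")


def parse_sshd_config(text):
    """Return {keyword_lower: value}, keeping the FIRST occurrence of each keyword."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEYWORD_RE.match(line)
        if not m:
            continue
        keyword, value = m.group(1).lower(), m.group(2)
        if keyword == "match":
            break  # everything after a Match block is conditional; out of scope here
        settings.setdefault(keyword, value)
    return settings


def audit_sshd_config(text):
    """Return (Keyword, message) findings for the lockdown described above."""
    cfg = parse_sshd_config(text)
    findings = []

    root = cfg.get("permitrootlogin")
    if root is None:
        findings.append(("PermitRootLogin",
                         "not set explicitly; set it to no (or prohibit-password if root keys are required)"))
    elif root.lower() == "yes":
        findings.append(("PermitRootLogin", "yes allows root to log in with a password"))

    if "allowgroups" not in cfg and "allowusers" not in cfg:
        findings.append(("AllowGroups",
                         "no AllowGroups/AllowUsers: every account with a shell is reachable over SSH"))

    if cfg.get("passwordauthentication", "yes").lower() != "no":
        findings.append(("PasswordAuthentication",
                         "passwords still accepted; brute forcing remains possible"))

    if cfg.get("pubkeyauthentication", "yes").lower() == "no":
        findings.append(("PubkeyAuthentication", "disabled; key-based login will not work"))

    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(text) or "no findings")
```

Point it at /etc/sshd_config on the box and check what it reports before restarting sshd, and keep an existing session open while you test the new config from a second one so a mistake in AllowGroups does not lock you out.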
If you are open to going back to fail2ban, you can always use the ignoreip directive in jail.conf. For example: This way you don't get blocked by your sloppy typing ;-) It also means people can't block you by spoofing your IP (although with any TCP traffic that isn't too big of a concern).
I think if you are green enough to not be able to solve this by reading the config file and examining the logs, you should aim a bit lower till you get some experience.
If you are optimizing to thwart the brute force attacks that are common, change the port that sshd runs on. That will take care of the vast majority of those.