Any limit to number of iptables rules?

I've been watching a distributed ssh attack on my linode over the last few days, and fail2ban is handling it nicely, but I'm starting to wonder if there is a limit to the number of hosts it can block using iptables. I've got about 500 hosts blocked right now, but there seems to be no end in sight.

Anyone know if there is a limit to the number of iptables rules we can put into the linode UML kernel before SomethingBad happens?

6 Replies

I don't think there's a specific limit on the number of rules. There's a memory limit for connection tracking (e.g. NAT), but the fail2ban rules don't need that. The main problem with having lots of rules is that every packet has to get by them, and eventually you'll see significant CPU suckage. OTOH, 500 isn't actually that many, in my experience. You're not logging every DROP, are you?
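To see how long the per-packet walk described above has become, here is an added example (not from the thread or from fail2ban): a POSIX shell function that counts the rules in each chain of an `iptables-save` dump and flags chains above a threshold. The sample dump, the `fail2ban-SSH` chain name and the addresses in it are constructed for the example.

```shell
#!/bin/sh
# Count rules per chain in iptables-save output read from stdin.
# Prints one "table chain count" line per chain that has at least one rule.
count_chain_rules() {
    awk '
        /^\*/  { table = substr($0, 2); next }   # "*filter" starts a table
        /^-A / { n[table " " $2]++; next }        # "-A CHAIN ..." appends a rule
        END    { for (k in n) print k, n[k] }
    ' | sort
}

# Print only chains whose rule count is at or above a threshold.
# Default 500: the figure the original poster was worried about.
long_chains() {
    threshold="${1:-500}"
    count_chain_rules | awk -v t="$threshold" '$3 >= t'
}

# Helper so the functions can be fed a string instead of the live ruleset
# (reading the live one needs root: iptables-save | long_chains).
rules_in() { printf '%s\n' "$1" | count_chain_rules; }

# Constructed sample dump: two INPUT rules plus a fail2ban-style chain
# holding three per-host DROP rules and a trailing RETURN.
SAMPLE_DUMP='*filter
:INPUT ACCEPT [0:0]
:fail2ban-SSH - [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j fail2ban-SSH
-A INPUT -i lo -j ACCEPT
-A fail2ban-SSH -s 192.0.2.10/32 -j DROP
-A fail2ban-SSH -s 192.0.2.11/32 -j DROP
-A fail2ban-SSH -s 198.51.100.7/32 -j DROP
-A fail2ban-SSH -j RETURN
COMMIT'

# rules_in "$SAMPLE_DUMP" prints:
# filter INPUT 2
# filter fail2ban-SSH 4
```

Every packet hitting port 22 walks the whole `fail2ban-SSH` chain before it reaches `RETURN`, so the count for that chain is the number of comparisons each new SSH connection pays.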

My fail2ban instance, too, has caught a ton of ssh auth attempts during the last 36 hours or so. The vast majority of the hits seem to be coming from Germany. This recent onslaught finally convinced me (after resisting for 5 years) to run my sshd on an alternative port. I made that change this morning and haven't had a single brute force attempt :-)

Maybe something to consider?

That's right, I never run sshd on the standard port unless I don't have to. This dramatically reduces ssh attacks. Also, if you don't have to stick with user/password logins, use rsa/dsa key based authentication only.

A couple of weeks ago I was getting massive port 80 requests to a 404 on my server, that were attached to my domain, so I could not just change the IP or whatever.

I needed to block these bot requests and still have my Apache up and running, so I started to dynamically block through iptables. At the end of the first 24 hours I was already blocking over 22'000 distinct IPs. I had to upgrade my linode with 90 extra MB of RAM (from a linode 360) but everything else was fine!

After a week I had already blocked over 53'000 different IPs. Everything ran like a charm and I was still able to keep Apache running until eventually the bots stopped trying… :D :D

By the way, I flushed the tables once a week, just in case.

http://isc.sans.org/diary.html?storyid=4408

@pdepartida:

> After a week I had already blocked over 53'000 different IPs.

I suppose my 500 (577 now) is nothing to worry about then :)

I appreciate all the other suggestions, but so far I'm not terribly worried about the security of the system. I think I'm going to hold out on port 22 until I see a more viable threat.

Besides, it is kinda cool to get a list of somebody's botnet :twisted:
