Linode Community Forums
Any limit to number of iptables rules?


Linode.com Forum Index -> Linux Networking

Stever



Joined: 07 Dec 2007
Posts: 41
Location: NC, USA

Posted: Mon May 12, 2008 2:25 pm    Post subject: Any limit to number of iptables rules?  

I've been watching a distributed ssh attack on my linode over the last few days, and fail2ban is handling it nicely, but I'm starting to wonder if there is a limit to the number of hosts it can block using iptables. I've got about 500 hosts blocked right now, but there seems to be no end in sight.

Anyone know if there is a limit to the number of iptables rules we can put into the linode UML kernel before SomethingBad happens?
SteveG



Joined: 30 Nov 2003
Posts: 214

Posted: Mon May 12, 2008 3:19 pm    Post subject:  

I don't think there's a specific limit on the number of rules. There's a memory limit for connection tracking (e.g. NAT), but the fail2ban rules don't need that. The main problem with having lots of rules is that every packet has to get by them, and eventually you'll see significant CPU suckage. OTOH, 500 isn't actually that many, in my experience. You're not logging every DROP, are you?
anderiv



Joined: 27 Apr 2004
Posts: 127

Posted: Mon May 12, 2008 3:51 pm    Post subject:  

My fail2ban instance, too, has caught a ton of ssh auth attempts during the last 36 hours or so. The vast majority of the hits seem to be coming from Germany. This recent onslaught finally convinced me (after resisting for 5 years) to run my sshd on an alternative port. I made that change this morning and haven't had a single brute force attempt :-)

Maybe something to consider?
melon



Joined: 23 Mar 2008
Posts: 3

Posted: Mon May 12, 2008 4:29 pm    Post subject:  

That's right, I never run sshd on the standard port unless I don't have to. This dramatically reduces ssh attacks. Also, if you don't have to stick with user/password logins, use rsa/dsa key based authentication _only_.
pdepartida



Joined: 12 May 2008
Posts: 4

Posted: Mon May 12, 2008 8:13 pm    Post subject:  

A couple of weeks ago I was getting a massive number of port 80 requests to a 404 on my server, that were attached to my domain, so I could not just change the IP or whatever.

I needed to block these bot requests and still have my Apache up and running, so I started to dynamically block through iptables. At the end of the first 24 hours I was already blocking over 22'000 distinct IPs. I had to upgrade my linode with 90 extra MB of RAM (from a Linode 360), but everything else was fine!

After a week I had already blocked over 53'000 different IPs. Everything ran like a charm and I was still able to keep Apache running until eventually the bots stopped trying... :D :D

By the way, I flushed the tables once a week, just in case.
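The bulk blocking pdepartida describes above (tens of thousands of per-IP DROP rules, flushed periodically) is cheapest to load as one iptables-restore fragment rather than one iptables call per address. The script below is an added example, not code from this thread: it renders a ban list into that fragment, keeping the DROP rules in their own chain (assumed name BANLIST) so the INPUT chain itself stays short. The sample addresses are constructed.

```shell
#!/bin/sh
# Added example for this thread (not from any poster): turn a list of IPs into
# an iptables-restore fragment. Chain name BANLIST is an assumption; the whole
# script only prints text and never touches the live firewall.

# Read addresses from stdin, one per line; blank lines and '#' comments are
# skipped. Output: a filter-table fragment with one dedicated chain.
gen_ban_rules() {
    printf '%s\n' '*filter'
    printf '%s\n' ':BANLIST - [0:0]'          # create the ban chain
    printf '%s\n' '-A INPUT -j BANLIST'       # single jump from INPUT
    grep -Ev '^[[:space:]]*(#|$)' | while IFS= read -r ip; do
        printf '%s\n' "-A BANLIST -s $ip -j DROP"
    done
    printf '%s\n' 'COMMIT'
}

# Number of DROP rules the fragment would add (handy for tracking growth).
count_ban_rules() {
    gen_ban_rules | grep -c -e '-A BANLIST '
}

# Constructed sample input (documentation ranges, not real attackers).
SAMPLE_IPS='# constructed sample ban list
192.0.2.10
198.51.100.7

203.0.113.99'

printf '%s\n' "$SAMPLE_IPS" | gen_ban_rules
```

The fragment describes the whole filter table, so without `--noflush` iptables-restore replaces your existing rules with it; merge it into your full ruleset before loading, and re-run it to "flush" as pdepartida did by simply regenerating with a shorter list.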
mwalling



Joined: 10 Dec 2007
Posts: 135

Posted: Tue May 13, 2008 11:08 am    Post subject:  

http://isc.sans.org/diary.html?storyid=4408
Stever



Joined: 07 Dec 2007
Posts: 41
Location: NC, USA

Posted: Tue May 13, 2008 11:18 am    Post subject:  

pdepartida wrote:
> After a week I had already blocked over 53'000 different IPs.

I suppose my 500 (577 now) is nothing to worry about then :)

I appreciate all the other suggestions, but so far I'm not terribly worried about the security of the system. I think I'm going to hold out on port 22 until I see a more viable threat.

Besides, it is kinda cool to get a list of somebody's botnet :twisted: