> On 21. Jun 2024, at 05:15, Raymond Burkholder via mailop <mailop@mailop.org> wrote:
>
> > On 2024-06-20 17:20, Jeff Pang via mailop wrote:
> > > today I cleared up iptables rules, and ran fail2ban again.
> > > in half an hour, it blocked 1400+ IPs.
> > >
> > > $ sudo iptables -L -n|grep DROP|wc -l
> > > 1407
> > >
> > > I am afraid too many iptables rules will slow down the performance of the system.
> > > do you have any suggestions for handling this case?
> > >
> use the iptables hashtable
>
> or migrate to nftables and use a similar technique
A modern system usually uses iptables only as a frontend for nftables.

You could think about analyzing those IPs (use a script or ask an LLM of your choice, because they are decent with those kinds of tasks) by checking if they are adjacent and from which AS they come. And then aggregate certain of them into networks and put those in an ipset for a permanent ban.

Chances are good that they are coming from some cloud AS or from some network that probably will never send you a real mail (which AS depends on your location, kind of users etc.), and if you ban /24 you won't ban anything that will ever send real IPs.

Niels
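As an added illustration of the aggregation step described above (not code from the thread or from any participant), the following script buckets banned addresses by /24, turns busy /24s into network entries and leaves sparse ones as single hosts, then renders one ipset `hash:net` set plus the matching nftables element list. The /24 prefix, the threshold of three hosts, the set name and the sample addresses are all assumptions; the AS lookup mentioned in the thread is left out.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of fail2ban-banned addresses (documentation ranges, not real bans).
SAMPLE_BANNED = [
    "203.0.113.5", "203.0.113.17", "203.0.113.88", "203.0.113.250",
    "198.51.100.7", "198.51.100.9",
    "192.0.2.33",
    "203.0.113.17",          # duplicate, must not be double-counted
    "not-an-ip",             # junk line, skipped
]

def aggregate_bans(addresses, prefix=24, threshold=3):
    """Bucket IPv4 addresses by their /prefix network (assumed /24).

    Networks holding at least `threshold` distinct banned hosts are returned
    as whole networks; everything else is returned as single addresses.
    """
    buckets = defaultdict(set)
    for raw in addresses:
        try:
            ip = ipaddress.IPv4Address(raw.strip())
        except ValueError:
            continue  # skip lines that are not addresses
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        buckets[net].add(ip)
    nets, singles = [], []
    for net, hosts in buckets.items():
        if len(hosts) >= threshold:
            nets.append(net)
        else:
            singles.extend(hosts)
    return sorted(nets), sorted(singles)

def ipset_commands(nets, singles, setname="f2b-aggregated"):
    """Render ipset commands for one hash:net set; one iptables rule matches the whole set."""
    cmds = [f"ipset create {setname} hash:net -exist"]
    cmds += [f"ipset add {setname} {n} -exist" for n in nets]
    cmds += [f"ipset add {setname} {ip} -exist" for ip in singles]
    cmds.append(f"iptables -I INPUT -m set --match-set {setname} src -j DROP")
    return cmds

def nft_set_elements(nets, singles):
    """Element list for an nftables `type ipv4_addr; flags interval` set."""
    return ", ".join(str(x) for x in list(nets) + list(singles))

if __name__ == "__main__":
    nets, singles = aggregate_bans(SAMPLE_BANNED)
    print("\n".join(ipset_commands(nets, singles)))
    print(f"elements = {{ {nft_set_elements(nets, singles)} }}")
```

Feed it the output of `fail2ban-client` or the DROP entries from `iptables -L -n` instead of the sample list; the set lookup costs the same whether it holds ten entries or ten thousand, which is the point of the hashtable suggestion above.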
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop