We use "route" as the banaction in our Fail2Ban. It's not uncommon for us to be blocking 30K-50K IP addresses, with no performance issues. Reboots do take about a minute or two longer however; Fail2Ban rewrites the route table on service start/stop to populate/depopulate the route table.
We did research just after COVID that documented how iptables, ufw etc. all have scaling issues (ipset a bit less so as I recall), but that using "route" as the banaction had hardly any impact on performance, even with hundreds of thousands of entries.

There is a Zimbra-specific blog post here: https://wiki.zimbra.com/wiki/Configure_Fail2Ban_for_Zimbra_Server_with_route_instead_of_iptables_to_block_IPs

Our filter/jail for a Zimbra-specific nginx add-on is here (again, Zimbra-specific): https://www.missioncriticalemail.com/2023/05/21/zimbra-fail2ban-best-practices/

Our wiki article is intentionally not fully up to date with the totality of the regular expressions that we use (but it's a good start), and unless you are using Zimbra you'll want to use your own regexes of course. The Zimbra wiki article also shows how to run a centralized database across multiple servers.

Hope that helps.

Regards,
Mark
_________________________________________________________________
L. Mark Stone, Founder
North America's Leading Zimbra VAR/BSP/Training Partner
For Companies With Mission-Critical Email Needs

----- Original Message -----
| From: "Jeff Pang via mailop" <mailop@mailop.org>
| To: "Mailop Mailing List" <mailop@mailop.org>
| Sent: Thursday, June 20, 2024 7:20:17 PM
| Subject: [mailop] too many bad IP blocked
|
| Today I cleared up the iptables rules and ran fail2ban again.
| In half an hour, it blocked 1400+ IPs.
|
| $ sudo iptables -L -n|grep DROP|wc -l
| 1407
|
| It seems the bad IPs are coming endlessly.
| Most of the bad actions are like this one:
|
| postfix/smtps/smtpd[451948]: warning: unknown[211.184.190.87]: SASL
| LOGIN authentication failed: UGFzc3dvcmQ6
|
| I am afraid too many iptables rules will slow down the performance of the system.
| Do you have any suggestion for handling this case?
|
| Thanks.
|
| --
| Jeff Pang
| jeffp...@aol.com
| _______________________________________________
| mailop mailing list
| mailop@mailop.org
| https://list.mailop.org/listinfo/mailop
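An added example, not code from either message in this thread: a small Python sketch of the jail being discussed, run over constructed postfix log lines in the format Jeff quoted, applying a maxretry-style threshold and producing the unreachable-route command that fail2ban's route action issues for each ban instead of an iptables rule. The sample lines, the addresses other than the one quoted, and the maxretry value of 3 are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in the postfix/smtpd format quoted in the thread;
# the 211.184.190.87 line is the one Jeff posted, the other addresses are
# made up (RFC 5737 / RFC 3849 documentation ranges).
SAMPLE_LOG = """\
Jun 20 19:01:02 mx1 postfix/smtps/smtpd[451948]: warning: unknown[211.184.190.87]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun 20 19:01:05 mx1 postfix/smtps/smtpd[451948]: warning: unknown[211.184.190.87]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun 20 19:01:09 mx1 postfix/smtps/smtpd[451950]: warning: unknown[211.184.190.87]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun 20 19:02:11 mx1 postfix/submission/smtpd[451960]: warning: mail.example.net[192.0.2.10]: SASL PLAIN authentication failed: authentication failure
Jun 20 19:02:40 mx1 postfix/smtpd[451970]: connect from unknown[198.51.100.7]
Jun 20 19:02:41 mx1 postfix/smtps/smtpd[451971]: warning: unknown[2001:db8::5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
"""

# Equivalent of a fail2ban failregex for these lines: the client address
# (IPv4 or IPv6) sits in the brackets before "SASL ... authentication failed".
FAILREGEX = re.compile(
    r"postfix/\S*smtpd\[\d+\]: warning: \S+\[(?P<ip>[0-9a-fA-F.:]+)\]: "
    r"SASL \S+ authentication failed"
)

def failed_logins(log_text):
    """Count failed SASL authentications per client IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILREGEX.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts

def ips_to_ban(counts, maxretry=3):
    """Mirror fail2ban's maxretry: ban once failures reach the threshold."""
    return sorted(ip for ip, n in counts.items() if n >= maxretry)

def route_ban_commands(ips):
    """The per-ban command fail2ban's route action runs instead of adding an
    iptables rule: an unreachable route for the peer, so replies to it cannot
    be routed and its connections never complete."""
    return [f"ip route add unreachable {ip}" for ip in ips]

if __name__ == "__main__":
    banned = ips_to_ban(failed_logins(SAMPLE_LOG))
    for cmd in route_ban_commands(banned):
        print(cmd)
```

On a live host, `ip route show type unreachable | wc -l` counts the entries the route action has installed, the route-table counterpart of the `iptables -L -n | grep DROP | wc -l` check in the quoted message.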