On Fri, 21 Jun 2024, Jeff Pang via mailop wrote:

> Today I cleared up the iptables rules and ran fail2ban again.
> In half an hour, it blocked 1400+ IPs.
>
> $ sudo iptables -L -n | grep DROP | wc -l
> 1407
>
> It seems the blacklisted IPs are coming endlessly.
> Most of the bad actions are like this one:
>
> postfix/smtps/smtpd[451948]: warning: unknown[211.184.190.87]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
>
> I am afraid too many iptables rules will slow down the performance of the system.
> Do you have any suggestions for handling this case?

n.b. I don't think there's anything to worry about performance-wise.

To add to what others have suggested (iptables sets and null routing), I use nftables with a "fail2ban" set, to which addresses get inserted by fail2ban.

For "elegance" (as I said, I don't think performance is an issue here), I have set the "auto-merge" flag in my fail2ban set. This "compacts" addresses when inserted/deleted, so that neighboring addresses are turned into CIDR sets.

Hope it helps,
Bernardo
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
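The following is an added illustration, not Bernardo's configuration or fail2ban's own code: it takes constructed postfix smtpd log lines of the kind quoted above, counts SASL authentication failures per client (the fail2ban "maxretry" idea), and then compacts the resulting addresses into CIDR ranges, which is the same compaction an nftables interval set with the auto-merge flag performs when single addresses are inserted. The nftables ruleset in the module docstring (table `inet filter`, set `fail2ban`) and the documentation-range IPs in the sample log are assumptions for the example.

```python
"""Added example for the mailop thread above (not the poster's own setup).

Picks repeated postfix SASL login failures out of log text, then collapses
the offending addresses into CIDR ranges, mirroring what an nftables set
declared with `flags interval` and `auto-merge` does on insertion.

Assumed nftables ruleset the emitted commands target (an assumption, not
quoted from the thread):

    table inet filter {
        set fail2ban {
            type ipv4_addr
            flags interval
            auto-merge
        }
        chain input {
            type filter hook input priority 0; policy accept;
            ip saddr @fail2ban drop
        }
    }
"""
import ipaddress
import re
from collections import Counter

# Matches the postfix smtpd warning line quoted in the thread, for any
# SASL mechanism (LOGIN, PLAIN, ...). The trailing base64 blob is ignored.
SASL_FAIL_RE = re.compile(
    r"postfix/\S*smtpd\[\d+\]: warning: \S+\[(?P<ip>[0-9.]+)\]: "
    r"SASL \w+ authentication failed"
)

# Constructed sample log (documentation address ranges, not real clients).
# 192.0.2.8-11 and 198.51.100.77 fail three times; 198.51.100.200 only once.
SAMPLE_LOG = """\
Jun 21 10:00:01 mx postfix/smtps/smtpd[451948]: warning: unknown[192.0.2.8]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun 21 10:00:02 mx postfix/smtps/smtpd[451948]: warning: unknown[192.0.2.8]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun 21 10:00:03 mx postfix/smtps/smtpd[451948]: warning: unknown[192.0.2.8]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun 21 10:00:04 mx postfix/smtps/smtpd[451950]: warning: unknown[192.0.2.9]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun 21 10:00:05 mx postfix/smtps/smtpd[451950]: warning: unknown[192.0.2.9]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun 21 10:00:06 mx postfix/smtps/smtpd[451950]: warning: unknown[192.0.2.9]: SASL PLAIN authentication failed: UGFzc3dvcmQ6
Jun 21 10:00:07 mx postfix/smtpd[451952]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun 21 10:00:08 mx postfix/smtpd[451952]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun 21 10:00:09 mx postfix/smtpd[451952]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun 21 10:00:10 mx postfix/smtps/smtpd[451953]: warning: unknown[192.0.2.11]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun 21 10:00:11 mx postfix/smtps/smtpd[451953]: warning: unknown[192.0.2.11]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun 21 10:00:12 mx postfix/smtps/smtpd[451953]: warning: unknown[192.0.2.11]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun 21 10:00:13 mx postfix/smtps/smtpd[451960]: warning: unknown[198.51.100.77]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun 21 10:00:14 mx postfix/smtps/smtpd[451960]: warning: unknown[198.51.100.77]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun 21 10:00:15 mx postfix/smtps/smtpd[451960]: warning: unknown[198.51.100.77]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun 21 10:00:16 mx postfix/smtps/smtpd[451961]: warning: unknown[198.51.100.200]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun 21 10:00:17 mx postfix/smtps/smtpd[451961]: disconnect from unknown[198.51.100.200] ehlo=1 auth=0/1 quit=1 commands=2/3
"""


def failed_logins(log_text):
    """Count SASL authentication failures per client IP."""
    counts = Counter()
    for line in log_text.splitlines():
        match = SASL_FAIL_RE.search(line)
        if match:
            counts[match.group("ip")] += 1
    return counts


def addresses_to_ban(log_text, maxretry=3):
    """Return the client IPs that reached the retry threshold, in address order."""
    offenders = [ip for ip, n in failed_logins(log_text).items() if n >= maxretry]
    return sorted(offenders, key=ipaddress.ip_address)


def merge_to_cidr(ips):
    """Collapse single addresses into the minimal CIDR list.

    This is what an auto-merge interval set ends up holding after the
    individual /32 elements have been inserted one by one.
    """
    nets = [ipaddress.ip_network(ip) for ip in ips]
    return [str(net) for net in ipaddress.collapse_addresses(nets)]


def nft_commands(ips, table="inet filter", set_name="fail2ban"):
    """Build the `nft add element` commands a ban action would run per address."""
    return [f"nft add element {table} {set_name} {{ {ip} }}" for ip in ips]


if __name__ == "__main__":
    banned = addresses_to_ban(SAMPLE_LOG)
    print("\n".join(nft_commands(banned)))
    print("set contents after auto-merge:", ", ".join(merge_to_cidr(banned)))
```

The ban action still inserts one address at a time; the kernel's set, not the script, does the merging, so `nft list set inet filter fail2ban` would show `192.0.2.8/30` rather than four separate elements. The same collapse is what makes the rule count irrelevant for performance: the set is a single lookup regardless of how many entries it holds.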