Rich Kulawiec on 18 Aug 2018 05:44:26 -0700
Re: [PLUG] Linux tip: Log IP addresses, not hostnames, for use by fail2ban...
On Sat, Aug 18, 2018 at 08:15:01AM -0400, Walt Mankowski wrote:
> Thanks for posting that link. The list with both the Chinese and
> Korean addresses contains nearly 6000 blocks. Can iptables handle that
> many rules without performance problems?

1. Yes.

2. In most situations, the performance hit imposed by implementing this is more than made up for by the performance gain achieved by dropping all the garbage/hostile/abusive traffic on the floor rather than letting it get through to services and making them cope with it. And I really do mean "drop": don't even NACK packets. Just silently discard them. If you're really curious or want to do research, maybe you might want to log those -- I do in some cases -- but it's mostly pointless, because the networks originating them will take absolutely no remedial action under any circumstances.

3. You should be doing exactly the same thing with the Spamhaus DROP and EDROP lists. *And* you should be dropping all outbound traffic to networks on those lists, because all possible outcomes of letting it through are bad for you.

---rsk

___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
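A way to apply the advice above at the scale Walt asks about: load the list into a single ipset hash:net set (one kernel lookup regardless of entry count, instead of thousands of linear iptables rules) and silently DROP it in both directions. This is an added example, not from the thread, Spamhaus or any project; the sample list below is constructed from documentation prefixes in the "CIDR ; SBLnnn" layout the Spamhaus DROP text file uses, and the set name and chain choices are the example's own assumptions.

```shell
#!/bin/sh
# Constructed sample in the Spamhaus DROP text layout (";" starts a comment).
# These are documentation prefixes, NOT real listings.
SAMPLE_DROP='; Spamhaus DROP List (constructed sample, not a real listing)
; Last-Modified: constructed
192.0.2.0/24 ; SBL000001
198.51.100.0/24 ; SBL000002
203.0.113.0/24 ; SBL000003
'

# Convert DROP-format text on stdin into an "ipset restore" script that
# builds one hash:net set. Usage: drop_to_ipset spamhaus_drop < drop.txt
drop_to_ipset() {
    setname="$1"
    printf 'create %s hash:net\n' "$setname"
    # drop ";" comments and trailing whitespace, skip blank lines, keep the CIDR
    sed -e 's/;.*$//' -e 's/[[:space:]]*$//' | grep -v '^$' |
        while read -r cidr; do
            printf 'add %s %s\n' "$setname" "$cidr"
        done
}

# Rules that silently DROP (no RST, no ICMP unreachable) inbound traffic
# *from* the set and outbound traffic *to* the set, as the post recommends.
drop_rules() {
    setname="$1"
    printf 'iptables -I INPUT   -m set --match-set %s src -j DROP\n' "$setname"
    printf 'iptables -I FORWARD -m set --match-set %s src -j DROP\n' "$setname"
    printf 'iptables -I OUTPUT  -m set --match-set %s dst -j DROP\n' "$setname"
    printf 'iptables -I FORWARD -m set --match-set %s dst -j DROP\n' "$setname"
}

# Helper for checking the parser: number of "add" lines produced from the sample.
count_entries() {
    printf '%s' "$SAMPLE_DROP" | drop_to_ipset "$1" | grep -c '^add '
}
```

To apply for real: `drop_to_ipset spamhaus_drop < drop.txt | ipset -exist restore`, then `drop_rules spamhaus_drop | sh`; re-run the first step from cron so the set tracks the published list.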