--- Frank Wiles wrote:
On Sat, 30 Apr 2005 21:52:02 -0700 (PDT) Jack [email protected] wrote:
... I'm looking for a solution to reduce the attacks. The box is a "busy box", that is running several services. It runs the ...
The best way to lock out these attackers is to simply use iptables to block their IPs from accessing your system. It doesn't prevent a DoS on your available bandwidth, but it keeps them from bugging your system. I'm not sure why this hasn't been suggested before.
I have about half of the addresses blocked, but what is the impact of adding 150 ip addresses to iptables with potentially hundreds more over time? At what point will iptables eat up all my bandwidth in blocking addresses?
Thanks everyone for the suggestions.
Brian D.
On Sun, 1 May 2005, Jack wrote:
--- Frank Wiles wrote:
On Sat, 30 Apr 2005 21:52:02 -0700 (PDT) Jack [email protected] wrote:
I have about half of the addresses blocked, but what is the impact of adding 150 ip addresses to iptables with potentially hundreds more over time? At what point will iptables eat up all my bandwidth in blocking addresses?
Thanks everyone for the suggestions.
Well, iptables doesn't really eat up your bandwidth - the guys trying to connect to your box are what is wasting the bandwidth. The worst iptables can do is eat up processor cycles filtering connections to your box. I have seen machines with hundreds of iptables rules that operate with no issues at all. It works in kernel space so it can be very efficient.
You probably do not want to permanently deny any address. I believe you can use an automated daemon like portsentry to dynamically add addresses to iptables and after a period of time have that address removed.
-- D. Hageman [email protected]
On Sun, 1 May 2005 20:27:02 -0700 (PDT) Jack [email protected] wrote:
I have about half of the addresses blocked, but what is the impact of adding 150 ip addresses to iptables with potentially hundreds more over time? At what point will iptables eat up all my bandwidth in blocking addresses?
Just to add to what Dave said...
I have a production server that is fairly low-end hardware that currently has 2952 iptables rules that block individual IPs, several /24 networks, and a handful of /16s. There is no noticeable impact on the box.
-- Frank Wiles [email protected] http://www.wiles.org
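The scheme the replies describe (one DROP rule per attacker, added on demand and removed again after a while, with the rules kept in their own chain so the count stays manageable) as an added POSIX sh example. This is not code from any poster in the thread and it does not use portsentry; the chain name BLOCKLIST, the state file path, the 24-hour lifetime and the sample addresses are assumptions of this example. Set IPT=echo to print the iptables commands without running them.

```shell
#!/bin/sh
# Added example (not from the thread): keep per-address DROP rules in a
# dedicated chain and expire them after MAX_AGE seconds. Chain name, state
# file and lifetime below are assumptions; adjust them for your box.
set -u

IPT="${IPT:-iptables}"                      # IPT=echo prints instead of executing
CHAIN="${CHAIN:-BLOCKLIST}"                 # assumed chain name
STATE="${STATE:-/var/lib/blocklist.state}"  # assumed path; lines: "<addr> <epoch-added>"
MAX_AGE="${MAX_AGE:-86400}"                 # assumed lifetime of a block, in seconds

# Accept only a dotted-quad IPv4 address with an optional /0-32 prefix, so
# nothing but a well-formed address ever reaches the iptables command line.
valid_addr() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$' || return 1
    printf '%s\n' "${1%%/*}" | awk -F. '{ for (i = 1; i <= 4; i++) if ($i > 255) exit 1 }'
}

# Create the chain once and hook it in front of INPUT. Idempotent: -C checks
# whether the jump already exists before -I adds it.
ensure_chain() {
    $IPT -N "$CHAIN" 2>/dev/null || true
    $IPT -C INPUT -j "$CHAIN" 2>/dev/null || $IPT -I INPUT -j "$CHAIN"
}

# Add a DROP rule for an address and record when it was added. Returns 1 for
# a malformed address, 0 once the address is blocked (already blocked is fine).
block_addr() {
    addr=$1
    now=${2:-$(date +%s)}          # second argument lets callers pin the clock
    valid_addr "$addr" || { echo "block_addr: bad address '$addr'" >&2; return 1; }
    if [ -f "$STATE" ] && grep -q "^$addr " "$STATE"; then
        return 0
    fi
    $IPT -A "$CHAIN" -s "$addr" -j DROP || return 1
    printf '%s %s\n' "$addr" "$now" >> "$STATE"
}

# Remove every rule older than MAX_AGE seconds, drop it from the state file
# and print the address that was unblocked. Run this from cron.
expire_blocks() {
    now=${1:-$(date +%s)}
    [ -f "$STATE" ] || return 0
    keep=$(mktemp)
    while read -r addr added; do
        if [ $((now - added)) -ge "$MAX_AGE" ]; then
            $IPT -D "$CHAIN" -s "$addr" -j DROP
            printf '%s\n' "$addr"
        else
            printf '%s %s\n' "$addr" "$added" >> "$keep"
        fi
    done < "$STATE"
    mv "$keep" "$STATE"
}

# Print the addresses currently recorded as blocked.
list_blocks() {
    [ -f "$STATE" ] && cut -d' ' -f1 "$STATE"
}

# Usage: ./blocklist.sh block 203.0.113.9   |   ./blocklist.sh expire
case "${1:-}" in
    block)  ensure_chain; block_addr "$2" ;;
    expire) expire_blocks ;;
    list)   list_blocks ;;
esac
```

Running as root with IPT unset does the real work; the state file is the only thing that remembers when each rule was added, so keep it with the box's other persistent state. Each block is still one rule walked in order, which is what Frank's 2952-rule server shows to be cheap; the dedicated chain just keeps those rules out of the way of the service rules and lets you flush them all with one `iptables -F BLOCKLIST`.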