
Question Excessive fail2ban banned hosts may flood memory?

Hello guys

I'm using fail2ban in Plesk and it's working pretty smoothly. I extended the BAN period to months (instead of just some minutes), and the list of banned hosts grows as expected. At this time the list of banned hosts is about 8K, not a problem at all, for now.

My question is whether an excessive number of banned hosts might lead to other problems, like memory flooding, or an iptables/kernel crash?

I see it's all about iptables rules but don't know if all these rules are stored in memory or a file, for realtime lookup.

As I said, I have no problems at this time, just thinking ahead.

Regards
 
Fail2Ban uses iptables and iptables stores rules in its own "database". I am not aware of a limit, but 8,000 sounds like a whole lot. One downside of that is that it will most definitely slow down your network interface, because each connection needs to run through all these entries before it is passed or dropped.

Are you aware that you also have a "recidive" jail in Fail2Ban? If you combine a short drop for first time offenders with a long drop for repeating offenders you normally don't need thousands of jail entries. All the first time offenders and one shot attempts will be blocked for a short time, the repeating offenders will remain in iptables for a longer time. You'll maybe only have a fourth of your current entries.
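The short-ban-plus-recidive layout described above, written out as a jail.local fragment. This is an added example, not configuration from the thread or from Plesk; the jail names, paths, times and the assumption that ipset is installed are mine, and on a Plesk host the jails are normally managed through the Plesk UI, so check where Plesk writes its own jail files before editing by hand. The ipset-backed ban actions keep the per-packet lookup a hash-set match instead of a walk through thousands of iptables rules, which addresses the slowdown mentioned above.

```ini
# Added example (not from the thread): /etc/fail2ban/jail.local
# Short ban for first-time offenders, long ban for repeat offenders via recidive.
# Assumptions: fail2ban 0.10+ (time suffixes like 10m/30d), ipset installed,
# default fail2ban log location.

[DEFAULT]
# First offence: a short ban is enough to break a brute-force loop
bantime  = 10m
findtime = 10m
maxretry = 5
# Assumption: ipset is available. A hash set keeps lookup cost constant
# instead of walking every banned IP as a separate iptables rule.
banaction          = iptables-ipset-proto6
banaction_allports = iptables-ipset-proto6-allports

[sshd]
enabled = true

[recidive]
enabled  = true
# recidive reads fail2ban's own log and bans hosts that any jail has
# already banned maxretry times within findtime, for a much longer bantime
logpath   = /var/log/fail2ban.log
banaction = %(banaction_allports)s
bantime   = 30d
findtime  = 1d
maxretry  = 3
```

After reloading with `fail2ban-client reload`, `fail2ban-client status recidive` shows how many hosts reached the long ban, and `ipset list` shows the set that iptables matches against; the sshd jail's own list should stay short because its entries expire after 10 minutes.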
 
Thanks for your reply. Yes I’m aware of recidive, I will change the approach to what you suggest, I agree there will be a lot fewer hosts.
 