Hello,

I have a public server running Deb 7.4 amd64 multiarch where I host multiple public game servers. Current security includes iptables and fail2ban, among other things. Because this is a public server, I have to ban IP address for a variety of reasons including habitual break-in attempts and DoS or other types of server attacks. Most of the offending IPs are not from a contiguous range or from the same subnet, so they must be banned individually.

Because low latency is so very important for game servers I am always concerned about the server and network running as efficiently and as fast as possible. As such, I do not want to create any bottlenecks with excessive filtering of incoming or outgoing traffic.

Currently I block individual IPs using an iptables rule. However, the list of blocked IPs is getting rather long.

Q: Are individual "DROP" rules inserted into iptables the most efficient way to manage numerous IP bans or is there a better way?

Thank you for your help,

PGn

Specifically which other measures?


Sure: use ipset, preferably in the mangle table. BTW I ran a little test a while ago.

Other measures include disabling SSH password authentication and root login in favor of RSA key pair authentication. Fail2ban is configured to permanently ban IPs that attempt brute-force SSH break-in. Is it possible to have SSH control (ssh restricted to a single ip only) handled by iptables and not use fail2ban? Alternatively, can IPs banned by fail2ban be automatically added to the ipset blacklist instead of staying with f2b?

I've not yet used the mangle table, so all of the rules I've created must be in the filter table.

Can you help me understand why the ipset should be in the mangle table?

Than you,

PGn

This is a great article, especially for someone like me who is not familiar with ipset. So essentially, I can remove all of the individual IP DROP rules from iptables and move all of the "bad" source IPs to a black list in ipset, correct?

Thank you,

PGn

would /etc/hosts.deny help here ?

Public forums like LQ with helpful people are so valuable. From the replies to my first post on LQ, I've already learned a number of new and very useful techniques.

Having read the ipset article referenced by yzT!, I did a test install of ipset on my dev server, created the new set (ip_blacklist) and loaded several hundred "bad" ips with a quick for-loop. The article suggests this iptables rule to reference the new set:
Two points here: 1. since my server is not a web server I want all traffic from the blacklisted IPs stopped, not just tcp and not just to port 80. 2. Why use REJECT rather than DROP? I think the iptables rule I need is:
Is this the right rule to use?

Before moving this onto the production server I am also wondering if null routing the IPs at the kernel would be even more efficient than using ipset?
Thank you again for your help,

PGn

No, please see Denyhosts vs Fail2ban aka tcp_wrappers vs iptables.

Given you've followed the SSH Best practices and since SSH access is already restricted to one IP address only (a white listing scenario) there is absolutely no need to bother with blocking IP addresses trying to access TCP/22.


Yes, fail2ban can use ipset for some time now.


The Frozentux Iptables-tutorial shows you table traversal, mangle comes before input, and since you want to just drop traffic and not do anything with it it's advised to drop that traffic as early on as possible. Also, since you'll be using the filter table for traffic that actually matters it keeps the rule set much cleaner which makes it easier to maintain.


Correct.


Jst adjust the rule then.


That's a matter of preference (or courtesy): as 'man iptables' tells you the REJECT target sends back an ICMP message while DROP just drops the packet in the bit bucket.


These commands makes it the first rule in the raw (disabling connection tracking) and mangle (drop) tables prerouting chains:

Where does that "even more" come from? What have you read that makes you say that? Null routing, just like iptables drop rules, denies any remote system to establish (SYN) a connection. The difference is that with null routing traffic is still(!) received: your system just can't send anything (SYN,ACK) back, while iptables is more fine grained and explicitly drops that traffic.

Understood. However, the reason for asking is because the server has on multiple occasions been flooded with brute-force or other types of unauthorized break-in attempts to the point that I can't even login over SSH because the server is overloaded and unresponsive. Therefore I was looking for a way to block or drop all unauthorized connection requests before they have to be individually processed as invalid.

Thank you! These are exactly what I needed and are very instructive too.

Thank you for the explanation. "even more" was just a question based on the desire to learn "best practices". Being relatively new to Linux administration there are still so many areas where I have only scratched the surface...

Thank you again for all of you help,

PGn

Within a server all services use the same resource pool. So if for example your machine is being (ab)used to send spam because you forgot to update WordPress or one of its plugins that will affect the web server and consequently any other service vying for resources. Apart from using a cap on resources there's also iptables modules that limit the amount of connections a single IP address (or range!) is allowed to initiate. That's something you want to implement efficiently at the network layer and not higher up in the application layer.


It's a good thing to know where you stand and as long as you show you've done some research, as long as you're willing to question responses (not all replies or web log posts are actually good answers), learn from others and practice yourself (doesn't make perfect but it does help ;-p) you can only grow.

Good luck!