[Server-devel] Question on number of iptables rules

Tom Mitchell mitch at niftyegg.com
Tue Feb 1 21:46:23 EST 2011


On Tue, Feb 1, 2011 at 5:28 PM, Anna <aschoolf at gmail.com> wrote:
> My test XS at home has a FQDN and is open to the outside.  Therefore this is
> probably a pretty rare issue in XS land, but I thought I'd ask.
>
> I noticed my "ambient" rx/tx traffic on eth0 had gone from really low (like
> 0.1 to 0.7 kB/s) to hovering between 5-20 kB/s.  I went through httpd's
> access_log and error_log and blocked a bunch of IPs that looked kinda
> sketchy.  Chinese and Russian search engine bots, script kiddies looking for
> phpmyadmin, that kinda stuff.


It can help to block China and Russia, but given the way spam and denial
of service botnets work, that is more limited than you might wish.

Two tools, "denyhosts" and "PortSentry", come to mind.  They
will deal with many blunt script attacks that come from anyplace on the
globe, even Iceland ;-)

With a system live on the internet it is often valuable to block
everything first and then open exactly what you need
for exactly those that need it.

The number of rules by itself almost does not matter.
Sometimes the order of rules matters more.
For example you can drop/block all connections to telnet
and many other port services in a very early rule and never
need to test your long list of IP address blocks.

Log files always need to be watched.
-- 

                      T o m   M i t c h e l l
                    mitch-at-niftyegg-dot-com
"My lifetime goal is to be the kind of person my dogs think I am."
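
The ordering advice in the reply above (deny by default, drop unwanted services in an early rule, keep the long address block list after the cheap checks, then open exactly what is needed) as an added example; this is not code from the original thread or from the XS project. It emits an iptables-restore ruleset rather than loading anything, so it runs without root. The interface eth0, the block list, the admin network and the service ports are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread: build an iptables-restore
# ruleset that follows the ordering advice above. Rules are matched first-hit,
# so where a rule sits decides how much work each packet costs: a telnet probe
# is dropped by an early rule and never walks the address block list.
# Assumptions: interface eth0, SSH on 22, HTTP on 80. The block list and the
# admin network are constructed sample values (documentation ranges).

# Constructed block list, one address or CIDR per line. In practice this is
# the list a tool such as denyhosts maintains, or one read from a file.
BLOCKLIST="198.51.100.0/24
203.0.113.7
192.0.2.0/25"

# Constructed network that is allowed to reach SSH.
ADMIN_NET="192.0.2.128/26"

# Print a complete *filter table for iptables-restore on stdout.
gen_rules() {
    printf '%s\n' '*filter'
    # Default policies: drop everything that is not explicitly accepted.
    printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    # Loopback and established traffic first: most legitimate packets stop
    # here and touch none of the rules below.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # Early drops for services never offered (telnet, RPC, SMB, RDP), placed
    # before the address list so probes for them are cheap to reject.
    for port in 23 135 139 445 3389; do
        printf '%s\n' "-A INPUT -i eth0 -p tcp --dport $port -j DROP"
    done
    # The long block list comes next; only packets that survived the cheap
    # checks above are compared against each entry.
    printf '%s\n' "$BLOCKLIST" | while IFS= read -r net; do
        if [ -n "$net" ]; then
            printf '%s\n' "-A INPUT -i eth0 -s $net -j DROP"
        fi
    done
    # Finally, open exactly what is needed for exactly who needs it.
    printf '%s\n' "-A INPUT -i eth0 -p tcp --dport 22 -s $ADMIN_NET -j ACCEPT"
    printf '%s\n' '-A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT'
    printf '%s\n' 'COMMIT'
}

# 1-based position of the first ruleset line matching a pattern, so the
# ordering can be checked without loading anything into the kernel.
rule_pos() {
    gen_rules | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

# Usage: gen_rules > ruleset.txt, then "iptables-restore -t ruleset.txt" to
# syntax-check before loading it for real. Here the ruleset goes to stdout.
gen_rules
```

The point the generator makes visible is that the rule count stays the same whatever the order; what changes is how many rules a given packet is compared against before it is decided. With the early port drops in place, growing the block list costs nothing for the probes that hit those ports.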