Mayuresh <mayur...@acm.org> writes:

> Just tinkering with blacklistd settings.
>
> Trying to arrive at a good duration for blocking.
>
> I find that for 6 hours blocking, the blocked IPs settle around 90 to 100.
>
> Most of them just recur after block duration is over; typically they might
> be bots.
>
> Increasing the block duration would increase the count of blocked IPs.
> Would that start affecting any aspects of performance of my system, or
> is there any limit beyond which npf won't accept them?
>
> i.e. what are absolute limits and what are advisable counts of
> simultaneously blocked IPs?
>
> Further, are there any ways to figure out ranges of IPs to block? I need
> ssh access from only a handful of devices, but not all have static IPs. I
> think geography may provide a clue, but I'm not sure what's the best way to
> utilize such a clue.
>
> Mayuresh
My comments are not specific to blacklistd, as I am running a home-grown system that is similar. I keep stats on when an IP is first blocked and, in many cases, when it was last seen. Currently I have about 78,000 distinct IP addresses in an ippool(5) pool driving ipf, and some of these IP addresses that were seen recently were first seen in 2006.

I suspect it depends on how brutal you want to be to the offending IP. I tend to keep the addresses around for a few years before purging them from the ban database.

-- 
Brad Spencer - b...@anduin.eldar.org - KC8VKS - http://anduin.eldar.org
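Brad's reply describes a ban database keyed by IP with first-seen/last-seen stats that is purged periodically, and Mayuresh asks how to spot ranges worth blocking. The sketch below is an added example, not code from either post and not Brad's home-grown system: it builds such a database from a few constructed sshd log lines, flags the IPs that come back after a block would have expired, groups IPv4 offenders into /24s, purges stale entries, and renders `npfctl table ... add` lines for an npf table. The log lines, the table name "blocklist", the /24 grouping and the 3-day purge window are assumptions chosen for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sshd log lines for the example; not taken from any real host.
SAMPLE_LOG = """\
2024-03-01T02:11:05 host sshd[1201]: Failed password for root from 203.0.113.7 port 51234 ssh2
2024-03-01T02:11:09 host sshd[1201]: Failed password for root from 203.0.113.7 port 51236 ssh2
2024-03-01T02:11:12 host sshd[1203]: Failed password for invalid user admin from 203.0.113.9 port 40001 ssh2
2024-03-01T03:40:00 host sshd[1210]: Failed password for root from 198.51.100.23 port 22222 ssh2
2024-03-01T03:40:30 host sshd[1211]: Accepted publickey for brad from 192.0.2.10 port 50000 ssh2
2024-03-08T02:13:44 host sshd[1301]: Failed password for root from 203.0.113.7 port 51300 ssh2
2024-03-08T02:14:01 host sshd[1302]: Failed password for root from 203.0.113.44 port 51301 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Failed password for .* from (?P<ip>[0-9A-Fa-f:.]+) port \d+"
)


def parse_failures(text):
    """Yield (timestamp, ip) for every failed-password line; other lines are ignored."""
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group("ts")), ip_address(m.group("ip"))


def _ip_key(ip):
    # IPv4 before IPv6; comparing mixed versions directly raises TypeError.
    return (ip.version, ip)


class BanDatabase:
    """Per-IP first_seen / last_seen / hit counters, the stats the reply describes."""

    def __init__(self):
        self.entries = {}  # ip_address -> {"first_seen", "last_seen", "hits"}

    def record(self, ts, ip):
        e = self.entries.get(ip)
        if e is None:
            self.entries[ip] = {"first_seen": ts, "last_seen": ts, "hits": 1}
        else:
            e["first_seen"] = min(e["first_seen"], ts)
            e["last_seen"] = max(e["last_seen"], ts)
            e["hits"] += 1

    def recurring(self):
        """IPs seen on more than one calendar day: the ones that return after a block expires."""
        return sorted((ip for ip, e in self.entries.items()
                       if e["first_seen"].date() != e["last_seen"].date()), key=_ip_key)

    def purge(self, now, max_age):
        """Drop entries not seen for longer than max_age; return the IPs removed."""
        stale = [ip for ip, e in self.entries.items() if now - e["last_seen"] > max_age]
        for ip in stale:
            del self.entries[ip]
        return sorted(stale, key=_ip_key)

    def ranges(self, prefix=24, min_hosts=2):
        """Group IPv4 offenders into /prefix networks that hold at least min_hosts of them,
        a data-driven way to spot ranges instead of guessing from geography."""
        buckets = defaultdict(set)
        for ip in self.entries:
            if ip.version == 4:
                buckets[ip_network(f"{ip}/{prefix}", strict=False)].add(ip)
        return sorted(net for net, hosts in buckets.items() if len(hosts) >= min_hosts)

    def npfctl_commands(self, table="blocklist"):
        """Render 'npfctl table <name> add <addr>' lines; the table name is a placeholder."""
        return [f'npfctl table "{table}" add {ip}' for ip in sorted(self.entries, key=_ip_key)]


def build_db(text=SAMPLE_LOG):
    db = BanDatabase()
    for ts, ip in parse_failures(text):
        db.record(ts, ip)
    return db


def run_demo():
    """Run the whole flow on the sample log and return stringified results."""
    db = build_db()
    out = {
        "tracked": [str(ip) for ip in sorted(db.entries, key=_ip_key)],
        "hits": {str(ip): e["hits"] for ip, e in db.entries.items()},
        "recurring": [str(ip) for ip in db.recurring()],
        "ranges": [str(n) for n in db.ranges()],
        "commands": db.npfctl_commands(),
    }
    # 3-day window as of 2024-03-09, chosen for the demo; the reply keeps entries for years.
    out["purged"] = [str(ip) for ip in db.purge(datetime(2024, 3, 9), timedelta(days=3))]
    out["remaining"] = [str(ip) for ip in sorted(db.entries, key=_ip_key)]
    return out


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

On the sample input, 203.0.113.7 is the only address that returns a week later, and 203.0.113.0/24 is the only /24 with more than one offender; the purge then drops the two addresses last seen on 1 March. The same first-seen/last-seen bookkeeping is what lets a long retention period (years, as in the reply) coexist with a bounded table: what gets pushed into npf is whatever survives the purge, not every address ever logged.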