Safe to increase the CSF Deny IP Limit past 1000?

beansbaxter (Verified User; joined Mar 17, 2004; 213 messages; location: WA)
I'm running the latest version of DA with the latest version of CSF.

In my CSF configuration, I currently have my DENY_IP_LIMIT set to 1000, which is the recommended max value.

I want to increase that number. Is there any harm in raising that value?

Or is there a better solution for blocking IP addresses?

Looking at Brute Force Monitor in DA, I am getting hammered with exim1 incorrect authorization attempts.

Any insight or advice or thoughts are greatly appreciated.

Thanks.
 
recommendation is rather simplistic. The search through the deny list is done for each packet and is a linear search. Sure, the kernel is fast, but someone decided that 1,000 was a good limit for the average server to keep from having too much latency.

But no server is truly average so feel free to experiment.

Jeff
 
Any insight or advice or thoughts are greatly appreciated.

I'd rather not increase the value that high. Instead I'd rather run a cron script to analyze the IPs in a block list, aggregate them into subnets, and block IP ranges. We mostly have DENY_IP_LIMIT set to 200-300, and block IP ranges on a gateway/router.

I hope you are running a dedicated server (as compared with a VPS), as on OpenVZ-based virtual servers there might be a limit on the number of iptables rules. In that case you'd need to be careful with DENY_IP_LIMIT.

Some DCs might allow you to block IPs on their routers and gateways, so you might want to check with them as well.
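The cron-script approach described in this reply (collapse the deny list into subnets so the rule count stays small), as an added example that is not from the thread or from CSF itself. It assumes the csf.deny line format of one IP or CIDR per line followed by an optional `#` comment; the /24 grouping, the threshold and the function names are this example's own choices.

```python
"""Aggregate a csf.deny-style IP list into subnets (added example)."""
import ipaddress
from collections import defaultdict

# Constructed sample of csf.deny content, not data from a real server.
SAMPLE_DENY = """\
# csf.deny - do not edit while csf is running
203.0.113.5 # lfd: (smtpauth) Failed SMTP AUTH login
203.0.113.9 # lfd: (smtpauth) Failed SMTP AUTH login
203.0.113.77 # lfd: (smtpauth) Failed SMTP AUTH login
203.0.113.200 # lfd: (smtpauth) Failed SMTP AUTH login
198.51.100.4 # manual
198.51.100.0/24 # manual range
192.0.2.33 # lfd: (sshd) Failed SSH login
not-an-ip # garbage line
2001:db8::1 # lfd: (smtpauth) Failed SMTP AUTH login
"""


def parse_deny(text):
    """Yield an ip_network for each valid entry; skip comments and junk."""
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            yield ipaddress.ip_network(entry, strict=False)
        except ValueError:
            continue  # malformed entry, ignore it


def aggregate_deny(text, prefix=24, threshold=3):
    """Replace single IPv4 hosts by their /prefix block when at least
    `threshold` distinct hosts share that block. Ranges and IPv6 entries
    pass through; overlapping entries are merged. Returns sorted CIDRs."""
    hosts = defaultdict(set)
    keep = []
    for net in parse_deny(text):
        if net.version == 4 and net.prefixlen == 32:
            block = ipaddress.ip_network(f"{net.network_address}/{prefix}",
                                         strict=False)
            hosts[block].add(net)
        else:
            keep.append(net)
    for block, members in hosts.items():
        if len(members) >= threshold:
            keep.append(block)          # one rule instead of many
        else:
            keep.extend(members)        # too few hits, keep exact hosts
    v4 = ipaddress.collapse_addresses(n for n in keep if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in keep if n.version == 6)
    return [str(n) for n in v4] + [str(n) for n in v6]


if __name__ == "__main__":
    for cidr in aggregate_deny(SAMPLE_DENY):
        print(cidr)
```

The output is a replacement list (four entries instead of eight here); review it before loading it into csf.deny or a router ACL, since a /24 can also cover legitimate hosts.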
 
Just know that the more crap you have in your firewall, the more time it will take for connections to process, because it has to analyze the firewall rules each time a connection is made.
 