
Just curious, what problems does fail2ban suffer with thousands of unique IPs? (A crowded iptables, I guess...)

I still use it with a super oppressive jail time and few retries, with a few whitelisted IPs, and it seems to work ok.

I think the concern with a botnet with n IPs is that fail2ban tracks individual IPs, so if you have any kind of grace period before bannination, they get a linear speedup of n, and if there's an expiration period, they get to try n times harder than a single bored script kiddie.

Worse, from an economic perspective, there's enough hosts listening on port 22 that a bot can try instead while they wait for timeouts, so you're not really imposing a cost on them. If you view running a botnet as a form of multi-armed bandit problem, the best you can really do is limit the economic value by slowing them down a tad versus their many, many other options.
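The linear speedup described in the comment above can be made concrete with a small model. The following is an added example, not code from the thread or from fail2ban itself: a toy per-IP ban policy with fail2ban's maxretry/findtime/bantime semantics, a simulation that compares one source IP against a botnet of n IPs under the same "oppressive" settings, and one detection signal (distinct failing sources per window) that does not depend on any single IP tripping the jail. Class and function names, IP addresses and thresholds are all constructed for the example.

```python
"""Added example, not code from the Hacker News thread or from fail2ban: a toy
model of a fail2ban-style per-IP ban policy, used to show why a botnet with n
source IPs gets about n times as many attempts through before every IP is
banned, plus a detection signal that per-IP jails do not provide.
All names, addresses and thresholds below are constructed."""
from collections import defaultdict


class PerIpBanner:
    """fail2ban-like rule: `maxretry` failures from one IP within `findtime`
    seconds bans that IP for `bantime` seconds. Whitelisted IPs are never
    counted or banned (the 'few whitelisted IPs' from the thread)."""

    def __init__(self, maxretry=5, findtime=600, bantime=3600, whitelist=()):
        self.maxretry = maxretry
        self.findtime = findtime
        self.bantime = bantime
        self.whitelist = set(whitelist)
        self.failures = defaultdict(list)   # ip -> recent failure timestamps
        self.banned_until = {}              # ip -> ban expiry time

    def is_banned(self, ip, now):
        return now < self.banned_until.get(ip, -1)

    def record_failure(self, ip, now):
        """Register a failed login at time `now`. Returns True if the attempt
        reached the service (the source was not already banned)."""
        if ip in self.whitelist:
            return True
        if self.is_banned(ip, now):
            return False
        recent = [t for t in self.failures[ip] if now - t <= self.findtime]
        recent.append(now)
        self.failures[ip] = recent
        if len(recent) >= self.maxretry:
            self.banned_until[ip] = now + self.bantime
            self.failures[ip] = []
        return True


def simulate(ips, duration, interval, policy):
    """Attacker cycles round-robin over `ips`, sending one failed login every
    `interval` seconds for `duration` seconds. Returns how many attempts got
    through the per-IP policy before each source was banned."""
    accepted = 0
    now = 0
    i = 0
    while now < duration:
        if policy.record_failure(ips[i % len(ips)], now):
            accepted += 1
        i += 1
        now += interval
    return accepted


def attempts_single_vs_botnet(n, duration=600, interval=1):
    """Compare one bored script kiddie with a botnet of n IPs under the same
    oppressive policy (5 retries, one-hour ban). Returns (single, botnet)."""
    single = simulate(["198.51.100.1"], duration, interval, PerIpBanner())
    botnet_ips = [f"203.0.113.{k}" for k in range(n)]
    botnet = simulate(botnet_ips, duration, interval, PerIpBanner())
    return single, botnet


def distinct_failing_sources(events, now, window=600):
    """Detection signal a per-IP jail never raises: the number of distinct
    source IPs with at least one failure in the last `window` seconds.
    A spike here while no single IP reaches maxretry is the signature of a
    distributed brute force. `events` is a list of (ip, timestamp)."""
    return len({ip for ip, t in events if now - t <= window})


if __name__ == "__main__":
    for n in (1, 10, 100):
        single, botnet = attempts_single_vs_botnet(n)
        print(f"n={n:3d}: single IP {single} attempts, botnet {botnet} attempts")
```

With the default settings the single source gets exactly maxretry attempts through in the ten-minute window, while a botnet of n IPs gets n times that, which is the "linear speedup of n" from the comment. The `distinct_failing_sources` count is the kind of aggregate a defender can alert on when per-IP banning alone is silent; none of this is a fail2ban feature, it is just the model.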



I think they're saying it doesn't stop brute force attacks because the botnet will just try with another IP.
