Linode Community Forums
PostPosted: Mon May 12, 2008 3:25 pm 
Senior Member

Joined: Fri Dec 07, 2007 1:37 am
Posts: 385
Location: NC, USA
I've been watching a distributed ssh attack on my linode over the last few days, and fail2ban is handling it nicely, but I'm starting to wonder if there is a limit to the number of hosts it can block using iptables. I've got about 500 hosts blocked right now, but there seems to be no end in sight.

Anyone know if there is a limit to the number of iptables rules we can put into the linode UML kernel before SomethingBad happens?


PostPosted: Mon May 12, 2008 4:19 pm 
Senior Member

Joined: Sun Nov 30, 2003 2:28 pm
Posts: 245
I don't think there's a specific limit on the number of rules. There's a memory limit for connection tracking (e.g. NAT), but the fail2ban rules don't need that. The main problem with having lots of rules is that every packet has to get by them, and eventually you'll see significant CPU suckage. OTOH, 500 isn't actually that many, in my experience. You're not logging every DROP, are you?

_________________
The irony is that Bill Gates claims to be making a stable operating system and Linus Torvalds claims to be trying to take over the world.
-- seen on the net


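The reply above makes two practical points: every packet walks the rule list in order, and LOG targets are what really hurt on a busy host. The script below is an added example (not from the thread or from fail2ban) that audits an `iptables-save` dump for exactly those two things: rule and block counts per chain, and any LOG rules. The rule dump embedded in it is constructed for the example; the chain name `fail2ban-SSH` and the addresses are illustrative.

```shell
#!/bin/sh
# Added example: audit an iptables dump for per-chain rule counts and LOG targets.
# Input is the text format produced by `iptables-save`; the sample below is
# constructed for this example, not captured from a real host.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:fail2ban-SSH - [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j fail2ban-SSH
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A fail2ban-SSH -s 198.51.100.10/32 -j LOG --log-prefix "fail2ban-drop: "
-A fail2ban-SSH -s 198.51.100.10/32 -j DROP
-A fail2ban-SSH -s 198.51.100.11/32 -j DROP
-A fail2ban-SSH -s 203.0.113.5/32 -j DROP
-A fail2ban-SSH -j RETURN
COMMIT'

# Set RULES="$(iptables-save)" in the environment to audit a live host.
RULES=${RULES:-$SAMPLE_RULES}

# count_rules CHAIN: rules appended to CHAIN; a packet entering the chain is
# compared against them one by one, in order, until a rule matches.
count_rules() {
  printf '%s\n' "$RULES" | awk -v chain="$1" '$1 == "-A" && $2 == chain { n++ } END { print n + 0 }'
}

# count_blocks CHAIN: DROP/REJECT rules in CHAIN (in a fail2ban chain, one per banned host).
count_blocks() {
  printf '%s\n' "$RULES" | awk -v chain="$1" '
    $1 == "-A" && $2 == chain {
      for (i = 3; i < NF; i++)
        if ($i == "-j" && ($(i+1) == "DROP" || $(i+1) == "REJECT")) n++
    }
    END { print n + 0 }'
}

# count_log_rules: LOG targets anywhere in the dump; each writes a kernel log
# line for every packet it matches, which is the per-packet cost worth avoiding.
count_log_rules() {
  printf '%s\n' "$RULES" | awk '
    $1 == "-A" { for (i = 3; i < NF; i++) if ($i == "-j" && $(i+1) == "LOG") n++ }
    END { print n + 0 }'
}

# report: one summary line per chain, then a note if any LOG rules exist.
report() {
  printf '%s\n' "$RULES" | awk '/^:/ { sub(/^:/, "", $1); print $1 }' | while read -r chain; do
    printf '%-14s rules=%-5s blocks=%s\n' "$chain" "$(count_rules "$chain")" "$(count_blocks "$chain")"
  done
  logs=$(count_log_rules)
  [ "$logs" -gt 0 ] && echo "note: $logs LOG rule(s) present; each matching packet costs a syslog line"
  return 0
}

report
```

Run it as-is to see the sample report, or with `RULES="$(iptables-save)" sh audit.sh` on a host to see how long the fail2ban chain has grown and whether a LOG rule was left in front of the DROPs.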
PostPosted: Mon May 12, 2008 4:51 pm 
Senior Member

Joined: Tue Apr 27, 2004 5:10 pm
Posts: 212
My fail2ban instance, too, has caught a ton of ssh auth attempts during the last 36 hours or so. The vast majority of the hits seem to be coming from Germany. This recent onslaught finally convinced me (after resisting for 5 years) to run my sshd on an alternative port. I made that change this morning and haven't had a single brute force attempt :-)

Maybe something to consider?


PostPosted: Mon May 12, 2008 5:29 pm 
Senior Member

Joined: Sun Mar 23, 2008 10:10 am
Posts: 71
Website: http://frontseed.com/
That's right, I never run sshd on the standard port unless I don't have to. This dramatically reduces ssh attacks. Also, if you don't have to stick with user/password logins, use rsa/dsa key based authentication _only_.


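The two replies above recommend a non-default port and key-only authentication. As an added example (not from the thread), the script below audits an `sshd_config` fragment for those settings and prints one finding per weak setting. The weak and hardened fragments embedded in it are constructed for the example; the assumption that an absent keyword means the permissive default (port 22, `PasswordAuthentication yes`, `PermitRootLogin yes`, which matched OpenSSH defaults at the time) is marked in the comments.

```shell
#!/bin/sh
# Added example: check sshd_config for the port and authentication settings
# discussed in the thread. Both fragments are constructed; neither is from a real host.
WEAK_CONFIG='Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes'

HARDENED_CONFIG='Port 2222
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes'

# sshd_option CONFIG KEY: value of the first uncommented KEY line (sshd honours
# the first occurrence of a keyword), lowercased; empty if the keyword is absent.
sshd_option() {
  printf '%s\n' "$1" | awk -v key="$2" '
    $1 !~ /^#/ && tolower($1) == tolower(key) { print tolower($2); exit }'
}

# audit_sshd_config CONFIG: print one finding per line. Absent keywords are
# treated as the permissive defaults (assumption: port 22, passwords allowed,
# root login allowed), so an empty config is reported the same as the weak one.
audit_sshd_config() {
  cfg=$1
  port=$(sshd_option "$cfg" Port);                            port=${port:-22}
  pw=$(sshd_option "$cfg" PasswordAuthentication);            pw=${pw:-yes}
  root=$(sshd_option "$cfg" PermitRootLogin);                 root=${root:-yes}
  pubkey=$(sshd_option "$cfg" PubkeyAuthentication);          pubkey=${pubkey:-yes}
  cra=$(sshd_option "$cfg" ChallengeResponseAuthentication);  cra=${cra:-yes}

  [ "$port" = 22 ]   && echo "Port 22: sshd on the default port, so every scanner finds it first"
  [ "$root" = yes ]  && echo "PermitRootLogin yes: the one account name every guesser knows; set no"
  [ "$pw" = yes ]    && echo "PasswordAuthentication yes: password guessing stays possible; set no and use keys"
  [ "$pubkey" = no ] && echo "PubkeyAuthentication no: key-based login is disabled"
  [ "$pw" = no ] && [ "$cra" = yes ] && echo "ChallengeResponseAuthentication yes: PAM keyboard-interactive can still prompt for a password; set no"
  return 0
}

# count_findings CONFIG: number of findings, printed on stdout.
count_findings() {
  audit_sshd_config "$1" | awk 'END { print NR }'
}

echo "--- weak ---";     audit_sshd_config "$WEAK_CONFIG"
echo "--- hardened ---"; audit_sshd_config "$HARDENED_CONFIG"
```

To check a real host, pass the file contents: `audit_sshd_config "$(cat /etc/ssh/sshd_config)"`. Moving the port only reduces noise from scanners that try 22; disabling password authentication is what removes the brute-force risk, and the `ChallengeResponseAuthentication` check catches the common case where passwords are still accepted through PAM after `PasswordAuthentication no`.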
PostPosted: Mon May 12, 2008 9:13 pm 
Newbie

Joined: Mon May 12, 2008 9:04 pm
Posts: 4
A couple of weeks ago I was getting massive port 80 requests to a 404 on my server, that were attached to my domain, so I could not just change the IP or whatever.

I needed to block these bot requests and still have my Apache up and running, so I started to dynamically block through iptables. At the end of the first 24 hours I was already blocking over 22'000 distinct IPs. I had to upgrade my Linode with 90 extra MB of RAM (from a Linode 360) but everything else was fine!

After a week I had already blocked over 53'000 different IPs. Everything ran like a charm and I was still able to keep Apache running until eventually the bots stopped trying... :D :D

By the way, I flushed the tables once a week, just in case.


PostPosted: Tue May 13, 2008 12:08 pm 
Senior Member

Joined: Mon Dec 10, 2007 4:30 pm
Posts: 341
Website: http://markwalling.org
http://isc.sans.org/diary.html?storyid=4408


PostPosted: Tue May 13, 2008 12:18 pm 
Senior Member

Joined: Fri Dec 07, 2007 1:37 am
Posts: 385
Location: NC, USA
pdepartida wrote:
After a week I had already blocked over 53'000 different IPs.
I suppose my 500 (577 now) is nothing to worry about then :)

I appreciate all the other suggestions, but so far I'm not terribly worried about the security of the system. I think I'm going to hold out on port 22 until I see a more viable threat.

Besides, it is kinda cool to get a list of somebody's botnet :twisted:

