D Steward wrote:
> Because I don't believe a solution such as fail2ban will scale (it can't
> be healthy having tens of thousands of IPs in iptables), I use denyhosts

Wherever possible I use layer 2 bridging OpenBSD firewalls in front of my networks. I don't have a problem with brute force attacks, but it seems it can scale to tens of thousands of IPs without a problem. I'm not sure if iptables has similar capabilities or not --

http://www.openbsd.org/faq/pf/tables.html

"[..]Lookups against a table are very fast and consume less memory and processor time than lists. For this reason, a table is ideal for holding a large group of addresses as the lookup time on a table holding 50,000 addresses is only slightly more than for one holding 50 addresses"

And the pf equivalent to the iptables throttling:

http://www.openbsd.org/faq/pf/filter.html

An example:

    table <abusive_hosts> persist
    block in quick from <abusive_hosts>
    pass in on $ext_if proto tcp to $web_server \
        port www flags S/SA keep state \
        (max-src-conn 100, max-src-conn-rate 15/5, overload <abusive_hosts> flush)

This does the following:

* Limits the maximum number of connections per source to 100
* Rate limits the number of connections to 15 in a 5 second span
* Puts the IP address of any host that breaks these limits into the <abusive_hosts> table
* For any offending IP addresses, flush any states created by this rule.

---

I don't like/use OpenBSD for anything other than firewalls. But I do think as a firewall, pf really can't be beat; the configuration for typical rules just 'flows'. IPTables by comparison is so cryptic. (Speaking as a past user of ipfwadm, ipfw, ipchains, iptables, pf, and Cisco PIX, which is probably the worst of the ones I've used.)

I use Linux pretty much everywhere else other than firewalls. Even my preferred network gear - load balancers and switches - runs Linux (commercial variants).

nate
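To make the behaviour of the quoted pf rule concrete, here is an added, simplified Python model of the per-source limits it enforces (max-src-conn, max-src-conn-rate N/S, and the overload table with flush). It is not code from the post, from nate, or from OpenBSD; it is an offline approximation of pf's semantics written for this page, and the IP addresses and connection timeline below are constructed sample data, not captured traffic. The model treats "more than N new connections within the last S seconds from one source" as a rate violation and "more than the max-src-conn limit of open states" as a connection-count violation, which is the reading of the rule given in the bullet list above.

```python
"""Simplified offline model of pf's per-source limits (assumption: this mirrors
the semantics described for max-src-conn / max-src-conn-rate / overload flush;
it is an illustration written for this page, not pf's implementation)."""
from collections import defaultdict, deque

MAX_SRC_CONN = 100   # max-src-conn 100
RATE_LIMIT = 15      # max-src-conn-rate 15/5: at most 15 new connections ...
RATE_WINDOW = 5.0    # ... in any 5 second span


class OverloadModel:
    def __init__(self, max_conn=MAX_SRC_CONN, rate=RATE_LIMIT, window=RATE_WINDOW):
        self.max_conn = max_conn
        self.rate = rate
        self.window = window
        self.abusive_hosts = set()              # the <abusive_hosts> table
        self.open_states = defaultdict(int)     # open states per source address
        self.recent = defaultdict(deque)        # timestamps of recent new connections

    def new_connection(self, src, ts):
        """Evaluate a new inbound TCP connection from `src` at time `ts`.

        Returns 'block' if the source is already in the table ("block in quick"),
        'overload' if this connection trips a limit (source is added to the
        table and its states flushed), or 'pass' otherwise.
        """
        if src in self.abusive_hosts:
            return "block"
        window = self.recent[src]
        window.append(ts)
        # Drop timestamps that fell out of the 5 second span.
        while window and ts - window[0] > self.window:
            window.popleft()
        self.open_states[src] += 1
        if self.open_states[src] > self.max_conn or len(window) > self.rate:
            self._overload(src)
            return "overload"
        return "pass"

    def close_connection(self, src):
        """A state created by the rule was torn down (FIN/RST/timeout)."""
        if self.open_states[src] > 0:
            self.open_states[src] -= 1

    def _overload(self, src):
        # "overload <abusive_hosts> flush": add the source to the table and
        # kill every state this rule created for it.
        self.abusive_hosts.add(src)
        self.open_states.pop(src, None)
        self.recent.pop(src, None)


def replay(events, model=None):
    """Replay ('open'|'close', src, ts) events; return the model and verdicts."""
    model = model or OverloadModel()
    verdicts = []
    for kind, src, ts in sorted(events, key=lambda e: e[2]):
        if kind == "open":
            verdicts.append((src, ts, model.new_connection(src, ts)))
        else:
            model.close_connection(src)
    return model, verdicts


# Constructed sample timeline (documentation-range addresses, not real hosts):
# 203.0.113.7 opens 20 connections in two seconds (a burst),
# 198.51.100.4 opens one connection per second and closes each after 0.5 s.
SAMPLE_EVENTS = (
    [("open", "203.0.113.7", 100.0 + i * 0.1) for i in range(20)]
    + [("open", "198.51.100.4", 100.0 + i) for i in range(10)]
    + [("close", "198.51.100.4", 100.5 + i) for i in range(10)]
)


def verdicts_for(src, verdicts):
    return [v for s, _, v in verdicts if s == src]


if __name__ == "__main__":
    model, verdicts = replay(SAMPLE_EVENTS)
    print("abusive_hosts:", sorted(model.abusive_hosts))
    for src in ("203.0.113.7", "198.51.100.4"):
        print(src, verdicts_for(src, verdicts))
```

Running it shows the burst source passing for its first 15 connections, being added to the table on the 16th (the rate limit), and having every later connection dropped by the "block in quick" rule, while the slow source never enters the table. The same class also trips the max-src-conn limit when a single source holds more than 100 open states without exceeding the rate, which is the other half of what the rule expresses.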