[kajika91]

I think fail2ban should never be used to directly add rules with iptable. This will get the iptable too bloated and each additional rule hurts performance. There are benchmark about that.

A solution is to use ipset and have fail2ban adding/removing up with ipset. I intend to write a blog about it, and other things about running your own server, as soon as I get some free time.

[fragmede]

Does it meaningfully hurt performance though? Like, if I'm serving Google.com, adding microseconds to reply to a packet really add up to be a problem, but for a raspberry pi sitting at my house, what's the performance impact of having a million iptable rules?

[Joel_Mckay]

In general, hobbyists will add the rule updates via a firewall whisper command override in fail2ban.

For example, shorewall/shorewall6 has rule set optimization for blrules (be warned single threaded Perl can take awhile for 300k IPs, and quick-boot rule-caching should be off during initial configuration).

I also use a crude ban-list generator script for certain persistently annoying country codes poking around, that currently imports a lot of iblocklist, spamhaus, known compromised IP posts on dodgy forums, and malformed whois records.

Yes it is rude to black-hole entire countries, but these same areas often tend to ruin the games with lagged connections and lame vulnerability/exfiltration scans.

https://www.youtube.com/watch?v=eGOtZDk6wRc