Entering too many IP addresses to be blocked at network level by Cloudron results in error: "setBlocklist (stderr): ipset v7.15: Hash is full, cannot add more elements"

d19dotca

@girish said in Entering too many IP addresses to be blocked at network level by Cloudron results in error: "setBlocklist (stderr): ipset v7.15: Hash is full, cannot add more elements":

I started looking into this and something seems off. https://raw.githubusercontent.com/X4BNet/lists_stopforumspam/main/ipv4.txt itself only has only 4267 addresses. I guess you are adding lot more addresses? But 120k addresses seems like a lot.

Oh that’s a great catch! I’m not sure how that happened. Let me test again with clearing out the setting entirely and saving blank, then pasting them in again and see what it says.

girish

@d19dotca One thing I found is that when adding the stopforumspam list and the firehol list together, my system gets hosed! I will debug this further tomorrow. As in, some iptables/ipset issue. Maybe this needs a lot more memory at kernel level.

JLX89

Just throwing this out there for what it is worth... I started experimenting, but got side tracked a while back. But I was looking at using CrowdSec to block traffic. There is at least a few Firhol lists and some other items.

It would be interesting to create one for forums and consolidate data from some of the other sources to create a blocklist. I did this to offset the "blocking" to an outside source, so that my server didn't quite take the hit.

necrevistonnezr

@JLX89 There‘s this guide: https://forum.cloudron.io/topic/6224/crowdsec-install-guide-for-cloudron-purposes but I‘m not sure it‘s still up-to-date - and I‘d very much prefere to have such functionality built-in

JLX89

@necrevistonnezr Yeah, I've seen that before. I'm looking a few things over, hopefully today -- see what I can come up with.

girish

OK, i have debugged this now. The issue was that Firehol lists includes both 127.0.x.x and the 172.16.x.x networks which ends up blocking database and docker access . Commenting out those two works fine.

So, @d19dotca the issue was really just that you have somehow pasted 120k addresses. The max size of ipset is 65536. I will put a validation check in place but otherwise there is no bug.

robi

@girish can the validation check include those internal Cloudron addresses too?

girish

@robi good idea. But just digging deeper, this looks like a bug in our code. Those IP addresses never appear from outside but looks like the firewall rule ends up getting applied for all network connections (internal and external).

d19dotca

@girish said in Entering too many IP addresses to be blocked at network level by Cloudron results in error: "setBlocklist (stderr): ipset v7.15: Hash is full, cannot add more elements":

The max size of ipset is 65536. I will put a validation check in place but otherwise there is no bug.

This may mean that using popular blocklists like this one won't work then (there is over 120k IPs, so I don't think it was a mistake earlier btw as you can see the number of unique IPs in the header comments on this list): https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/stopforumspam_90d.ipset

Perhaps this can be looked at for expansion in the future?

I was able to use their 30 day one (which still included the few IPs that seem persistent for my WordPress sites as trying to spam them) thankfully though as it's less than the limit in Cloudron.

girish

@d19dotca right, the 30d one seems to be 54975 size. I have increased the size of the ipset now to 262144 elements. If these things are growing more, we can look into making this size dynamic .