The VPS iptables records limit (numiptent) might affect the work of Plesk's Fail2Ban.

Hi there,

The error messages you provided suggest that Fail2Ban is trying to manipulate an iptables chain called “f2b-plesk-postfix” which doesn’t exist, causing the iptables commands to fail. It could be because Fail2Ban is misconfigured or the iptables chain was deleted manually or by some other process.

However, your original concern was about the limit of iptables records (numiptent) affecting the work of Plesk’s Fail2Ban. If the number of iptables rules has exceeded the limit set by the kernel, it can certainly cause issues. Fail2Ban won’t be able to add new rules to ban IP addresses, and you might see errors in your logs.

To resolve this issue, here are a few suggestions:

• Optimize your iptables rules: Check your iptables rules to see if there are any unnecessary or duplicate rules that you could remove to reduce the total number of entries.

Optimize Fail2Ban: You might be able to reduce the number of iptables rules created by Fail2Ban by adjusting its settings. For example, you could increase the “bantime” parameter to ban IP addresses for a longer period, thus reducing the churn of adding and removing rules. You could also adjust the “findtime” and “maxretry” parameters to be more forgiving and generate fewer bans.

• Use ipset with iptables: If you’re dealing with a large number of IP addresses to ban, consider using ipset in conjunction with iptables. Ipset is designed to handle large numbers of entries more efficiently than plain iptables. There’s a Fail2Ban action called “iptables-ipset-proto6-allports” which uses ipset.

• Investigate the issue with the “f2b-plesk-postfix” chain: To address the error messages you provided, you might need to investigate why the “f2b-plesk-postfix” chain is missing. You can start Fail2Ban in debug mode to get more detailed logs which might help identify the issue.

Best,

Bobby