From: Felix S. <fel...@os...> - 2020-08-27 07:30:37

Hi,

short version: I think SSHguard uses firewalld's API inefficiently as it seems to add/remove only a single IP per CLI call. I suspect this leads to high CPU usage by firewalld when SSHguard needs to block many addresses. firewalld also offers options to add/remove many items at once. Do you think SSHguard could use these options?

Felix

Background: I'm a satisfied user of SSHguard. So far it really works great and I found it easy to set up with CentOS and Fedora. This morning however one of my servers is targeted by some kind of distributed brute force "attack". I see roughly 10-20 SSH login attempts per second from various IP addresses (I guess a few hundred but well below 1000). SSHguard is happily blocking IPs and still working as intended, but the CPU of that poor little server is maxed out at 100% (it is a very tiny instance). When using "top" I see that firewalld needs a lot of CPU over longer periods of time.

I can see that SSHguard uses "firewall-cmd [...] --add-entry=.../32" and seems to add/remove only a single IP at a time. Based on experience with other software I suspect that inefficient use of the firewalld API might contribute to this high CPU usage. Right now SSHguard log output about blocked IP addresses is delayed by ~4-7 minutes. Even though the server is probed for more than 10 hours now, SSHguard still sees new IP addresses, so I don't dare to hope that the attacker will be running out of new IP addresses soon.
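The batching the message asks about can be shown with a small shell script. This is an added illustration, not code from SSHguard or from this thread: it collects addresses into a file and hands them to firewalld in one `firewall-cmd --ipset=... --add-entries-from-file=` call instead of one `--add-entry` call per address (the matching `--remove-entries-from-file` option unblocks the same way). The ipset name `sshguard4`, the `DRY_RUN`/`FIREWALL_CMD` variables and the sample addresses are assumptions of this example.

```shell
#!/bin/sh
# Added example: batch many blocked addresses into one firewall-cmd call.
# Assumed names: IPSET_NAME is not taken from SSHguard; DRY_RUN only prints
# the command so the script can be exercised without a running firewalld.
IPSET_NAME="${IPSET_NAME:-sshguard4}"
FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"

# normalize_entries: read one address per line on stdin, strip comments and
# whitespace, keep only IPv4 addresses or CIDR prefixes, append /32 to bare
# addresses (the form the message shows SSHguard using), and drop duplicates.
normalize_entries() {
    sed -e 's/#.*//' -e 's/[[:space:]]//g' \
    | grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$' \
    | sed -E 's#^([0-9.]+)$#\1/32#' \
    | sort -u
}

# block_batch FILE: add every address listed in FILE to the ipset with a
# single firewall-cmd invocation. Returns 1 if FILE holds no usable entry.
block_batch() {
    entries="$(normalize_entries < "$1")"
    count="$(printf '%s\n' "$entries" | grep -c . || true)"
    [ "$count" -gt 0 ] || { echo "no usable entries in $1" >&2; return 1; }
    tmp="$(mktemp)"
    printf '%s\n' "$entries" > "$tmp"
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$FIREWALL_CMD --ipset=$IPSET_NAME --add-entries-from-file=$tmp ($count entries)"
        rc=0
    else
        "$FIREWALL_CMD" --ipset="$IPSET_NAME" --add-entries-from-file="$tmp"
        rc=$?
    fi
    rm -f "$tmp"
    return $rc
}

# Usage: collect addresses for a short interval, then flush them in one call.
#   printf '203.0.113.5\n198.51.100.7\n' > /tmp/pending.txt
#   DRY_RUN=1 block_batch /tmp/pending.txt
```

In practice the collector would append addresses as they are detected and call `block_batch` once every few seconds; the cost firewalld pays per call (loading and applying the ipset change) is then spread over the whole batch instead of being incurred for each of the hundreds of addresses the message describes.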