From: Christopher E. <ce...@lc...> - 2020-08-27 08:41:01
Hi,
On 27.08.20 09:14, Felix Schwarz wrote:
> Hi,
>
> short version:
> I think SSHguard uses firewalld's API inefficiently as it seems to add/remove
> only a single IP per CLI call. I suspect this leads to high CPU usage by
> firewalld when SSHguard needs to block many addresses.
>
> firewalld also offers options to add/remove many items at once. Do you think
> SSHguard could use these options?
One could maybe modify the loop in sshg-fw.in [1] to collect the
addresses etc. in a bash array:
args=( addr1 addrtype1 cidr1 addr2 addrtype2 cidr2 ...)
and pass that to the fw_block()-etc functions if the previous line was
read more than a given interval ago, like a second or so:
    args+=("$addr" "$addrtype" "$cidr")
    if [[ $(( CURRENTTIME - LASTTIME )) -gt 1 ]]; then
        fw_block "${args[@]}"
        args=()
    fi
    LASTTIME=$CURRENTTIME
The backends would then be modified to loop over the arg array instead
of using the parameters directly:
    arg=("$@")
    for ((i = 0; i < $#; i += 3)); do
        addr="${arg[i]}"
        addrtype="${arg[i+1]}"
        cidr="${arg[i+2]}"
        # <do stuff>
    done
If the backend can not do multiple addresses, <do stuff> would be the
same as before, but if it can, it could use the loop to assemble the
actual command to run and then only trigger the backend once.
> Even though the server is probed for more than 10 hours now SSHguard still
> sees new IP addresses so I don't dare to hope that the attacker will be
> running out of new IP addresses soon.
Ouch.
Christopher
[1] https://bitbucket.org/sshguard/sshguard/src/master/src/fw/sshg-fw.in
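The batching scheme sketched in this message, worked through as an added bash example that is not part of SSHguard or of the thread: lines are collected into a flat array of (addr, addrtype, cidr) triples, the batch is flushed to the backend once the previous line is older than the interval, and the backend walks the triples three at a time to build one bulk command per address family. The names BATCH, LAST_FLUSH, FLUSH_INTERVAL, batch_add, batch_flush_if_due and fw_block are hypothetical, and the backend only prints a stand-in "bulk-add" line instead of invoking firewall-cmd, so it runs without firewalld.

```shell
#!/usr/bin/env bash
# Added example (hypothetical names, not SSHguard code): batch addresses and
# call the backend once per batch instead of once per address.

BATCH=()            # flat array: addr1 type1 cidr1 addr2 type2 cidr2 ...
LAST_FLUSH=0        # time (epoch seconds) at which the previous line was seen
FLUSH_INTERVAL=1    # flush when the previous line is older than this

# Backend: walk the flat array three items at a time, group entries per
# address family and emit ONE command per family. "bulk-add" is a stand-in
# for whatever bulk option the real backend uses; it is only printed here.
fw_block() {
    local -a arg=("$@") v4=() v6=()
    local i
    for ((i = 0; i < $#; i += 3)); do
        case "${arg[i+1]}" in
            4) v4+=("${arg[i]}/${arg[i+2]}") ;;
            6) v6+=("${arg[i]}/${arg[i+2]}") ;;
            *) echo "fw_block: bad addrtype '${arg[i+1]}'" >&2; return 1 ;;
        esac
    done
    [ ${#v4[@]} -gt 0 ] && echo "bulk-add sshguard4 ${v4[*]}"
    [ ${#v6[@]} -gt 0 ] && echo "bulk-add sshguard6 ${v6[*]}"
    return 0
}

# Called for each "addr addrtype cidr" line read from sshguard.
batch_add() {
    BATCH+=("$1" "$2" "$3")
}

# Flush the pending batch if the previous line was read more than
# FLUSH_INTERVAL seconds before $1 (the current time, epoch seconds).
# Returns 0 when a flush happened, 1 when the batch is still pending.
batch_flush_if_due() {
    local now=$1 rc=1
    if (( now - LAST_FLUSH > FLUSH_INTERVAL )) && (( ${#BATCH[@]} > 0 )); then
        fw_block "${BATCH[@]}"
        BATCH=()
        rc=0
    fi
    LAST_FLUSH=$now
    return $rc
}
```

Note that with a purely time-based trigger a steady stream of lines arriving faster than FLUSH_INTERVAL would never flush, so a real implementation also wants a cap on the batch size.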