From: Kevin Z. <kev...@gm...> - 2020-08-27 16:53:03
It's been a while since we've heard of an attack like this on the SSHGuard mailing list.

> Right now SSHguard log output about blocked IP addresses is delayed
> by ~4-7 minutes.

What do you mean by this? Is it that sshg-blocker warns about the attacker 4-7 minutes after the attack has begun, or is it simply that attacks are not blocked until 4-7 minutes later? If your `top` or `ps` shows wait states, could you check if sshg-blocker is running, idle, or blocked on something like a pipe write? If it is blocked by sshg-fw, then this suggests what you expect is true, that sshg-fw is inefficient.

>> I think SSHguard uses firewalld's API inefficiently as it seems to add/remove
>> only a single IP per CLI call. I suspect this leads to high CPU usage by
>> firewalld when SSHguard needs to block many addresses.
>>
>> firewalld also offers options to add/remove many items at once. Do you think
>> SSHguard could use these options?
>
> One could maybe modify the loop in sshg-fw.in [1] to collect the
> addresses etc. in a bash array:
>
> args=( addr1 addrtype1 cidr1 addr2 addrtype2 cidr2 ...)
>
> and pass that to the fw_block()-etc functions if the previous line was
> read more than a given interval ago, like a second or so:

As discussed here, one approach could be to collect multiple IPs and run firewall-cmd once per second. I also want to mention that sshg-fw is just an ordinary program; you can write a drop-in substitute, not necessarily in Bourne shell.

I suspect, without any measurement to back my suspicion, that the slowness comes from trying to invoke a separate firewall-cmd process so many times. Are there other ways to talk to firewalld without spinning up a process? I don't use firewalld, but some searching shows that there's a D-Bus interface and a "direct" interface. How does the firewalld GUI talk to firewalld? Through firewall-cmd or one of the interfaces I mentioned? Unfortunately, I don't have a Fedora installation around and won't be able to test.

But this is something we should keep in mind for all the other firewall backends. (I use pf, and sshg-fw-pf does the expensive thing of spinning up a pfctl process for each address that it blocks. It would be more efficient if I rewrote it using the ioctl(2) interface to talk directly to the /dev/pf device node.)
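The batching idea from the quoted reply, written out as an added example that is not SSHGuard's own sshg-fw code: it assumes sshg-blocker's "block ADDR ADDRTYPE CIDR" line format, ipsets named sshguard4/sshguard6, and firewall-cmd's --add-entries-from-file option, and by default it only prints the firewall-cmd line it would run.

```shell
#!/bin/sh
# Added example, not SSHGuard's sshg-fw: batch "block ADDR ADDRTYPE CIDR" lines from
# sshg-blocker so firewalld gets one firewall-cmd process per batch and address family
# instead of one per address. Assumed: ipsets sshguard4/sshguard6 as sshg-fw-firewalld
# would use. DRY_RUN=1 (default) prints the command line instead of running firewall-cmd.
BATCH_SECS="${BATCH_SECS:-1}"

# Block every ADDR/CIDR given as an argument in the ipset for address family $1 (4 or 6).
fw_block_many() {
    family=$1; shift
    [ $# -gt 0 ] || return 0
    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "firewall-cmd --ipset=sshguard$family --add-entries-from-file=[$# entries: $*]"
        return 0
    fi
    tmp=$(mktemp) || return 1
    printf '%s\n' "$@" > "$tmp"
    firewall-cmd --ipset="sshguard$family" --add-entries-from-file="$tmp" -q
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Read sshg-blocker lines on stdin. A batch starts with its first address and is flushed
# when a later line arrives BATCH_SECS or more after that (whole seconds via date +%s),
# and again at EOF. Caveat: plain read(1) never wakes up on its own, so an idle tail
# stays queued until the next line; bash's read -t would bound that delay. Only "block"
# lines are batched; a full substitute also needs release and flush (flush drains first).
batch_blocks() {
    v4='' v6='' started=''
    while read -r cmd addr addrtype cidr; do
        [ "$cmd" = block ] || continue
        now=$(date +%s)
        if [ -n "$started" ] && [ $((now - started)) -ge "$BATCH_SECS" ]; then
            fw_block_many 4 $v4     # unquoted on purpose: one argument per entry
            fw_block_many 6 $v6
            v4='' v6='' started=''
        fi
        [ -n "$started" ] || started=$now
        case "$addrtype" in
            4) v4="${v4:+$v4 }$addr/$cidr" ;;
            6) v6="${v6:+$v6 }$addr/$cidr" ;;
        esac
    done
    fw_block_many 4 $v4
    fw_block_many 6 $v6
}

# Stand-alone use: pipe sshg-blocker's output into "sh this_script.sh --run".
case "${1:-}" in --run) batch_blocks ;; esac
```

Set DRY_RUN=0 only once the ipset names match what your sshg-fw-firewalld actually creates.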