From: Felix S. <fel...@os...> - 2020-08-27 19:15:57
On 27.08.20 at 18:52, Kevin Zheng wrote:
>> Right now SSHguard log output about blocked IP addresses is delayed
>> by ~4-7 minutes.
>
> What do you mean by this? Is it that sshg-blocker warns about the
> attacker 4-7 minutes after the attack has begun, or is it simply that
> attacks are not blocked until 4-7 minutes later?

I opened "journalctl -f -u sshguard" and "watch systemctl status sshguard" in a terminal. The times shown in these log outputs lagged ~4-7 minutes, while they are near real time otherwise. (And there was a continuous stream of new login attempts, so there should have been many messages about new blocks.)

The firewalld ipset contained ~600 IP addresses at some point, but after ~16 hours the flooding eventually stopped, so I can not check all the details anymore. However:

> If your `top` or `ps` shows wait states, could you check if sshg-blocker
> is running, idle, or being blocked something by a pipe write?

"systemctl status sshguard" also shows child processes, and what I could see is that there was always a call to "firewall-cmd" visible. Also, my manual calls to "firewall-cmd" in a separate terminal took pretty long (a few seconds per invocation). Usually these commands are pretty quick.

I guess I should try to create a test scenario where I add random IP addresses via firewall-cmd and check if I also see high CPU load. Ideally I'd see a much lower CPU load - though I'm a bit swamped currently, so it'll take a few days.

Felix
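The test scenario described in the message above (add random addresses through firewall-cmd, one call each, and see how long it takes), written out as a small POSIX shell harness. This is an added example, not code from the thread or from the sshguard project; the ipset name `sshguard4`, the `EXTRA_OPTS` knob and the function names are assumptions made for this example. It only touches addresses in the private 10.0.0.0/8 range and removes them again afterwards, so nothing real ends up blocked.

```shell
#!/bin/sh
# Added example (not part of the original thread): time N single-address
# firewall-cmd ipset additions, the way a blocker backend issues them.
# IPSET name "sshguard4" and the EXTRA_OPTS knob are assumptions for this example.
set -u

IPSET="${IPSET:-sshguard4}"
# Extra firewall-cmd options, e.g. EXTRA_OPTS=--permanent to compare the
# permanent-configuration path against the runtime path.
EXTRA_OPTS="${EXTRA_OPTS:-}"

# Deterministic pseudo-random address inside 10.0.0.0/8 (private space only);
# $1 is a sequence number, so the same list can be removed again afterwards.
random_ip() {
    n=$1
    printf '10.%d.%d.%d\n' $(( (n * 7919 + 13) % 256 )) $(( (n * 104729 + 7) % 256 )) $(( n % 254 + 1 ))
}

# One firewall-cmd call per add and per remove, mirroring a blocker backend.
add_entry()    { firewall-cmd $EXTRA_OPTS --ipset="$IPSET" --add-entry="$1" >/dev/null; }
remove_entry() { firewall-cmd $EXTRA_OPTS --ipset="$IPSET" --remove-entry="$1" >/dev/null; }

# Add $1 addresses, print the wall time, then remove them again.
# Prints "added N entries in S s (avg MS ms, F failed)"; returns the number of failed adds.
bench_adds() {
    count=$1
    [ "$count" -gt 0 ] || return 1
    failed=0
    i=0
    start=$(date +%s)
    while [ "$i" -lt "$count" ]; do
        add_entry "$(random_ip "$i")" || failed=$((failed + 1))
        i=$((i + 1))
    done
    end=$(date +%s)
    elapsed=$((end - start))
    echo "added $count entries in $elapsed s (avg $((elapsed * 1000 / count)) ms, $failed failed)"
    # Clean up so the ipset is left as it was found.
    i=0
    while [ "$i" -lt "$count" ]; do
        remove_entry "$(random_ip "$i")" || true
        i=$((i + 1))
    done
    return "$failed"
}

# Usage: sh bench-ipset.sh run 200   (needs permission to talk to firewalld)
if [ "${1:-}" = "run" ]; then
    bench_adds "${2:-100}"
fi
```

Run it once with the default runtime path and once with `EXTRA_OPTS=--permanent` while watching `top` in another terminal; if the per-call time and CPU load are already high with the harness alone, the slowness is in the firewall-cmd side rather than in sshguard's own processing.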