From: Kevin B. <kev...@gm...> - 2022-01-19 09:10:15
On 2022/01/11 12:36, Kevin Zheng wrote:
> On 1/9/22 9:22 PM, Kevin Buckley wrote:
>> 2h 00min  13916
>> 1h 45min  12116  15mins  1800  120.00/m  2.00/s
>> 1h 12min   8405  33mins  3711  112.45/m  1.87/s
>> 1h  8min   7936   4mins   469  117.25/m  1.95/s
>
> These numbers don't look good.
>
> I don't have a system handy where I can test firewall-cmd, but is there
> an interface (or another command) that lets you bulk-add addresses to an
> ipset without invoking firewall-cmd once per address?
>
> I took a cursory look at what our "competitor" fail2ban does:
>
> https://github.com/fail2ban/fail2ban/blob/80805cabfcf57dd0454d47d7f86d43c6738ce629/config/action.d/firewallcmd-ipset.conf
>
> Which, to summarize, seems to be:
>
> actionban = firewall-cmd --ipset=<ipmset> --add-entry=<ip>
>
> actionunban = firewall-cmd --ipset=<ipmset> --remove-entry=<ip>
>
> Which seems to be exactly what SSHGuard is doing.
>
> Anyone with more Linux firewall experience who could tell us if there's
> a faster way to add to a firewalld ipset? Is it time to teach SSHGuard
> how to use the dbus interface?

I am not going to claim vast firewalld experience, but one thing worth noting is that adding IP addresses, or ranges, read from an existing blacklist file at SSHGuard startup, results in every line in var/lib/sshguard/blacklist being added to /etc/firewalld/ipsets/sshguard4.xml as entries between these lines

<?xml version="1.0" encoding="utf-8"?>
<ipset type="hash:net">
  <option name="family" value="inet"/>
  ... entries here ...
</ipset>

so, for example,

<entry>192.102.251.102/32</entry>

That suggests that one could take the blacklist lines and simply pre-populate the sshguard4.xml IPSet file before starting SSHGuard; however, I am not sure what SSHGuard would do with existing entries if, on starting, it finds that the sshguard4 IPSet exists and already has entries.

I can't currently speak to the speed with which a pre-populated IPSet file is read into FirewallD, because my instance is still slowly churning through the ingest of my blacklist after the most recent restart, but once I have the IPSet file, I intend to take a look at that.

Kevin
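The pre-population idea raised in the message above, worked through as an added example that is not part of this thread and not SSHGuard's or firewalld's own code: it reads a blacklist file, validates each address with the standard `ipaddress` module, and renders the `sshguard4.xml` ipset file in the layout the message shows. It assumes the SSHGuard blacklist format is `address|addrkind|service` per line (a plain address per line is also accepted), and it keeps IPv4 entries only because the file declares `family="inet"`. The `firewall_cmd_bulk_load` helper builds the argument list for `firewall-cmd --ipset=... --add-entries-from-file=...`, an existing firewall-cmd option that loads many entries in one invocation instead of one `--add-entry` call per address; the script does not run it.

```python
import ipaddress

# Constructed sample of a blacklist file (not real data). The "addr|kind|service"
# layout is an assumption about SSHGuard's format; a bare address line is
# tolerated too. One line is deliberately malformed to exercise the skip path.
SAMPLE_BLACKLIST = """\
192.102.251.102|4|100
203.0.113.0/24|4|100
2001:db8::1|6|100
not an address|4|100
198.51.100.7
"""


def parse_blacklist(text):
    """Return the networks listed in blacklist text, one per line.

    Malformed lines are skipped rather than aborting the whole load, so a
    single corrupt line in a large file does not leave the ipset empty.
    """
    nets = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        addr = line.split("|", 1)[0].strip()
        try:
            # strict=False lets a host address with a non-zero host part through,
            # normalised to its /32 (or /128) network.
            nets.append(ipaddress.ip_network(addr, strict=False))
        except ValueError:
            continue
    return nets


def render_ipset_xml(nets, family="inet"):
    """Render a firewalld ipset file of type hash:net in the layout shown above.

    Only entries matching the declared family are written: firewalld rejects
    an IPv6 entry inside an "inet" set, so mixing them would make the file
    fail to load. Duplicates are dropped to keep the set minimal.
    """
    want_v4 = (family == "inet")
    lines = [
        '<?xml version="1.0" encoding="utf-8"?>',
        '<ipset type="hash:net">',
        f'  <option name="family" value="{family}"/>',
    ]
    seen = set()
    for net in nets:
        if (net.version == 4) != want_v4:
            continue
        entry = net.with_prefixlen  # e.g. 192.102.251.102/32
        if entry in seen:
            continue
        seen.add(entry)
        lines.append(f"  <entry>{entry}</entry>")
    lines.append("</ipset>")
    return "\n".join(lines) + "\n"


def firewall_cmd_bulk_load(ipset, entries_file):
    """Argument list for loading a whole file of entries into a live ipset.

    --add-entries-from-file is firewall-cmd's own bulk form of --add-entry;
    this only builds the command, it does not execute it.
    """
    return ["firewall-cmd", f"--ipset={ipset}",
            f"--add-entries-from-file={entries_file}"]


if __name__ == "__main__":
    # Write the ipset file for the constructed sample; in real use, read
    # /var/lib/sshguard/blacklist and write /etc/firewalld/ipsets/sshguard4.xml
    # while firewalld is stopped, then reload.
    nets = parse_blacklist(SAMPLE_BLACKLIST)
    print(render_ipset_xml(nets), end="")
    print(" ".join(firewall_cmd_bulk_load("sshguard4", "/tmp/sshguard4.entries")))
```

Whether SSHGuard then tolerates a set that already contains entries at startup is the open question in the message and is not answered by this script; a reasonable check is to start SSHGuard against a pre-populated set on a test host and compare the entry count before and after.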