From: Ryan M. R. <rr...@ro...> - 2022-01-19 13:46:16
On 1/10/2022 8:36 PM, Kevin Zheng wrote:
> On 1/9/22 9:22 PM, Kevin Buckley wrote:
>> 2h 00min 13916
>> 1h 45min 12116 15mins 1800 120.00/m 2.00/s
>> 1h 12min 8405 33mins 3711 112.45/m 1.87/s
>> 1h 8min 7936 4mins 469 117.25/m 1.95/s
>
> These numbers don't look good.
>
> I don't have a system handy where I can test firewall-cmd, but is
> there an interface (or another command) that lets you bulk-add addresses
> to an ipset without invoking firewall-cmd once per address?

firewall-cmd --ipset=ipset --add-entries-from-file=filename

seems to be possibly what you are looking for, but that may in fact just be programmed to invoke firewall-cmd once per address in the file as opposed to doing a bulk load. I would read that documentation carefully and run some tests to see if it's faster for you and works for you. A script that reads a line from a file you prepare and invokes the firewall-cmd command the way SSHGuard currently does (as you are using it), timed, and then another script that invokes the firewall-cmd command with the --add-entries-from-file option, also timed, should give you benchmarks. You could also investigate other BACKENDS, as SSHGuard calls them, and see if others happen to be faster.

> I took a cursory look at what our "competitor" fail2ban does:

I don't think many would agree that fail2ban is a competitor of SSHGuard. At least to me they seem to have very different strategies, both of which could be integrated into the same system, or used on a network for different systems, in a way where they are not competitors per se but are both used in different situations depending on their strengths in solving particular problems.

> https://github.com/fail2ban/fail2ban/blob/80805cabfcf57dd0454d47d7f86d43c6738ce629/config/action.d/firewallcmd-ipset.conf
>
> Which, to summarize, seems to be:
>
> actionban = firewall-cmd --ipset=<ipmset> --add-entry=<ip>
> actionunban = firewall-cmd --ipset=<ipmset> --remove-entry=<ip>
>
> Which seems to be exactly what SSHGuard is doing.
>
> Anyone with more Linux firewall experience who could tell us if
> there's a faster way to add to a firewalld ipset? Is it time to teach
> SSHGuard how to use the dbus interface?

I think if you want to stick to the firewalld ipset option with SSHGuard, carefully reading their documentation would be a good idea, and in particular, for your questions, the information about firewall-cmd options such as the one listing the ability to add IP addresses from a file, on their web site if you have access to that. Documentation about firewall-cmd is available at https://firewalld.org/documentation/man-pages/firewall-cmd.html if you don't have access to a machine where you can run something like 'man firewall-cmd'. As I said above though, I'm not sure it would be faster. It would seem so, but I haven't done any testing.

> Regards,
> Kevin
>
> _______________________________________________
> sshguard-users mailing list
> ssh...@li...
> https://lists.sourceforge.net/lists/listinfo/sshguard-users
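The two timed runs Ryan describes above (one firewall-cmd process per address, the way the SSHGuard backend does it, versus a single --add-entries-from-file call), as an added example that is not code from SSHGuard, firewalld or anyone in the thread. It assumes a hypothetical runtime (non --permanent) ipset named "sshguard4" that already exists, loads constructed 10.0.0.0/8 addresses rather than real attacker IPs, removes them again between passes so the bulk pass is not measuring duplicate rejections, and measures wall-clock seconds, which is coarse but adequate at the ~0.5 s per invocation seen in Kevin Buckley's numbers. Setting FWCMD to a shell function or wrapper lets you dry-run it on a machine without firewalld.

```shell
#!/bin/sh
# Added benchmark, not SSHGuard or firewalld code. Compares the two ways of
# filling a firewalld ipset discussed in the thread:
#   1. one firewall-cmd process per address (what the SSHGuard backend does)
#   2. one firewall-cmd process with --add-entries-from-file
# Assumptions (not from the thread): ipset "sshguard4" already exists in the
# runtime configuration, addresses are constructed 10.x.y.z entries, and
# timing is wall-clock seconds via date(1).
# Usage: sh bench-ipset.sh run              (needs firewall-cmd and the ipset)
#        FWCMD=./stub-cmd sh bench-ipset.sh run   (dry run through a wrapper)

FWCMD="${FWCMD:-firewall-cmd}"   # command under test; override to dry-run
IPSET="${IPSET:-sshguard4}"      # hypothetical ipset name; must already exist
COUNT="${COUNT:-200}"            # how many constructed addresses to load

# gen_addrs FILE N: write N distinct constructed addresses (10.a.b.c, counting
# up from 10.0.0.0) to FILE and print the number of lines written.
gen_addrs() {
    file=$1; n=$2; i=0
    : > "$file"
    while [ "$i" -lt "$n" ]; do
        printf '10.%d.%d.%d\n' $(( i / 65536 % 256 )) $(( i / 256 % 256 )) $(( i % 256 )) >> "$file"
        i=$(( i + 1 ))
    done
    wc -l < "$file" | tr -d ' '
}

# add_one_by_one FILE: SSHGuard style, one firewall-cmd process per address.
# Prints the number of processes spawned. stdin is redirected so the command
# cannot swallow the rest of the address file.
add_one_by_one() {
    n=0
    while IFS= read -r ip; do
        $FWCMD --ipset="$IPSET" --add-entry="$ip" </dev/null >/dev/null || return 1
        n=$(( n + 1 ))
    done < "$1"
    echo "$n"
}

# add_bulk FILE: one firewall-cmd process for the whole file. Prints 1.
add_bulk() {
    $FWCMD --ipset="$IPSET" --add-entries-from-file="$1" </dev/null >/dev/null || return 1
    echo 1
}

# clear_entries FILE: remove the same addresses again so the next pass starts
# from the same (empty) state; bulk counterpart of --remove-entry.
clear_entries() {
    $FWCMD --ipset="$IPSET" --remove-entries-from-file="$1" </dev/null >/dev/null
}

# timed LABEL FUNC FILE: run FUNC FILE and print "LABEL <processes> <seconds>".
timed() {
    label=$1; fn=$2; file=$3
    start=$(date +%s)
    procs=$("$fn" "$file") || { echo "$label failed" >&2; return 1; }
    end=$(date +%s)
    echo "$label $procs $(( end - start ))"
}

run_benchmark() {
    tmp=$(mktemp) || exit 1
    trap 'rm -f "$tmp"' EXIT
    gen_addrs "$tmp" "$COUNT" >/dev/null
    timed one-by-one add_one_by_one "$tmp"
    clear_entries "$tmp"
    timed bulk-file add_bulk "$tmp"
    clear_entries "$tmp"
}

if [ "${1:-}" = "run" ]; then
    run_benchmark
fi
```

Run it as root on the host that has the ipset, then compare the two printed lines; if the bulk line is not markedly faster, the --add-entries-from-file path is probably doing the same per-entry work internally, which is exactly what Ryan cautions may be the case.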