From: lists <li...@la...> - 2022-01-20 04:08:20

I dropped using sshguard specifically for the load caused by adding IPs to firewalld. It was less of a load to allow failed ssh attempts than to block them. I use PKI so I think the odds of a breach are small. More likely than not some software vulnerability will lead to a breach rather than someone hacking ssh.

I realize sshguard also can protect your email. What I did is block all out-of-country use on all email ports other than 25, in addition to the server list that I block. Totally impractical except if you have a personal web server. I see very little hacking on my email and I use anvil to throttle what little does occur. My situation is I am using a one-CPU VPS.

Now to complete the story, I have a very large list of IP space that I block. I assume firewalld processes the CIDRs into some hash table that it efficiently searches; that is, the overhead of a static IP blocking list is nil. It does use a fair amount of memory but that isn't an issue for the VPS. At times my VPS would stall due to the CPU load, probably at moments when sshguard was altering the block list and the VPS wasn't getting much CPU juice. Sshguard is a fine program but firewalld doesn't handle dynamic blocking.

Given the state of centos, I probably will have to change to a new distro in a year or so. I stay on the list since the traffic is light and I may learn something for the next time I install it.

Blathering on a bit more, something like a two-step firewall is what you need. Use the big list first then follow up with the small list. I have over 30k CIDRs in the big list. I never had more than a few hundred at a time in the sshguard block list.

Original Message
From: ssh...@li...
Sent: January 19, 2022 3:10 PM
To: ssh...@li...
Reply-to: rr...@ro...
Subject: Re: [SSHGuard-users] performance when using firewalld: adding/removing many entries at once

On 1/10/2022 8:36 PM, Kevin Zheng wrote:
> On 1/9/22 9:22 PM, Kevin Buckley wrote:
>> 2h 00min 13916
>> 1h 45min 12116 15mins 1800 120.00/m 2.00/s
>> 1h 12min 8405 33mins 3711 112.45/m 1.87/s
>> 1h 8min 7936 4mins 469 117.25/m 1.95/s
>
> These numbers don't look good.
>
> I don't have a system handy where I can test firewall-cmd, but is
> there an interface (or another command) that lets you bulk-add address
> to an ipset without invoking firewall-cmd once per address?

firewall-cmd --ipset=ipset --add-entries-from-file=filename seems to be possibly what you are looking for, but that may in fact just be programmed to invoke firewall-cmd once per address in the file as opposed to a bulk load. I would read that documentation carefully and run some tests to see if it's faster for you and works for you. A script to read a line from a file you prepare and invoke the firewall-cmd command like SSHGuard currently does as you are using it, timed, and then another script to invoke the firewall-cmd command with the --add-entries-from-file option, timed, should give you benchmarks. You also could investigate other BACKENDS, as SSHGuard calls them, and see if others happen to be faster.

> I took a cursory look at what our "competitor" fail2ban does:

I don't think many would agree that fail2ban is a competitor of SSHGuard. At least to me they seem to have very different strategies, both of which could be integrated into the same system or used on a network for different systems in a way where they are not competitors per se but both used in different situations depending on their strengths in solving particular problems.

> https://github.com/fail2ban/fail2ban/blob/80805cabfcf57dd0454d47d7f86d43c6738ce629/config/action.d/firewallcmd-ipset.conf
>
> Which, to summarize, seems to be:
>
> actionban = firewall-cmd --ipset=<ipmset> --add-entry=<ip>
> actionunban = firewall-cmd --ipset=<ipmset> --remove-entry=<ip>
>
> Which seems to be exactly what SSHGuard is doing.
>
> Anyone with more Linux firewall experience who could tell us if
> there's a faster way to add to a firewalld ipset? Is it time to teach
> SSHGuard how to use the dbus interface?

I think if you want to stick to the firewalld ipset option with SSHGuard, carefully reading their documentation, and in particular for your questions the information about firewall-cmd options such as the one listing the ability to add IP addresses from a file, on their web site if you have access to that, would be a good idea. Documentation about firewall-cmd is available at the web site https://firewalld.org/documentation/man-pages/firewall-cmd.html if you don't have access to a machine to run something like 'man firewall-cmd'. As I said above though, I'm not sure it would be faster. It would seem it would, but I haven't done any testing.

> Regards,
> Kevin
>
> _______________________________________________
> sshguard-users mailing list
> ssh...@li...
> https://lists.sourceforge.net/lists/listinfo/sshguard-users
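The benchmark the reply suggests, written out as an added example that is not SSHGuard's or firewalld's own code: one function issues a separate firewall-cmd process per address, as the thread says the firewalld backend currently does, and the other hands the whole file to a single `--add-entries-from-file` call, so the two wall-clock times can be compared on the same host. It assumes firewalld is running and that an ipset with the placeholder name `sshguard-bench` already exists; the addresses it writes are constructed from 10.0.0.0/8, and `FIREWALL_CMD` can be overridden (for example to `true`) to exercise the script where firewalld is absent.

```shell
#!/bin/sh
# Added example (not SSHGuard's or firewalld's own code): compare one
# firewall-cmd process per address, as the firewalld backend discussed in
# the thread does, against a single --add-entries-from-file call.
#
# Assumptions: firewalld is running and the ipset named in IPSET already
# exists, e.g. created beforehand with
#   firewall-cmd --permanent --new-ipset=sshguard-bench --type=hash:ip
#   firewall-cmd --reload
# FIREWALL_CMD can be overridden (FIREWALL_CMD=true) to exercise the
# script on a host without firewalld.
: "${FIREWALL_CMD:=firewall-cmd}"
: "${IPSET:=sshguard-bench}"      # placeholder ipset name

# Write $2 constructed addresses from 10.0.0.0/8 to file $1, one per line.
gen_entries() {
    file=$1; count=$2; i=0
    : > "$file"
    while [ "$i" -lt "$count" ]; do
        printf '10.%d.%d.%d\n' \
            $(( (i / 65536) % 256 )) $(( (i / 256) % 256 )) $(( i % 256 )) >> "$file"
        i=$((i + 1))
    done
}

# One firewall-cmd invocation per address; prints the number added and
# fails on the first address firewall-cmd rejects.
add_one_by_one() {
    n=0
    while IFS= read -r ip; do
        "$FIREWALL_CMD" --ipset="$IPSET" --add-entry="$ip" >/dev/null || return 1
        n=$((n + 1))
    done < "$1"
    echo "$n"
}

# Single invocation that hands the whole file to firewalld.
add_bulk() {
    "$FIREWALL_CMD" --ipset="$IPSET" --add-entries-from-file="$1" >/dev/null
}

# Run a command, discard its output, print wall-clock seconds taken.
elapsed() {
    start=$(date +%s)
    "$@" >/dev/null || return 1
    end=$(date +%s)
    echo $((end - start))
}

# Usage: sh bench.sh run [count]   (count defaults to 500)
if [ "${1:-}" = run ]; then
    count=${2:-500}
    f=$(mktemp) || exit 1
    gen_entries "$f" "$count"
    echo "per-address: $(elapsed add_one_by_one "$f") s for $count entries"
    # Clear the set again so the bulk run adds the same entries, not duplicates.
    "$FIREWALL_CMD" --ipset="$IPSET" --remove-entries-from-file="$f" >/dev/null
    echo "bulk file:   $(elapsed add_bulk "$f") s for $count entries"
    rm -f "$f"
fi
```

Run it as `sh bench.sh run 2000` on the VPS in question; the interesting number is the per-address figure divided by the count, which is what Kevin Buckley's roughly 2 entries per second corresponds to. Neither path uses `--permanent`, matching the runtime-only blocks SSHGuard adds, so the entries disappear on a firewalld reload.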