From: Alessandro Vesely <vesely@tana.it>
To: Jan Engelhardt <jengelh@medozas.de>
Cc: netfilter@vger.kernel.org
Subject: Re: can we design a modified fail2ban ?
Date: Sun, 18 Apr 2010 15:46:36 +0200
Message-ID: <4BCB0D3C.3060006@tana.it>
In-Reply-To: <alpine.LSU.2.01.1004171956030.10627@obet.zrqbmnf.qr>
On 17/Apr/10 19:58, Jan Engelhardt wrote:
> On Saturday 2010-04-17 18:01, Alessandro Vesely wrote:
>>> fail2ban has the ability - if I read its own short description right - to already use various blocking methods, including not only /etc/hosts.deny but also iptables.
>>
>> I don't think it uses netfilter, though. I've read it has to restart a daemon in order to unlist an IP --not sure it's still so for the current version.
>
> Better know than think.
The bit I had read is "You currently have to restart the daemon to
unban." in http://www.fail2ban.org/wiki/index.php/Features#0.9.0
However, reading slightly more carefully, that's about _manually_
unbanning an IP (e.g. a misconfigured client that locked out the whole
office behind its NAT.)
> N.B.: If what http://en.wikipedia.org/wiki/Fail2ban says is not correct, by all means you should correct it.
>
> Besides, if it is accurate, it uses iptables, not directly Netfilter.
Correct. Browsing action.d/iptables.conf one finds
# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    <ip>  IP address
#          <failures>  number of failures
#          <time>  unix timestamp of the ban time
# Values:  CMD
#
actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP

# Option:  actionunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    <ip>  IP address
#          <failures>  number of failures
#          <time>  unix timestamp of the ban time
# Values:  CMD
#
actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP
I think the daemon just executes those commands, after replacing the
tags. I don't know whether fail2ban uses some other storage to
remember frequently banned IPs.
How would you compare iptables and netfilter? I mean fail2ban actions
versus looking up a b-tree file, in terms of rough memory consumption
and responsiveness expectations? For the max number of entries, I
reckon b-trees could map the entire IPv4 address space within
1Tb of mass storage. But what might be the difference with usual volumes?
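The mechanism discussed above (the daemon substitutes the <name>, <ip>, <failures> and <time> tags into the actionban/actionunban templates and executes the result) can be illustrated with a small Python script. This is an added example written for this page, not fail2ban's own code: the templates are the two lines quoted from action.d/iptables.conf, but the helper names (render_action, ActionRunner, dry_run_demo), the decision to validate <ip> with the ipaddress module before substitution, running the command as an argv list rather than through a shell, and the sample address 198.51.100.23 are all this example's assumptions. The recording executor keeps it runnable offline and without root.

```python
"""Added example (not fail2ban's own code): render fail2ban-style action
templates by filling in <tags>, then hand the result to an executor.

Assumptions made here, not taken from fail2ban: tag values are validated
before substitution, commands run as argv lists (no shell), and a recording
executor stands in for iptables so the demo works without root."""
import ipaddress
import re
import shlex
import subprocess
import time
from typing import Callable, Dict, List, Optional

# Templates copied from the quoted action.d/iptables.conf.
ACTIONBAN = "iptables -I fail2ban-<name> 1 -s <ip> -j DROP"
ACTIONUNBAN = "iptables -D fail2ban-<name> -s <ip> -j DROP"

TAG_RE = re.compile(r"<([A-Za-z_][A-Za-z0-9_]*)>")


def render_action(template: str, tags: Dict[str, str]) -> List[str]:
    """Replace every <tag> in the template and split the result into argv.

    An unknown tag is an error rather than being passed through literally,
    and the argv list lets the caller run the command without a shell.
    """
    def substitute(match) -> str:
        name = match.group(1)
        if name not in tags:
            raise KeyError(f"unknown tag <{name}> in action template")
        return tags[name]
    return shlex.split(TAG_RE.sub(substitute, template))


class ActionRunner:
    """Builds and executes the ban/unban commands for one jail (<name>).

    `execute` defaults to subprocess.run; the demo passes a recorder instead.
    """

    def __init__(self, name: str,
                 execute: Optional[Callable[[List[str]], int]] = None):
        self.name = name
        self.execute = execute or self._run_real
        self.banned: Dict[str, int] = {}   # ip -> failures at ban time

    @staticmethod
    def _run_real(argv: List[str]) -> int:
        # No shell: argv goes straight to execve, so no metacharacters apply.
        return subprocess.run(argv, check=False).returncode

    def _tags(self, ip: str, failures: int) -> Dict[str, str]:
        # The <ip> value originates from log parsing, so this example refuses
        # anything that is not a literal IPv4/IPv6 address before it reaches
        # a command line (example's own check, not fail2ban's).
        addr = ipaddress.ip_address(ip)
        return {
            "name": self.name,
            "ip": str(addr),
            "failures": str(failures),
            "time": str(int(time.time())),
        }

    def ban(self, ip: str, failures: int) -> List[str]:
        argv = render_action(ACTIONBAN, self._tags(ip, failures))
        if self.execute(argv) != 0:
            raise RuntimeError(f"actionban failed for {ip}")
        self.banned[ip] = failures
        return argv

    def unban(self, ip: str) -> List[str]:
        failures = self.banned.pop(ip, 0)
        argv = render_action(ACTIONUNBAN, self._tags(ip, failures))
        if self.execute(argv) != 0:
            raise RuntimeError(f"actionunban failed for {ip}")
        return argv


def dry_run_demo() -> List[List[str]]:
    """Ban then unban one constructed address, recording the commands."""
    log: List[List[str]] = []

    def record(argv: List[str]) -> int:
        log.append(argv)
        return 0

    runner = ActionRunner("sshd", execute=record)
    runner.ban("198.51.100.23", failures=5)   # constructed sample address
    runner.unban("198.51.100.23")
    return log


if __name__ == "__main__":
    for argv in dry_run_demo():
        print(" ".join(argv))
```

The `<failures>` and `<time>` tags are rendered even though neither quoted template uses them, so a template that does reference them (a logging or mail action, say) would work with the same renderer. Running the demo prints the two iptables commands that would be issued for the sshd jail.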
Thread overview: 9+ messages
2010-04-16 3:57 can we design a modified fail2ban ? J. Bakshi
2010-04-16 7:28 ` Jan Engelhardt
2010-04-17 16:01 ` Alessandro Vesely
2010-04-17 17:58 ` Jan Engelhardt
2010-04-18 13:46 ` Alessandro Vesely [this message]
2010-04-18 16:44 ` Jan Engelhardt
2010-04-19 15:18 ` Alessandro Vesely
2010-04-19 3:16 ` J. Bakshi
2010-04-16 15:29 ` Pascal Hambourg