From: Alessandro Vesely <vesely@tana.it>
To: Jan Engelhardt <jengelh@medozas.de>
Cc: netfilter@vger.kernel.org
Subject: Re: can we design a modified fail2ban ?
Date: Sun, 18 Apr 2010 15:46:36 +0200 [thread overview]
Message-ID: <4BCB0D3C.3060006@tana.it> (raw)
In-Reply-To: <alpine.LSU.2.01.1004171956030.10627@obet.zrqbmnf.qr>
On 17/Apr/10 19:58, Jan Engelhardt wrote:
> On Saturday 2010-04-17 18:01, Alessandro Vesely wrote:
>>> fail2ban has the ability - if I read its own short description right - to already use various blocking methods, including not only /etc/hosts.deny but also iptables.
>>
>> I don't think it uses netfilter, though. I've read it has to restart a daemon in order to unlist an IP --not sure it's still so for the current version.
>
> Better know than think.
The bit I had read is "You currently have to restart the daemon to
unban." in http://www.fail2ban.org/wiki/index.php/Features#0.9.0
However, reading slightly more carefully, that's about _manually_
unbanning an IP (e.g. a misconfigured client that locked out the whole
office behind its NAT.)
> N.B.: If what http://en.wikipedia.org/wiki/Fail2ban says is not correct, by all means you should correct it.
>
> Besides, if it is accurate, it uses iptables, not directly Netfilter.
Correct. Browsing action.d/iptables.conf one finds
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: <ip> IP address
# <failures> number of failures
# <time> unix timestamp of the ban time
# Values: CMD
#
actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: <ip> IP address
# <failures> number of failures
# <time> unix timestamp of the ban time
# Values: CMD
#
actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP
I think the daemon just executes those commands, after replacing the
tags. I don't know whether fail2ban uses some other storage to
remember frequently banned IPs.
How would you compare iptables and netfilter? I mean fail2ban actions
versus looking up a b-tree file, in terms of rough memory consumption
and responsiveness expectations? For the max number of entries, I
reckon b-trees can allow to map the entire IPv4 address space within
1Tb of mass storage. But what might be the difference with usual volumes?
next prev parent reply other threads:[~2010-04-18 13:46 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-04-16 3:57 can we design a modified fail2ban ? J. Bakshi
2010-04-16 7:28 ` Jan Engelhardt
2010-04-17 16:01 ` Alessandro Vesely
2010-04-17 17:58 ` Jan Engelhardt
2010-04-18 13:46 ` Alessandro Vesely [this message]
2010-04-18 16:44 ` Jan Engelhardt
2010-04-19 15:18 ` Alessandro Vesely
2010-04-19 3:16 ` J. Bakshi
2010-04-16 15:29 ` Pascal Hambourg
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4BCB0D3C.3060006@tana.it \
--to=vesely@tana.it \
--cc=jengelh@medozas.de \
--cc=netfilter@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox