From: Thomas Lamprecht <t.lamprecht@proxmox.com>
To: Oguz Bektas <o.bektas@proxmox.com>,
Proxmox VE development discussion <pve-devel@lists.proxmox.com>
Subject: Re: [pve-devel] [RFC firewall] implement fail2ban in firewall
Date: Wed, 25 Aug 2021 14:51:00 +0200
Message-ID: <e46f9d3a-a5bf-2493-e85f-36ba514a9fe0@proxmox.com>
In-Reply-To: <YSYOj74RW45DNLzp@gaia>
On 25/08/2021 11:34, Oguz Bektas wrote:
> On Tue, Aug 24, 2021 at 08:58:10PM +0200, Thomas Lamprecht wrote:
>> E.g., did you think about checking the log just directly here? After all we run
>> every 10s anyway, so one could just directly parse the daemon log and add the
>> rules directly here; no extra daemon and external instance, which adapts filter
>> rules, required (the latter is racy anyway). Not necessarily a must, but the
>> simple regex on a single file would be easy; the hardest thing would be to handle
>> rotations and make reading not completely inefficient, but neither is too complicated
>> either.
>
> In the v2 it works better after implementing your suggestions (I'll send
> it today); now we check if the jail file has changed and only write it then.
>
That has zero to do with thinking about and evaluating just doing it ourselves here,
though? As there's still an additional dependency with an extra daemon running that
may not even interact correctly with how we operate the iptables...
>>
>> Anyhow, does fail2ban always flush all their rules? As else our rewrite of
>> the filter and raw tables on each update would make it somewhat moot.
>
> I'm not exactly sure, but in my tests the banned IP addresses stayed
> even after changing configuration and reloading the services. You can
> check with `fail2ban-client banned`.
I did not ask about the banned IP address view from the fail2ban daemon but
rather if the actual *iptables* rules persist; would be good to be sure about
such stuff if wanting to integrate such a feature.
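For reference, the in-loop approach sketched in the first quoted paragraph (read only what was appended since the previous 10s pass, start over on rotation, count failures per source address against a retry threshold), written out as an added Python example; this is not pve-firewall code and the daemon log format, file names and addresses are constructed for the example. A real integration would hand the resulting addresses to the firewall's own ipset/iptables update in the same pass instead of returning a list.

```python
import os, re, tempfile

# Matches a PAM-style failed login line; the line format and the addresses
# used below are constructed for this example, not from a real daemon log.
FAIL_RE = re.compile(r"authentication failure.*\brhost=(?P<ip>\d{1,3}(?:\.\d{1,3}){3})")

class LogWatcher:
    """Lines appended since the last run; restart on rotation or truncation."""
    def __init__(self, path):
        self.path, self.offset, self.inode = path, 0, None

    def new_lines(self):
        try:
            st = os.stat(self.path)
        except FileNotFoundError:
            return []  # rotated away and not recreated yet; retry next run
        if st.st_ino != self.inode or st.st_size < self.offset:
            self.offset, self.inode = 0, st.st_ino  # new inode or shrunk file
        with open(self.path, "rb") as f:
            f.seek(self.offset)
            data = f.read()
            self.offset = f.tell()
        cut = data.rfind(b"\n") + 1  # hold back a partially written last line
        self.offset -= len(data) - cut
        return data[:cut].decode("utf-8", "replace").splitlines()

def count_failures(lines, counts):
    # accumulate failed-login attempts per source IP into the counts dict
    for m in filter(None, map(FAIL_RE.search, lines)):
        counts[m.group("ip")] = counts.get(m.group("ip"), 0) + 1
    return counts

def ips_to_ban(counts, maxretry=3):
    return sorted(ip for ip, n in counts.items() if n >= maxretry)

def demo():
    """Three periodic runs over a constructed log, rotated before run 3."""
    log = os.path.join(tempfile.mkdtemp(), "daemon.log")
    fail = "pvedaemon: authentication failure; rhost={}\n"
    watcher, counts, bans = LogWatcher(log), {}, []
    def run(mode, text):  # write to the log, then do one periodic pass
        with open(log, mode) as f:
            f.write(text)
        bans.append(ips_to_ban(count_failures(watcher.new_lines(), counts)))
    run("w", fail.format("192.0.2.7") * 2 + "pvedaemon: login ok\n")  # 2 < 3
    run("a", fail.format("192.0.2.7") + "pvedaemon: authenticat")  # 3rd + partial
    os.rename(log, log + ".1")  # logrotate-style rename: same path, new inode
    run("w", fail.format("198.51.100.9") * 3)
    return bans
```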