[asterisk-users] Iptables configuration to handle brute, force registrations?
Steve Edwards
asterisk.org at sedwards.com
Tue Apr 5 14:11:28 CDT 2011
On Tue, 5 Apr 2011, Sherwood McGowan wrote:

> Why run fail2ban and add overhead when you can just do the same thing
> with iptables itself?

Because it's not the same?

The iptables approach is great because it is 'light-weight' and it should
already 'be there.' Also, it can react quicker because it doesn't have to
read log files to make a decision.

The 'downside' of the iptables approach is that the blocks go away when
iptables is reloaded -- like when the host is restarted.

Probably not an issue with Gordon since his hosts stay up for years.

I'm thinking the iptables approach supplemented with a script to
periodically save the block list to disk would allow persistent blocks as
well as letting you accumulate blocks between all your hosts.

Which would still be much 'lighter' than fail2ban.

--
Thanks in advance,
-------------------------------------------------------------------------
Steve Edwards sedwards at sedwards.com Voice: +1-760-468-3867 PST
Newline Fax: +1-760-731-3000
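
The save-and-merge script suggested in the message above, sketched as an added example (not code from the post or the thread). It assumes the blocks are held in an xt_recent list named "sipblock" and saved to /var/lib/sipblock/blocked.txt; both names are hypothetical.

```shell
#!/bin/sh
# Added example: persist and merge an iptables "recent" block list.
# Assumed (not from the post): the rules use the xt_recent match with list
# name "sipblock"; the save path below is hypothetical too.
LIST_PROC=${LIST_PROC:-/proc/net/xt_recent/sipblock}
SAVE_FILE=${SAVE_FILE:-/var/lib/sipblock/blocked.txt}

# Print the IPv4 sources in an xt_recent list file; kernel lines look like
#   src=203.0.113.7 ttl: 52 last_seen: 4295998012 oldest_pkt: 1 4295998012
extract_sources() {
    sed -n 's/^src=\([0-9]\{1,3\}\(\.[0-9]\{1,3\}\)\{3\}\) .*/\1/p' "$1"
}

# Pass through only well-formed dotted quads. Lists copied from other hosts
# are input like any other and must not reach the kernel list unchecked.
valid_ipv4() {
    awk -F. 'NF == 4 && /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ &&
             $1 <= 255 && $2 <= 255 && $3 <= 255 && $4 <= 255'
}

# merge_blocklist OUT LIVE [PEER...]
# Union of the live kernel list, the previous OUT and any peer lists,
# validated, de-duplicated and swapped into place atomically.
merge_blocklist() {
    out=$1; live=$2; shift 2
    tmp=$(mktemp "${out}.XXXXXX") || return 1
    { [ -r "$live" ] && extract_sources "$live"
      for f in "$out" "$@"; do [ -r "$f" ] && cat "$f"; done
    } | valid_ipv4 | LC_ALL=C sort -u > "$tmp" && mv "$tmp" "$out"
}

# restore_blocklist SAVED LIST
# Re-add each saved address; xt_recent accepts "+addr" written to its list
# file, one address per write.
restore_blocklist() {
    valid_ipv4 < "$1" | while read -r ip; do
        echo "+$ip" > "$2"
    done
}

case "${1:-}" in
    save)    shift; merge_blocklist "$SAVE_FILE" "$LIST_PROC" "$@" ;;
    restore) restore_blocklist "$SAVE_FILE" "$LIST_PROC" ;;
esac
```

Run `save` from cron (with other hosts' saved lists as extra arguments to accumulate blocks) and `restore` at boot once the iptables rules that create the list are loaded. xt_recent keeps 100 addresses per list by default (module parameter `ip_list_tot`), so a large merged list needs that raised.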