[asterisk-users] Iptables configuration to handle brute force registrations?
Sherwood McGowan
sherwood.mcgowan at gmail.com
Tue Apr 5 14:19:22 CDT 2011
On 4/5/2011 2:11 PM, Steve Edwards wrote:
> On Tue, 5 Apr 2011, Sherwood McGowan wrote:
>
>> Why run fail2ban and add overhead when you can just do the same thing
>> with iptables itself?
>
> Because it's not the same?
>
> The iptables approach is great because it is 'light-weight' and it
> should already 'be there.' Also, it can react quicker because it
> doesn't have to read log files to make a decision.
>
> The 'downside' of the iptables approach is that the blocks go away
> when iptables is reloaded -- like when the host is restarted.
>
> Probably not an issue with Gordon since his hosts stay up for years.
>
> I'm thinking the iptables approach supplemented with a script to
> periodically save the block list to disk would allow persistent blocks
> as well as letting you accumulate blocks between all your hosts.
>
> Which would still be much 'lighter' than fail2ban.
>
Agreed on all points, Steve. I've already implemented an auto-save
function to work around the drawback you mentioned.
Are there possibly other drawbacks that I'm not seeing/remembering? I've
been running an iptables-based setup for some time, never really jumped
into the fail2ban wagon.
--
Sherwood McGowan <sherwood.mcgowan at gmail.com>
Carrier, ITSP, Call Center, and PBX Solutions Consultant
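
The save-and-merge script discussed in this message (persisting the iptables block list and accumulating blocks between hosts) could look like the sketch below; it is an added example, not code from the thread or from either poster. It assumes the blocks are plain DROP rules in a dedicated chain, and the chain name SIP_BLOCK and the /var/lib/sip-blocks paths are hypothetical.

```shell
#!/bin/sh
# Added example. Assumption: blocks are "-A SIP_BLOCK -s <ip>/32 -j DROP"
# rules in a dedicated chain; the chain name SIP_BLOCK is hypothetical.
CHAIN="${CHAIN:-SIP_BLOCK}"

# stdin: `iptables-save` output; stdout: one blocked IPv4 address per line.
extract_blocks() {
    awk -v chain="$CHAIN" '
        $1 == "-A" && $2 == chain && $3 == "-s" && $(NF-1) == "-j" && $NF == "DROP" {
            sub(/\/32$/, "", $4); print $4
        }'
}

# Pass only well-formed dotted quads, so a corrupted or tampered list file
# copied from another host cannot smuggle extra rules into the restore input.
valid_ipv4() {
    awk -F. '
        NF == 4 && $0 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
            for (i = 1; i <= 4; i++) if ($i > 255) next
            print
        }'
}

# Merge live blocks (stdin) with saved list files (one IP per line, e.g.
# collected from other hosts); output is validated, sorted, de-duplicated.
merge_blocks() {
    { extract_blocks; if [ "$#" -gt 0 ]; then cat -- "$@"; fi; } |
        valid_ipv4 | LC_ALL=C sort -u
}

# stdin: IP list; stdout: an iptables-restore fragment for the chain.
to_restore() {
    printf '*filter\n:%s - [0:0]\n' "$CHAIN"
    while IFS= read -r ip; do
        printf '%s %s -s %s/32 -j DROP\n' "-A" "$CHAIN" "$ip"
    done
    printf 'COMMIT\n'
}

# Periodic job, not executed here (the /var/lib/sip-blocks paths are
# hypothetical):
#   iptables-save | merge_blocks /var/lib/sip-blocks/*.list > /var/lib/sip-blocks/merged
#   to_restore < /var/lib/sip-blocks/merged | iptables-restore --noflush
```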