[asterisk-users] Iptables configuration to handle brute force registrations?
Steve Edwards
asterisk.org at sedwards.com
Tue Apr 5 14:40:43 CDT 2011
>> On Tue, 5 Apr 2011, Sherwood McGowan wrote:
>>> Why run fail2ban and add overhead when you can just do the same thing
>>> with iptables itself?
> On 4/5/2011 2:11 PM, Steve Edwards wrote:
>> Because it's not the same?
>> The iptables approach is great because it is 'light-weight' and it
>> should already 'be there.' Also, it can react quicker because it
>> doesn't have to read log files to make a decision.
>>
>> The 'downside' of the iptables approach is that the blocks go away when
>> iptables is reloaded -- like when the host is restarted.
>>
>> Probably not an issue with Gordon since his hosts stay up for years.
>>
>> I'm thinking the iptables approach supplemented with a script to
>> periodically save the block list to disk would allow persistent blocks
>> as well as letting you accumulate blocks between all your hosts.
>>
>> Which would still be much 'lighter' than fail2ban.
On Tue, 5 Apr 2011, Sherwood McGowan wrote:
> Agreed on all points Steve. I've already implemented an auto save
> function, to workaround the drawback you mentioned.
Then you're already a couple of steps down the path further than me :)
> Are there possibly other drawbacks that I'm not seeing/remembering? I've
> been running an iptables based setup for some time, never really jumped
> into the fail2ban wagon
I've never used fail2ban either. I don't think its advantages are
functional, but more the somewhat intangible:
) It's included with several of the all-in-one Asterisk distributions.
) It's documented.
) It's more flexible
) Somebody else gets to enhance and maintain the code.
--
Thanks in advance,
-------------------------------------------------------------------------
Steve Edwards sedwards at sedwards.com Voice: +1-760-468-3867 PST
Newline Fax: +1-760-731-3000
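The iptables-only approach discussed in the thread, with the persistence workaround Steve describes, as an added example that is not code from either poster. It assumes Linux iptables with the xt_recent module and SIP on UDP 5060; the chain names, list names, thresholds and save path are constructed placeholders. One recent list counts packets per source, a second one holds sources that crossed the threshold, and the save/restore functions copy that second list to disk and back so the blocks survive an iptables reload.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread. Assumes Linux
# iptables with the xt_recent module and SIP listening on UDP 5060. Every
# chain name, list name, threshold and path below is a constructed
# placeholder, not a value from any real site.
set -eu

SIP_PORT=5060
TRACK_LIST=sipbrute          # per-source packet counter
BLOCK_LIST=sipblock          # sources that tripped the threshold
HITCOUNT=10                  # this many packets...
WINDOW=60                    # ...within this many seconds trips a block
BLOCK_SECONDS=3600           # a tripped source is dropped for this long
SAVE_FILE=${SAVE_FILE:-/var/lib/sipblock.list}   # placeholder path

# Emit the rule set rather than applying it, so it can be reviewed first and
# then piped to sh as root. Optional trusted peers (trunks, other PBXes) are
# RETURNed before counting, because the counter sees every packet to the
# SIP port, not only REGISTER requests.
sip_brute_rules() {
  TRUSTED=${1:-}
  echo "iptables -N SIPBRUTE"
  echo "iptables -N SIPBLOCK"
  for peer in $TRUSTED; do
    echo "iptables -A SIPBRUTE -s $peer -j RETURN"
  done
  # Already-blocked sources are dropped until BLOCK_SECONDS have elapsed.
  echo "iptables -A SIPBRUTE -m recent --name $BLOCK_LIST --rcheck --seconds $BLOCK_SECONDS -j DROP"
  # Record this packet, then check whether the window/hitcount is exceeded.
  echo "iptables -A SIPBRUTE -m recent --name $TRACK_LIST --set"
  echo "iptables -A SIPBRUTE -m recent --name $TRACK_LIST --update --seconds $WINDOW --hitcount $HITCOUNT -j SIPBLOCK"
  # Crossing the threshold puts the source on the block list and drops it.
  echo "iptables -A SIPBLOCK -m recent --name $BLOCK_LIST --set -j DROP"
  echo "iptables -A INPUT -p udp --dport $SIP_PORT -j SIPBRUTE"
}

# Constructed sample of what /proc/net/xt_recent/<list> looks like, used
# here so the parser can be exercised without root or a live kernel list.
sample_recent_dump() {
  cat <<'EOF'
src=192.0.2.10 ttl: 64 last_seen: 4294905845 oldest_pkt: 1 4294905845
src=198.51.100.7 ttl: 52 last_seen: 4294905900 oldest_pkt: 3 4294905800 4294905850 4294905900
EOF
}

# Extract the source addresses, one per line, from a recent-list dump.
blocked_addrs() {
  sed -n 's/^src=\([^ ]*\).*/\1/p' "$1"
}

# The "auto save": copy the current block list to disk (run from cron).
save_blocklist() {
  blocked_addrs "/proc/net/xt_recent/$BLOCK_LIST" > "$SAVE_FILE"
}

# After a reload, re-add each saved address. Writing "+addr" to the proc
# file inserts it with the current timestamp, so --rcheck drops it again.
# $1 = saved list, $2 = target file (defaults to the kernel list).
restore_blocklist() {
  target=${2:-/proc/net/xt_recent/$BLOCK_LIST}
  while read -r addr; do
    if [ -n "$addr" ]; then
      echo "+$addr" > "$target"
    fi
  done < "${1:-$SAVE_FILE}"
}
```

Two things to keep in mind when using this shape of rule set: `--rcheck` does not refresh the timestamp, so a blocked source is released `BLOCK_SECONDS` after it was added unless it trips the counter again, and the packet counter itself is not saved, only the block list, so a reload resets the in-progress counts but keeps existing blocks. SIP over TCP or TLS (5061) needs its own jump into the same chain.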