<div class="gmail_quote">On Tue, Apr 5, 2011 at 2:40 PM, Steve Edwards <span dir="ltr"><<a href="http://asterisk.org">asterisk.org</a>@<a href="http://sedwards.com">sedwards.com</a>></span> wrote:<br><div><snip> <br>
</div><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<div class="im"><br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Are there possibly other drawbacks that I'm not seeing/remembering? I've been running an iptables based setup for some time, never really jumped into the fail2ban wagon<br>
</blockquote>
<br></div>
I've never used fail2ban either. I don't think its advantages are functional, but more the somewhat intangible:<br>
<br>
) It's included with several of the all-in-one Asterisk distributions.<br>
<br>
) It's documented.<br>
<br>
) It's more flexible.<br>
<br>
) Somebody else gets to enhance and maintain the code.<div class="im"><br clear="all"></div></blockquote></div><br>Fail2ban is "easy". It's well documented and can be set up in just a few minutes. It's got an easy way to set up a whitelist that doesn't get banned (so you don't ban yourself or any of your trunks, etc.), and you can use it for more than just "asterisk" blocking (I use it to monitor ssh and ftp as well). You can easily copy config files between systems, etc., plus all the things you mentioned, Steve.<br>
<br>That being said, it has several downsides too, i.e. whenever fail2ban is restarted, the fail2ban chains are flushed (this occurs on system restarts as well). If you need to make changes to your iptables setup (i.e. change an IP address of a service provider), you really want to unload fail2ban, make your changes directly to iptables, then save your new iptables setup, then restart fail2ban. Otherwise you'll end up saving your fail2ban chains in with your regular chains, and when you restart fail2ban, it'll try to add new f2b chains. And for some reason people seem to think that it requiring Python is a bad thing. But then again, I'm not running it on small systems - most of the systems I've put it on have plenty of excess cpu and memory, so that hasn't been an issue for me.<br>
<br>-- <br>Thanks,<br>--Warren Selby, dCAP<br><a href="http://www.selbytech.com" target="_blank">http://www.selbytech.com</a><br>
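<br>The "save iptables without the fail2ban chains" step Warren describes, as an added example that is not part of the original thread: a small POSIX shell filter that strips fail2ban's own chains out of an <code>iptables-save</code> dump before it is persisted, so a later fail2ban restart can recreate them without colliding with stale copies. The chain-name prefixes <code>fail2ban-</code> (0.8.x) and <code>f2b-</code> (0.9 and later), the sample dump, and the save path in the comment are assumptions, not something the post states.<br>

```shell
#!/bin/sh
# Added example (not from the mailing-list post): remove fail2ban's chains from
# an iptables-save dump before saving it, so the persisted ruleset holds only the
# hand-written rules and fail2ban can rebuild its own chains on restart.
# Assumed chain-name prefixes: "fail2ban-<jail>" (0.8.x) and "f2b-<jail>" (0.9+).

strip_f2b_chains() {
    # Drop three kinds of lines and pass everything else through unchanged:
    #   ":fail2ban-ssh - [0:0]"          chain declarations
    #   "-A fail2ban-ssh ..."            rules inside those chains
    #   "-A INPUT ... -j fail2ban-ssh"   the jump rules fail2ban inserts
    grep -Ev '^:(fail2ban|f2b)-|^-A (fail2ban|f2b)-|-j (fail2ban|f2b)-'
}

# Constructed sample of what `iptables-save` prints on a host running
# fail2ban jails for asterisk and sshd next to hand-written provider rules.
SAMPLE_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:fail2ban-asterisk - [0:0]
:fail2ban-ssh - [0:0]
-A INPUT -p udp -m udp --dport 5060 -j fail2ban-asterisk
-A INPUT -p tcp -m tcp --dport 22 -j fail2ban-ssh
-A INPUT -s 203.0.113.10/32 -p udp -m udp --dport 5060 -j ACCEPT
-A INPUT -p udp -m udp --dport 5060 -j DROP
-A fail2ban-asterisk -s 198.51.100.7/32 -j DROP
-A fail2ban-asterisk -j RETURN
-A fail2ban-ssh -j RETURN
COMMIT'

# Cleaned ruleset on stdout. On a live box the sequence Warren describes is:
#   fail2ban-client stop
#   (edit rules with iptables ...)
#   iptables-save | strip_f2b_chains > /etc/sysconfig/iptables   # path assumed
#   fail2ban-client start
cleaned_rules() {
    printf '%s\n' "$SAMPLE_DUMP" | strip_f2b_chains
}

# Number of lines still referencing a fail2ban chain after cleaning (expect 0).
f2b_lines_remaining() {
    cleaned_rules | grep -Ec '(fail2ban|f2b)-' || true
}

# Number of lines kept (the header, the two provider rules and COMMIT).
kept_lines() {
    cleaned_rules | wc -l | tr -d ' '
}

cleaned_rules
```

The filter keeps the hand-written ACCEPT for the provider and the catch-all DROP on 5060, and removes both the fail2ban chain bodies and the INPUT jumps into them; the jump rules must go too, or a restored ruleset would reference chains that no longer exist and <code>iptables-restore</code> would reject it.<br>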