On Tue, 5 Apr 2011, Sherwood McGowan wrote:
> Why run fail2ban and add overhead when you can just do the same thing
> with iptables itself?
Because it's not the same?
The iptables approach is great because it is 'light-weight' and it should
already 'be there.' Also, it can react quicker because it doesn't have to
read log files to make a decision.
The 'downside' of the iptables approach is that the blocks go away when
iptables is reloaded -- like when the host is restarted.
Probably not an issue with Gordon since his hosts stay up for years.
I'm thinking the iptables approach supplemented with a script to
periodically save the block list to disk would allow persistent blocks as
well as letting you accumulate blocks between all your hosts.
Which would still be much 'lighter' than fail2ban.
--
Thanks in advance,
-------------------------------------------------------------------------
Steve Edwards [email protected] Voice: +1-760-468-3867 PST
Newline Fax: +1-760-731-3000
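
The save-and-merge script suggested in the message above, as an added example that is not part of the original post. It assumes the blocks are kept in an xt_recent list (the post does not say which iptables mechanism is used); the list name `blocked`, the save path and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Assumption: blocks are held in an xt_recent list; both paths
# below are hypothetical defaults and can be overridden from the environment.
RECENT_LIST="${RECENT_LIST:-/proc/net/xt_recent/blocked}"
SAVE_FILE="${SAVE_FILE:-/var/lib/blocklist/blocked.txt}"

# Constructed sample of xt_recent list contents (documentation addresses).
sample_recent() {
    cat <<'EOF'
src=192.0.2.10 ttl: 52 last_seen: 4298012 oldest_pkt: 3 4297001, 4297500, 4298012
src=198.51.100.7 ttl: 113 last_seen: 4299100 oldest_pkt: 1 4299100
EOF
}

# Print the source address of each xt_recent entry read from stdin.
extract_ips() {
    sed -n 's/^src=\([0-9.]*\) .*/\1/p'
}

# Pass only well-formed dotted-quad IPv4 addresses; a damaged or tampered
# list file must not be able to feed anything else back into the firewall.
valid_ipv4() {
    awk -F. 'NF == 4 {
        for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i + 0 > 255) next
        print
    }'
}

# save_blocks [PEER_FILE...]: fold the live list, the saved list and any lists
# copied from other hosts into SAVE_FILE, replacing it atomically.
save_blocks() {
    tmp="$SAVE_FILE.$$"
    { extract_ips < "$RECENT_LIST"; cat "$SAVE_FILE" "$@" 2>/dev/null; } |
        valid_ipv4 | LC_ALL=C sort -u > "$tmp" && mv "$tmp" "$SAVE_FILE"
}

# restore_blocks: after a reload, re-add every saved address to the live list.
# Writing "+addr" to an xt_recent file adds that address; the file only exists
# once a rule that names the list has been loaded, so run this after the rules.
restore_blocks() {
    valid_ipv4 < "$SAVE_FILE" | while read -r ip; do
        echo "+$ip" > "$RECENT_LIST"
    done
}

case "${1:-}" in
    save)    shift; save_blocks "$@" ;;
    restore) restore_blocks ;;
esac
```

Restored entries are stamped with the time of the restore, so any `--seconds` window starts over, and a list accumulated across hosts can outgrow the xt_recent module's `ip_list_tot` limit (100 addresses per list by default).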