On 4/5/2011 2:11 PM, Steve Edwards wrote:
> On Tue, 5 Apr 2011, Sherwood McGowan wrote:
>
>> Why run fail2ban and add overhead when you can just do the same thing
>> with iptables itself?
>
> Because it's not the same?
>
> The iptables approach is great because it is 'light-weight' and it
> should already 'be there.' Also, it can react quicker because it
> doesn't have to read log files to make a decision.
>
> The 'downside' of the iptables approach is that the blocks go away
> when iptables is reloaded -- like when the host is restarted.
>
> Probably not an issue with Gordon since his hosts stay up for years.
>
> I'm thinking the iptables approach supplemented with a script to
> periodically save the block list to disk would allow persistent blocks
> as well as letting you accumulate blocks between all your hosts.
>
> Which would still be much 'lighter' than fail2ban.
>
Agreed on all points, Steve. I've already implemented an auto-save function to work around the drawback you mentioned. Are there possibly other drawbacks that I'm not seeing/remembering? I've been running an iptables-based setup for some time, never really jumped on the fail2ban wagon.

--
Sherwood McGowan <[email protected]>
Carrier, ITSP, Call Center, and PBX Solutions Consultant

asterisk-users mailing list
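The "save the block list to disk and reload it at boot" idea discussed above, written out as an added example; this is not Steve's or Sherwood's script and is not part of the thread. It assumes the dynamic DROP rules live in a dedicated chain (named BLOCKLIST here, an assumption), a save path under /var/lib/blocklist (also an assumption), and a cron job calling save_blocklist every few minutes. The iptables-save excerpt embedded in the script is constructed so the parsing can be exercised offline without touching a live firewall.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Persists the dynamic
# block chain across iptables reloads / reboots, as discussed above.
# Assumptions: chain name BLOCKLIST, save path under /var/lib/blocklist.
CHAIN="${BLOCKLIST_CHAIN:-BLOCKLIST}"
SAVE_FILE="${BLOCKLIST_FILE:-/var/lib/blocklist/blocked.txt}"

# Constructed iptables-save excerpt (RFC 5737 documentation addresses)
# used only for offline demonstration of the parsing.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:BLOCKLIST - [0:0]
-A INPUT -p udp -m udp --dport 5060 -j BLOCKLIST
-A BLOCKLIST -s 192.0.2.10/32 -j DROP
-A BLOCKLIST -s 198.51.100.7/32 -j DROP
-A BLOCKLIST -s 203.0.113.0/24 -j DROP
-A INPUT -s 192.0.2.99/32 -j DROP
COMMIT'

# extract_blocked: read iptables-save output on stdin and print one source
# address per line for every DROP rule that sits in the block chain.
# Rules in other chains (such as the hand-written INPUT DROP above) are
# deliberately ignored so only the dynamic blocks get persisted.
extract_blocked() {
    awk -v chain="$CHAIN" '
        $1 == "-A" && $2 == chain && $3 == "-s" && $NF == "DROP" { print $4 }
    '
}

# save_blocklist: snapshot the live chain to disk. Run from cron, e.g.
#   */5 * * * * /usr/local/sbin/blocklist.sh save
# The temp-file-then-rename keeps a half-written file from ever being
# restored after a crash mid-write.
save_blocklist() {
    iptables-save | extract_blocked | sort -u > "$SAVE_FILE.tmp" \
        && mv "$SAVE_FILE.tmp" "$SAVE_FILE"
}

# restore_commands: turn a saved list (stdin) into idempotent iptables
# commands. "-C" checks whether the rule already exists, so restoring on
# top of a chain that was never flushed does not duplicate rules.
restore_commands() {
    while read -r ip; do
        [ -n "$ip" ] || continue
        printf 'iptables -C %s -s %s -j DROP 2>/dev/null || iptables -A %s -s %s -j DROP\n' \
            "$CHAIN" "$ip" "$CHAIN" "$ip"
    done
}

# restore_blocklist: run once at boot after the base ruleset is loaded.
# Creating the chain is harmless if it already exists.
restore_blocklist() {
    iptables -N "$CHAIN" 2>/dev/null || true
    [ -r "$SAVE_FILE" ] || return 0
    restore_commands < "$SAVE_FILE" | sh
}

# demo_count: number of blocked sources found in the constructed sample.
demo_count() {
    printf '%s\n' "$SAMPLE_RULES" | extract_blocked | wc -l | tr -d ' '
}

case "${1:-}" in
    save)    save_blocklist ;;
    restore) restore_blocklist ;;
    demo)    printf '%s\n' "$SAMPLE_RULES" | extract_blocked ;;
esac
```

Because the saved file is a plain list of addresses, the lists from several hosts can be concatenated and fed through restore_commands to get the cross-host accumulation Steve mentions. If the number of blocked sources grows into the thousands, the same save/restore pattern applies to an ipset of type hash:net referenced from a single iptables rule, which keeps lookup cost flat instead of growing with chain length.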
