I'd let fail2ban write to a temporary file / cidr file which you move by cronjob every 10 minutes if there has been a change (shasum).
That way your blacklist will be updated at most every 10 minutes (or whatever delay you define) and _only_ if there has been a change. Though 3000 times would mean circa every 30 minutes, if I calculated correctly, that doesn't sound that bad imo.

On Wed, 23 May 2012 11:23:14 +0200 Maciej Uhlig <[email protected]> wrote:
> We run fail2ban to update postscreen blacklist which is cidr file. To
> make postscreen see the changes we have to reload postfix. Yesterday we
> found postfix was reloaded more than 3000 times. Sure it is not acceptable.
>
> What would be the best way to refresh postscreen blacklist (something
> like kill -HUP) without paying the penalty of losing performance? Would
> changing cidr type to hash do the trick?
>
> Best regards,
>
> MU

--
Jean-Michel Bruenn <[email protected]>
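The staging-file-plus-cron approach suggested in the reply, written out as an added example (not code from the thread or from fail2ban/postfix). The paths for the fail2ban staging file and the live postscreen cidr file, and the reload command, are assumptions chosen for illustration; the script only copies the file and reloads when the checksum differs, so the number of reloads is bounded by the cron interval no matter how many bans fail2ban issues.

```shell
#!/bin/sh
# Added example: sync a fail2ban-written staging CIDR file into the live
# postscreen blacklist, reloading postfix only when the content changed.
# Intended to be run from cron, e.g. (assumed paths):
#   */10 * * * * /usr/local/sbin/sync_postscreen_blacklist.sh --run
#
# Assumed, not from the thread:
#   STAGING : the file fail2ban's action writes to
#   LIVE    : the cidr file named in postscreen_access_list
#   RELOAD  : command run after the live file changed
STAGING="${STAGING:-/var/lib/fail2ban/postscreen_blacklist.cidr.staging}"
LIVE="${LIVE:-/etc/postfix/postscreen_blacklist.cidr}"
RELOAD="${RELOAD:-postfix reload}"

# Print the SHA-256 of a file, or an empty string if the file is absent.
file_hash() {
    [ -f "$1" ] || { echo ""; return 0; }
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# sync_blacklist STAGING LIVE RELOAD_CMD
# Copies STAGING over LIVE and runs RELOAD_CMD only if the contents differ.
# Exit status: 0 = live file replaced and reload run,
#              1 = no change, nothing done,
#              2 = staging file missing or copy failed.
sync_blacklist() {
    staging="$1"; live="$2"; reload="$3"
    [ -f "$staging" ] || return 2
    if [ "$(file_hash "$staging")" = "$(file_hash "$live")" ]; then
        return 1
    fi
    # Write next to LIVE and rename, so postscreen never reads a
    # half-written list even if reload coincides with the copy.
    tmp="$live.tmp.$$"
    cp "$staging" "$tmp" || { rm -f "$tmp"; return 2; }
    mv -f "$tmp" "$live" || { rm -f "$tmp"; return 2; }
    $reload
}

# Only act when invoked explicitly, so sourcing the file is side-effect free.
if [ "${1:-}" = "--run" ]; then
    sync_blacklist "$STAGING" "$LIVE" "$RELOAD"
    rc=$?
    # Status 1 (unchanged) is the normal idle case for cron, not an error.
    [ "$rc" -eq 1 ] && exit 0
    exit "$rc"
fi
```

Because `mv` within the same directory is a rename, the live file is replaced atomically; fail2ban keeps appending to the staging file in the meantime, and the next cron run picks up any new entries in a single reload.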
