Is it necessary to ban malicious IP regardless of default firewall setting being deny/reject?

BigRat

7/1/23, 9:28 PM

I'm on Linux and using fail2ban as the ban system. So far, it has collected and banned about 150K of malicious IPs, and I'm concerned and wondering if this will gobble a fair amount of resources. As I see it on top, it has a relatively high CPU time.. My questions are,

If there are more banned IP addresses, then will my CPU take more resources to filter an incoming connection? (My concern roots in the unverified-idea if the CPU has to compare any incoming IP with 150k-ban-list to determine filtration.)
If I just simply set the default firewall setting to deny/reject, then would banning the system be not necessary anymore? Or should I have the ban system running regardless? (if so, what are the reasons?)

0 + 0

security

performance

firewall

performance-tuning

fail2ban

Bob

7/1/23, 10:57 PM

It depends a bit on how those IP addresses are banned. Sequential checking of individual netfilter rules is more “expensive” than using an `ipset` to store the IP addresses but even the penalties of the first are usually not too severe

Score:0

Server

sebres

7/2/23, 1:01 PM

if you use some of "plain" iptables banning actions in fail2ban you could switch to iptables-ipset or to nftables action, for example:

[DEFAULT]
banaction = iptables-ipset[type=multiport]
banaction_allports = iptables-ipset[type=allports]

or to iptables-ipset-proto6 and iptables-ipset-proto6-allports for older versions:

[DEFAULT]
banaction = iptables-ipset-proto6
banaction_allports = iptables-ipset-proto6-allports

as regards the question "deny/reject"...

Although I must admit I don't quite understand the sentence "then would banning the system be not necessary anymore" or rather how some default firewall settings could prevent against that. If the listener ports are still open and public available.

Any kind of banning system is not necessary if you'd either trust in strong password policies or use asymmetric keys instead of passwords by authentication (so that a bruteforce would not really make sense anymore) and certain load by continuous serving of failed authentication attempts as well as flood in log journals is acceptable for you. Or if you'd switch to some strict firewall rules whitelisting certain addresses only or open listener ports on demand only (port-, http- or whatever else knocking mechanisms), so your services become not public accessible anymore.

As for "drop vs. reject" see https://github.com/fail2ban/fail2ban/issues/2217#issuecomment-423248516 discussion.

0 + 0

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: Is it necessary to ban malicious IP regardless of default firewall setting being deny/reject?

TH: จำเป็นหรือไม่ที่จะต้องแบน IP ที่เป็นอันตรายโดยไม่คำนึงว่าการตั้งค่าไฟร์วอลล์เริ่มต้นจะถูกปฏิเสธ/ปฏิเสธ?

RO: Este necesar să interziceți IP rău intenționat, indiferent de setarea implicită a firewall-ului care este refuzată/respinsă?

RU: Нужно ли запрещать вредоносный IP-адрес независимо от того, что по умолчанию брандмауэр настроен на запрет/отклонение?

VI: Có cần thiết phải cấm IP độc hại bất kể cài đặt tường lửa mặc định bị từ chối/từ chối không?

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.