Score:0

Is it necessary to ban malicious IP regardless of default firewall setting being deny/reject?


I'm on Linux and using fail2ban as the ban system. So far, it has collected and banned about 150K malicious IPs, and I'm concerned and wondering if this will gobble a fair amount of resources. As I see it in top, it has a relatively high CPU time. My questions are:

  1. If there are more banned IP addresses, then will my CPU take more resources to filter an incoming connection? (My concern roots in the unverified idea that the CPU has to compare any incoming IP with the 150k ban list to determine filtration.)
  2. If I just simply set the default firewall setting to deny/reject, then would banning the system be not necessary anymore? Or should I have the ban system running regardless? (if so, what are the reasons?)
Bob
It depends a bit on how those IP addresses are banned. Sequential checking of individual netfilter rules is more “expensive” than using an `ipset` to store the IP addresses, but even the penalties of the first are usually not too severe.
Score:0
  1. If you use some of the "plain" iptables banning actions in fail2ban, you could switch to the iptables-ipset or nftables action, for example:

     ```ini
     [DEFAULT]
     banaction = iptables-ipset[type=multiport]
     banaction_allports = iptables-ipset[type=allports]
     ```

     or:

     ```ini
     [DEFAULT]
     banaction = iptables-ipset-proto6
     banaction_allports = iptables-ipset-proto6-allports
     ```

  2. As regards the question "deny/reject"...

    Although I must admit I don't quite understand the sentence "then would banning the system be not necessary anymore", or rather how some default firewall setting could prevent against that, if the listener ports are still open and publicly available.

    Any kind of banning system is not necessary if you'd either trust in strong password policies or use asymmetric keys instead of passwords for authentication (so that a brute force would not really make sense anymore) and a certain load from continuously serving failed authentication attempts, as well as flooding of log journals, is acceptable to you. Or if you'd switch to some strict firewall rules whitelisting certain addresses only, or open listener ports on demand only (port-, http- or whatever else knocking mechanisms), so your services are no longer publicly accessible.

As for "drop vs. reject" see https://github.com/fail2ban/fail2ban/issues/2217#issuecomment-423248516 discussion.
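To see why item 1 above matters for the asker's first question (does filtering cost grow with the ban list?), here is an added example that is not fail2ban's own code: it models a plain one-rule-per-IP iptables chain against a hashed set lookup, and checks a jail.local fragment for whether its banaction is set-based. The config text, the ban-list sizes and the probe addresses are constructed for the demonstration.

```python
"""Model of per-packet lookup cost: plain iptables chain vs. ipset/nft set.
Added example, not part of fail2ban; numbers are constructed."""
import configparser

# Constructed jail.local fragment using the "plain" actions the answer warns about.
JAIL_LOCAL_PLAIN = """
[DEFAULT]
banaction = iptables-multiport
banaction_allports = iptables-allports
"""

# Action name prefixes that store banned IPs in a kernel set (hash lookup).
SET_BASED_PREFIXES = ("iptables-ipset", "nftables")


def banaction_uses_set(jail_text: str) -> dict:
    """Return {setting: bool} telling whether each banaction is set-based."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(jail_text)
    result = {}
    for key in ("banaction", "banaction_allports"):
        value = cp["DEFAULT"].get(key, "")
        name = value.split("[", 1)[0].strip()  # drop "[type=multiport]" args
        result[key] = name.startswith(SET_BASED_PREFIXES)
    return result


def sequential_chain_cost(banned_list: list, src: int) -> int:
    """Plain iptables: one DROP/REJECT rule per banned IP, walked top to bottom.
    Returns the number of rule comparisons spent on a packet from `src`."""
    for position, ip in enumerate(banned_list, 1):
        if ip == src:
            return position
    return len(banned_list)  # not banned: every rule was evaluated


def hashed_set_cost(banned_set: set, src: int) -> int:
    """ipset hash:ip / nft set: one hash probe whatever the set size."""
    _ = src in banned_set
    return 1


def lookup_cost(n_banned: int, probe: int) -> tuple:
    """Cost of one packet from `probe` against a constructed list of n bans
    (addresses 1..n as integers) for both banning styles."""
    banned_list = list(range(1, n_banned + 1))
    banned_set = set(banned_list)
    return (sequential_chain_cost(banned_list, probe),
            hashed_set_cost(banned_set, probe))


if __name__ == "__main__":
    print(banaction_uses_set(JAIL_LOCAL_PLAIN))   # both False: switch to ipset/nft
    print(lookup_cost(150_000, 0))               # legitimate client: (150000, 1)
```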
