Continue working on my lightweight fail2ban clone for better performance.
I had fail2ban running on my private server but set it up to not only watch log files for login failures but in addition wanted to block these annoying requests to random php, aspx and different typical admin pages. They’re just probes for possible attack chances I guess, but still they’re bloating my logs and I wanted to block them off.
When load testing my server I realized that fail2ban took over 60% of the CPU usage, cutting my requests-per-second rate by more than half.
So I set off to build a clone of it in Rust with the goal of significantly speeding up the performance. The MVP is still not ready but as soon as it is I’ll share the code on GitHub. My recent tests were quite promising. It can parse a 500,000-line log file in about 2 seconds on a single CPU.
This weekend I will specifically work on the triggers for blocking IPs and unblocking scheduling. Currently it will just block an IP forever, and on the first match of a filter. I want it to only block after it has detected a set amount of matches from a single IP, and unblock it again after a given time.
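As an added example, not the author's code (the post says the MVP isn't published yet) and not fail2ban's or sshguard's: a minimal Rust sketch of the two pieces described above, banning an IP only after a set number of filter matches inside a time window and expiring the ban after a given duration, plus a whitelist and a manual unban. Timestamps are plain seconds so the logic is deterministic; the `first_ip`/`is_probe` helpers, the probe rule and the sample log lines are all constructed for this example, and the actual firewall insert/delete is left to the caller.

```rust
use std::collections::{HashMap, HashSet, VecDeque};
use std::net::IpAddr;

/// Outcome of feeding one filter match into the tracker.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Decision {
    Ignore,        // below threshold or whitelisted: nothing to do
    Ban,           // threshold just reached: caller inserts the firewall rule
    AlreadyBanned, // ban already in place: no new rule needed
}

/// Per-IP hit counter with a sliding window, timed bans and a whitelist.
/// Timestamps are plain seconds (u64) so the logic is deterministic.
pub struct BanTracker {
    max_matches: usize,
    find_window: u64, // seconds within which `max_matches` hits must occur
    ban_time: u64,    // seconds a ban stays in place
    ignore: HashSet<IpAddr>,
    hits: HashMap<IpAddr, VecDeque<u64>>,
    bans: HashMap<IpAddr, u64>, // ip -> time at which the ban expires
}

impl BanTracker {
    pub fn new(max_matches: usize, find_window: u64, ban_time: u64) -> Self {
        BanTracker { max_matches: max_matches.max(1), find_window, ban_time,
                     ignore: HashSet::new(), hits: HashMap::new(), bans: HashMap::new() }
    }

    /// Whitelist an address (e.g. the operator's own) so it is never banned.
    pub fn ignore_ip(&mut self, ip: IpAddr) { self.ignore.insert(ip); }

    /// Record one filter match for `ip` at time `now` and decide what to do.
    pub fn record_match(&mut self, ip: IpAddr, now: u64) -> Decision {
        if self.ignore.contains(&ip) { return Decision::Ignore; }
        if self.bans.contains_key(&ip) { return Decision::AlreadyBanned; }
        let (window, max) = (self.find_window, self.max_matches);
        let q = self.hits.entry(ip).or_default();
        q.push_back(now);
        // Forget hits that have fallen out of the sliding window.
        while q.front().map_or(false, |&t| now.saturating_sub(t) > window) { q.pop_front(); }
        if q.len() < max { return Decision::Ignore; }
        self.hits.remove(&ip);
        self.bans.insert(ip, now + self.ban_time);
        Decision::Ban
    }

    pub fn is_banned(&self, ip: &IpAddr) -> bool { self.bans.contains_key(ip) }

    /// Unban scheduling: drop every ban that has expired at `now` and return
    /// the addresses so the caller can delete their firewall rules.
    pub fn expire(&mut self, now: u64) -> Vec<IpAddr> {
        let expired: Vec<IpAddr> =
            self.bans.iter().filter(|(_, until)| **until <= now).map(|(ip, _)| *ip).collect();
        for ip in &expired { self.bans.remove(ip); }
        expired
    }

    /// Manual removal from the blacklist, for the "banned my own IP" case.
    pub fn unban(&mut self, ip: &IpAddr) -> bool { self.bans.remove(ip).is_some() }
}

/// Pull the first token that parses as an IP address out of a log line.
pub fn first_ip(line: &str) -> Option<IpAddr> {
    line.split(|c: char| c.is_whitespace() || c == '[' || c == ']')
        .find_map(|tok| tok.parse::<IpAddr>().ok())
}

/// Toy filter standing in for the "random php/aspx/admin page" rule: an
/// access-log line counts as a probe when its request path looks like one.
pub fn is_probe(line: &str) -> bool {
    line.split('"').nth(1)
        .and_then(|req| req.split_whitespace().nth(1))
        .map_or(false, |p| p.ends_with(".php") || p.ends_with(".aspx") || p.starts_with("/admin"))
}

fn main() {
    // Constructed sample lines with documentation-range addresses (not real traffic).
    let lines = [
        (0u64, "203.0.113.5 - - [10/Oct/2024:13:55:36 +0000] \"GET /wp-login.php HTTP/1.1\" 404 0"),
        (5, "203.0.113.5 - - [10/Oct/2024:13:55:41 +0000] \"GET /phpmyadmin/index.php HTTP/1.1\" 404 0"),
        (9, "198.51.100.7 - - [10/Oct/2024:13:55:45 +0000] \"GET /index.html HTTP/1.1\" 200 512"),
        (12, "203.0.113.5 - - [10/Oct/2024:13:55:48 +0000] \"GET /admin/ HTTP/1.1\" 404 0"),
    ];
    let mut tracker = BanTracker::new(3, 60, 600);
    for &(t, line) in lines.iter() {
        if !is_probe(line) { continue; }
        if let Some(ip) = first_ip(line) {
            println!("t={:>3} {} -> {:?}", t, ip, tracker.record_match(ip, t));
        }
    }
    println!("expired at t=700: {:?}", tracker.expire(700)); // [203.0.113.5]
}
```

The sliding window is kept as a per-IP deque of timestamps rather than a bare counter, so a slow trickle of hits spread over hours never adds up to a ban, and `expire` is meant to be called from a periodic tick (or just before each batch of new lines) so unbans happen without a separate timer per address.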
I’m using sshguard in part because it’s lighter than fail2ban, but I’d be interested in a more flexible, lightweight alternative - I hope you’ll post the repo here when it’s done. Unfortunately, Postfix’s use of saslauthd doesn’t log the IP address for failed connections, so sshguard can’t see it. The most annoying thing about sshguard is that it has no way of manually removing things from the blacklist. I’ve managed to accidentally blacklist my home IP a few times and then have to ssh via another machine to add a whitelist to the firewall rules (the whitelist is there, it’s just that my home IP sometimes changes). I have to add the whitelist manually to the persistent firewall rules because I can’t ever remove that IP from the sshguard database.