fail2ban & WordPress Plugin: some help with PHP please?


#31
Another iptables/fail2ban question.

I've been blocking comment spam with an Akismet plugin for Wordpress so far, but I've had problems today with connection to their servers, so some has been getting through.

So, I'm now looking at a local solution. This plugin will write comments that are marked as spam to a log file that fail2ban can go to work on.

My question is, are there any disadvantages to blocking lots of stuff with fail2ban/iptables? I guess it will take some load off the server, and will probably be a good thing in general, but I just wanted to check. For example, if you have loads of rules in iptables, does it slow things down, or is the time/processing power taken to check an IP address isn't on a list pretty much negligible?
samhobbs.co.uk


#32
A little slice of CPU time is indeed required for each rule evaluation. Whether iptables places a load on your server depends on your specific configuration. How many rules? More rules --> more CPU usage. Given that Fail2Ban removes entries after a while, do you find your rules to still be quite large at any one time?

Useful background reading:
http://blog.softlayer.com/2012/iptab...le-processing/
http://blog.softlayer.com/2013/iptab...with-iptables/

Probably not too useful since you're relying on Fail2Ban to write your rules. But good to know nevertheless.


#33
So if I understood that correctly, whitelisting is probably faster if you can reliably predict who will use the website, as legitimate traffic will meet the first rule and won't be passed through the rest of them.

Unfortunately, that won't work for me because I don't know who will want to visit the site ahead of time.

I suppose passing traffic through iptables is still faster than what the Akismet plugin is doing to filter spam though, right? From what I can tell it connects to the Akismet server every time and runs the comment past them, waits for the server to tell it whether or not it's spam and then moves it to the spam folder if it is.
samhobbs.co.uk


#34
Originally posted by Feathers McGraw:
    So if I understood that correctly, whitelisting is probably faster if you can reliably predict who will use the website, as legitimate traffic will meet the first rule and won't be passed through the rest of them.
Correct.

Originally posted by Feathers McGraw:
    Unfortunately, that won't work for me because I don't know who will want to visit the site ahead of time.
Also correct.

Originally posted by Feathers McGraw:
    I suppose passing traffic through iptables is still faster than what the Akismet plugin is doing to filter spam though, right? From what I can tell it connects to the Akismet server every time and runs the comment past them, waits for the server to tell it whether or not it's spam and then moves it to the spam folder if it is.
Yep, the plugin is doing much more work than iptables.

Maybe you should buy another Pi. Call it ScrubPi, place it in front of the server. Run all your blocking/filtering processes on ScrubPi. Then send the resulting clean traffic to ServerPi.


#35
Originally posted by SteveRiley:
    Maybe you should buy another Pi.
Don't encourage me, I have 4 already!

Was thinking maybe I could upgrade to that ChromeBox I posted about in another thread: my previous experiences with ProxyPass indicated that connecting the two with TLS uses a lot of CPU on both machines (no wonder Google didn't encrypt communications between their data centres before the Snowden leaks!).

Out of interest though, how would you run fail2ban on "scrubpi" based on the logs of the other machine?
samhobbs.co.uk


#36
Originally posted by Feathers McGraw:
    Out of interest though, how would you run fail2ban on "scrubpi" based on the logs of the other machine?
Thinking out loud (er, with fingers...)

Whenever Fail2Ban detects something in the logs on ServerPi, create the corresponding iptables rule on ScrubPi. This would require some bash scripting, I suspect. Sounds like a good reason to learn it. You'd have another handy tutorial to post.

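One way to wire up the "fail2ban on ServerPi, iptables on ScrubPi" idea from #36, as an added example that is not code from either poster. The assumption is that fail2ban on ServerPi runs a custom action whose actionban/actionunban lines are `ssh -i /etc/fail2ban/scrubpi_key root@scrubpi ban <ip>` and `... unban <ip>`, and that the matching public key sits in root's authorized_keys on ScrubPi with a `command="/usr/local/sbin/scrub-ban.sh"` restriction plus the usual `no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding` options, so the key can only ever trigger this script. The script name, key path, hostnames and chain name are all hypothetical. The point of doing it this way rather than letting ServerPi run arbitrary commands is that ScrubPi validates the request itself and only ever inserts or deletes a single DROP rule for one IPv4 address in a dedicated chain:

```shell
#!/bin/sh
# scrub-ban.sh (hypothetical name): forced command on ScrubPi that turns a
# request sent by fail2ban on ServerPi into a rule in a dedicated chain.
# Only two request shapes are accepted: "ban <ipv4>" and "unban <ipv4>".
set -eu

CHAIN=${SCRUB_CHAIN:-f2b-scrub}   # dedicated chain, so rules never touch other policy

# valid_ipv4 ADDR: succeed only for a dotted quad whose octets are all 0-255.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# scrub_rule OP ADDR: print the iptables command for a validated request,
# or fail without printing anything if OP or ADDR is not acceptable.
scrub_rule() {
    op=$1
    addr=$2
    valid_ipv4 "$addr" || return 1
    case $op in
        ban)   printf 'iptables -I %s -s %s -j DROP\n' "$CHAIN" "$addr" ;;
        unban) printf 'iptables -D %s -s %s -j DROP\n' "$CHAIN" "$addr" ;;
        *)     return 1 ;;
    esac
}

# main: parse $SSH_ORIGINAL_COMMAND (what fail2ban's ssh action asked for),
# validate it, and run the resulting rule. Anything unexpected is refused and
# logged, never executed.
main() {
    # word-splitting the request into OP and ADDR is intended here
    set -- ${SSH_ORIGINAL_COMMAND:-}
    if [ "$#" -ne 2 ]; then
        logger -t scrub-ban "refused request with $# words"
        exit 2
    fi
    if ! cmd=$(scrub_rule "$1" "$2"); then
        logger -t scrub-ban "refused request: $1 $2"
        exit 2
    fi
    iptables -N "$CHAIN" 2>/dev/null || true   # create the chain on first use
    logger -t scrub-ban "applying: $cmd"
    $cmd   # every token was validated above, so plain word-splitting is safe
}

# Only dispatch when invoked through an ssh forced command; sourcing or running
# the file directly (e.g. to test the functions) does nothing.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    main
fi
```

The chain has to be hooked into ScrubPi's ruleset once, and this is where #32's point about rule count matters: jumping to it with `iptables -I FORWARD -m conntrack --ctstate NEW -j f2b-scrub` means only the first packet of each new connection walks the ban list, while packets of already-established flows skip it entirely. The `logger` lines give you a record on ScrubPi of every request that was applied or refused, which is what you want to read first if a ban ever fails to appear.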

#37
True! I'll have a think about it. Just realised I wouldn't have to use ProxyPass, I could probably just do a port forward, since "ScrubPi" isn't trying to filter HTTP traffic and redirect it based on the domain/subdomain.

Did you choose the name "ScrubPi" because it's likely to catch fire, or because it's "scrubbing" IP addresses?

Thinking about it, my OpenWrt router could do the same job as ScrubPi.
samhobbs.co.uk


#38
Originally posted by Feathers McGraw:
    Did you choose the name "ScrubPi" because it's likely to catch fire, or because it's "scrubbing" IP addresses?
Because it's scrubbing bad guy traffic out of the flow, so that ServerPi receives only good guy traffic.

What does scrubbing have to do with fires? Is this yet another instance of where you guys over there just can't speak English correctly?


#39
Think Australia...
samhobbs.co.uk


#40
Wouldn't mind being there right now... It's freeeeeeeeeeezing here in Seattle.


#41
Well you wouldn't want to be in the scrub, it might catch fire!
samhobbs.co.uk