
[INSTALLATION] Fail2ban/crowdsec and their interaction with this project, worth it? #572

Open
maxdd opened this issue May 7, 2024 · 3 comments

Comments

@maxdd

maxdd commented May 7, 2024

Hello,
this is not really an installation issue per se but more like a question about the synergy between tools such as fail2ban and crowdsec.
My understanding was that nginx ultimate bad bot blocker also contains a list of IPs which are somewhat up-to-date. Is that the case, or is the main intention of the tool to reject attacks mainly based on patterns/UA and leave the bad IPs as a secondary feature?

Are then fail2ban/crowdsec overkill against nginx logs?

@itoffshore
Collaborator

@maxdd - I always used UBBB with fail2ban (which was already detecting & blocking clients who generated too many bad 40x's)

  • I think the proper place for rate limiting requests is in the firewall (all web clients should behave nicely)

  • I prefer nftables firewalls as it's a single config for ipv4 / ipv6 & ipset functionality is built in.

  • Blocking bad IPs in ipsets at the nftables ingress level hook is a good choice for performance (i.e. before packets traverse connection tracking & before prerouting) - requires kernel 5.10+ & nftables 0.9.7+

@HKPhysicist

Have you tried CSF firewall?
They can use ipsets which is super fast.

@itoffshore
Collaborator

@HKPhysicist - nftables has:

  • ipset functionality built in
  • ipv4 & ipv6 configuration in a single file

CSF firewall uses iptables - I've never used CSF so cannot really comment. It does look like a good choice if you don't know how to drop common attacks / like to have a GUI.

Plain nftables with fail2ban will probably always be a bit faster (as it's tuned to your environment)

  • I block 5-6000 persistent IPs with no issues with nftables & fail2ban:

[screenshot: banned]

  • Reading journald directly in fail2ban will also always be quicker

I always intended UBBB to have blocking done by ipset / fail2ban (& not by nginx) - as it's much, much faster (& you can drop bad packets at the ingress level in nftables before they hit conntrack preserving server resources)

I always only had nginx log the 405s for fail2ban to pick up & ban.
