Saw this on /. today.
We found the upper limit of fail2ban and replaced it with reaction, an efficient alternative with our configuration that uses ipset.
I am curious, how so?
After reading the article I did check out the software but I’m not sure. Wasn’t my statement. They said the ‘reasoning’ was in the README but I didn’t go to the source code.
A few questionable statements against F2B.
"taking into account the little traffic on my server."
"fail2ban used to consume 1 hour and 300 MB"
On my own server with 55 domains and traffic to match, F2B is quite active but only uses 39Mb RAM.
They complain that F2B comes with too many default rules, their product will come with no rules, you have to do it all from scratch.
While F2B does come with a lot of rules, many aren’t enabled and you can pick which ones you want or use them as examples of how to do your own rules.
Starting blank doesn’t appeal to me.
It’s a fail from me.
That looks pretty neat. I’ve been happy with sshguard, and it’s available in the repos of our supported distros already. That’s not necessarily disqualifying, we package a bunch of stuff already, but there has to be a good reason to do so.
I’ll have to tinker with it a bit. If it’s as light and easy to use as sshguard, we’ll consider it. Our goal is continuing to shrink the Virtualmin base footprint.
I posted this for informational purposes only. Honestly I misread it and thought it was actually a FSF product and they were sun setting fail2ban. I was confusing it with GNU at the time I guess.
I recommend crowdsec - it comes with a communtiy block list of known bad IP’s that automatically is up to date all the time.
it is still free, but some dashboard features and additional blocklists are to pay these days.
even without the Pro blocklists it is very good, it also blocks local attempts obviously, you can enable various scenarios.
I guess if I searched long enough I’d find the free version. So, no go. ![]()
however if it was added to webmin you would not have to search as webmin would install it — just saying
There are no shortage of logs showing bad actor IP addresses. Until ‘the powers that be’ start pulling allocations for repeated/allowed abuse, nothing meaningful will happen.
Gotta seriously wonder why this hasn’t happened yet? Really low hanging fruit and yet it goes untouched by those that could do something about it.
CrowdSec’s core Security Engine and CrowdSec Console dashboard remain completely free and open-source. The Community Tier includes local attack detection, agent enrollment, and access to three free-tier blocklists with daily updates
you can give it a shot:
it can run alongside fail2ban
if you use nftables instead of iptables (which is default normally these days) make sure to use a bouncer with that as remediation component.
More follow up.