David Serrano:
On 2013-10-27 15:00:10 (-0700), Gordon Morehouse wrote:
Here's my 'iptables -L' output, on pastebin because it's a mess when formatted for email: http://pastebin.com/f1VZNeTF
That's not a fresh boot, though, I did:
'iptables -F'
'service fail2ban reload'
and then ran the iptables commands by hand, in order.
Things may potentially be different after a reboot, so I'd recommend rebooting now and see how the firewall ends up. Right now it seems that fail2ban would ban and break existing circuits. It all depends on what rules it inserts into its chain.
Here's the output of 'iptables -L' after a fresh boot: http://pastebin.com/b0PUbJJX
And, after the boot, I've simulated an aggressive host from another machine using hping, and here's the output of 'iptables -L' after fail2ban banned the host (LAN IP partly redacted to settle my paranoia): http://pastebin.com/1L62z23b
Incidentally, this experiment confirmed that once fail2ban has banned a host, further packets are not logged such that fail2ban must parse them, which was an open question and is now answered, and answered the way I wanted.
However, do you need fail2ban now that you are throttling SYNs without affecting circuits?
Uncertain. I'd added it as an adjunct to the throttling, hoping a temporary placement into the DROP chain would save cycles and memory as REJECT ICMP packets would no longer be sent; in the only major Tor SYN flood I've experienced since adding fail2ban to the mix (and reducing the SYN limits from 4/sec burst 10 to 3/sec burst 6), fail2ban eventually fell far enough behind in parsing logs of those SYNs exceeding the limits that it could not catch up and stopped banning hosts. The node survived the flood for the first time without crashing, but fail2ban was working for the first 20-30 min or so IIRC, so that may have helped, or it may have just been the reduction in the SYN throttle limits.
I have an open bug in the project tracker[1] regarding figuring out what to do with fail2ban, and one of the options is to get rid of it, but I don't know enough yet.
1. https://www.pivotaltracker.com/s/projects/917796
Thanks a ton for your help!
Best,
-Gordon M.
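As an added example (not code from this thread), here is the mechanism the message describes, in Python: a token bucket approximating the iptables SYN limit rule (3/sec, burst 6), and a fail2ban-style sliding window over the kernel LOG lines that the excess SYNs produce, which stops counting a source once it is banned. The "SYN-LIMIT:" log prefix, the sample lines and the maxretry/findtime values are constructed for illustration.

```python
import re
from collections import defaultdict, deque

# Constructed sample of lines a LOG target on the SYN-throttling rule would write
# (hypothetical "SYN-LIMIT:" prefix; documentation addresses, not a real relay).
SAMPLE_LOG = """\
Oct 27 15:00:01 relay kernel: SYN-LIMIT: IN=eth0 SRC=203.0.113.9 DST=192.0.2.1 PROTO=TCP DPT=9001 SYN
Oct 27 15:00:01 relay kernel: SYN-LIMIT: IN=eth0 SRC=203.0.113.9 DST=192.0.2.1 PROTO=TCP DPT=9001 SYN
Oct 27 15:00:02 relay kernel: SYN-LIMIT: IN=eth0 SRC=198.51.100.4 DST=192.0.2.1 PROTO=TCP DPT=9001 SYN
Oct 27 15:00:02 relay kernel: SYN-LIMIT: IN=eth0 SRC=203.0.113.9 DST=192.0.2.1 PROTO=TCP DPT=9001 SYN
Oct 27 15:00:03 relay kernel: SYN-LIMIT: IN=eth0 SRC=203.0.113.9 DST=192.0.2.1 PROTO=TCP DPT=9001 SYN
"""
LINE_RE = re.compile(r"^\w{3} +\d+ (\d\d):(\d\d):(\d\d) \S+ kernel: SYN-LIMIT: .*SRC=(\d+\.\d+\.\d+\.\d+)")

def throttle(arrivals, rate=3.0, burst=6):
    """Token bucket approximating `-m limit --limit 3/sec --limit-burst 6`.
    Returns (accepted, excess); the excess SYNs are the ones that get logged."""
    tokens, last, accepted, excess = float(burst), arrivals[0] if arrivals else 0.0, [], []
    for t in arrivals:
        tokens = min(float(burst), tokens + (t - last) * rate)  # refill since last packet
        last = t
        if tokens >= 1.0:
            tokens -= 1.0
            accepted.append(t)
        else:
            excess.append(t)
    return accepted, excess

def parse_log(text):
    """Yield (seconds since midnight, source IP) for each logged excess SYN."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            h, mi, s, ip = m.groups()
            yield int(h) * 3600 + int(mi) * 60 + int(s), ip

def decide_bans(events, maxretry=3, findtime=10):
    """fail2ban-style sliding window: ban a source once maxretry excess SYNs
    land within findtime seconds. Returns {ip: time_of_ban}."""
    recent, banned = defaultdict(deque), {}
    for t, ip in events:
        if ip in banned:
            continue  # already in the ban chain: the kernel drops silently, logs nothing more
        q = recent[ip]
        q.append(t)
        while q and t - q[0] > findtime:
            q.popleft()
        if len(q) >= maxretry:
            banned[ip] = t
    return banned
```

With the sample above, `decide_bans(parse_log(SAMPLE_LOG))` bans only 203.0.113.9 (three excess SYNs within the window), and `throttle([0.0] * 7 + [1.0])` accepts the first six SYNs of the burst, logs the seventh, and accepts again once a second of refill has elapsed.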