sshguard causes firewalld to consume 100% of CPU for dozen of minutes after reboot

Create issue
Issue #133 open
Former user created an issue

Operating system and version

FedoraServer 32

SSHGuard version, or full package version string


SSHGuard invocation (command line or configuration)

CGroup: /system.slice/sshguard.service
             ├─791 /usr/bin/sh /usr/sbin/sshguard
             ├─793 /usr/bin/sh /usr/sbin/sshguard
             ├─794 /usr/libexec/sshguard/sshg-parser
             ├─795 /usr/libexec/sshguard/sshg-blocker -a 3 -b 3:/var/lib/sshguard/blacklist
             ├─796 /usr/bin/journalctl -afb -p info -n1 -o cat -t sshd
             └─797 /usr/bin/sh /usr/libexec/sshguard/sshg-fw-firewalld

On default configuration I changed only the following two:


Firewall backend being used

firewalld (firewalld-0.8.3) which uses nft (nftables-0.9.3).

After few days the blacklist file contains ~2k entries

# wc -l /var/lib/sshguard/blacklist
1817 /var/lib/sshguard/blacklist

and if I reboot machine I'm observing that fiewalld consumes 100% cpu for over a dozen minutes (this is even more visible on arm platform (Raspberry Pi) then on x86_64 platform).

This seems to be triggered by sshguard which in a loop and one by one tries to add those ~2k entries from blacklist file. So executing ps at any time always returns something like:

/usr/bin/python3 -s /usr/bin/firewall-cmd --quiet --ipset=sshguard4 --add-entry=

What I also tested is the following:

# awk -F '|' '{print $4"/32"}' /var/lib/sshguard/blacklist >/var/lib/sshguard/blacklist.ipset
# time firewall-cmd --ipset=sshguard4 --add-entries-from-file=/var/lib/sshguard/blacklist.ipset

real    0m0.651s
user    0m0.485s
sys 0m0.036s

Based on above it seems to be possible to add all of those entries from blacklist in a quite efficient way to firewalld

Comments (1)

  1. Kevin Zheng
    • changed status to open

    Thanks for the report. Others have reported before that firewalld is slow. Ideally, we'd fix firewalld to be less slow.

    I'd be open to reviewing a patch that uses firewall-cmd to load the initial blacklist to speed this up. Unfortunately, since I don't run firewall-cmd, I can't implement this change myself.

  2. Log in to comment