- changed status to open
sshguard causes firewalld to consume 100% CPU for over a dozen minutes after reboot
Operating system and version
FedoraServer 32
SSHGuard version, or full package version string
2.4.1
SSHGuard invocation (command line or configuration)
CGroup: /system.slice/sshguard.service
├─791 /usr/bin/sh /usr/sbin/sshguard
├─793 /usr/bin/sh /usr/sbin/sshguard
├─794 /usr/libexec/sshguard/sshg-parser
├─795 /usr/libexec/sshguard/sshg-blocker -a 3 -b 3:/var/lib/sshguard/blacklist
├─796 /usr/bin/journalctl -afb -p info -n1 -o cat -t sshd
└─797 /usr/bin/sh /usr/libexec/sshguard/sshg-fw-firewalld
On the default configuration I changed only the following two settings:
THRESHOLD=3
BLACKLIST_FILE=3:/var/lib/sshguard/blacklist
Firewall backend being used
firewalld
(firewalld-0.8.3), which uses nft (nftables-0.9.3).
After a few days the blacklist file contains ~2k entries:
# wc -l /var/lib/sshguard/blacklist
1817 /var/lib/sshguard/blacklist
and if I reboot the machine I observe that firewalld consumes 100% CPU for over a dozen minutes (this is even more visible on the ARM platform (Raspberry Pi) than on x86_64).
This seems to be triggered by sshguard, which in a loop tries to add those ~2k entries from the blacklist file one by one. So executing ps at any time always returns something like:
/usr/bin/python3 -s /usr/bin/firewall-cmd --quiet --ipset=sshguard4 --add-entry=119.28.51.97/32
What I also tested is the following:
# awk -F '|' '{print $4"/32"}' /var/lib/sshguard/blacklist >/var/lib/sshguard/blacklist.ipset
# time firewall-cmd --ipset=sshguard4 --add-entries-from-file=/var/lib/sshguard/blacklist.ipset
success
real 0m0.651s
user 0m0.485s
sys 0m0.036s
Based on the above it seems possible to add all of those entries from the blacklist to firewalld in a quite efficient way.
Comments (1)
Thanks for the report. Others have reported before that firewalld is slow. Ideally, we'd fix firewalld to be less slow.
I'd be open to reviewing a patch that uses firewall-cmd to load the initial blacklist to speed this up. Unfortunately, since I don't run firewall-cmd, I can't implement this change myself.
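The shape such a patch could take, as an added example that is not part of this issue and not SSHGuard's own code: it generalizes the reporter's awk plus --add-entries-from-file timing test into a small POSIX sh loader that handles both address families. It assumes (not shown in the report) that blacklist lines have the form time|service|addrkind|address with addrkind 4 for IPv4 and 6 for IPv6, and that the firewalld ipsets are named sshguard4 and sshguard6; the report only shows field 4 being the address and the sshguard4 set name. FIREWALL_CMD can be overridden for a dry run.

```shell
#!/bin/sh
# Bulk-load an sshguard blacklist into firewalld ipsets with one firewall-cmd
# call per address family instead of one firewall-cmd process per address.
# Example code, not from the sshguard project; format and set names assumed.

# blacklist_to_ipset_entries <blacklist> <out4> <out6>
# Writes one CIDR host entry per line (IPv4 -> /32, IPv6 -> /128).
# Lines that do not have exactly four '|' fields are skipped as malformed.
blacklist_to_ipset_entries() {
    bl=$1; out4=$2; out6=$3
    : > "$out4"; : > "$out6"   # truncate, so both files exist even when empty
    awk -F '|' '
        NF == 4 && $3 == 4 && $4 != "" { print $4 "/32"  >> out4 }
        NF == 4 && $3 == 6 && $4 != "" { print $4 "/128" >> out6 }
    ' out4="$out4" out6="$out6" "$bl"
}

# load_ipset_entries <setname> <file>
# Single firewall-cmd invocation for the whole file, as in the report's timing
# test. An empty file is a no-op. FIREWALL_CMD may name a stub for a dry run.
load_ipset_entries() {
    set_name=$1; file=$2
    [ -s "$file" ] || return 0
    "${FIREWALL_CMD:-firewall-cmd}" --quiet --ipset="$set_name" \
        --add-entries-from-file="$file"
}

# load_blacklist <blacklist>
# Converts the blacklist and loads both families; returns nonzero if either
# firewall-cmd call fails. Temporary files are always removed.
load_blacklist() {
    tmp4=$(mktemp) && tmp6=$(mktemp) || return 1
    if ! blacklist_to_ipset_entries "$1" "$tmp4" "$tmp6"; then
        rm -f "$tmp4" "$tmp6"; return 1
    fi
    rc=0
    load_ipset_entries sshguard4 "$tmp4" || rc=1   # set name assumed
    load_ipset_entries sshguard6 "$tmp6" || rc=1   # set name assumed
    rm -f "$tmp4" "$tmp6"
    return $rc
}

# Usage (on the real host): load_blacklist /var/lib/sshguard/blacklist
```

Because firewalld adds every entry in the file within one transaction, the cost is a single firewall-cmd process at startup rather than ~2k of them, which is what the reporter's 0.65 s measurement reflects.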