Just an FYI: programs that change the firewall like fail2ban and sshguard
can put a high burden on the server in the event your firewall blocks
a large amount of IP space AND you are on a very limited CPU.

Touching the firewall can lock out the server for seconds, as firewalld, I assume,
creates some efficient table of IP space to block. Once the firewall is
established it isn't much of a CPU load, but changing the inputs to it
does burden the CPU.


Have you checked out ipset? It is fast and lightweight, allowing you to add/remove IPs to block without touching the firewall (no restart/reload) or having to change rules. ipset is integrated into the kernel; you just add a one-time rule to your firewall to block anything contained in the ipset. One of ipset's features is auto-expire time limits: you can tell it to ban an IP for anywhere between 1 second and 3 weeks, or with no timer, banning until the IP is manually removed.
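The setup described above, as an added example that is not from this thread or from fail2ban, sshguard or ipset themselves: a POSIX shell script that creates the set once, installs the single iptables rule that matches against it, and afterwards bans or unbans addresses by touching only the set. The set name `blacklist`, the `run` wrapper with its `DRY_RUN` switch (which prints the commands instead of executing them, so the script can be read and exercised without root), and the `valid_ip` check are assumptions for illustration; the `ipset` and `iptables` invocations are the real command syntax.

```shell
#!/bin/sh
# Added example, not code from the original thread. Assumed names: set "blacklist",
# chain INPUT, the run() wrapper and DRY_RUN switch. Requires root to actually apply.
set -eu

SET_NAME="${SET_NAME:-blacklist}"
DRY_RUN="${DRY_RUN:-0}"

# run: execute a command, or just print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# valid_ip: accept only dotted-quad IPv4, optionally with /0-32, before the value
# reaches ipset. Strings pulled from logs must never be passed through unchecked.
valid_ip() {
    ip="${1%%/*}"
    case "$1" in
        */*) n="${1#*/}"
             case "$n" in ''|*[!0-9]*) return 1 ;; esac
             [ "$n" -le 32 ] || return 1 ;;
    esac
    case "$ip" in ''|.*|*.|*..*|*[!0-9.]*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $ip
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] 2>/dev/null || return 1
    done
    return 0
}

# setup_blacklist: run once. hash:net holds single addresses and CIDR blocks;
# "timeout 0" at create means entries never expire unless a per-entry timeout
# is given on add. The one DROP rule is the only time iptables is touched.
setup_blacklist() {
    run ipset create "$SET_NAME" hash:net family inet timeout 0 -exist
    if [ "$DRY_RUN" = "1" ] || ! iptables -C INPUT -m set --match-set "$SET_NAME" src -j DROP 2>/dev/null; then
        run iptables -I INPUT -m set --match-set "$SET_NAME" src -j DROP
    fi
}

# ban_ip ADDR [SECONDS]: add ADDR (or CIDR) to the set. SECONDS=0 (the default)
# bans until unban_ip removes it; otherwise the kernel drops the entry itself.
ban_ip() {
    t="${2:-0}"
    valid_ip "$1" || { echo "ban_ip: refusing malformed address '$1'" >&2; return 2; }
    case "$t" in ''|*[!0-9]*) echo "ban_ip: bad timeout '$t'" >&2; return 2 ;; esac
    run ipset add "$SET_NAME" "$1" timeout "$t" -exist
}

# unban_ip ADDR: remove ADDR from the set without touching any rule.
unban_ip() {
    valid_ip "$1" || return 2
    run ipset del "$SET_NAME" "$1" -exist
}

# Usage (as root):  . ./ipset-ban.sh; setup_blacklist; ban_ip 192.0.2.10 3600
# Dry run:          DRY_RUN=1 sh -c '. ./ipset-ban.sh; ban_ip 192.0.2.10 3600'
```

`ipset list blacklist` shows the remaining lifetime of each entry, and `ipset save` / `ipset restore` preserve the set across a reboot; the single iptables rule has to be restored by whatever already persists your rules. Note that the per-entry timeout is capped by the kernel at 2147483 seconds (a little under 25 days), so the "3 weeks" figure in the post is within range.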
