I have a server (VPS) with the following services:

  • email server (postfix/dovecot)
  • dns server (bind9)
  • http server (nginx)

Fail2ban creates a lot of entries in iptables, and this causes the server to become very slow; sometimes it even becomes unreachable and I have to log in via the console and flush iptables before I can connect to the server. The jails in use are shown below:

  • Jail list: dovecot, named-refused, nginx-botsearch, nginx-http-auth, nginx-limit-req, php-url-fopen, postfix, postfix-auth, recidive

95% of bans are triggered by the postfix jail.
I reduced the iptables size by setting the recidive jail with:

    bantime = 7200
    findtime = 3600
    maxretry = 5

The system slowness slightly improved, but still not enough.
My question: is fail2ban to blame for this slowness, or iptables itself? In a previous project, I had no fail2ban installed and I used iptables with many entries (more entries than what my actual fail2ban creates) and the system was fast.

I appreciate any advice on how I can deal with this fail2ban issue.

2 Answers

  1. Both of them are to blame. Fail2Ban monitors your logs – so if there is a lot of logging, Fail2Ban will have to parse more text. iptables performs a linear search over the list of rules – it is not possible to use binary search, as this would break the logic. So the more rules, the slower iptables will be.

    You should check the usedns and banaction settings in /etc/fail2ban/jail.conf. DNS queries may be slow and you may want to try iptables-ipset-proto4 instead of iptables-multiport as an action.

  2. You can add `tail` after the logpath so fail2ban will only read from the end of the file. Otherwise, if you reboot, there can be a very long pause while fail2ban reads huge log files.

    logpath = /var/log/yourfile tail
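The two answers above both come down to jail configuration changes. The fragment below is an added example of a `/etc/fail2ban/jail.local` that applies all of them together; it is not taken from either answer or from the fail2ban project. The file layout, the mail log path `/var/log/mail.log`, and the `ignoreip` address are assumptions; the recidive values are the ones given in the question.

```ini
# /etc/fail2ban/jail.local (added example; paths and the ignoreip address are
# assumptions for a Debian-style layout, not values from the thread)
[DEFAULT]
# Skip reverse-DNS lookups while parsing log lines; only literal IPs are matched.
# Slow or failing resolvers otherwise stall the filter on every hit.
usedns = no

# One ipset hash per jail, referenced by a single iptables rule per jail,
# instead of one iptables rule per banned address. Requires the ipset package.
banaction = iptables-ipset-proto4

# Never ban the address you administer from (assumed example address).
ignoreip = 127.0.0.1/8 192.0.2.10

[postfix]
enabled = true
# 'tail': start reading at the end of the file on (re)start instead of
# re-parsing the whole history. Log path is an assumption.
logpath = /var/log/mail.log tail

[recidive]
enabled = true
logpath = /var/log/fail2ban.log tail
# Values from the question.
bantime = 7200
findtime = 3600
maxretry = 5
```

After restarting fail2ban, `fail2ban-client status postfix` shows how many addresses the jail currently holds, and `ipset list` confirms they landed in the set rather than as individual iptables rules. With `usedns = no`, any log entries that carry only a hostname instead of an IP address will no longer be matched, which is the intended trade-off.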
    