I have a server (VPS) with the following services:
- email server (postfix/dovecot)
- dns server (bind9)
- http server (nginx)
Fail2ban creates a lot of entries in iptables, and this causes the server to become very slow; sometimes it even becomes unreachable and I have to log in via the console and flush iptables before I can connect to the server again. The jails in use are shown below:
- Jail list:
dovecot, named-refused, nginx-botsearch, nginx-http-auth, nginx-limit-req, php-url-fopen, postfix, postfix-auth, recidive
95% of bans are triggered by postfix jail.
I reduced the iptables size by configuring the recidive jail with:
bantime = 7200
findtime = 3600
maxretry = 5
The system slowness slightly improved, but still not enough.
My question: is fail2ban to blame for this slowness, or iptables itself? In a previous project I had no fail2ban installed and I used iptables with many entries (more entries than what my current fail2ban setup creates), and the system was fast.
I appreciate any advice on how I can deal with this fail2ban issue.
2 Answers
Both of them are to blame. Fail2ban monitors your logs, so if there is a lot of logging, fail2ban will have to parse more text. iptables performs a linear search over the list of rules (it is not possible to use binary search, as this would break the logic), so the more rules there are, the slower iptables will be.
You should check the `usedns` and `banaction` settings in `/etc/fail2ban/jail.conf`. DNS queries may be slow, and you may want to try `iptables-ipset-proto4` instead of `iptables-multiport` as an action. You can add `tail` after the `logpath` so fail2ban will only read from the end of the file. Otherwise, if you reboot, there can be a very long pause while fail2ban reads huge log files.