Is fail2ban slowing my system or iptables?


Issue

I have a server (VPS) with the following services:

  • email server (postfix/dovecot)
  • dns server (bind9)
  • http server (nginx)

Fail2ban creates a lot of entries in iptables, and this causes the server to become very slow; sometimes it even becomes unreachable, and I have to log in via the console and flush iptables before I can connect to the server. The jails in use are shown below:

  • Jail list: dovecot, named-refused, nginx-botsearch, nginx-http-auth, nginx-limit-req, php-url-fopen, postfix, postfix-auth, recidive

95% of bans are triggered by the postfix jail.
I reduced the iptables size by configuring the recidive jail with:

  bantime = 7200
  findtime = 3600
  maxretry = 5

The system slowness slightly improved, but still not enough.
My question: is fail2ban to blame for this slowness, or iptables itself? In a previous project I had no fail2ban installed, and I used iptables with many entries (more entries than my fail2ban setup currently creates) and the system was fast.

I appreciate any advice on how I can deal with this fail2ban issue.

Solution

Both of them are to blame. Fail2Ban monitors your logs, so if there is a lot of logging, Fail2Ban will have to parse more text. iptables performs a linear search over the list of rules; it is not possible to use binary search, as this would break the logic. So the more rules, the slower iptables will be.

You should check the usedns and banaction settings in /etc/fail2ban/jail.conf. DNS queries may be slow, and you may want to try iptables-ipset-proto4 instead of iptables-multiport as the action.

Answered By – IVO GELOV

This answer, collected from Stack Overflow, is licensed under CC BY-SA 2.5, CC BY-SA 3.0 and CC BY-SA 4.0.
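A jail.local that puts the answer's two suggestions into practice, as an added example that is not from the original post. It assumes fail2ban 0.9 or later (where the banaction_allports setting and the iptables-ipset-proto6 action files exist) and the ipset package installed on the host; the jail names and the recidive values are the ones given in the question.

```ini
# /etc/fail2ban/jail.local (added example, not from the original post)
# Read after jail.conf, so settings here override the distribution defaults.

[DEFAULT]
# Setting implied by the question: iptables-multiport adds one iptables
# rule per banned address to each jail's chain, so every packet walks a
# list that grows with every ban.
# banaction = iptables-multiport

# Corrected: one iptables rule per jail that matches an ipset hash set.
# Membership is a hash lookup, and ban expiry is handled by the set's
# timeout instead of by inserting and deleting rules.
# The answer names iptables-ipset-proto4; iptables-ipset-proto6 is the
# variant for ipset protocol 6 shipped with current distributions.
banaction = iptables-ipset-proto6
banaction_allports = iptables-ipset-proto6-allports

# Never reverse-resolve addresses found in log lines ("yes" and "warn"
# can stall the filter on a slow DNS query for every match).
usedns = no

# The jail that produces most of the bans on this server; port and
# logpath come from the [postfix] section of jail.conf.
[postfix]
enabled = true

# Values from the question; recidive re-bans addresses already banned
# by other jails and reads fail2ban's own log.
[recidive]
enabled  = true
bantime  = 7200
findtime = 3600
maxretry = 5
```

After restarting fail2ban, `ipset list` should show one set per enabled jail and `iptables -S` a single match rule per jail instead of one REJECT or DROP rule per banned address.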
