ザカリアسعيد

Reputation: 21

Is fail2ban slowing my system or iptables?

I have a server (VPS) with the following services:

Fail2ban creates a lot of entries in iptables, and this causes the server to become very slow; sometimes it even becomes unreachable, and I have to log in via the console and flush iptables before I can connect to the server. The jails used are shown below:

95% of bans are triggered by the postfix jail. I reduced the iptables size by setting up the recidive jail with bantime = 7200, findtime = 3600, maxretry = 5; the system slowness slightly improved, but still not enough. My question: is fail2ban to blame for this slowness, or iptables itself? In a previous project I had no fail2ban installed and used iptables with many entries (more entries than what my fail2ban currently creates), and the system was fast.

I appreciate any advice on how I can deal with this fail2ban issue.

Upvotes: 1

Views: 1906

Answers (2)

NateS

Reputation: 5876

You can add tail after the logpath so fail2ban will only read from the end of the file. Otherwise, if you reboot, there can be a very long pause while fail2ban reads huge log files.

logpath = /var/log/yourfile tail

Upvotes: 2

IVO GELOV

Reputation: 14269

Both of them are to blame. Fail2Ban monitors your logs, so if there is a lot of logging, Fail2Ban will have to parse more text. IPtables performs a linear search over the list of rules; it is not possible to use binary search, as this would break the logic. So the more rules, the slower IPtables will be.

You should check the usedns and banaction settings in /etc/fail2ban/jail.conf. DNS queries may be slow, and you may want to try iptables-ipset-proto4 instead of iptables-multiport as the action.

Upvotes: 2
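The two answers above each suggest one setting; the following jail.local puts them together as a worked configuration. It is an added example, not a file posted by either answerer or shipped with fail2ban: the tail keyword on logpath (from the first answer) keeps a restart from re-parsing the whole log, usedns = no avoids a reverse-DNS lookup per matched line, and banaction = iptables-ipset-proto4 (from the second answer) keeps banned addresses in one ipset matched by a single iptables rule instead of one rule per banned IP, which is what keeps the rule list short. The log paths are assumptions for a Debian-style postfix install, the recidive values are the ones given in the question, and the ipset action needs the ipset package installed on the host.

```ini
# /etc/fail2ban/jail.local -- constructed example; settings here override jail.conf

[DEFAULT]
# Do not reverse-resolve the IP on every matched log line; a slow resolver
# otherwise stalls the filter thread for each hit.
usedns = no
# One ipset plus one iptables rule per jail, instead of one iptables rule
# per banned address. Requires the ipset package.
banaction = iptables-ipset-proto4

[postfix]
enabled = true
# "tail" starts reading at the end of the file, so a fail2ban restart does
# not re-scan a large historical log. Path is an assumption (Debian layout).
logpath = /var/log/mail.log tail
maxretry = 5
findtime = 600
bantime = 3600

[recidive]
enabled = true
# The recidive jail reads fail2ban's own log and re-bans repeat offenders for
# longer, so the postfix jail's short-lived bans stop accumulating.
logpath = /var/log/fail2ban.log tail
# Values taken from the question above.
bantime = 7200
findtime = 3600
maxretry = 5
```

After reloading fail2ban, a quick sanity check is that the f2b-postfix chain in iptables contains a single match-set rule rather than one rule per address; if the chain still grows line by line, the action override did not take effect for that jail.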
