Hello, today I saw that Fail2ban is causing high CPU usage. How can I fix this? I tried removing auth.log from /etc/logrotate.d/rsyslog, I changed it to daily instead of weekly, stopped fail2ban and removed the fail2ban database with sudo rm /var/lib/fail2ban/fail2ban.sqlite3. I manually forced logrotate to rotate the auth.log file with sudo logrotate --force rsyslog, but that didn't fix the problem. I use Debian 12 with KVM virtualisation. This is my rsyslog file:

root@server1:~# cat /etc/logrotate.d/rsyslog
/var/log/syslog
/var/log/mail.log
/var/log/kern.log
/var/log/auth.log
/var/log/user.log
/var/log/cron.log
{
    rotate 4
    daily
    missingok
    notifempty
    size 20M
    su root syslog
    compress
    delaycompress
    sharedscripts
    postrotate
        /usr/lib/rsyslog/rsyslog-rotate
    endscript
}
Fail2ban log:

2023-09-24 12:20:02,458 fail2ban.filter [18675]: INFO [dovecot] Ignore ::1 by ignoreself rule
2023-09-24 12:20:02,502 fail2ban.filter [18675]: INFO [dovecot] Ignore ::1 by ignoreself rule
2023-09-24 12:23:04,364 fail2ban.filter [18675]: INFO [dovecot] Found 195.144.21.56 - 2023-09-24 12:21:51
2023-09-24 12:23:04,365 fail2ban.filter [18675]: WARNING [sshd] Detected a log entry 1m 3s before the current time in operation mode. This looks like a latency problem. Treating such entries as if they just happened.
2023-09-24 12:23:04,366 fail2ban.filter [18675]: WARNING [dovecot] Detected a log entry 1m 12s before the current time in operation mode. This looks like a latency problem. Treating such entries as if they just happened.
2023-09-24 12:23:04,366 fail2ban.filter [18675]: WARNING [sshd] Please check a jail for a timing issue. Line with odd timestamp: 2023-09-24T12:22:01.584556-04:00 server1 CRON[28432]: pam_unix(cron:session): session opened for user root(uid=0) by (uid=0)
2023-09-24 12:23:04,366 fail2ban.filter [18675]: WARNING [dovecot] Please check a jail for a timing issue. Line with odd timestamp: 2023-09-24T12:21:52.507679-04:00 server1 dovecot: imap-login: Disconnected: Connection closed: SSL_read failed: error:0A0000F5:SSL routines::unexpected record (no auth attempts in 0 secs): user=<>, rip=195.144.21.56, lip=192.111.144.130, TLS: SSL_read failed: error:0A0000F5:SSL routines::unexpected record, session=<wYVMPR0GArbDkBU4>
root@server1:~#

Jail.local:

root@server1:~# cat /etc/fail2ban/jail.local
[pure-ftpd]
enabled = true
port = ftp
filter = pure-ftpd
logpath = /var/log/syslog
maxretry = 1
bantime = -1

[dovecot]
enabled = true
filter = dovecot
logpath = /var/log/mail.log
maxretry = 1
bantime = -1

[postfix-sasl]
enabled = true
port = smtp
filter = postfix[mode=auth]
logpath = /var/log/mail.log
maxretry = 1
bantime = -1

[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 1
bantime = -1
root@server1:~#
Internet search engines found these tips:
- Which jails are enabled?
- Which log files are affected/monitored?
- Is the jail recidive enabled?
- Which log level is set by fail2ban?
- Do you have some custom jails (or filters)? If so, try to disable them one by one in order to find the culprit (e.g. use fail2ban-client set <jailname> enabled false to do it without a restart).
- Do you have some service (monitored by fail2ban) which is logging persistently? If so, please provide how fast (e.g. how many log lines per second).
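Two of the questions above (how far fail2ban is lagging per jail, and how many lines per second the monitored logs produce) can be answered offline from the files already posted in this thread. The script below is an added example, not code from this thread or from the fail2ban project. It assumes the fail2ban.log line format shown in the thread and the RFC3339 timestamp format that rsyslog writes on Debian 12 (also visible in the "odd timestamp" lines above); the sample lines embedded in it are constructed from the thread's own excerpts.

```python
"""Offline diagnostics for a fail2ban host that is pegging the CPU.

summarize_fail2ban_log(): per jail, how many matches were found, how many
latency warnings fail2ban emitted and the worst lag it reported.  A jail
whose lag keeps growing is one fail2ban cannot keep up with.

log_rate(): average lines/second of a monitored log (syslog, auth.log,
mail.log) and which programs write most of it, to spot a service that
logs persistently.
"""
import re
import sys
from collections import Counter, defaultdict
from datetime import datetime

# fail2ban.log line, e.g.
# "2023-09-24 12:23:04,366 fail2ban.filter [18675]: WARNING [sshd] Detected ..."
F2B_RE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d+\s+fail2ban\.\S+\s+\[\d+\]:\s+"
    r"(?P<level>[A-Z]+)\s+\[(?P<jail>[^\]]+)\]\s+(?P<msg>.*)$"
)
# "Detected a log entry 1m 3s before the current time"; the minutes part is optional
LAG_RE = re.compile(r"Detected a log entry (?:(\d+)m )?(\d+)s before the current time")

# rsyslog RFC3339 line as written on Debian 12 (assumed format), e.g.
# "2023-09-24T12:22:01.584556-04:00 server1 CRON[28432]: pam_unix(...)"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d(?:\.\d+)?[+-]\d\d:\d\d)\s+"
    r"(?P<host>\S+)\s+(?P<prog>[^\s:\[]+)"
)


def summarize_fail2ban_log(lines):
    """Return {jail: {"found", "lag_warnings", "max_lag_s"}} for fail2ban.log lines."""
    stats = defaultdict(lambda: {"found": 0, "lag_warnings": 0, "max_lag_s": 0})
    for line in lines:
        m = F2B_RE.match(line.rstrip("\n"))
        if not m:
            continue
        jail, msg = m["jail"], m["msg"]
        if msg.startswith("Found "):
            stats[jail]["found"] += 1
        lag = LAG_RE.search(msg)
        if lag:
            secs = int(lag.group(1) or 0) * 60 + int(lag.group(2))
            stats[jail]["lag_warnings"] += 1
            stats[jail]["max_lag_s"] = max(stats[jail]["max_lag_s"], secs)
    return dict(stats)


def log_rate(lines):
    """Average lines/second between the first and last timestamped line,
    plus the three programs that wrote the most lines."""
    first = last = None
    count = 0
    by_prog = Counter()
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"])  # offset-aware, so mixed zones still subtract
        first = ts if first is None else first
        last = ts
        count += 1
        by_prog[m["prog"]] += 1
    span = (last - first).total_seconds() if count else 0.0
    rate = count / span if span > 0 else None  # None: not enough lines to rate
    return {"lines": count, "span_s": span, "lines_per_s": rate,
            "top_programs": by_prog.most_common(3)}


# Constructed samples (built from the excerpts posted in this thread).
SAMPLE_F2B = [
    "2023-09-24 12:20:02,458 fail2ban.filter [18675]: INFO [dovecot] Ignore ::1 by ignoreself rule",
    "2023-09-24 12:23:04,364 fail2ban.filter [18675]: INFO [dovecot] Found 195.144.21.56 - 2023-09-24 12:21:51",
    "2023-09-24 12:23:04,365 fail2ban.filter [18675]: WARNING [sshd] Detected a log entry 1m 3s before the current time in operation mode. This looks like a latency problem. Treating such entries as if they just happened.",
    "2023-09-24 12:23:04,366 fail2ban.filter [18675]: WARNING [dovecot] Detected a log entry 1m 12s before the current time in operation mode. This looks like a latency problem. Treating such entries as if they just happened.",
    "2023-09-24 12:23:04,366 fail2ban.filter [18675]: WARNING [sshd] Please check a jail for a timing issue. Line with odd timestamp: 2023-09-24T12:22:01.584556-04:00 server1 CRON[28432]: pam_unix(cron:session): session opened for user root(uid=0) by (uid=0)",
]
SAMPLE_SYSLOG = [
    "2023-09-24T12:22:00.000000-04:00 server1 CRON[28432]: pam_unix(cron:session): session opened for user root(uid=0) by (uid=0)",
    "2023-09-24T12:22:01.584556-04:00 server1 CRON[28432]: pam_unix(cron:session): session closed for user root",
    "2023-09-24T12:22:05.000000-04:00 server1 dovecot: imap-login: Disconnected: Connection closed (no auth attempts in 0 secs)",
    "2023-09-24T12:22:08.000000-04:00 server1 dovecot: imap-login: Disconnected: Connection closed (no auth attempts in 0 secs)",
    "2023-09-24T12:22:10.000000-04:00 server1 sshd[1234]: Connection closed by 198.51.100.7 port 40000 [preauth]",
]


def read_lines(path):
    with open(path, encoding="utf-8", errors="replace") as fh:
        return fh.read().splitlines()


def main(argv):
    """Usage: diag.py [/var/log/fail2ban.log] [/var/log/auth.log]; no args runs the samples."""
    f2b = read_lines(argv[1]) if len(argv) > 1 else SAMPLE_F2B
    monitored = read_lines(argv[2]) if len(argv) > 2 else SAMPLE_SYSLOG
    for jail, s in sorted(summarize_fail2ban_log(f2b).items()):
        print(f"[{jail}] found={s['found']} lag_warnings={s['lag_warnings']} max_lag={s['max_lag_s']}s")
    print(log_rate(monitored))


if __name__ == "__main__":
    main(sys.argv)
```

Run it with the real paths as root (the logs are mode 0640, root:adm) and compare the rate against the size of the rotated files: a few hundred KB per day, as posted later in this thread, is a very low rate, which is why a large or noisy log is unlikely to be the cause here.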
Ok, I understand, but I used this tutorial, enabled and disabled for 2 days, and no result; only after a restart does it work normally for 3-4 hours and then it is again at 100%. This tutorial too didn't work, and that's why I asked for help here. UPDATE: Just asking, why is everything working fine on my other 2 servers? Is everything one to one?
How large was the auth.log file before you altered the configuration? If the new log rotation did not help at all, maybe the diagnosis was erroneous and the reason for the high CPU usage is something else? Anyway, you quoted my questions but provided no answers to them. Have you altered the fail2ban configuration in any way?
fail2ban version 1.0.2 (latest). Log file sizes for 24h:

root@server1:~# ls -lh /var/log/syslog.1
-rw-r----- 1 root adm 3.0M Sep 27 00:00 /var/log/syslog.1
root@server1:~# ls -lh /var/log/auth.log.1
-rw-r----- 1 root adm 767K Sep 27 00:00 /var/log/auth.log.1
root@server1:~# ls -lh /var/log/mail.log.1
-rw-r--r-- 1 root adm 469K Sep 26 23:55 /var/log/mail.log.1
root@server1:~#

Yes, I always make a backup before editing a file. I restored the original files but no result.

Update: Linux and kernel:

root@server1:~# lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description:    Debian GNU/Linux 12 (bookworm)
Release:        12
Codename:       bookworm
root@server1:~# uname -a
Linux server1 6.1.0-12-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.52-1 (2023-09-07) x86_64 GNU/Linux
root@server1:~#
Those log files are not large. They are not the cause of high CPU usage. Did you find the questions in #4 uninteresting and dull?