Damion in the Cloud

Enterprise Edition

Reducing Fail2ban Disk Load


  • Thu 27 August 2020
  • Tech

Long time no siege!

Welcome! Let's talk about Fail2ban and disk utilization / load.

Item #1: SQLite Database

By default fail2ban keeps a persistent database of banned IPs.

fail2ban.conf:

# Options: dbfile
# Notes.: Set the file for the fail2ban persistent data to be stored.
#         A value of ":memory:" means database is only stored in memory 
#         and data is lost when fail2ban is stopped.
#         A value of "None" disables the database.
# Values: [ None :memory: FILE ] Default: /var/lib/fail2ban/fail2ban.sqlite3
dbfile = /var/lib/fail2ban/fail2ban.sqlite3

If you're running a server with a publicly reachable SSH daemon, over time this thing is gonna get large!

This becomes a problem for IO-restricted environments, as operations against a "massive" SQLite database become quite disk intensive. In my experience, a one-year-old database file of 150MB resulted in a sustained ~230 IOPS for multiple hours.

As I have no need for such persistence, it is appropriate for me to have the following configuration:

dbfile = None

Item #2: Large Log Files

By default, on startup Fail2ban ingests each monitored log file in its entirety. This means reading potentially tens of megabytes of text.

You can opt to have Fail2ban tail the log file instead. This does mean that if you restart the service, Fail2ban will not consider any activity logged before the restart.

jail.conf:

[sshd]

# To use more aggressive sshd modes set filter parameter "mode" in jail.local:
# normal (default), ddos, extra or aggressive (combines all).
# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
#mode   = normal
port    = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s

would be adjusted to:

logpath = %(sshd_log)s tail

The Fail2ban jail.conf documentation covers this; search (ctrl+f) for "tail".
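As an added example (not code from the original post), here is a small Python audit script covering both items above: it reports the dbfile mode from fail2ban.conf and lists enabled jails in jail.conf whose logpath still lacks the `tail` flag. It assumes Fail2ban's INI layout (a [Definition] section in fail2ban.conf, one section per jail in jail.conf) and runs against constructed sample files written to a temp directory.

```python
import configparser
import os
import tempfile

# Constructed sample configs (not copied from a real host) so the audit runs offline.
SAMPLE_FAIL2BAN_CONF = "[Definition]\nloglevel = INFO\ndbfile = {dbfile}\n"
SAMPLE_JAIL_CONF = """[DEFAULT]
bantime = 10m
[sshd]
enabled = true
port = ssh
logpath = /var/log/auth.log
[nginx-http-auth]
enabled = true
logpath = /var/log/nginx/error.log tail
[postfix]
enabled = false
logpath = /var/log/mail.log
"""

def load_ini(path):
    """Fail2ban files are INI with %(name)s interpolation; read them raw so
    unresolved references such as %(sshd_log)s stay visible as written."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read(path)
    return cp

def database_mode(fail2ban_conf):
    """Return ('none'|'memory'|'file', db size in bytes or None) for dbfile."""
    cp = load_ini(fail2ban_conf)
    default = "/var/lib/fail2ban/fail2ban.sqlite3"  # Fail2ban's documented default
    dbfile = cp.get("Definition", "dbfile", fallback=default).strip()
    if dbfile.lower() == "none":
        return "none", None
    if dbfile == ":memory:":
        return "memory", None
    return "file", (os.path.getsize(dbfile) if os.path.exists(dbfile) else None)

def jails_reading_whole_log(jail_conf):
    """(jail, path) pairs for enabled jails whose logpath lines lack the
    'tail' flag, i.e. the whole file is re-read on every Fail2ban restart."""
    cp = load_ini(jail_conf)
    findings = []
    for jail in cp.sections():  # [DEFAULT] is inherited, not listed
        if not cp.getboolean(jail, "enabled", fallback=False):
            continue
        for line in cp.get(jail, "logpath", fallback="").splitlines():
            line = line.strip()
            if line and not line.endswith(" tail"):
                findings.append((jail, line))
    return findings

def write_samples(dbfile="/var/lib/fail2ban/fail2ban.sqlite3"):
    """Write the constructed configs to a temp dir; returns (fail2ban.conf, jail.conf)."""
    d = tempfile.mkdtemp()
    f, j = os.path.join(d, "fail2ban.conf"), os.path.join(d, "jail.conf")
    open(f, "w").write(SAMPLE_FAIL2BAN_CONF.format(dbfile=dbfile))
    open(j, "w").write(SAMPLE_JAIL_CONF)
    return f, j

if __name__ == "__main__":
    f, j = write_samples()
    print("dbfile mode:", database_mode(f))
    for jail, path in jails_reading_whole_log(j):
        print(f"{jail}: {path} is read from the start; append 'tail' to logpath")
```

Point the two functions at /etc/fail2ban/fail2ban.conf and /etc/fail2ban/jail.local to audit a live host.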


With these top ten tips, I hope you are able to get the most out of your $10/year VPS services.