How to improve Fail2ban IO Performance
Solution #1: inotify vs gamin
If you don’t already have it, install python-inotify. Fail2ban should then automatically use that library rather than gamin to watch for log file updates. This is very helpful on servers with *many* log files. Details on how this is done here.
If that doesn’t cut it, try solution #2.
Solution #2: Add tail
By default, fail2ban reads each log file from the head (top) all the way to the end. This is good for ensuring maximal security, but it also causes disk I/O problems with very large log files, particularly on start-up.
To resolve this, fail2ban has a little-known configuration option that tells it to tail the logs rather than read through each large file from the head. Unfortunately, this must be applied on a per-jail basis.
Edit /etc/fail2ban/jail.conf and look for each entry of “logpath”. Immediately after the path, add a space character followed by: tail
For example:
logpath = /var/log/secure tail
If you’re running Plesk with Fail2ban, be sure to do the same for each jail in /etc/fail2ban/jail.d/plesk.conf. Unfortunately, these files will likely be overwritten, so long-term it would be best to copy the whole logpath config over to /etc/fail2ban/jail.local. This is a somewhat involved process that we’ll get to at a later date.
Now restart fail2ban: service fail2ban restart
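The long-term approach mentioned above, keeping the tail-enabled logpath entries in /etc/fail2ban/jail.local so an update cannot overwrite them, can be drafted with a small script. This is an added example, not code from the original article or from the Fail2ban project; the function name emit_tail_overrides is hypothetical, and it assumes each logpath key starts at column 0 with any extra paths on indented continuation lines.

```shell
#!/bin/sh
# Added example: print jail.local-style overrides that append " tail"
# to every logpath found in a jail file. Nothing is written under /etc;
# the result goes to stdout so it can be reviewed before being merged.
emit_tail_overrides() {
    awk '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    # Append " tail" unless the entry already ends in an explicit head/tail.
    function with_tail(p) { return (p ~ /[ \t](head|tail)$/) ? p : p " tail" }
    # Print the [jail] header once, and only for jails that set a logpath.
    function header() { if (!shown) { print section; shown = 1 } }
    /^[ \t]*[#;]/ { next }                      # comment lines
    /^\[/ {                                     # new [jail] section
        section = $0; sub(/\].*$/, "]", section)
        shown = 0; in_lp = 0; next
    }
    /^logpath[ \t]*=/ {                         # first line of a logpath value
        v = $0; sub(/^logpath[ \t]*=/, "", v); v = trim(v)
        header(); in_lp = 1
        out = (v == "") ? "logpath =" : "logpath = " with_tail(v)
        print out; next
    }
    in_lp && /^[ \t]+[^ \t]/ {                  # indented continuation path
        print "          " with_tail(trim($0)); next
    }
    { in_lp = 0 }                               # anything else ends the value
    ' "$1"
}
```

Run it as emit_tail_overrides /etc/fail2ban/jail.d/plesk.conf, review the output, and merge the stanzas into jail.local by hand before restarting fail2ban.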
Hi Jordan,
Very interesting topic.
All my logpaths look like this:
logpath = %(system being monitored)s
Would it still work if I added a tail at the back?
logpath = %(system being monitored)s tail
Regards,
Jay
Hey Jay,
Probably? I’d say give it a try and see 🙂