Skip to content

How to improve Fail2ban IO Performance

Solution #1: inotify vs gamin

If you don’t have it installed already, get python-inotify installed. Fail2ban should then automatically start using that library rather than gamin for log file updates. This is very helpful when it comes to servers with *many* log files. Details on how this is done here.

If that doesn’t cut it, try solution #2.

Solution #2: Add tail

By default fail2ban reads logs through from the head (top) of the log file all the way to the end. This is good to ensure maximal security, however it also presents disk I/O problems when working with very large log files — particularly on start-up.

To resolve this, fail2ban has a little known configuration option to tell it to tail the logs rather than read through each of the large files from the head. Unfortunately this must be applied on a per-jail basis.

Edit /etc/fail2ban/jail.conf and look for each entry of “logpath”. Immediately after the path, add a space character followed by: tail

For example:

logpath  = /var/log/secure tail

If you’re running Plesk with Fail2ban, be sure to also do the same to each jail in /etc/fail2ban/jail.d/plesk.conf  Unfortunately these files will likely be overwritten, so long-term it would be best to copy the whole logpath config over to /etc/fail2ban/jail.local. Unfortunately this is a somewhat involved process that we’ll get to at a later date.

Now restart fail2ban: service fail2ban restart

Source

Jordan has been working with computers, security, and network systems since the 90s and is a managing partner at Websavers Inc. As a founder of the company, he's been in the web tech space for over 15 years.

2 Comments

  1. Jason on September 27, 2019 at 10:32 am

    Hi Jordan,

    Very interesting topic.

    All my logpaths looks like this:

    logpath = %(system being monitored)s

    would it still work if I added a tail at the back?

    logpath = %(system being monitored)s tail

    Regards,
    Jay

    • Jordan Schelew on October 7, 2019 at 12:29 pm

      Hey Jay,

      Probably? I’d say give it a try and see 🙂

Leave a Comment