How to improve Fail2ban IO Performance

Solution #1: inotify vs gamin

If you don’t have it already, install python-inotify. Fail2ban should then automatically start using that library rather than gamin for log file updates. This is very helpful when it comes to servers with *many* log files. Details on how this is done here.

If that doesn’t cut it, try solution #2.

Solution #2: Add tail

By default, fail2ban reads each log file from the head (top) all the way to the end. This is good for ensuring maximal security, but it also causes disk I/O problems when working with very large log files, particularly on start-up.

To resolve this, fail2ban has a little-known configuration option that tells it to tail the logs rather than read through each of the large files from the head. Unfortunately, this must be applied on a per-jail basis.

Edit /etc/fail2ban/jail.conf and look for each entry of “logpath”. Immediately after the path, add a space character followed by: tail

For example:

logpath  = /var/log/secure tail

If you’re running Plesk with Fail2ban, be sure to do the same for each jail in /etc/fail2ban/jail.d/plesk.conf. Unfortunately these files will likely be overwritten, so long-term it would be best to copy the whole logpath config over to /etc/fail2ban/jail.local. This is a somewhat involved process that we’ll get to at a later date.

Now restart fail2ban: service fail2ban restart
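One way to prepare the jail.local overrides mentioned above, as an added example that is not part of the original post: the Python below reads jail configuration text and emits a stanza per jail that re-declares its logpath with tail appended, including multi-line logpath values. The sample config, its jail names and paths, and the function name tail_overrides are constructed for illustration.

```python
import configparser

# Constructed sample standing in for jail.conf / jail.d/plesk.conf content.
SAMPLE = """\
[DEFAULT]
bantime = 600

[sshd]
enabled = true
logpath = /var/log/secure

[plesk-apache]
enabled = true
logpath = /var/www/vhosts/system/*/logs/*access*log
          /var/log/httpd/*access_log

[recidive]
logpath = /var/log/fail2ban.log tail
"""

def tail_overrides(conf_text):
    """Return jail.local text that re-declares every jail's logpath with 'tail'."""
    # default_section is renamed so [DEFAULT] values are not inherited by every
    # jail; the raw parser leaves %(...)s interpolations untouched.
    cp = configparser.RawConfigParser(strict=False, default_section="__unused__")
    cp.read_string(conf_text)
    out = []
    for jail in cp.sections():
        if jail in ("DEFAULT", "INCLUDES") or not cp.has_option(jail, "logpath"):
            continue
        paths = []
        for line in cp.get(jail, "logpath").splitlines():
            line = line.strip()
            if not line:
                continue
            # Leave entries that already carry an explicit head/tail marker.
            if line.split()[-1] not in ("tail", "head"):
                line += " tail"
            paths.append(line)
        if paths:
            out.append("[%s]\nlogpath = %s\n" % (jail, "\n          ".join(paths)))
    return "\n".join(out)

if __name__ == "__main__":
    print(tail_overrides(SAMPLE))
```

Review the output before appending it to /etc/fail2ban/jail.local, which fail2ban reads after jail.conf and jail.d/*.conf, so the overrides survive those files being rewritten.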


Jordan is a computer, security, and network systems expert and a lover of all things web and tech. Jordan consults with project management for software companies. Jordan is a founder and managing partner at Websavers Inc.
