I'm new to fail2ban and having a hard time figuring out performance considerations for different configurations I'm thinking about setting up. This is running on a raspberry pi board, so performance is a concern.
The obvious optimizations I can think of are using efficient regular expressions and only the minimum number of jails needed. I guess my specific questions are:
- How does resource usage increase with respect to findtime values? I'm guessing very small and very large values could both impact the server in different ways regarding RAM vs. CPU.
- Similarly, how does the size of a log file and the number of different log files monitored by fail2ban impact overall resource usage?
As an example, this jail would let someone try 3,600 SSH login passwords a day if they figured out the fail2ban config and adjusted their script timing to accommodate.
[ssh]
enabled = true
action = iptables-allports[name=ssh]
filter = sshd
logpath = /var/log/auth.log
maxretry = 6
findtime = 120
If we changed findtime to a different extreme of 86400 (1 day), it would only allow 5 attempts a day, but now it's monitoring a larger portion of the log file. How does this affect resource usage?
Another example, a jail for POST flood attacks:
[apache-post-flood]
enabled = true
action = iptables-allports[name=apache-post-flood]
filter = apache-post-flood
logpath = /var/log/apache2/*access.log
maxretry = 10
findtime = 10
Here, we have the opposite, where the findtime counter is resetting every 10 seconds. It's also monitoring all *access logs (I'm guessing, again, I'm new to this). That could mean it's monitoring access.log, other_vhosts_access.log, and perhaps an https_access.log for https portions of the site. What if it's been a busy day and these files are all 10-20 MB each?
Hope this helps explain what's on my mind. Thanks in advance for your help.
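To make the maxretry/findtime trade-off concrete, here is an added example (not from the question or from fail2ban itself) that models fail2ban's sliding window in a simplified way: a ban fires once `maxretry` failures land within the last `findtime` seconds. It reproduces the "3,600 per day" versus "5 per day" figures above and shows why a burst bans while paced attempts do not; the attempt schedules are constructed, not real log data.

```python
from collections import deque

def ban_triggered_at(failure_times, maxretry, findtime):
    """Return the time of the failure that would trigger a ban, else None.

    Simplified model of fail2ban's findtime window (an assumption, not
    fail2ban's exact code): keep only failures strictly within the last
    `findtime` seconds and ban once `maxretry` of them are present.
    """
    window = deque()
    for t in sorted(failure_times):
        window.append(t)
        # drop failures that have aged out of the findtime window
        while t - window[0] >= findtime:
            window.popleft()
        if len(window) >= maxretry:
            return t
    return None

def max_unbanned_attempts_per_day(maxretry, findtime):
    """Attempts per day an attacker can make without ever being banned,
    by keeping at most maxretry-1 failures inside any findtime window."""
    return int((maxretry - 1) * (86400 / findtime))

def paced_schedule(maxretry, findtime, seconds=86400):
    """Constructed attacker schedule: attempts evenly spaced so that only
    maxretry-1 of them ever fall inside one findtime window."""
    step = findtime / (maxretry - 1)
    return [i * step for i in range(int(seconds / step))]

def burst_schedule(count, start=0.0):
    """Constructed schedule: `count` failures one second apart."""
    return [start + i for i in range(count)]

if __name__ == "__main__":
    # The [ssh] jail from the question: maxretry = 6, findtime = 120
    print(max_unbanned_attempts_per_day(6, 120))     # 3600 per day
    print(max_unbanned_attempts_per_day(6, 86400))   # 5 per day
    print(ban_triggered_at(burst_schedule(6), 6, 120))          # banned at 5.0
    print(ban_triggered_at(paced_schedule(6, 120), 6, 120))     # None, never banned
```

Lowering maxretry or raising findtime shrinks the attacker's budget; the day-long findtime also means the jail keeps a day's worth of failure timestamps per source in memory, which is the RAM side of the trade-off the question asks about.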