Persistent overseas network attacks being performed on my system without my permission inclined me to install fail2ban, since cphulkd does not ban IPs. I am monitoring a few services for unwelcome penetration attempts. Once the service was started, I noticed it was using extremely high CPU resources. 22 emails after the startup disclose that the SSH server jail is stopped and started.

Here is my fail2ban.conf http://pastebin.com/ptCLmpqm

My jail.conf: http://pastebin.com/KDdmTSCL (note: my emails are obscured for obvious security & spam reasons)

fail2ban log pastebin(dot)com/rq0cqm9J

  • Same problem, have you found a solution? – bourvill Dec 31 '14 at 09:18
  • Could be another log too big and too frequently updated, i.e. maillog – Veve Feb 15 '16 at 09:56
  • I had a similar issue. To debug it I started editing my jail.conf file, disabling rules one by one and restarting fail2ban until I found the ones that were causing me problems. As @Veve, my problem was a log file that was getting too big and wasn't being rotated properly. – Maxime Rainville Jun 21 '16 at 00:48

1 Answer

In my case, I was running fail2ban only for sshd. My /var/log/auth.log file was huge and configured to rotate only weekly.

I set up daily rotation (and forced the rotation to run immediately, which triggered a permission error).

This did not fix things until I also

  • Stopped fail2ban
  • Deleted /var/lib/fail2ban/fail2ban.sqlite3
  • Started fail2ban

With those steps,

sudo fail2ban-client status sshd

showed bans within a few minutes.

Eric J.
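
The answer and the comments above both trace the CPU load to an oversized, poorly rotated log that fail2ban has to scan. The following is an added diagnostic, not part of the original answer, that lists which monitored logs exceed a size limit before you start disabling jails one by one. The function name `oversized_jail_logs` and the limit you pass are assumptions; it only understands literal paths or globs written on the same line as `logpath =`.

```shell
#!/bin/sh
# Added example (not from the original post): report fail2ban-monitored
# log files that are larger than a given size.
# Assumption: each path is a literal path or glob on the same line as
# "logpath ="; %(...)s interpolations and continuation lines are skipped.
# Jail settings may also live in jail.local or jail.d/, so run it per file.

# oversized_jail_logs JAIL_FILE LIMIT_BYTES
# Prints "<bytes> <path>" for every monitored log larger than LIMIT_BYTES.
oversized_jail_logs() {
    jail_file=$1
    limit=$2
    # Extract the value of every uncommented "logpath = ..." line.
    sed -n 's/^[[:space:]]*logpath[[:space:]]*=[[:space:]]*//p' "$jail_file" |
    while IFS= read -r value; do
        case $value in
            *'%('*) continue ;;   # interpolated value, cannot resolve here
        esac
        # Unquoted on purpose so globs such as /var/log/auth.log* expand.
        for path in $value; do
            [ -f "$path" ] || continue
            # Arithmetic expansion strips the padding some wc builds emit.
            size=$(($(wc -c < "$path")))
            if [ "$size" -gt "$limit" ]; then
                echo "$size $path"
            fi
        done
    done
}

# Usage (100 MiB limit, chosen arbitrarily for illustration):
#   oversized_jail_logs /etc/fail2ban/jail.conf 104857600
```

Any file it reports is a candidate for more frequent rotation, followed by the stop, delete `/var/lib/fail2ban/fail2ban.sqlite3`, start sequence described in the answer.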