Discussion:
[Fail2ban-users] Server stops responding during Fail2ban restart
Rodrigo Abrantes Antunes
2015-07-22 13:08:43 UTC
Hi, where does fail2ban store the current banned IPs and the amount of
time left to unban them? How many banned IPs at the same time can fail2ban
handle? What's the recommended size of the logs that fail2ban analyzes?

I have about 1000 IPs banned and when I restart fail2ban the server
stops responding and I have to force a reboot. In the logs I saw that it was
unbanning IP by IP. I tried flushing the tables via iptables but it still
tries to unban IP by IP.

Thanks
--
Rodrigo Abrantes Antunes
Instituto Federal Sul-rio-grandense
Patrick B. Shanahan
2015-07-22 13:19:58 UTC
Post by Rodrigo Abrantes Antunes
Hi, where does fail2ban store the current banned IPs and the amount of
time left to unban them? How many banned IPs at the same time can fail2ban
handle? What's the recommended size of the logs that fail2ban analyzes?
I have about 1000 IPs banned and when I restart fail2ban the server
stops responding and I have to force a reboot. In the logs I saw that it was
unbanning IP by IP. I tried flushing the tables via iptables but it still
tries to unban IP by IP.
Probably /var/lib/fail2ban/fail2ban.sqlite3

fail2ban-client status <jail>
will give you a visual report
--
(paka)Patrick Shanahan Plainfield, Indiana, USA @ptilopteri
http://en.opensuse.org openSUSE Community Member facebook/ptilopteri
http://wahoo.no-ip.org Photo Album: http://wahoo.no-ip.org/gallery2
Registered Linux User #207535 @ http://linuxcounter.net
Darac Marjal
2015-07-22 13:45:31 UTC
Post by Rodrigo Abrantes Antunes
Hi, where does fail2ban store the current banned IPs and the amount of
time left to unban them? How many banned IPs at the same time can fail2ban
handle? What's the recommended size of the logs that fail2ban analyzes?
I have about 1000 IPs banned and when I restart fail2ban the server
stops responding and I have to force a reboot. In the logs I saw that it was
unbanning IP by IP. I tried flushing the tables via iptables but it still
tries to unban IP by IP.
I suspect the issue here is the extensible nature of fail2ban. The core
of fail2ban doesn't actually know how to ban and unban IPs; all it does
is call an "action" for each ban/unban. That action could be calling
iptables or ufw, it could be controlling the local firewall or one on a
remote machine. So, at the moment, all that fail2ban can do is to spawn
that script multiple times, once for each IP.

I suppose it might be nice to have "setup"/"flush" actions (in addition
to "ban" and "unban") which, if set, add and remove IPs in bulk from the
firewall. What I'm thinking is that, where a firewall system supports
bulk banning/unbanning, a different action can be called when the jail
is started or stopped (respectively), but when the "setup" or "flush"
action isn't set (because the system doesn't support that), then it
falls back to banning/unbanning individual IPs.
Rodrigo Abrantes Antunes
2015-10-27 10:59:12 UTC
Still some doubts..

1- But how does fail2ban know which IPs it needs to unban? Does it store them in a
temporary file?

2- And how can I view the time left to unban an IP?

3- How many banned IPs at the same time can fail2ban handle without slowing
down the system?

4- What's the recommended size of the logs that fail2ban analyzes (syslog,
kern.log, etc.)? I think if the file is too big it can slow down fail2ban,
right?

Many questions, sorry..
Post by Darac Marjal
Post by Rodrigo Abrantes Antunes
Hi, where does fail2ban store the current banned IPs and the amount of
time left to unban them? How many banned IPs at the same time can fail2ban
handle? What's the recommended size of the logs that fail2ban analyzes?
I have about 1000 IPs banned and when I restart fail2ban the server
stops responding and I have to force a reboot. In the logs I saw that it was
unbanning IP by IP. I tried flushing the tables via iptables but it still
tries to unban IP by IP.
I suspect the issue here is the extensible nature of fail2ban. The core
of fail2ban doesn't actually know how to ban and unban IPs; all it does
is call an "action" for each ban/unban. That action could be calling
iptables or ufw, it could be controlling the local firewall or one on a
remote machine. So, at the moment, all that fail2ban can do is to spawn
that script multiple times, once for each IP.
I suppose it might be nice to have "setup"/"flush" actions (in addition
to "ban" and "unban") which, if set, add and remove IPs in bulk from the
firewall. What I'm thinking is that, where a firewall system supports
bulk banning/unbanning, a different action can be called when the jail
is started or stopped (respectively), but when the "setup" or "flush"
action isn't set (because the system doesn't support that), then it falls
back to banning/unbanning individual IPs.
--
Rodrigo Abrantes Antunes
Instituto Federal Sul-rio-grandense
Nick Howitt
2015-10-27 12:55:30 UTC
I don't know if you missed it but there has been a similar thread
recently:
http://sourceforge.net/p/fail2ban/mailman/fail2ban-users/thread/5613A88B.1080306%40castlehillcc.co.za/#msg34518311

It suggested just flushing the chain when f2b stopped rather than
unbanning IP address by IP address. There is also a very neat method
using ipset, which is faster to add IPs to and can also expire IP
addresses automatically.

Nick
Post by Rodrigo Abrantes Antunes
Still some doubts..
1- But how does fail2ban know which IPs it needs to unban? Does it store them
in a temporary file?
2- And how can I view the time left to unban an IP?
3- How many banned IPs at the same time can fail2ban handle without
slowing down the system?
4- What's the recommended size of the logs that fail2ban analyzes
(syslog, kern.log, etc.)? I think if the file is too big it can slow
down fail2ban, right?
Many questions, sorry..
Post by Darac Marjal
Post by Rodrigo Abrantes Antunes
Hi, where does fail2ban store the current banned IPs and the
amount of
time left to unban them? How many banned IPs at the same time can fail2ban
handle? What's the recommended size of the logs that fail2ban analyzes?
I have about 1000 IPs banned and when I restart fail2ban the server
stops responding and I have to force a reboot. In the logs I saw that it was
unbanning IP by IP. I tried flushing the tables via iptables but it still
tries to unban IP by IP.
I suspect the issue here is the extensible nature of fail2ban. The core
of fail2ban doesn't actually know how to ban and unban IPs; all it does
is call an "action" for each ban/unban. That action could be
calling
iptables or ufw, it could be controlling the local firewall or one on a
remote machine. So, at the moment, all that fail2ban can do is to spawn
that script multiple times, once for each IP.
I suppose it might be nice to have "setup"/"flush" actions (in addition
to "ban" and "unban") which, if set, add and remove IPs in bulk from the
firewall. What I'm thinking is that, where a firewall system
supports
bulk banning/unbanning, a different action can be called when the jail
is started or stopped (respectively), but when the "setup" or
"flush"
action isn't set (because the system doesn't support that), then
it falls back to banning/unbanning individual IPs.
Rodrigo Abrantes Antunes
Instituto Federal Sul-rio-grandense
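As an added example (not from this thread and not the fail2ban project's own action file; fail2ban ships its own ipset actions, and this one is written for illustration), here is an action definition in fail2ban's action.d format that does what Darac's "setup"/"flush" idea and Nick's ipset suggestion describe: the set and the single iptables rule are created once in actionstart, each ban is an ipset add with a timeout so the kernel expires it by itself, and actionstop flushes and destroys the whole set instead of removing 1000 iptables rules one at a time. The tags `<name>`, `<ip>`, `<bantime>`, `<chain>`, `<port>` and `<protocol>` are the standard ones the jail passes to an action; the set name prefix `f2b-` and the [Init] defaults are assumptions for this example.

```ini
# Illustrative action (example, not fail2ban's shipped ipset action).
# One ipset per jail; one iptables rule references the set.
[Definition]

# Run once when the jail starts: create the set (with a default entry
# timeout) and a single rule that matches source IPs against it.
actionstart = ipset create f2b-<name> hash:ip timeout <bantime> -exist
              iptables -I <chain> -p <protocol> -m multiport --dports <port> -m set --match-set f2b-<name> src -j REJECT --reject-with icmp-port-unreachable

# Run once when the jail stops: drop the rule, then empty and destroy the
# set. This is the bulk "flush" that replaces per-IP rule deletion.
actionstop = iptables -D <chain> -p <protocol> -m multiport --dports <port> -m set --match-set f2b-<name> src -j REJECT --reject-with icmp-port-unreachable
             ipset flush f2b-<name>
             ipset destroy f2b-<name>

# Sanity check that the set still exists (fail2ban re-runs actionstart
# if this fails).
actioncheck = ipset list f2b-<name> >/dev/null 2>&1

# Per-IP ban: a set insert with a per-entry timeout, so the kernel
# expires the entry after <bantime> seconds even if fail2ban never
# gets to unban it. "-exist" makes a repeated ban refresh the timeout.
actionban = ipset add f2b-<name> <ip> timeout <bantime> -exist

# Per-IP unban: a cheap set delete rather than an iptables rule removal.
actionunban = ipset del f2b-<name> <ip> -exist

# Assumed defaults for this example; the jail normally overrides
# these when it invokes the action.
[Init]
name = default
chain = INPUT
port = ssh
protocol = tcp
bantime = 600
```

Because the entries carry their own timeout, the set stays correct even if the daemon is killed mid-shutdown; `ipset list f2b-<jail>` shows each address with its remaining seconds, which also answers the "time left to unban" question from the firewall's point of view.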
Harrison Johnson
2015-07-22 14:33:38 UTC
Rodrigo,
I hope I said that right, I can't roll my R's. Persistent storage is
controllable in the fail2ban.conf file with the line dbfile= . It can be
a file name, memory or none. Mine is none, actually commented out. Any time
fail2ban does an orderly shutdown it unbans the IPs one at a time.
Post by Rodrigo Abrantes Antunes
Hi, where does fail2ban store the current banned IPs and the amount
of time left to unban them? How many banned IPs at the same time
can fail2ban handle? What's the recommended size of the logs that
fail2ban analyzes?
I have about 1000 IPs banned and when I restart fail2ban the
server stops responding and I have to force a reboot. In the logs I saw
that it was unbanning IP by IP. I tried flushing the tables via iptables
but it still tries to unban IP by IP.
Thanks
Rodrigo Abrantes Antunes
Instituto Federal Sul-rio-grandense
Patrick B. Shanahan
2015-07-22 14:38:44 UTC
Post by Harrison Johnson
Rodrigo,
I hope I said that right, I can't roll my R's. Persistent storage is
controllable in the fail2ban.conf file with the line dbfile= . It can be
a file name, memory or none. Mine is none, actually commented out. Any time
fail2ban does an orderly shutdown it unbans the IPs one at a time.
Post by Rodrigo Abrantes Antunes
Hi, where does fail2ban store the current banned IPs and the amount
of time left to unban them? How many banned IPs at the same time
can fail2ban handle? What's the recommended size of the logs that
fail2ban analyzes?
I have about 1000 IPs banned and when I restart fail2ban the
server stops responding and I have to force a reboot. In the logs I saw
that it was unbanning IP by IP. I tried flushing the tables via iptables
but it still tries to unban IP by IP.
And when you start back up, each is individually banned again ...
--
(paka)Patrick Shanahan Plainfield, Indiana, USA @ptilopteri
http://en.opensuse.org openSUSE Community Member facebook/ptilopteri
http://wahoo.no-ip.org Photo Album: http://wahoo.no-ip.org/gallery2
Registered Linux User #207535 @ http://linuxcounter.net
