The fail2ban database on my server is quite large (420MB).
The fail2ban log is quite busy (there is a "filter" entry every two seconds) but iptables
shows only a few banned addresses.
dbpurgeage is 86400 seconds (24 hours).
Is this size coherent with the activity or is there something going on?
I assume that if I do stop/erase DB/start I will get back to a sensible size, but won't this make the active bans permanent?
Best Answer
I just discovered this issue on my own servers. My dbpurgeage is also set to the default 24 hours, yet my fail2ban.sqlite3 grew to 400MB and has 800,000 bans from the last 2 years. It turns out fail2ban didn't actually have code to purge the DB until v0.11. It was added in this commit. dbpurgeage does nothing before then.
To see how many bans are in the DB:
To see how old your oldest DB entry is:
To cleanup the DB, for example keep only the last week of data:
The deletion might take several minutes, during which fail2ban will get blocked if it tries to access the database. Perhaps you may want to delete in smaller batches (first everything older than 2 years, then 1 year, etc), to give fail2ban a chance to run in between, and vacuum at the end.
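The three steps the answer describes (count the rows, find the oldest one, delete old rows in batches and vacuum) as an added, runnable example. This is not code from the answer or from the fail2ban project; it uses Python's built-in sqlite3 module so it can be run against the live file without a separate sqlite3 binary. Assumptions: the `bans` table is reproduced here in simplified form (the `jail`, `ip`, `timeofban`, `data` columns of fail2ban 0.9/0.10, without the foreign key to `jails`); `/var/lib/fail2ban/fail2ban.sqlite3` is the default `dbfile` from fail2ban.conf; the seeded rows and the fixed reference time are constructed sample data, not real bans.

```python
import sqlite3
import time

# Default location of the fail2ban database (dbfile in fail2ban.conf); adjust if yours differs.
DEFAULT_DB = "/var/lib/fail2ban/fail2ban.sqlite3"
DAY = 86400

# Fixed reference "now" so the constructed sample below is reproducible.
SAMPLE_NOW = 1_700_000_000
# Constructed sample data: ages in days of the bans to seed (not real bans).
SAMPLE_AGES_DAYS = [1, 3, 6, 8, 45, 200, 400, 800]


def build_sample_db(path=":memory:"):
    """Create a database with the same columns as fail2ban's `bans` table
    (assumption: simplified schema, no FOREIGN KEY to `jails`) and seed it
    with the constructed sample rows above."""
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE bans("
        "jail TEXT NOT NULL, ip TEXT, timeofban INTEGER NOT NULL, data JSON)"
    )
    rows = [
        ("sshd", f"203.0.113.{i}", SAMPLE_NOW - age * DAY, "{}")
        for i, age in enumerate(SAMPLE_AGES_DAYS, start=1)
    ]
    conn.executemany("INSERT INTO bans VALUES (?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def open_live_db(path=DEFAULT_DB):
    """Open the real database; the 30 s timeout waits on fail2ban's lock instead of failing."""
    return sqlite3.connect(path, timeout=30)


def count_bans(conn):
    """How many bans are in the DB."""
    return conn.execute("SELECT COUNT(*) FROM bans").fetchone()[0]


def oldest_ban_age_days(conn, now):
    """Age in whole days of the oldest DB entry, or None if the table is empty."""
    (oldest,) = conn.execute("SELECT MIN(timeofban) FROM bans").fetchone()
    if oldest is None:
        return None
    return (now - oldest) // DAY


def purge_in_batches(conn, now, keep_days=7, batch_days=(730, 365, 90, 30)):
    """Delete bans older than keep_days, oldest first, in several committed
    batches so a running fail2ban can take the lock between them; then VACUUM
    so the file actually shrinks. Returns the rows deleted per batch."""
    steps = sorted({d for d in batch_days if d > keep_days} | {keep_days}, reverse=True)
    deleted = []
    for days in steps:
        cur = conn.execute("DELETE FROM bans WHERE timeofban < ?", (now - days * DAY,))
        conn.commit()  # release the write lock before the next batch
        deleted.append(cur.rowcount)
    conn.execute("VACUUM")  # runs outside a transaction; returns the freed pages to the OS
    return deleted


if __name__ == "__main__":
    conn = build_sample_db()  # swap for open_live_db() and time.time() on a real server
    print("bans:", count_bans(conn), "oldest (days):", oldest_ban_age_days(conn, SAMPLE_NOW))
    print("deleted per batch:", purge_in_batches(conn, SAMPLE_NOW))
    print("bans:", count_bans(conn), "oldest (days):", oldest_ban_age_days(conn, SAMPLE_NOW))
```

Keep `keep_days` at least as long as your longest `bantime`: rows newer than the cutoff are never touched, so the bans fail2ban restores from the DB on restart are unaffected, which also answers the question's worry about active bans.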