fail2ban – Is a Large fail2ban Database Normal?

fail2ban

The fail2ban database on my server is quite large (420MB).

The fail2ban log is quite busy (there is a "filter" entry every two seconds) but iptables shows only a few banned addresses.

dbpurgeage is 86400 seconds (24hours)

Is this size coherent with the activity or is there something going on?

I assume that if I do stop/erase DB/start I will get back to a sensible size, but won't this make the active bans permanent?

Best Answer

I just discovered this issue on my own servers. My dbpurgeage is also set to the default 24 hours, yet my fail2ban.sqlite3 grew to 400MB and has 800,000 bans from the last 2 years.

It turns out fail2ban didn't actually have code to purge the DB until v0.11. It was added in this commit. dbpurgeage does nothing before then.

To see how many bans are in the DB:

sqlite3 /var/lib/fail2ban/fail2ban.sqlite3 "select count(*) from bans"

To see how old your oldest DB entry is:

sqlite3 /var/lib/fail2ban/fail2ban.sqlite3 "select datetime(min(timeofban), 'unixepoch') from bans"

To cleanup the DB, for example keep only the last week of data:

sqlite3 /var/lib/fail2ban/fail2ban.sqlite3 "delete from bans where timeofban < strftime('%s', 'now', '-7 days')"
sqlite3 /var/lib/fail2ban/fail2ban.sqlite3 "vacuum"

The deletion might take several minutes, during which fail2ban will get blocked if it tries to access the database. Perhaps you may want to delete in smaller batches (first everything older than 2 years, then 1 year, etc), to give fail2ban a chance to run in between, and vacuum at the end.

Related Solutions

Fail2ban – send email with msmtp

What I would do is the following:

First thing is to copy all action.d/sendmail-*.conf files to action.d/msmtp-*.conf files:

for file in /etc/fail2ban/action.d/sendmail*.conf; do cp "$file" "${file/sendmail/msmtp}"; done

Next step is to change the occurrences of before = sendmail to before = msmtp in the action.d/msmtp-*.conf files:

sed -i 's/before = sendmail/before = msmtp/' /etc/fail2ban/action.d/msmtp-*.conf

This will correct the references to other sendmail configuration files like before = sendmail-common.conf.

Followed by changing all occurrences of sendmail -f <sender> to msmtp in action.d/msmtp-*.conf:

sed -i 's/sendmail -f <sender>/msmtp/p' /etc/fail2ban/action.d/msmtp-*.conf

This will correct the lines where sendmail is called like Fail2Ban | /usr/sbin/sendmail -f <sender> <dest>.

The final step is changing the mta = msmtp in the action.d/jail.conf file. Then reload fail2ban to test whether these modifications work.

Another thing to keep in mind is the user context of fail2ban with respect to the msmtp configuration. If you have a local msmtprc file configured, it might not be applied when fail2ban tries to run msmtp due to other user context. In that case, configure msmtp with a global configuration, or create a separate configuration for the user that runs fail2ban.

Debian – How to automatically permanently ban IP addresses

fail2ban can be configured for permanent bans by setting bantine to -1

In jail.conf

bantime = -1

These will be lost on a reboot, but that's not necessarily a bad thing because so many attempts will be transient from pwned home machines in a botnet...

If you want persistence, then https://arno0x0x.wordpress.com/2015/12/30/fail2ban-permanent-persistent-bans/ may give some guidance.

Essentially modifying the fail2ban config to create a persistent configuration file of all the banned IPs, and have iptables load this list on reboot...

So if you check your default jail.conf you may find the default action is iptables-multiport. This corresponds to the configuration file /etc/fail2ban/ction.d/iptables-multiport.conf

We can add the following entries:

[Definition]
# Option:  actionstart
# Notes.:  command executed once at the start of Fail2Ban.
# Values:  CMD
#
actionstart = iptables -N fail2ban-<name>
              iptables -A fail2ban-<name> -j RETURN
              iptables -I <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
          cat /etc/fail2ban/persistent.bans | awk '/^fail2ban-<name>/ {print $2}' \
          | while read IP; do iptables -I fail2ban-<name> 1 -s $IP -j <blocktype>; done

# Option:  actionstop
# Notes.:  command executed once at the end of Fail2Ban
# Values:  CMD
#
actionstop = iptables -D <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
             iptables -F fail2ban-<name>
             iptables -X fail2ban-<name>

# Option:  actioncheck
# Notes.:  command executed once before each actionban command
# Values:  CMD
#
actioncheck = iptables -n -L <chain> | grep -q 'fail2ban-<name>[ \t]'

# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionban = iptables -I fail2ban-<name> 1 -s <ip> -j <blocktype>
        echo "fail2ban-<name> <ip>" >> /etc/fail2ban/persistent.bans

Now, when fail2ban flags an entry it will add a line to /etc/fail2ban/persistent.bans (via the actionban configuration). When fail2ban starts up it calls actionstart which reads this file and builds the iptables rules necessary.

Of course, fail2ban needs restarting after any of the configuration files are changed.

All credit to "arno0x0x" and his wordpress site for this recipe.

Best Answer

Related Solutions

Fail2ban – send email with msmtp

Debian – How to automatically permanently ban IP addresses

Related Question