I have a server (VPS) with the following services:
Fail2ban creates a lot of entries in iptables, and this causes the server to become very slow; sometimes it even becomes unreachable and I have to log in via the console and flush iptables before I can connect to the server. The jails in use are shown below:
dovecot, named-refused, nginx-botsearch, nginx-http-auth, nginx-limit-req, php-url-fopen, postfix, postfix-auth, recidive
95% of bans are triggered by postfix jail.
I reduced the iptables size by setting the recidive jail with:
bantime = 7200
findtime = 3600
maxretry = 5
With these settings the system slowness slightly improved, but still not enough.
My question: is fail2ban to blame for this slowness, or iptables itself? In a previous project I had no fail2ban installed and I used iptables with many entries (more entries than what my current fail2ban setup creates), and the system was fast.
I appreciate any advice on how I can deal with this fail2ban issue.
Both of them are to blame. Fail2Ban monitors your logs, so if there is a lot of logging, Fail2Ban will have to parse more text. iptables performs a linear search over the list of rules; it is not possible to use binary search, as this would break the logic. So the more rules, the slower iptables will be.
You should check the usedns and banaction settings in /etc/fail2ban/jail.conf. DNS queries may be slow, and you may want to try iptables-ipset-proto4 instead of iptables-multiport as an action.
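As an added example (not from the question or the answer above), a small POSIX sh script that counts how many per-IP REJECT rules fail2ban's chains contain in an `iptables -S` snapshot (the rules iptables has to walk linearly) and renders the jail.local override the answer suggests. The f2b- chain prefix, the REJECT target and the snapshot itself are assumptions; the recidive values are the ones from the question.

```shell
#!/bin/sh
# Added example, not part of the original question or answer.
# count_f2b_ban_rules: how many per-IP rules iptables scans linearly.
# render_jail_local: the override suggested in the answer (ipset, no DNS).

# Count per-IP REJECT rules in fail2ban chains from `iptables -S` on stdin.
# The "f2b-" prefix and REJECT target are assumptions matching the default
# iptables-multiport action; check your own `iptables -S` before relying on it.
count_f2b_ban_rules() {
  grep -c -e '^-A f2b-.* -s .* -j REJECT' || true
}

# Render a jail.local override (assumed path: /etc/fail2ban/jail.local).
render_jail_local() {
  cat <<'EOF'
[DEFAULT]
# Do not resolve banned addresses to hostnames while parsing logs.
usedns = no
# One ipset per jail: iptables keeps a single match-set rule per jail instead
# of one REJECT rule per banned IP, so the rule count stops growing with bans.
banaction = iptables-ipset-proto4

[recidive]
enabled = true
bantime = 7200
findtime = 3600
maxretry = 5
EOF
}

# Constructed `iptables -S` snapshot for the demo (three postfix bans, one dovecot).
SAMPLE_RULES='-P INPUT ACCEPT
-N f2b-postfix
-N f2b-dovecot
-A INPUT -p tcp -m multiport --dports 25,465,587 -j f2b-postfix
-A INPUT -p tcp -m multiport --dports 110,995,143,993 -j f2b-dovecot
-A f2b-postfix -s 192.0.2.10/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-postfix -s 192.0.2.11/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-postfix -s 192.0.2.12/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-dovecot -s 198.51.100.7/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-postfix -j RETURN
-A f2b-dovecot -j RETURN'

# Named wrapper so the count can be requested (and checked) by name.
sample_ban_rule_count() {
  printf '%s\n' "$SAMPLE_RULES" | count_f2b_ban_rules
}

echo "per-IP ban rules iptables scans linearly: $(sample_ban_rule_count)"
```

On a live host, replace the constructed snapshot with `iptables -S | count_f2b_ban_rules` and write `render_jail_local` output to jail.local, then restart fail2ban.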