Fail2ban high CPU usage

ozzmos · February 7, 2017, 9:09pm

Hi,

I have a problem with Fail2ban. The process is eating my CPU.

I had the problem with version 2.4 and I have upgraded to 2.5.4 but no changes.

Here is the content of my fail2ban.log

2017-02-07 21:37:10,458 fail2ban.server [1343]: INFO 2017-02-07 21:37:11,237 fail2ban.jail [1343]: INFO 2017-02-07 21:37:12,002 fail2ban.jail [1343]: INFO 2017-02-07 21:37:12,248 fail2ban.jail [1343]: INFO 2017-02-07 21:37:12,904 fail2ban.jail [1343]: INFO 2017-02-07 21:37:13,913 fail2ban.jail [1343]: INFO 2017-02-07 21:37:13,976 fail2ban.jail [1343]: INFO 2017-02-07 21:37:14,031 fail2ban.jail [1343]: INFO 2017-02-07 21:37:14,033 fail2ban.server [1343]: ERROR 2017-02-07 21:37:14,034 fail2ban.server [1343]: INFO 2017-02-07 21:37:17,249 fail2ban.server [14569]: INFO 2017-02-07 21:37:17,254 fail2ban.jail [14569]: INFO 2017-02-07 21:37:17,357 fail2ban.jail [14569]: INFO 2017-02-07 21:37:17,476 fail2ban.jail [14569]: INFO 2017-02-07 21:37:17,481 fail2ban.filter [14569]: INFO 2017-02-07 21:37:17,484 fail2ban.filter [14569]: INFO 2017-02-07 21:37:17,489 fail2ban.filter [14569]: INFO 2017-02-07 21:37:17,491 fail2ban.actions[14569]: INFO 2017-02-07 21:37:17,740 fail2ban.jail [14569]: INFO 2017-02-07 21:37:17,741 fail2ban.jail [14569]: INFO 2017-02-07 21:37:17,755 fail2ban.jail [14569]: INFO 2017-02-07 21:37:17,766 fail2ban.filter [14569]: INFO 2017-02-07 21:37:17,769 fail2ban.filter [14569]: INFO 2017-02-07 21:37:17,774 fail2ban.filter [14569]: INFO 2017-02-07 21:37:17,776 fail2ban.actions[14569]: INFO 2017-02-07 21:37:17,815 fail2ban.jail [14569]: INFO 2017-02-07 21:37:17,815 fail2ban.jail [14569]: INFO 2017-02-07 21:37:17,838 fail2ban.jail [14569]: INFO 2017-02-07 21:37:17,842 fail2ban.filter [14569]: INFO 2017-02-07 21:37:17,845 fail2ban.filter [14569]: INFO 2017-02-07 21:37:17,850 fail2ban.filter [14569]: INFO 2017-02-07 21:37:17,852 fail2ban.actions[14569]: INFO 2017-02-07 21:37:17,941 fail2ban.jail [14569]: INFO 2017-02-07 21:37:17,942 fail2ban.jail [14569]: INFO 2017-02-07 21:37:17,964 fail2ban.jail [14569]: INFO 2017-02-07 21:37:17,968 fail2ban.filter [14569]: INFO 2017-02-07 21:37:17,971 fail2ban.filter [14569]: INFO 2017-02-07 21:37:17,975 fail2ban.filter [14569]: INFO 2017-02-07 21:37:17,977 fail2ban.actions[14569]: INFO 2017-02-07 21:37:18,026 fail2ban.jail [14569]: INFO 2017-02-07 21:37:18,026 fail2ban.jail [14569]: INFO 2017-02-07 21:37:18,041 fail2ban.jail [14569]: INFO 2017-02-07 21:37:18,056 fail2ban.filter [14569]: INFO 2017-02-07 21:37:18,059 fail2ban.filter [14569]: INFO 2017-02-07 21:37:18,063 fail2ban.filter [14569]: INFO 2017-02-07 21:37:18,065 fail2ban.actions[14569]: INFO 2017-02-07 21:37:18,169 fail2ban.jail [14569]: INFO 2017-02-07 21:37:18,170 fail2ban.jail [14569]: INFO 2017-02-07 21:37:18,185 fail2ban.jail [14569]: INFO 2017-02-07 21:37:18,195 fail2ban.filter [14569]: INFO 2017-02-07 21:37:18,200 fail2ban.filter [14569]: INFO 2017-02-07 21:37:18,203 fail2ban.filter [14569]: INFO 2017-02-07 21:37:18,206 fail2ban.filter [14569]: INFO 2017-02-07 21:37:18,210 fail2ban.filter [14569]: INFO 2017-02-07 21:37:18,213 fail2ban.filter [14569]: INFO 2017-02-07 21:37:18,221 fail2ban.filter [14569]: INFO 2017-02-07 21:37:18,226 fail2ban.actions[14569]: INFO 2017-02-07 21:37:18,399 fail2ban.jail [14569]: INFO 2017-02-07 21:37:18,400 fail2ban.jail [14569]: INFO 2017-02-07 21:37:18,421 fail2ban.jail [14569]: INFO 2017-02-07 21:37:18,425 fail2ban.filter [14569]: INFO 2017-02-07 21:37:18,428 fail2ban.filter [14569]: INFO 2017-02-07 21:37:18,432 fail2ban.filter [14569]: INFO 2017-02-07 21:37:18,435 fail2ban.filter [14569]: INFO 2017-02-07 21:37:18,446 fail2ban.filter [14569]: INFO 2017-02-07 21:37:18,449 fail2ban.filter [14569]: INFO 2017-02-07 21:37:18,454 fail2ban.filter [14569]: INFO 2017-02-07 21:37:18,456 fail2ban.actions[14569]: INFO 2017-02-07 21:37:18,491 fail2ban.jail [14569]: INFO 2017-02-07 21:37:18,511 fail2ban.jail [14569]: INFO 2017-02-07 21:37:18,535 fail2ban.filter [14569]: ERROR 2017-02-07 21:37:18,537 fail2ban.jail [14569]: INFO 2017-02-07 21:37:18,570 fail2ban.jail [14569]: INFO 2017-02-07 21:37:18,579 fail2ban.jail [14569]: INFO 2017-02-07 21:37:18,616 fail2ban.jail [14569]: INFO 2017-02-07 21:37:18,634 fail2ban.jail [14569]: INFO 2017-02-07 21:49:14,611 fail2ban.server [14569]: INFO 2017-02-07 21:49:15,333 fail2ban.jail [14569]: INFO 2017-02-07 21:49:16,265 fail2ban.jail [14569]: INFO 2017-02-07 21:49:17,166 fail2ban.jail [14569]: INFO 2017-02-07 21:49:17,377 fail2ban.jail [14569]: INFO 2017-02-07 21:49:18,103 fail2ban.jail [14569]: INFO 2017-02-07 21:49:18,524 fail2ban.jail [14569]: INFO 2017-02-07 21:49:19,008 fail2ban.jail [14569]: INFO 2017-02-07 21:49:19,009 fail2ban.server [14569]: INFO 2017-02-07 21:49:56,288 fail2ban.server [17716]: INFO 2017-02-07 21:49:56,292 fail2ban.jail [17716]: INFO 2017-02-07 21:49:56,386 fail2ban.jail [17716]: INFO 2017-02-07 21:49:56,482 fail2ban.jail [17716]: INFO 2017-02-07 21:49:56,486 fail2ban.filter [17716]: INFO 2017-02-07 21:49:56,496 fail2ban.filter [17716]: INFO 2017-02-07 21:49:56,501 fail2ban.filter [17716]: INFO 2017-02-07 21:49:56,503 fail2ban.actions[17716]: INFO 2017-02-07 21:49:56,728 fail2ban.jail [17716]: INFO 2017-02-07 21:49:56,729 fail2ban.jail [17716]: INFO 2017-02-07 21:49:56,745 fail2ban.jail [17716]: INFO 2017-02-07 21:49:56,752 fail2ban.filter [17716]: INFO 2017-02-07 21:49:56,756 fail2ban.filter [17716]: INFO 2017-02-07 21:49:56,760 fail2ban.filter [17716]: INFO 2017-02-07 21:49:56,762 fail2ban.actions[17716]: INFO 2017-02-07 21:49:56,802 fail2ban.jail [17716]: INFO 2017-02-07 21:49:56,802 fail2ban.jail [17716]: INFO 2017-02-07 21:49:56,822 fail2ban.jail [17716]: INFO 2017-02-07 21:49:56,826 fail2ban.filter [17716]: INFO 2017-02-07 21:49:56,829 fail2ban.filter [17716]: INFO 2017-02-07 21:49:56,834 fail2ban.filter [17716]: INFO 2017-02-07 21:49:56,836 fail2ban.actions[17716]: INFO 2017-02-07 21:49:56,920 fail2ban.jail [17716]: INFO 2017-02-07 21:49:56,920 fail2ban.jail [17716]: INFO 2017-02-07 21:49:56,937 fail2ban.jail [17716]: INFO 2017-02-07 21:49:56,946 fail2ban.filter [17716]: INFO 2017-02-07 21:49:56,952 fail2ban.filter [17716]: INFO 2017-02-07 21:49:56,956 fail2ban.filter [17716]: INFO 2017-02-07 21:49:56,958 fail2ban.actions[17716]: INFO 2017-02-07 21:49:56,994 fail2ban.jail [17716]: INFO 2017-02-07 21:49:56,994 fail2ban.jail [17716]: INFO 2017-02-07 21:49:57,012 fail2ban.jail [17716]: INFO 2017-02-07 21:49:57,018 fail2ban.filter [17716]: INFO 2017-02-07 21:49:57,021 fail2ban.filter [17716]: INFO 2017-02-07 21:49:57,026 fail2ban.filter [17716]: INFO 2017-02-07 21:49:57,027 fail2ban.actions[17716]: INFO 2017-02-07 21:49:57,120 fail2ban.jail [17716]: INFO 2017-02-07 21:49:57,120 fail2ban.jail [17716]: INFO 2017-02-07 21:49:57,141 fail2ban.jail [17716]: INFO 2017-02-07 21:49:57,145 fail2ban.filter [17716]: INFO 2017-02-07 21:49:57,149 fail2ban.filter [17716]: INFO 2017-02-07 21:49:57,151 fail2ban.filter [17716]: INFO 2017-02-07 21:49:57,154 fail2ban.filter [17716]: INFO 2017-02-07 21:49:57,158 fail2ban.filter [17716]: INFO 2017-02-07 21:49:57,163 fail2ban.filter [17716]: INFO 2017-02-07 21:49:57,171 fail2ban.filter [17716]: INFO 2017-02-07 21:49:57,173 fail2ban.actions[17716]: INFO 2017-02-07 21:49:57,338 fail2ban.jail [17716]: INFO 2017-02-07 21:49:57,338 fail2ban.jail [17716]: INFO 2017-02-07 21:49:57,359 fail2ban.jail [17716]: INFO 2017-02-07 21:49:57,363 fail2ban.filter [17716]: INFO 2017-02-07 21:49:57,367 fail2ban.filter [17716]: INFO 2017-02-07 21:49:57,370 fail2ban.filter [17716]: INFO 2017-02-07 21:49:57,375 fail2ban.filter [17716]: INFO 2017-02-07 21:49:57,380 fail2ban.filter [17716]: INFO 2017-02-07 21:49:57,384 fail2ban.filter [17716]: INFO 2017-02-07 21:49:57,388 fail2ban.filter [17716]: INFO 2017-02-07 21:49:57,390 fail2ban.actions[17716]: INFO 2017-02-07 21:49:57,425 fail2ban.jail [17716]: INFO 2017-02-07 21:49:57,481 fail2ban.jail [17716]: INFO 2017-02-07 21:49:57,533 fail2ban.jail [17716]: INFO 2017-02-07 21:49:57,579 fail2ban.jail [17716]: INFO 2017-02-07 21:49:57,608 fail2ban.jail [17716]: INFO 2017-02-07 21:49:57,656 fail2ban.jail [17716]: INFO 2017-02-07 21:49:57,702 fail2ban.jail [17716]: INFO Stopping all jails
Jail ‘nginx’ stopped
Jail ‘sasl’ stopped
Jail ‘pam-generic’ stopped
Jail ‘dovecot’ stopped
Jail ‘postfix’ stopped
Jail ‘yunohost’ stopped
Jail ‘ssh’ stopped
Unable to remove PID file: [Errno 2] No such file or directory: '/var/run/fail2ban/fail2ban.pid’
Exiting Fail2ban
Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.13
Creating new jail 'ssh’
Jail ‘ssh’ uses pyinotify
Initiated ‘pyinotify’ backend
Added logfile = /var/log/auth.log
Set maxRetry = 6
Set findtime = 600
Set banTime = 600
Creating new jail 'pam-generic’
Jail ‘pam-generic’ uses pyinotify
Initiated ‘pyinotify’ backend
Added logfile = /var/log/auth.log
Set maxRetry = 6
Set findtime = 600
Set banTime = 600
Creating new jail 'postfix’
Jail ‘postfix’ uses pyinotify
Initiated ‘pyinotify’ backend
Added logfile = /var/log/mail.log
Set maxRetry = 3
Set findtime = 600
Set banTime = 600
Creating new jail 'sasl’
Jail ‘sasl’ uses pyinotify
Initiated ‘pyinotify’ backend
Added logfile = /var/log/mail.log
Set maxRetry = 3
Set findtime = 600
Set banTime = 600
Creating new jail 'dovecot’
Jail ‘dovecot’ uses pyinotify
Initiated ‘pyinotify’ backend
Added logfile = /var/log/mail.log
Set maxRetry = 3
Set findtime = 600
Set banTime = 600
Creating new jail 'nginx’
Jail ‘nginx’ uses pyinotify
Initiated ‘pyinotify’ backend
Added logfile = /var/log/nginx/error.log
Added logfile = /var/log/nginx/search.wheek.me-error.log
Added logfile = /var/log/nginx/wheek.me-error.log
Added logfile = /var/log/nginx/wiki.wheek.me-error.log
Added logfile = /var/log/nginx/ozzmos.ddns.net-error.log
Set maxRetry = 6
Set findtime = 600
Set banTime = 600
Creating new jail 'yunohost’
Jail ‘yunohost’ uses pyinotify
Initiated ‘pyinotify’ backend
Added logfile = /var/log/nginx/error.log
Added logfile = /var/log/nginx/search.wheek.me-error.log
Added logfile = /var/log/nginx/wheek.me-error.log
Added logfile = /var/log/nginx/wiki.wheek.me-error.log
Added logfile = /var/log/nginx/ozzmos.ddns.net-error.log
Set maxRetry = 6
Set findtime = 600
Set banTime = 600
Jail ‘ssh’ started
Jail ‘pam-generic’ started
Error in FilterPyinotify callback: ‘module’ object has no attribute '_strptime_time’
Jail ‘postfix’ started
Jail ‘sasl’ started
Jail ‘dovecot’ started
Jail ‘nginx’ started
Jail ‘yunohost’ started
Stopping all jails
Jail ‘nginx’ stopped
Jail ‘sasl’ stopped
Jail ‘pam-generic’ stopped
Jail ‘dovecot’ stopped
Jail ‘postfix’ stopped
Jail ‘yunohost’ stopped
Jail ‘ssh’ stopped
Exiting Fail2ban
Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.13
Creating new jail 'ssh’
Jail ‘ssh’ uses pyinotify
Initiated ‘pyinotify’ backend
Added logfile = /var/log/auth.log
Set maxRetry = 6
Set findtime = 600
Set banTime = 600
Creating new jail 'pam-generic’
Jail ‘pam-generic’ uses pyinotify
Initiated ‘pyinotify’ backend
Added logfile = /var/log/auth.log
Set maxRetry = 6
Set findtime = 600
Set banTime = 600
Creating new jail 'postfix’
Jail ‘postfix’ uses pyinotify
Initiated ‘pyinotify’ backend
Added logfile = /var/log/mail.log
Set maxRetry = 3
Set findtime = 600
Set banTime = 600
Creating new jail 'sasl’
Jail ‘sasl’ uses pyinotify
Initiated ‘pyinotify’ backend
Added logfile = /var/log/mail.log
Set maxRetry = 3
Set findtime = 600
Set banTime = 600
Creating new jail 'dovecot’
Jail ‘dovecot’ uses pyinotify
Initiated ‘pyinotify’ backend
Added logfile = /var/log/mail.log
Set maxRetry = 3
Set findtime = 600
Set banTime = 600
Creating new jail 'nginx’
Jail ‘nginx’ uses pyinotify
Initiated ‘pyinotify’ backend
Added logfile = /var/log/nginx/error.log
Added logfile = /var/log/nginx/search.wheek.me-error.log
Added logfile = /var/log/nginx/wheek.me-error.log
Added logfile = /var/log/nginx/wiki.wheek.me-error.log
Added logfile = /var/log/nginx/ozzmos.ddns.net-error.log
Set maxRetry = 6
Set findtime = 600
Set banTime = 600
Creating new jail 'yunohost’
Jail ‘yunohost’ uses pyinotify
Initiated ‘pyinotify’ backend
Added logfile = /var/log/nginx/error.log
Added logfile = /var/log/nginx/search.wheek.me-error.log
Added logfile = /var/log/nginx/wheek.me-error.log
Added logfile = /var/log/nginx/wiki.wheek.me-error.log
Added logfile = /var/log/nginx/ozzmos.ddns.net-error.log
Set maxRetry = 6
Set findtime = 600
Set banTime = 600
Jail ‘ssh’ started
Jail ‘pam-generic’ started
Jail ‘postfix’ started
Jail ‘sasl’ started
Jail ‘dovecot’ started
Jail ‘nginx’ started
Jail ‘yunohost’ started

ozzmos · May 5, 2017, 12:10pm

For information, I resolved the problem. The auth.log file was really huge and failban read it to ban ip.
I had to tweak logrotate:

/var/log/auth.log {
missingok
daily
notifempty
compress
rotate 7
size 10M
}

Djiko · March 30, 2018, 11:10am

Hi @ozzmos and thanks for sharing: I just ran into the same issue, it even made the server unresponsive. I managed to fix my server with your trick. I had to first install logrotate (though I’m using a debian 8 server. Weird!) and force-run it.

dawoodjee · April 22, 2018, 9:55am

My CPU usage dropped from 100% to 3%. Thanks buddy!

Location of logrotate is /etc/logrotate.conf

You want to paste Ozzmos’ code at the bottom of the file:

/var/log/auth.log {
   missingok
   daily
   notifempty
   compress
   rotate 7
   size 10M
}

awdigi · June 18, 2019, 5:25am

Hi, I’m facing the same issue and as I am not an IT person I have no idea how to arrive at /etc/logrotate.conf to add the code. If someone can give me any direction that would be much appreciated.

EnSeal · July 5, 2019, 4:19am

Hello Dear

I am facing the same issue at the moment. i have applied @ozzmos lines but still having same issue. See screenshot

Kindly assist on resolution