This morning, when I did the routinely scan of the server’s resource usage history, I noticed a suspicious network activity between 1 and 5 am. Some reading of the latest log files soon identified the traffic to have been caused by a dictionary attack on my SSH server. I took the opportunity to extend my current setup for the script-kiddie enemy called fail2ban. This program monitors potentially any service’s log file for failed login attempts and if their number exceeds a certain limit, it blocks the issuing host using iptables rules.
Unfortunately the first start of the new service turned out to blow up the memory usage by about 100 MB which is unacceptable regarding the tight resources of my virtual private server. As I found out, others had similar experience and switched to DenyHosts due to this issue. My experience with setting up Trac two weeks ago taught me that a Python application (like fain2ban) might consume a lot of memory only because of the relatively oversized default stack size on Linux.
The means to reduce the default stack size in Linux are widely known to be the limits.conf file and the ulimit command. But how to use those two in my situation? The solution turns out to be a one-liner on Debian Lenny: All I had to do was to append the ulimit command to my /etc/default/fail2ban file.
This is the changed /etc/default/fail2ban file:
# This file is part of Fail2Ban. # # Fail2Ban is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # Fail2Ban is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Fail2Ban; if not, write to the Free Software # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # # Author: Cyril Jaquier # # $Revision: 1.2 $ # Command line options for Fail2Ban. Refer to "fail2ban-client -h" for # valid options. FAIL2BAN_OPTS="" ulimit -s 256
Using this sets the default stack size for the Python instances running fail2ban to 256 KB and lowers the memory consumption of fail2ban approximately by a factor of 10.
Thanks Fabian. This was really useful. I was having the same issue on my 256MB VPS. Went from ~100MB to about ~10MB of RAM use.
Best fail2ban tweak ever. Should be the default.
Thank you. Works well on my v-server. It reduced the memory footprint from 20 MB to 4.5 MB.
Thank you for sharing this 🙂 I was having fail2ban consuming 1.6 GBytes of RAM during some DDOS attacks… and basically bringing the server down in an attempt to block the attacks that tried to bring the server down! So that was clearly one of those cases where the medicine was being more harmful than the disease 🙂
I hope that this simple fix gives my poor server some breathing space… because the DDOS attacks have been coming non-stop 😛
Kommentare sind geschlossen.