In my setup, I use fail2ban for monitoring a Linux-based firewall system. I need to log both allowed and denied connections, so the log file that fail2ban parses has a size of about 1.3GB. I rotate that log file every day; the size can't be less than 1GB.
When fail2ban starts, it parses the log file from the beginning. This task takes several minutes to complete. Until the parse finishes, fail2ban doesn't recognize additions of matching entries at the end of the file and may allow more authentication attempts from an attacker.
In this particular case, I don't need fail2ban to parse that log file from the beginning. So I wish to suggest an option in "jail.local" for controlling this behavior. Maybe an option "parse from the beginning yes/no" or an integer option specifying a size limit, so that log files bigger than that would be skipped to the end.
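Editor's note, an added example that is not part of the original post: fail2ban 0.9 and later already accept a `tail` keyword after a `logpath` entry, which makes the jail seek to the end of the file at startup instead of scanning it from the beginning. The jail name, filter name and log path below are assumptions chosen for illustration, and the filter is assumed to exist in `filter.d/`.

```ini
# /etc/fail2ban/jail.local  (constructed example; the jail name, filter
# and log path are assumptions, not taken from the original post)

[firewall]
enabled   = true
# assumed filter name; a matching filter.d/firewall.conf must exist
filter    = firewall
# ban the source on every port, since the log covers all connections
banaction = iptables-allports
maxretry  = 5
findtime  = 600
bantime   = 3600

# Default behaviour: fail2ban reads the whole file at startup, so a
# multi-gigabyte log delays detection of new matches until the scan
# finishes.
#logpath  = /var/log/firewall.log

# With the "tail" keyword (fail2ban 0.9+) the jail starts reading at the
# end of the file and only processes lines appended after startup.
logpath   = /var/log/firewall.log tail
```

The trade-off is that matches already present in the file when fail2ban starts are never examined, so an attacker whose attempts all landed before a restart is not banned until they try again; for a log this size that is usually the intended behaviour, but it is worth stating in the jail comments.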