From: Charles B. <cha...@nt...> - 2016-02-11 10:15:56
Hello list,

I am running fail2ban.noarch 0.9.3-1.el6.1 as installed from the CentOS repository. I have one ipset jail which over time has accumulated more than 17000 permanent bans. This is causing a severe problem during restarts. (Obviously!)

First, it would take many hours to shut down fail2ban gracefully; the solution is to force a power down. This leaves the ipset intact. Next, when the fail2ban server restarts, it takes a similar many hours for the server to redundantly restore the bans from the database to the already intact ipset. This is a ridiculous process! The whole purpose of ipsets is to efficiently hold vast numbers of blocked IPs.

The most important problem here is that fail2ban is preventing fast, clean shutdowns. Understand, 17000 bans is nothing! An ipset can efficiently hold > 65K, under which circumstances the shutdown and restart delays would extend to weeks!! The startup delay is not a severe problem, except that 17000 emails and all the disk activity are a total pain in the ass.

So the question is: how to turn off fail2ban gracefully without these ridiculous delays?

Also note that when fail2ban shuts down, the ipset entries in iptables do not get deleted, but that's another story.

Thanks in advance,
Charles Bradshaw