Deleted member 10028
Guest
Hello everyone,
for a few days now it has looked as if fail2ban is running amok on my server.
The CPU has been running at full tilt almost continuously for ~5 days, see the Munin graph:
cpu-week.png
System:
Debian Lenny 32-bit
Secured with SSH keys
Nginx as a reverse proxy in front of Apache
Top:
Code:
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
8920 root 20 0 75568 4868 1880 S 69 0.2 5:23.74 fail2ban-server
CPU:
Code:
AMD Athlon(tm) 64 X2 Dual Core Processor 5600+
/var/log/fail2ban.log:
Code:
2010-12-05 06:28:10,871 fail2ban.server : INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.3
2010-12-05 06:28:10,873 fail2ban.jail : INFO Creating new jail 'httpDDOS'
2010-12-05 06:28:10,874 fail2ban.jail : INFO Jail 'httpDDOS' uses poller
2010-12-05 06:28:10,876 fail2ban.filter : INFO Added logfile = /var/log/nginx/reverse.log
2010-12-05 06:28:10,878 fail2ban.filter : INFO Set maxRetry = 50
2010-12-05 06:28:10,882 fail2ban.filter : INFO Set findtime = 600
2010-12-05 06:28:10,883 fail2ban.actions: INFO Set banTime = 3600
2010-12-05 06:28:10,908 fail2ban.jail : INFO Creating new jail 'ssh'
2010-12-05 06:28:10,909 fail2ban.jail : INFO Jail 'ssh' uses poller
2010-12-05 06:28:10,911 fail2ban.filter : INFO Added logfile = /var/log/auth.log
2010-12-05 06:28:10,913 fail2ban.filter : INFO Set maxRetry = 5
2010-12-05 06:28:10,916 fail2ban.filter : INFO Set findtime = 600
2010-12-05 06:28:10,918 fail2ban.actions: INFO Set banTime = 604800
2010-12-05 06:28:11,011 fail2ban.jail : INFO Creating new jail 'SynDDOS'
2010-12-05 06:28:11,012 fail2ban.jail : INFO Jail 'SynDDOS' uses poller
2010-12-05 06:28:11,014 fail2ban.filter : INFO Added logfile = /var/log/nginx/reverse.log
2010-12-05 06:28:11,016 fail2ban.filter : INFO Set maxRetry = 50
2010-12-05 06:28:11,018 fail2ban.filter : INFO Set findtime = 600
2010-12-05 06:28:11,020 fail2ban.actions: INFO Set banTime = 3600
2010-12-05 06:28:11,042 fail2ban.jail : INFO Creating new jail 'proftpd'
2010-12-05 06:28:11,042 fail2ban.jail : INFO Jail 'proftpd' uses poller
2010-12-05 06:28:11,044 fail2ban.filter : INFO Added logfile = /var/log/proftpd/proftpd.log
2010-12-05 06:28:11,046 fail2ban.filter : INFO Set maxRetry = 6
2010-12-05 06:28:11,049 fail2ban.filter : INFO Set findtime = 600
2010-12-05 06:28:11,050 fail2ban.actions: INFO Set banTime = 600
2010-12-05 06:28:11,069 fail2ban.jail : INFO Jail 'httpDDOS' started
2010-12-05 06:28:11,078 fail2ban.jail : INFO Jail 'ssh' started
2010-12-05 06:28:11,081 fail2ban.jail : INFO Jail 'SynDDOS' started
2010-12-05 06:28:11,083 fail2ban.jail : INFO Jail 'proftpd' started
2010-12-05 06:28:11,173 fail2ban.actions.action: ERROR iptables -N fail2ban-AntiSSHdBruteforce
iptables -A fail2ban-AntiSSHdBruteforce -j RETURN
iptables -I INPUT -j fail2ban-AntiSSHdBruteforce returned 200
2010-12-05 06:28:11,189 fail2ban.actions.action: ERROR iptables -N fail2ban-AntiSynDDOS
iptables -A fail2ban-AntiSynDDOS -j RETURN
iptables -I INPUT -j fail2ban-AntiSynDDOS returned 200
2010-12-05 06:29:32,549 fail2ban.filter : INFO Log rotation detected for /var/log/auth.log
2010-12-05 06:30:02,547 fail2ban.filter : INFO Log rotation detected for /var/log/auth.log
2010-12-05 08:53:15,607 fail2ban.actions: WARNING [ssh] Ban 123.30.183.120
2010-12-05 08:53:15,769 fail2ban.actions.action: ERROR iptables -n -L INPUT | grep -q fail2ban-AntiSSHdBruteforce returned 100
2010-12-05 08:53:15,770 fail2ban.actions.action: ERROR Invariant check failed. Trying to restore a sane environment
2010-12-05 08:53:15,785 fail2ban.actions.action: ERROR iptables -D INPUT -j fail2ban-AntiSSHdBruteforce
iptables -F fail2ban-AntiSSHdBruteforce
iptables -X fail2ban-AntiSSHdBruteforce returned 100
2010-12-05 10:56:42,924 fail2ban.actions: WARNING [ssh] Ban 152.84.100.166
2010-12-05 11:51:29,234 fail2ban.actions: WARNING [httpDDOS] Ban 192.114.71.13
2010-12-05 12:51:29,515 fail2ban.actions: WARNING [httpDDOS] Unban 192.114.71.13
2010-12-06 01:51:51,863 fail2ban.actions: WARNING [httpDDOS] Ban 192.114.71.13
2010-12-06 02:51:52,274 fail2ban.actions: WARNING [httpDDOS] Unban 192.114.71.13
2010-12-06 06:44:23,423 fail2ban.actions: WARNING [ssh] Ban 64.120.251.114
2010-12-07 00:00:07,864 fail2ban.jail : INFO Jail 'proftpd' stopped
2010-12-07 00:00:08,493 fail2ban.actions.action: ERROR iptables -D INPUT -j fail2ban-AntiSynDDOS
iptables -F fail2ban-AntiSynDDOS
iptables -X fail2ban-AntiSynDDOS returned 100
2010-12-07 00:00:08,818 fail2ban.jail : INFO Jail 'SynDDOS' stopped
2010-12-07 00:00:09,491 fail2ban.actions: WARNING [ssh] Unban 123.30.183.120
2010-12-07 00:00:09,603 fail2ban.actions: WARNING [ssh] Unban 152.84.100.166
2010-12-07 00:00:09,662 fail2ban.actions: WARNING [ssh] Unban 64.120.251.114
2010-12-07 00:00:09,873 fail2ban.jail : INFO Jail 'ssh' stopped
2010-12-07 00:00:10,566 fail2ban.jail : INFO Jail 'httpDDOS' stopped
2010-12-07 00:01:21,980 fail2ban.server : INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.3
2010-12-07 00:01:21,993 fail2ban.jail : INFO Creating new jail 'httpDDOS'
2010-12-07 00:01:21,994 fail2ban.jail : INFO Jail 'httpDDOS' uses poller
2010-12-07 00:01:22,158 fail2ban.filter : INFO Added logfile = /var/log/nginx/reverse.log
2010-12-07 00:01:22,160 fail2ban.filter : INFO Set maxRetry = 50
2010-12-07 00:01:22,166 fail2ban.filter : INFO Set findtime = 600
2010-12-07 00:01:22,169 fail2ban.actions: INFO Set banTime = 3600
2010-12-07 00:01:22,200 fail2ban.jail : INFO Creating new jail 'ssh'
2010-12-07 00:01:22,201 fail2ban.jail : INFO Jail 'ssh' uses poller
2010-12-07 00:01:22,228 fail2ban.filter : INFO Added logfile = /var/log/auth.log
2010-12-07 00:01:22,230 fail2ban.filter : INFO Set maxRetry = 5
2010-12-07 00:01:22,234 fail2ban.filter : INFO Set findtime = 600
2010-12-07 00:01:22,236 fail2ban.actions: INFO Set banTime = 604800
2010-12-07 00:01:22,439 fail2ban.jail : INFO Creating new jail 'SynDDOS'
2010-12-07 00:01:22,439 fail2ban.jail : INFO Jail 'SynDDOS' uses poller
2010-12-07 00:01:22,441 fail2ban.filter : INFO Added logfile = /var/log/nginx/reverse.log
2010-12-07 00:01:22,443 fail2ban.filter : INFO Set maxRetry = 50
2010-12-07 00:01:22,446 fail2ban.filter : INFO Set findtime = 600
2010-12-07 00:01:22,447 fail2ban.actions: INFO Set banTime = 3600
2010-12-07 00:01:22,472 fail2ban.jail : INFO Creating new jail 'proftpd'
2010-12-07 00:01:22,472 fail2ban.jail : INFO Jail 'proftpd' uses poller
2010-12-07 00:01:22,474 fail2ban.filter : INFO Added logfile = /var/log/proftpd/proftpd.log
2010-12-07 00:01:22,476 fail2ban.filter : INFO Set maxRetry = 6
2010-12-07 00:01:22,479 fail2ban.filter : INFO Set findtime = 600
2010-12-07 00:01:22,481 fail2ban.actions: INFO Set banTime = 600
2010-12-07 00:01:22,515 fail2ban.jail : INFO Jail 'httpDDOS' started
2010-12-07 00:01:22,543 fail2ban.jail : INFO Jail 'ssh' started
2010-12-07 00:01:22,651 fail2ban.jail : INFO Jail 'SynDDOS' started
2010-12-07 00:01:22,691 fail2ban.jail : INFO Jail 'proftpd' started
2010-12-07 05:01:42,426 fail2ban.actions: WARNING [ssh] Ban 78.138.121.10
2010-12-07 11:00:13,764 fail2ban.actions: WARNING [ssh] Ban 80.240.194.166
2010-12-07 16:01:30,404 fail2ban.actions: WARNING [ssh] Ban 85.93.15.55
2010-12-07 23:47:35,437 fail2ban.actions: WARNING [ssh] Ban 194.106.15.158
2010-12-08 10:59:32,060 fail2ban.actions: WARNING [ssh] Ban 78.129.232.10
2010-12-08 20:57:01,140 fail2ban.actions: WARNING [ssh] Ban 120.50.4.93
2010-12-09 15:08:54,588 fail2ban.actions: WARNING [ssh] Ban 61.7.235.213
2010-12-09 17:54:41,245 fail2ban.actions: WARNING [httpDDOS] Ban 93.202.127.229
2010-12-09 18:54:41,789 fail2ban.actions: WARNING [httpDDOS] Unban 93.202.127.229
2010-12-09 20:11:15,056 fail2ban.actions: WARNING [ssh] Ban 210.2.148.132
2010-12-09 22:56:45,516 fail2ban.actions: WARNING [ssh] Ban 173.12.183.109
2010-12-10 10:12:40,270 fail2ban.actions: WARNING [ssh] Ban 195.149.44.192
2010-12-10 13:37:44,349 fail2ban.actions: WARNING [httpDDOS] Ban 77.92.133.84
2010-12-10 14:37:44,809 fail2ban.actions: WARNING [httpDDOS] Unban 77.92.133.84
2010-12-10 14:50:40,380 fail2ban.actions: WARNING [ssh] Ban 69.72.149.130
2010-12-11 02:43:42,820 fail2ban.actions: WARNING [ssh] Ban 211.126.199.28
2010-12-11 09:36:09,765 fail2ban.actions: WARNING [httpDDOS] Ban 95.78.94.82
2010-12-11 10:36:10,033 fail2ban.actions: WARNING [httpDDOS] Unban 95.78.94.82
2010-12-11 11:28:56,908 fail2ban.actions: WARNING [ssh] Ban 69.162.114.90
2010-12-12 01:47:17,029 fail2ban.actions: WARNING [ssh] Ban 121.180.16.51
2010-12-12 09:13:59,576 fail2ban.actions: WARNING [ssh] Ban 64.17.70.19
2010-12-13 13:44:11,048 fail2ban.actions: WARNING [ssh] Ban 58.49.104.164
2010-12-13 20:16:53,548 fail2ban.actions: WARNING [ssh] Ban 87.117.224.42
2010-12-13 20:27:14,313 fail2ban.actions: WARNING [ssh] Ban 149.169.25.244
2010-12-14 05:01:42,645 fail2ban.actions: WARNING [ssh] Unban 78.138.121.10
2010-12-14 10:32:03,969 fail2ban.actions: WARNING [ssh] Ban 125.67.234.32
2010-12-14 11:00:14,176 fail2ban.actions: WARNING [ssh] Unban 80.240.194.166
2010-12-14 16:01:30,792 fail2ban.actions: WARNING [ssh] Unban 85.93.15.55
2010-12-14 17:27:12,369 fail2ban.actions: WARNING [ssh] Ban 182.72.137.62
2010-12-14 23:13:54,737 fail2ban.actions: WARNING [ssh] Ban 194.116.73.101
2010-12-14 23:47:36,045 fail2ban.actions: WARNING [ssh] Unban 194.106.15.158
2010-12-15 10:59:32,293 fail2ban.actions: WARNING [ssh] Unban 78.129.232.10
2010-12-15 17:01:52,188 fail2ban.actions: WARNING [ssh] Ban 116.127.94.228
2010-12-15 18:01:13,520 fail2ban.actions: WARNING [ssh] Ban 213.229.78.100
2010-12-15 20:57:01,556 fail2ban.actions: WARNING [ssh] Unban 120.50.4.93
2010-12-16 13:19:09,769 fail2ban.actions: WARNING [ssh] Ban 210.66.168.73
2010-12-16 15:08:54,888 fail2ban.actions: WARNING [ssh] Unban 61.7.235.213
2010-12-16 20:11:15,080 fail2ban.actions: WARNING [ssh] Unban 210.2.148.132
2010-12-16 22:56:46,476 fail2ban.actions: WARNING [ssh] Unban 173.12.183.109
2010-12-17 10:12:41,069 fail2ban.actions: WARNING [ssh] Unban 195.149.44.192
2010-12-17 12:50:16,284 fail2ban.actions: WARNING [ssh] Ban 113.53.230.178
2010-12-17 14:50:40,456 fail2ban.actions: WARNING [ssh] Unban 69.72.149.130
2010-12-18 02:43:43,549 fail2ban.actions: WARNING [ssh] Unban 211.126.199.28
2010-12-18 11:28:57,020 fail2ban.actions: WARNING [ssh] Unban 69.162.114.90
2010-12-18 15:43:44,680 fail2ban.actions: WARNING [ssh] Ban 189.57.88.10
2010-12-19 01:47:17,873 fail2ban.actions: WARNING [ssh] Unban 121.180.16.51
2010-12-19 06:02:24,388 fail2ban.actions: WARNING [ssh] Ban 124.67.108.2
2010-12-19 09:14:00,385 fail2ban.actions: WARNING [ssh] Unban 64.17.70.19
2010-12-19 15:01:42,632 fail2ban.actions: WARNING [ssh] Ban 119.188.7.182
2010-12-19 16:30:16,389 fail2ban.actions: WARNING [SynDDOS] Ban 79.235.25.50
2010-12-19 17:30:17,196 fail2ban.actions: WARNING [SynDDOS] Unban 79.235.25.50
2010-12-19 23:47:07,740 fail2ban.actions: WARNING [ssh] Ban 67.23.243.196
2010-12-20 02:41:37,884 fail2ban.actions: WARNING [ssh] Ban 174.34.146.211
2010-12-20 07:01:19,729 fail2ban.actions: WARNING [ssh] Ban 222.255.25.133
2010-12-20 13:44:11,916 fail2ban.actions: WARNING [ssh] Unban 58.49.104.164
2010-12-20 20:16:54,296 fail2ban.actions: WARNING [ssh] Unban 87.117.224.42
2010-12-20 20:27:14,452 fail2ban.actions: WARNING [ssh] Unban 149.169.25.244
2010-12-20 21:18:36,800 fail2ban.actions: WARNING [ssh] Ban 190.26.216.149
2010-12-21 10:32:04,233 fail2ban.actions: WARNING [ssh] Unban 125.67.234.32
2010-12-21 17:27:13,085 fail2ban.actions: WARNING [ssh] Unban 182.72.137.62
2010-12-21 23:13:55,556 fail2ban.actions: WARNING [ssh] Unban 194.116.73.101
2010-12-22 17:01:52,216 fail2ban.actions: WARNING [ssh] Unban 116.127.94.228
2010-12-22 17:21:54,374 fail2ban.actions: WARNING [ssh] Ban 125.46.36.250
2010-12-22 18:01:14,309 fail2ban.actions: WARNING [ssh] Unban 213.229.78.100
2010-12-23 02:58:03,796 fail2ban.actions: WARNING [ssh] Ban 85.25.176.168
2010-12-23 06:44:03,000 fail2ban.actions: WARNING [httpDDOS] Ban 2.94.145.70
2010-12-23 07:44:03,613 fail2ban.actions: WARNING [httpDDOS] Unban 2.94.145.70
2010-12-23 13:19:09,844 fail2ban.actions: WARNING [ssh] Unban 210.66.168.73
2010-12-23 14:56:47,124 fail2ban.actions: WARNING [ssh] Ban 85.114.137.41
2010-12-23 19:26:30,109 fail2ban.actions: WARNING [httpDDOS] Ban 2.94.147.76
2010-12-23 20:26:30,677 fail2ban.actions: WARNING [httpDDOS] Unban 2.94.147.76
2010-12-24 05:04:58,461 fail2ban.actions: WARNING [ssh] Ban 125.141.199.215
2010-12-24 12:50:16,432 fail2ban.actions: WARNING [ssh] Unban 113.53.230.178
2010-12-25 15:43:45,062 fail2ban.actions: WARNING [ssh] Unban 189.57.88.10
2010-12-26 06:02:24,820 fail2ban.actions: WARNING [ssh] Unban 124.67.108.2
2010-12-26 15:01:43,604 fail2ban.actions: WARNING [ssh] Unban 119.188.7.182
2010-12-26 16:45:48,958 fail2ban.actions: WARNING [ssh] Ban 193.136.12.4
2010-12-26 23:47:08,425 fail2ban.actions: WARNING [ssh] Unban 67.23.243.196
2010-12-27 02:41:38,742 fail2ban.actions: WARNING [ssh] Unban 174.34.146.211
2010-12-27 07:01:19,989 fail2ban.actions: WARNING [ssh] Unban 222.255.25.133
2010-12-27 14:17:28,661 fail2ban.actions: WARNING [ssh] Ban 119.188.7.182
2010-12-27 21:18:37,760 fail2ban.actions: WARNING [ssh] Unban 190.26.216.149
2010-12-28 01:04:22,464 fail2ban.actions: WARNING [ssh] Ban 61.128.121.138
2010-12-28 03:35:36,616 fail2ban.actions: WARNING [ssh] Ban 109.226.4.114
2010-12-28 17:04:41,140 fail2ban.actions: WARNING [ssh] Ban 50.22.23.134
2010-12-28 17:19:34,540 fail2ban.actions: WARNING [ssh] Ban 173.14.156.237
2010-12-29 00:14:23,500 fail2ban.actions: WARNING [ssh] Ban 62.75.2.251
2010-12-29 11:09:25,192 fail2ban.actions: WARNING [ssh] Ban 72.167.141.140
2010-12-29 16:44:55,676 fail2ban.actions: WARNING [ssh] Ban 85.114.132.142
2010-12-29 16:50:53,948 fail2ban.actions: WARNING [ssh] Ban 148.208.182.251
2010-12-29 17:21:54,961 fail2ban.actions: WARNING [ssh] Unban 125.46.36.250
2010-12-29 22:04:51,585 fail2ban.actions: WARNING [SynDDOS] Ban 189.137.71.95
2010-12-29 23:04:52,521 fail2ban.actions: WARNING [SynDDOS] Unban 189.137.71.95
2010-12-30 02:58:03,800 fail2ban.actions: WARNING [ssh] Unban 85.25.176.168
2010-12-30 14:56:47,212 fail2ban.actions: WARNING [ssh] Unban 85.114.137.41
2010-12-31 03:14:39,600 fail2ban.actions: WARNING [ssh] Ban 80.34.186.72
2010-12-31 05:04:59,065 fail2ban.actions: WARNING [ssh] Unban 125.141.199.215
2010-12-31 11:07:26,177 fail2ban.actions: WARNING [ssh] Ban 64.17.70.19
2010-12-31 15:46:30,361 fail2ban.actions: WARNING [ssh] Ban 125.15.6.132
2010-12-31 16:07:41,253 fail2ban.actions: WARNING [ssh] Ban 210.240.242.222
2011-01-01 05:24:46,749 fail2ban.actions: WARNING [ssh] Ban 95.110.224.74
2011-01-01 13:12:48,344 fail2ban.actions: WARNING [ssh] Ban 121.244.111.114
2011-01-01 13:33:08,309 fail2ban.actions: WARNING [ssh] Ban 81.95.156.202
2011-01-01 15:26:38,749 fail2ban.actions: WARNING [ssh] Ban 74.208.184.139
2011-01-02 02:11:42,989 fail2ban.actions: WARNING [ssh] Ban 87.244.194.139
2011-01-02 03:38:19,489 fail2ban.actions: WARNING [ssh] Ban 60.28.240.247
2011-01-02 14:43:55,113 fail2ban.actions: WARNING [httpDDOS] Ban 124.120.31.228
2011-01-02 15:43:55,176 fail2ban.actions: WARNING [httpDDOS] Unban 124.120.31.228
2011-01-02 16:45:49,436 fail2ban.actions: WARNING [ssh] Unban 193.136.12.4
2011-01-03 14:17:28,868 fail2ban.actions: WARNING [ssh] Unban 119.188.7.182
2011-01-04 01:04:23,121 fail2ban.actions: WARNING [ssh] Unban 61.128.121.138
2011-01-04 03:32:58,589 fail2ban.actions: WARNING [ssh] Ban 193.140.196.96
2011-01-04 03:35:36,796 fail2ban.actions: WARNING [ssh] Unban 109.226.4.114
2011-01-04 14:22:03,892 fail2ban.actions: WARNING [httpDDOS] Ban 95.128.160.102
2011-01-04 15:22:04,712 fail2ban.actions: WARNING [httpDDOS] Unban 95.128.160.102
2011-01-04 17:04:41,996 fail2ban.actions: WARNING [ssh] Unban 50.22.23.134
2011-01-04 17:19:35,089 fail2ban.actions: WARNING [ssh] Unban 173.14.156.237
2011-01-04 21:26:59,973 fail2ban.actions: WARNING [ssh] Ban 96.9.157.21
2011-01-05 00:14:24,480 fail2ban.actions: WARNING [ssh] Unban 62.75.2.251
2011-01-05 11:09:25,249 fail2ban.actions: WARNING [ssh] Unban 72.167.141.140
2011-01-05 12:40:47,514 fail2ban.actions: WARNING [ssh] Ban 124.125.36.59
2011-01-05 13:16:06,381 fail2ban.actions: WARNING [ssh] Ban 220.225.247.166
2011-01-05 16:44:55,876 fail2ban.actions: WARNING [ssh] Unban 85.114.132.142
2011-01-05 16:50:54,004 fail2ban.actions: WARNING [ssh] Unban 148.208.182.251
2011-01-06 08:51:43,560 fail2ban.actions: WARNING [ssh] Ban 85.25.148.104
2011-01-06 19:17:57,836 fail2ban.actions: WARNING [ssh] Ban 210.200.216.149
2011-01-07 03:14:40,100 fail2ban.actions: WARNING [ssh] Unban 80.34.186.72
2011-01-07 11:07:26,504 fail2ban.actions: WARNING [ssh] Unban 64.17.70.19
2011-01-07 15:46:31,161 fail2ban.actions: WARNING [ssh] Unban 125.15.6.132
2011-01-07 16:07:42,236 fail2ban.actions: WARNING [ssh] Unban 210.240.242.222
2011-01-07 22:20:17,408 fail2ban.actions: WARNING [ssh] Ban 190.17.240.4
2011-01-08 05:24:47,437 fail2ban.actions: WARNING [ssh] Unban 95.110.224.74
2011-01-08 13:12:49,000 fail2ban.actions: WARNING [ssh] Unban 121.244.111.114
2011-01-08 13:33:09,221 fail2ban.actions: WARNING [ssh] Unban 81.95.156.202
2011-01-08 15:26:39,444 fail2ban.actions: WARNING [ssh] Unban 74.208.184.139
2011-01-08 20:23:31,448 fail2ban.actions: WARNING [ssh] Ban 72.252.2.254
2011-01-09 02:11:43,820 fail2ban.actions: WARNING [ssh] Unban 87.244.194.139
2011-01-09 03:38:20,040 fail2ban.actions: WARNING [ssh] Unban 60.28.240.247
2011-01-10 02:25:38,245 fail2ban.actions: WARNING [ssh] Ban 95.211.34.105
2011-01-10 02:25:43,541 fail2ban.actions: WARNING [ssh] 95.211.34.105 already banned
2011-01-11 03:32:59,231 fail2ban.actions: WARNING [ssh] Unban 193.140.196.96
2011-01-11 04:46:02,887 fail2ban.actions: WARNING [ssh] Ban 64.139.147.202
2011-01-11 14:38:18,861 fail2ban.actions: WARNING [ssh] Ban 219.151.4.199
2011-01-11 21:27:01,762 fail2ban.actions: WARNING [ssh] Unban 96.9.157.21
2011-01-11 23:01:39,196 fail2ban.actions: WARNING [ssh] Ban 83.141.4.61
2011-01-12 05:19:41,247 fail2ban.actions: WARNING [ssh] Ban 61.139.143.115
2011-01-12 09:29:09,763 fail2ban.actions: WARNING [ssh] Ban 219.139.243.236
2011-01-12 12:40:49,114 fail2ban.actions: WARNING [ssh] Unban 124.125.36.59
2011-01-12 13:16:06,970 fail2ban.actions: WARNING [ssh] Unban 220.225.247.166
2011-01-12 23:06:31,064 fail2ban.actions: WARNING [ssh] Ban 85.25.148.106
2011-01-13 08:51:44,376 fail2ban.actions: WARNING [ssh] Unban 85.25.148.104
2011-01-13 09:32:48,912 fail2ban.actions: WARNING [ssh] Ban 61.7.235.206
2011-01-13 19:17:57,866 fail2ban.actions: WARNING [ssh] Unban 210.200.216.149
2011-01-14 01:19:00,825 fail2ban.jail : INFO Jail 'proftpd' stopped
2011-01-14 01:19:03,473 fail2ban.jail : INFO Jail 'SynDDOS' stopped
2011-01-14 01:19:04,470 fail2ban.actions: WARNING [ssh] Unban 190.17.240.4
2011-01-14 01:19:04,523 fail2ban.actions: WARNING [ssh] Unban 72.252.2.254
2011-01-14 01:19:04,544 fail2ban.actions: WARNING [ssh] Unban 95.211.34.105
2011-01-14 01:19:04,568 fail2ban.actions: WARNING [ssh] Unban 64.139.147.202
2011-01-14 01:19:04,590 fail2ban.actions: WARNING [ssh] Unban 219.151.4.199
2011-01-14 01:19:04,612 fail2ban.actions: WARNING [ssh] Unban 83.141.4.61
2011-01-14 01:19:04,635 fail2ban.actions: WARNING [ssh] Unban 61.139.143.115
2011-01-14 01:19:04,660 fail2ban.actions: WARNING [ssh] Unban 219.139.243.236
2011-01-14 01:19:04,682 fail2ban.actions: WARNING [ssh] Unban 85.25.148.106
2011-01-14 01:19:04,707 fail2ban.actions: WARNING [ssh] Unban 61.7.235.206
2011-01-14 01:19:04,813 fail2ban.jail : INFO Jail 'ssh' stopped
2011-01-14 01:19:05,549 fail2ban.jail : INFO Jail 'httpDDOS' stopped
2011-01-14 01:19:16,737 fail2ban.server : INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.3
2011-01-14 01:19:16,739 fail2ban.jail : INFO Creating new jail 'httpDDOS'
2011-01-14 01:19:16,740 fail2ban.jail : INFO Jail 'httpDDOS' uses poller
2011-01-14 01:19:16,817 fail2ban.filter : INFO Added logfile = /var/log/nginx/reverse.log
2011-01-14 01:19:16,819 fail2ban.filter : INFO Set maxRetry = 50
2011-01-14 01:19:16,822 fail2ban.filter : INFO Set findtime = 600
2011-01-14 01:19:16,824 fail2ban.actions: INFO Set banTime = 3600
2011-01-14 01:19:16,850 fail2ban.jail : INFO Creating new jail 'ssh'
2011-01-14 01:19:16,850 fail2ban.jail : INFO Jail 'ssh' uses poller
2011-01-14 01:19:16,853 fail2ban.filter : INFO Added logfile = /var/log/auth.log
2011-01-14 01:19:16,855 fail2ban.filter : INFO Set maxRetry = 5
2011-01-14 01:19:16,857 fail2ban.filter : INFO Set findtime = 600
2011-01-14 01:19:16,859 fail2ban.actions: INFO Set banTime = 604800
2011-01-14 01:19:17,047 fail2ban.jail : INFO Creating new jail 'SynDDOS'
2011-01-14 01:19:17,048 fail2ban.jail : INFO Jail 'SynDDOS' uses poller
2011-01-14 01:19:17,051 fail2ban.filter : INFO Added logfile = /var/log/nginx/reverse.log
2011-01-14 01:19:17,053 fail2ban.filter : INFO Set maxRetry = 50
2011-01-14 01:19:17,056 fail2ban.filter : INFO Set findtime = 600
2011-01-14 01:19:17,058 fail2ban.actions: INFO Set banTime = 3600
2011-01-14 01:19:17,083 fail2ban.jail : INFO Creating new jail 'proftpd'
2011-01-14 01:19:17,084 fail2ban.jail : INFO Jail 'proftpd' uses poller
2011-01-14 01:19:17,086 fail2ban.filter : INFO Added logfile = /var/log/proftpd/proftpd.log
2011-01-14 01:19:17,088 fail2ban.filter : INFO Set maxRetry = 6
2011-01-14 01:19:17,090 fail2ban.filter : INFO Set findtime = 600
2011-01-14 01:19:17,092 fail2ban.actions: INFO Set banTime = 600
2011-01-14 01:19:17,125 fail2ban.jail : INFO Jail 'httpDDOS' started
2011-01-14 01:19:17,136 fail2ban.jail : INFO Jail 'ssh' started
2011-01-14 01:19:17,214 fail2ban.jail : INFO Jail 'SynDDOS' started
2011-01-14 01:19:17,217 fail2ban.jail : INFO Jail 'proftpd' started
2011-01-14 01:41:38,930 fail2ban.jail : INFO Jail 'proftpd' stopped
2011-01-14 01:41:39,940 fail2ban.jail : INFO Jail 'SynDDOS' stopped
2011-01-14 01:41:40,725 fail2ban.jail : INFO Jail 'ssh' stopped
2011-01-14 01:41:41,725 fail2ban.jail : INFO Jail 'httpDDOS' stopped
2011-01-14 01:42:44,854 fail2ban.server : INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.3
2011-01-14 01:42:44,857 fail2ban.jail : INFO Creating new jail 'httpDDOS'
2011-01-14 01:42:44,857 fail2ban.jail : INFO Jail 'httpDDOS' uses poller
2011-01-14 01:42:44,898 fail2ban.filter : INFO Added logfile = /var/log/nginx/reverse.log
2011-01-14 01:42:44,900 fail2ban.filter : INFO Set maxRetry = 50
2011-01-14 01:42:44,904 fail2ban.filter : INFO Set findtime = 600
2011-01-14 01:42:44,906 fail2ban.actions: INFO Set banTime = 3600
2011-01-14 01:42:44,939 fail2ban.jail : INFO Creating new jail 'ssh'
2011-01-14 01:42:44,939 fail2ban.jail : INFO Jail 'ssh' uses poller
2011-01-14 01:42:44,943 fail2ban.filter : INFO Added logfile = /var/log/auth.log
2011-01-14 01:42:44,945 fail2ban.filter : INFO Set maxRetry = 5
2011-01-14 01:42:44,949 fail2ban.filter : INFO Set findtime = 600
2011-01-14 01:42:44,951 fail2ban.actions: INFO Set banTime = 604800
2011-01-14 01:42:45,161 fail2ban.jail : INFO Creating new jail 'SynDDOS'
2011-01-14 01:42:45,161 fail2ban.jail : INFO Jail 'SynDDOS' uses poller
2011-01-14 01:42:45,164 fail2ban.filter : INFO Added logfile = /var/log/nginx/reverse.log
2011-01-14 01:42:45,166 fail2ban.filter : INFO Set maxRetry = 50
2011-01-14 01:42:45,170 fail2ban.filter : INFO Set findtime = 600
2011-01-14 01:42:45,171 fail2ban.actions: INFO Set banTime = 3600
2011-01-14 01:42:45,202 fail2ban.jail : INFO Creating new jail 'proftpd'
2011-01-14 01:42:45,203 fail2ban.jail : INFO Jail 'proftpd' uses poller
2011-01-14 01:42:45,205 fail2ban.filter : INFO Added logfile = /var/log/proftpd/proftpd.log
2011-01-14 01:42:45,207 fail2ban.filter : INFO Set maxRetry = 6
2011-01-14 01:42:45,210 fail2ban.filter : INFO Set findtime = 600
2011-01-14 01:42:45,212 fail2ban.actions: INFO Set banTime = 600
2011-01-14 01:42:45,248 fail2ban.jail : INFO Jail 'httpDDOS' started
2011-01-14 01:42:45,283 fail2ban.jail : INFO Jail 'ssh' started
2011-01-14 01:42:45,342 fail2ban.jail : INFO Jail 'SynDDOS' started
2011-01-14 01:42:45,352 fail2ban.jail : INFO Jail 'proftpd' started
2011-01-14 01:42:45,437 fail2ban.actions.action: ERROR iptables -N fail2ban-AntiSynDDOS
iptables -A fail2ban-AntiSynDDOS -j RETURN
iptables -I INPUT -j fail2ban-AntiSynDDOS returned 400
2011-01-14 12:55:40,361 fail2ban.jail : INFO Jail 'proftpd' stopped
2011-01-14 12:55:43,181 fail2ban.jail : INFO Jail 'SynDDOS' stopped
2011-01-14 12:55:44,278 fail2ban.jail : INFO Jail 'ssh' stopped
2011-01-14 12:55:45,277 fail2ban.jail : INFO Jail 'httpDDOS' stopped
2011-01-14 12:55:50,214 fail2ban.server : INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.3
2011-01-14 12:55:50,217 fail2ban.jail : INFO Creating new jail 'httpDDOS'
2011-01-14 12:55:50,218 fail2ban.jail : INFO Jail 'httpDDOS' uses poller
2011-01-14 12:55:50,333 fail2ban.filter : INFO Added logfile = /var/log/nginx/reverse.log
2011-01-14 12:55:50,335 fail2ban.filter : INFO Set maxRetry = 50
2011-01-14 12:55:50,338 fail2ban.filter : INFO Set findtime = 600
2011-01-14 12:55:50,340 fail2ban.actions: INFO Set banTime = 3600
2011-01-14 12:55:50,368 fail2ban.jail : INFO Creating new jail 'ssh'
2011-01-14 12:55:50,369 fail2ban.jail : INFO Jail 'ssh' uses poller
2011-01-14 12:55:50,371 fail2ban.filter : INFO Added logfile = /var/log/auth.log
2011-01-14 12:55:50,373 fail2ban.filter : INFO Set maxRetry = 5
2011-01-14 12:55:50,376 fail2ban.filter : INFO Set findtime = 600
2011-01-14 12:55:50,378 fail2ban.actions: INFO Set banTime = 604800
2011-01-14 12:55:50,553 fail2ban.jail : INFO Creating new jail 'SynDDOS'
2011-01-14 12:55:50,554 fail2ban.jail : INFO Jail 'SynDDOS' uses poller
2011-01-14 12:55:50,556 fail2ban.filter : INFO Added logfile = /var/log/nginx/reverse.log
2011-01-14 12:55:50,558 fail2ban.filter : INFO Set maxRetry = 50
2011-01-14 12:55:50,561 fail2ban.filter : INFO Set findtime = 600
2011-01-14 12:55:50,562 fail2ban.actions: INFO Set banTime = 3600
2011-01-14 12:55:50,588 fail2ban.jail : INFO Creating new jail 'proftpd'
2011-01-14 12:55:50,588 fail2ban.jail : INFO Jail 'proftpd' uses poller
2011-01-14 12:55:50,590 fail2ban.filter : INFO Added logfile = /var/log/proftpd/proftpd.log
2011-01-14 12:55:50,592 fail2ban.filter : INFO Set maxRetry = 6
2011-01-14 12:55:50,595 fail2ban.filter : INFO Set findtime = 600
2011-01-14 12:55:50,596 fail2ban.actions: INFO Set banTime = 600
2011-01-14 12:55:50,628 fail2ban.jail : INFO Jail 'httpDDOS' started
2011-01-14 12:55:50,658 fail2ban.jail : INFO Jail 'ssh' started
2011-01-14 12:55:50,708 fail2ban.jail : INFO Jail 'SynDDOS' started
2011-01-14 12:55:50,832 fail2ban.jail : INFO Jail 'proftpd' started
Restarting or reinstalling Fail2ban unfortunately doesn't help, and uninstalling with --purge doesn't help either. After installation, Fail2ban runs with the same high load again.
How can I solve this problem?
Regards
Julian
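
A triage aid for a log like the one in this post, added here as an example (it is not part of the original post and not fail2ban's own code): it rebuilds each jail's backend, log file and maxRetry from the startup lines, lists log files read by more than one jail, and collects the multi-line `ERROR ... returned N` action records. The function names are made up for this example, and the sample input is a shortened excerpt of the log above.

```python
import re
from collections import defaultdict

# Shortened excerpt of the fail2ban.log posted above (start of 2011-01-14 01:42).
SAMPLE = """\
2011-01-14 01:42:44,854 fail2ban.server : INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.3
2011-01-14 01:42:44,857 fail2ban.jail : INFO Creating new jail 'httpDDOS'
2011-01-14 01:42:44,857 fail2ban.jail : INFO Jail 'httpDDOS' uses poller
2011-01-14 01:42:44,898 fail2ban.filter : INFO Added logfile = /var/log/nginx/reverse.log
2011-01-14 01:42:44,900 fail2ban.filter : INFO Set maxRetry = 50
2011-01-14 01:42:44,939 fail2ban.jail : INFO Creating new jail 'ssh'
2011-01-14 01:42:44,939 fail2ban.jail : INFO Jail 'ssh' uses poller
2011-01-14 01:42:44,943 fail2ban.filter : INFO Added logfile = /var/log/auth.log
2011-01-14 01:42:44,945 fail2ban.filter : INFO Set maxRetry = 5
2011-01-14 01:42:45,161 fail2ban.jail : INFO Creating new jail 'SynDDOS'
2011-01-14 01:42:45,161 fail2ban.jail : INFO Jail 'SynDDOS' uses poller
2011-01-14 01:42:45,164 fail2ban.filter : INFO Added logfile = /var/log/nginx/reverse.log
2011-01-14 01:42:45,166 fail2ban.filter : INFO Set maxRetry = 50
2011-01-14 01:42:45,437 fail2ban.actions.action: ERROR iptables -N fail2ban-AntiSynDDOS
iptables -A fail2ban-AntiSynDDOS -j RETURN
iptables -I INPUT -j fail2ban-AntiSynDDOS returned 400
"""

# timestamp, component, level, message
LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d+) (fail2ban\.[\w.]+)\s*: (\w+)\s+(.*)$")


def _close(pending, errors):
    """Store a finished ERROR record as (timestamp, command text, exit code)."""
    if pending:
        text = "\n".join(pending[1])
        code = re.search(r"returned (\d+)$", text)
        errors.append((pending[0], text, int(code.group(1)) if code else None))


def parse(text):
    """Return (startups, errors) for a fail2ban 0.8.x style log.

    startups: one dict per server start, {jail: {"backend", "logfiles", "maxretry"}}
    errors:   ERROR records with their continuation lines joined
    """
    startups, errors = [], []
    jail = None      # jail whose settings are currently being logged
    pending = None   # [timestamp, [lines]] of an ERROR record still being read
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            # Lines without a timestamp continue the previous ERROR record.
            if pending and raw.strip():
                pending[1].append(raw.strip())
            continue
        _close(pending, errors)
        pending = None
        stamp, _component, level, msg = m.groups()
        if level == "ERROR":
            pending = [stamp, [msg]]
            continue
        if msg.startswith("Changed logging target"):
            startups.append({})      # a new server start begins here
            jail = None
            continue
        new = re.match(r"Creating new jail '(.+)'$", msg)
        if new:
            if not startups:         # log excerpt began mid-start
                startups.append({})
            jail = new.group(1)
            startups[-1][jail] = {"backend": None, "logfiles": [], "maxretry": None}
            continue
        if jail is None:
            continue
        cfg = startups[-1][jail]     # filter lines carry no jail name
        uses = re.match(r"Jail '(.+)' uses (\S+)$", msg)
        added = re.match(r"Added logfile = (\S+)$", msg)
        retry = re.match(r"Set maxRetry = (\d+)$", msg)
        if uses and uses.group(1) == jail:
            cfg["backend"] = uses.group(2)
        elif added:
            cfg["logfiles"].append(added.group(1))
        elif retry:
            cfg["maxretry"] = int(retry.group(1))
    _close(pending, errors)
    return startups, errors


def shared_logfiles(startup):
    """Map each log file read by more than one jail to [(jail, backend), ...]."""
    readers = defaultdict(list)
    for name, cfg in startup.items():
        for path in cfg["logfiles"]:
            readers[path].append((name, cfg["backend"]))
    return {path: r for path, r in readers.items() if len(r) > 1}
```

Run `parse()` over the whole `/var/log/fail2ban.log` and inspect the last entry of `startups` to see the configuration that is currently active.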