0

Since my server is under a sustained DNS amplification attack (DDoS), I configured fail2ban, and initially my outgoing traffic dropped markedly.

Anyway, after a few hours (mostly +10), fail2ban uses about 75% RAM and seems to have crashed in some way, because the outgoing traffic rises immediately after. When I searched the web for the memory problem, I found some people complaining about high fail2ban memory usage as well. But the recommended solution, to insert a ulimit command into a fail2ban config file, did not change that much for me.

ltsstar
  • Can you paste us the evidence you gathered that shows that something is actually wrong? Your statements are pure conclusions that, in my experience, are often reached erroneously. (For example, you might have confused virtual memory usage with RAM usage. And the increase in traffic may just be a symptom of an increased attack.) – David Schwartz Dec 18 '12 at 04:33
  • The incoming traffic stays amazingly constant! The 75% memory usage has been taken from the top command. By the way, it seems that the memory consumption rises constantly until it reaches the around 75% limit and fail2ban crashes after. The server we speak about is a vServer with 512Mb RAM. – ltsstar Dec 18 '12 at 10:26
  • By "memory usage", do you mean resident set size? Can you paste the line from top? If you mean the `VSZ` column, then it's not measuring RAM but just address space and you've misanalyzed the problem. – David Schwartz Dec 18 '12 at 10:27

1 Answer

2

You're misunderstanding what top is telling you. For example:

```
F   UID   PID  PPID PRI  NI    VSZ   RSS WCHAN  STAT TTY        TIME COMMAND
5     0  1230     1  20   0 351220  9284 poll_s Sl   ?          0:14 /usr/bin/python /usr/bin/fail2ban-server -b -s /var/run/fail2ban/fail2ban.sock -x
```

You're probably seeing the huge entry under VSZ and thinking it's using lots of RAM. That is incorrect. The RSS column measures RAM usage. VSZ just measures address space, which is essentially an unlimited resource.

You have latched onto something normal and are incorrectly associating it with whatever actual problem you are having.

If it really bothers you, create a file named `/etc/default/fail2ban` containing just `ulimit -s 256` (or add that to the end of the file if it already exists) and restart fail2ban.

To be safe, check to make sure your system doesn't have absurdly low virtual memory limits. Sometimes people confuse virtual memory with RAM and think that they need to limit virtual memory usage. Hopefully, your system isn't administered by someone who doesn't know what they're doing and isn't using brain-damaged software like OpenVZ.

David Schwartz
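The RSS versus VSZ distinction discussed above can be checked directly from `/proc/<pid>/status`. The following is an added example, not code from the question or the answer; the function names `mem_report` and `rss_exceeds` are hypothetical, and the file arguments exist so the functions can be run against saved copies as well as the live process.

```shell
#!/bin/sh
# Added example: report the RAM a process actually holds (VmRSS) next to
# the address space it has reserved (VmSize), from /proc/<pid>/status.
#
# Live use (assumes a Linux /proc and a running fail2ban-server):
#   mem_report "/proc/$(pgrep -f fail2ban-server | head -n 1)/status"

# mem_report STATUS_FILE [MEMINFO_FILE]
# Prints: rss_kb=<n> vsz_kb=<n> rss_pct=<RSS as a percentage of MemTotal>
mem_report() {
    status_file=$1
    meminfo_file=${2:-/proc/meminfo}
    total_kb=$(awk '$1 == "MemTotal:" { print $2 }' "$meminfo_file") || return 1
    [ -n "$total_kb" ] || return 1
    awk -v total="$total_kb" '
        $1 == "VmSize:" { vsz = $2 }
        $1 == "VmRSS:"  { rss = $2 }
        END {
            # Kernel threads and exited processes have no VmRSS line.
            if (rss == "") exit 1
            printf "rss_kb=%d vsz_kb=%d rss_pct=%.1f\n", rss, vsz, 100 * rss / total
        }' "$status_file"
}

# rss_exceeds STATUS_FILE PERCENT [MEMINFO_FILE]
# Succeeds only when resident memory is above PERCENT of physical RAM;
# returns 2 when the process could not be measured at all.
rss_exceeds() {
    report=$(mem_report "$1" "$3") || return 2
    pct=${report##*rss_pct=}
    awk -v p="$pct" -v limit="$2" 'BEGIN { exit !(p > limit) }'
}
```

Logging `mem_report` once a minute while the attack is running shows whether resident memory really grows before the outgoing traffic rises again, or whether only the address space is large.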