• Please be aware: Kaspersky Anti-Virus has been deprecated
    With the upgrade to Plesk Obsidian 18.0.64, "Kaspersky Anti-Virus for Servers" will be automatically removed from the servers it is installed on. We recommend that you migrate to Sophos Anti-Virus for Servers.
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Question Fail2ban sqlite database huge

S

SteveITS

Basic Pleskian
We had a client's server run out of disk space last night. It looks like fail2ban had made several copies of its database for some reason until it ran out:

-rw------- 1 root root 1232522240 May 4 09:18 fail2ban.sqlite3
-rw------- 1 root root 1232522240 May 3 21:03 fail2ban.sqlite3.20210504-010217
-rw------- 1 root root 1232522240 May 3 21:04 fail2ban.sqlite3.20210504-010359
-rw------- 1 root root 1232522240 May 3 21:05 fail2ban.sqlite3.20210504-010420
-rw------- 1 root root 1232522240 May 3 21:05 fail2ban.sqlite3.20210504-010525
-rw------- 1 root root 1232522240 May 3 21:05 fail2ban.sqlite3.20210504-010548
-rw------- 1 root root 1232522240 May 3 21:06 fail2ban.sqlite3.20210504-010603
-rw------- 1 root root 1105612800 May 3 21:06 fail2ban.sqlite3.20210504-010625
-rw------- 1 root root 0 May 4 09:03 fail2ban.sqlite3.20210504-130353

We deleted it all, but in reviewing this, does Plesk not clear out the fail2ban database? Is there a way to tell it to "within Plesk?" It can be manually pruned and doing so for 90 days on a few servers removes 75-90% of the file size:
sqlite3 /var/lib/fail2ban/fail2ban.sqlite3 "delete from bans where timeofban <= strftime('%s', date('now', '-90 days'));"
sqlite3 /var/lib/fail2ban/fail2ban.sqlite3 "vacuum;"

Whenever I've looked on any server fail2ban only had around 10-20 IPs listed as banned.

I've also found at least one more with a database copy dating back to March 2020 (fail2ban.sqlite3.2020*).
 
Last edited:
The space issue caused a failed Plesk upgrade (we got the email alert 30 hours later, after the second attempt/failure) so I had to engage support. Along the way they wrote:
"Since 18.0.35 fail2ban was updated to version v0.11 which has automatic scripts for purging old fail2ban data, therefore it should not eat a lot of space anymore."
 
SteveITS said:
The space issue caused a failed Plesk upgrade (we got the email alert 30 hours later, after the second attempt/failure) so I had to engage support. Along the way they wrote:
"Since 18.0.35 fail2ban was updated to version v0.11 which has automatic scripts for purging old fail2ban data, therefore it should not eat a lot of space anymore."
Click to expand...
FYI: as far as I know since Fail2Ban version v0.11 old entries are being purged based on the dbpurgeage parameter. However the database is not being 'vacuumed'. This means that old entries are being 'flagged' as deleted, but are not actually removed from the database. So the database will still keep growing. My advice, create a cron job that vacuums the database each night. Then the old entries will be truly deleted.
 
Pleskie said:
FYI: as far as I know since Fail2Ban version v0.11 old entries are being purged based on the dbpurgeage parameter. However the database is not being 'vacuumed'. This means that old entries are being 'flagged' as deleted, but are not actually removed from the database. So the database will still keep growing. My advice, create a cron job that vacuums the database each night. Then the old entries will be truly deleted.
Click to expand...
I see, thanks for the update. I hadn't had a change to dig into it much yet but I had already scripted the two commands above, plus one to delete the extra, dated copies:
rm -f /var/lib/fail2ban/fail2ban.sqlite3.*

Also note article After update to Plesk 18.0.35 disk space usage increases drastically or disk is already full: /var/lib/fail2ban/ taking all the space was just created. "The issue is confirmed as the bug PPPM-12981. Fail2Ban tries to upgrade its database and fails, continually creating files in an endless loop." Workaround is to stop the service and delete the files. When I looked on all our servers at least one I know had a fail2ban.sqlite3.* file from March 2020.
 
@SteveITS

Stopping the service and deleting files is a workaround to get rid of the large files but won't prevent the new database to grow big again.

Try what I said: create a cron job to run every night which vacuums the database. That will prevent it from growing extremely large.
 
Pleskie said:
create a cron job
Click to expand...
Already did per the above but thanks. :)
I looked at the servers that upgraded to 18.0.35 since I did this last Thursday and all had one extra fail2ban.sqlite3.* file. So not an infinite number nor enough to run out of space as the Plesk KB describes, thankfully, but if the database is (used to be) a few GB or more, any copies use a lot of space.

Edit: note Plesk's example in their KB is a 26 GB database with multiple 13 GB files.
 
Last edited:
You must log in or register to reply here.

Similar threads

Dork
Resolved fail2ban issue
Replies
16
Views
2K
Dork
Dork
A
Question Some security questions
Replies
2
Views
683
amba1980
A
Oscar Segura
Issue Upgrading from Ubuntu 20.04 to 22.04: failed reboot
Replies
0
Views
2K
Oscar Segura
Oscar Segura
A
Question Upgrade Almalinux 8 to 9 with Plesk installed
Replies
2
Views
2K
ansgar
A
L
Issue Server backup fails after moving domain to subscription
Replies
6
Views
641
Kaspar@Plesk
Kaspar@Plesk
Back
Top