High CPU utilization by Fail2ban on Plesk server

Symptoms

• Fail2ban consumes a lot of CPU:

  

• The /var/log/secure file has a big size and gets two new records each second:

  # tail -fn0 /var/log/secure
  
  Sep 22 05:50:17 srv su: pam_unix(su-l:session): session closed for user popuser
  Sep 22 05:50:17 srv su: pam_unix(su-l:session): session opened for user popuser by (uid=0)
  Sep 22 05:50:18 srv su: pam_unix(su-l:session): session closed for user popuser
  Sep 22 05:50:18 srv su: pam_unix(su-l:session): session opened for user popuser by (uid=0)

Cause

Large size of the /var/log/secure file.

Resolution

1. Log in to Plesk.

2. Disable ssh jail in Tools & Settings > IP Address Banning (Fail2Ban) > Jails.

3. Wait until the completion of Daily Maintenance task, i.e. the output of the following command is empty:

   # ps -auxwf | grep daily | grep -v grep

4. Execute the command below to rotate syslog files:

   On CentOS/RHEL-based distributions:

   # logrotate -f /etc/logrotate.d/syslog

   On Debian/Ubuntu-based distributions:

   # logrotate -f /etc/logrotate.d/rsyslog

5. Enable ssh jail in Tools & Settings > IP Address Banning (Fail2Ban) > Jails

6. Check the CPU usage of fail2ban service:

   # top