I have been looking at dbpurgeage here recently as well.  Unfortunately
I don't have an answer for you, just more questions.

We've never set it to a specific value, so it is at the default
of 86400.  However, our sqlite data file does not seem to ever
have entries purged from the bans table.  On one set of machines
where fail2ban was first set up in March 2015, the entries go back
to then.  On another set initialized about 7 months ago, they
go back 7 months.

Both of these setups are using recidive jails, in addition to several
"normal" jails.  They are all working fine.  We were trying to troubleshoot
why they take a very long time to shut down and start up.  The months/years
of cruft in the bans table seem to be the answer ... if we trim
that table shutdown/startup is much faster.

One set of these is running 0.9.3 on gentoo linux, the other set is running
0.9.6 on FreeBSD.

I just found this thread, which says stock fail2ban doesn't implement the
purge at all, and suggests you would need to add a cron job to do
so: https://github.com/fail2ban/fail2ban/issues/1316

I think we are going to just add a cron job to purge the table periodically.

Mark


On Thu, Dec 14, 2017 at 03:17:59PM +0100, Admin Beckspaced wrote:
> 
> On 14.12.2017 14:35, Patrick Shanahan wrote:
> > * Admin Beckspaced <ad...@beckspaced.com> [12-14-17 04:42]:
> >> Dear Fail2ban users,
> >>
> >> running fail2ban v.0.10.1 on an opensuse box.
> >>
> >> currently looking into the recidive jail to ban persistent abusers.
> >> From what I understand, the bans are stored in the persistent database
> >> storage so the bans can be added on restart without re-scanning the log
> >> files.
> >>
> >> If i set a bantime of 1w in recidive jail the jail.conf informs me that i
> >> should increase the dbpurgeage to 7.5 days
> >> so the bans with 1w can live long enough before getting purged
> >>
> >> but if i do a permanent bantime -1 what value should I set the dbpurgeage?
> >> what's the relation between bantime, persistent storage and dbpurgeage?
> >>
> >> would be nice if someone could perhaps enlighten me on the topic ;)
> > man jail.conf states:
> >    dbpurgeage
> >      Database purge age in seconds. Default: 86400 (24hours)
> >      This sets the age at which bans should be purged from the database.
> >
> > you wouldn't want the subject address to be removed before bantime
> > expires.  and, since fail2ban complains when the dbpurgeage is less than
> > bantime, it is aware and respects bantime.  so if you set bantime to "-1",
> > forever, dbpurgeage would never purge that address.
> >
> > take this for what it is worth, just my reading/understanding.
> >
> > personally, I add persistent ban addresses to ipset rules.
> >
> Hello Patrick,
> thanks a lot for your reply ;)
> 
> one thing that made me unsure how bans in database and dbpurgeage work 
> together is the following note from the recidive jail in jail.conf
> 
> # Jail for more extended banning of persistent abusers
> # !!! WARNINGS !!!
> # 1. Make sure that your loglevel specified in fail2ban.conf/.local
> #    is not at DEBUG level -- which might then cause fail2ban to fall into
> #    an infinite loop constantly feeding itself with non-informative lines
> # 2. Increase dbpurgeage defined in fail2ban.conf to e.g. 648000 (7.5 days)
> #    to maintain entries for failed logins for sufficient amount of time
> [recidive]
> 
> logpath  = /var/log/fail2ban.log
> banaction = %(banaction_allports)s
> bantime  = 1w
> findtime = 1d
> 
> So if i set a bantime of 1 week they urge me to increase the dbpurgeage 
> to more than a week ... 7,5 days
> If it works the way you understand it then there would be no need to 
> adjust the dbpurgeage according to bantime.
> as dbpurgeage would always respect the bantime ...
> 
> if dbpurgeage would respect the bantime then there would be no need to 
> add a WARNING note and increase dbpurgeage to greater than bantime?
> 
> you see ... still not sure how this really works?
> anyone else out there who could enlighten me ;)
> 
> Thanks & greetings
> Becki
> 
> 
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> Fail2ban-users mailing list
> Fail2ban-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
> 
> 

-- 
Mark Costlow    | Southwest Cyberport | Fax:   +1-505-232-7975
che...@swcp.com | Web:   www.swcp.com | Voice: +1-505-232-7992
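
Added example, not part of the message above and not fail2ban's own code: a purge routine of the kind a cron job could run, which never deletes a row before its jail's bantime has passed and never touches jails with bantime -1. It assumes the bans table has the columns jail, ip and timeofban (check with ".schema bans" first) and that the operator supplies each jail's bantime; the jail names and rows in demo() are constructed.

```python
import sqlite3
import time

# Assumed layout of fail2ban's bans table; verify with ".schema bans".
SCHEMA = ("CREATE TABLE bans (jail TEXT NOT NULL, ip TEXT, "
          "timeofban INTEGER NOT NULL, data TEXT)")

def retention(jail, purge_age, bantimes):
    """Seconds a jail's rows must be kept, or None for 'never purge'."""
    bantime = bantimes.get(jail, 0)
    if bantime < 0:              # bantime = -1: permanent ban, keep the row
        return None
    return max(purge_age, bantime)

def purge_bans(conn, purge_age, bantimes, now=None):
    """Delete expired rows jail by jail; returns {jail: rows_deleted}."""
    now = int(time.time()) if now is None else now
    deleted = {}
    jails = [r[0] for r in conn.execute("SELECT DISTINCT jail FROM bans")]
    with conn:  # one transaction: commit on success, roll back on error
        for jail in jails:
            keep = retention(jail, purge_age, bantimes)
            if keep is None:
                deleted[jail] = 0
                continue
            cur = conn.execute(
                "DELETE FROM bans WHERE jail = ? AND timeofban < ?",
                (jail, now - keep))
            deleted[jail] = cur.rowcount
    return deleted

def demo():
    """Constructed data: three jails, rows 1 hour, 3 days and 30 days old."""
    now, day = 1_513_260_000, 86400
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    rows = [(jail, f"192.0.2.{i}", now - age)
            for jail in ("sshd", "recidive", "permanent")
            for i, age in enumerate((3600, 3 * day, 30 * day), start=1)]
    conn.executemany(
        "INSERT INTO bans (jail, ip, timeofban) VALUES (?, ?, ?)", rows)
    # Hypothetical per-jail bantimes in seconds; -1 means permanent.
    bantimes = {"sshd": 600, "recidive": 7 * day, "permanent": -1}
    result = purge_bans(conn, purge_age=day, bantimes=bantimes, now=now)
    left = conn.execute("SELECT COUNT(*) FROM bans").fetchone()[0]
    return result, left

if __name__ == "__main__":
    print(demo())
```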
