High CPU usage issues (pt 2)

The old one is locked, and while this isn’t necessarily a permanent solution for this, just turning off the intrusion detection / firewall sync fixed the CPU usage issue. Firewall → Advanced → Advanced Settings.

Old thread
High cpu usage issues - General Help - FreePBX Community Forums

1 Like

I’m thinking there’s some other configuration issue at play here. I moved the server to a new VM, did a restore of a backup (not a snapshot) and registered it under a new zend ID without any paid modules. The issue started immediately.

I also compared the files in /etc/fail2ban to a working one (did not go into the sub directories) and saw no difference. FIrewall module looked very similar as well.

Is this with intrusion detection sync OFF or ON that the high CPU is happening on the new server?

If sync is on, are you syncing items from the Trusted Zone? Do you have any items in the Trusted zone that are a FQDN as opposed to an IP address?

Sync ON = high CPU usage

Yes there are URLs in the trusted zones, a couple things that freepbx put there like outbound1.letsencrypt.org

It would be interesting to know if you disable the sync of Trusted IPs in Intrusion Detection if that cures your CPU load issue

Isn’t that the point of that feature? Or does it do anything else besides put the trusted IPs into the white list?

Heres the second server this was happening on, instant fix

In the Intrusion Detection settings, you can enable/disable multiple synchronization types - Trusted IPs, Registered IPs, etc.

What I believe might be happening is that when you synchronize trusted IPs, and the Trusted Zone includes FQDNs, this is causing fail2ban to use a lot of CPU. I don’t know why, but I’ve noticed it a few times before on some of the servers I manage.

Obviously it’s not ideal, but if you want to get to the bottom of it, testing these things will help provide a better description to Sangoma Support when opening a commercial module support ticket.

You should try launching Asterisk with the -f (do not fork) option.

FreePBX (fwconsole start) takes care of launching Asterisk, so in FreePBX (at least the distro) there is no “launching asterisk” per se.

This seems to be a fail2ban issue, not a Asterisk one

Have you tried a current version of fail2ban?, it fixes a lot of problems with 0.8

The FreePBX Distro ships with 0.11.1 It would be up to Sangoma to push a newer version to their repos, we won’t install anything else.

All I am trying to do is ascertain if the OP is having an issue as a result of fail2ban sync trying to handle trusted zone entries with a FQDN which is the issue we have seen a few times before.

11 is good, works better with pyinotify as the backend though.

Where is this configured? In the GUI all I see is this

If the question is are there URLs in the trusted zones, then yes, as mentioned before there are a few


dumb question, but whats the command to update fail2ban?

fail2ban-client --version

Fail2Ban v0.8.14

yum upgrade fail2ban

Loaded plugins: fastestmirror, versionlock
Loading mirror speeds from cached hostfile
sng-base | 3.6 kB 00:00
sng-epel | 2.9 kB 00:00
sng-extras | 2.9 kB 00:00
sng-pkgs | 3.4 kB 00:00
sng-sng7php74 | 3.4 kB 00:00
sng-updates | 2.9 kB 00:00
Package(s) fail2ban available, but not installed.
No packages marked for update

If you are using the “distro” you will need someone else to answer that.

1 Like

The latest version of F2B is not yet compatible with the FreePBX distribution.
Don’t update it.
The FreePBX system uses its own F2B rpm.
I think the next distribution will include a new version of F2B.

It would be interesting to know what the incompatibilities are and why it’s taken +6 years to ponder them :wink:

i can assure folks that current versions work fine with FreePBX open source and have done so ever since 0.8 was put out to pasture, it’s all in the regexes, the backend and moving to sqlite3 to make it work ‘better’ and faster.

1 Like

This topic was automatically closed 31 days after the last reply. New replies are no longer allowed.