"top" shows fail2ban and sshd at the very top, using a lot of CPU


top shows fail2ban and sshd at the top of the list, using a lot of CPU.

top - 19:30:57 up 1 day,  9:44,  1 user,  load average: 41.03, 41.02, 41.02
Tasks: 738 total,   1 running, 737 sleeping,   0 stopped,   0 zombie
%Cpu(s): 51.2 us,  0.1 sy,  0.0 ni, 48.8 id,  0.0 wa,  0.0 hi,  0.0 si,  0.0 st
KiB Mem : 52827577+total, 51446102+free,  7173552 used,  6641224 buff/cache
KiB Swap:        0 total,        0 free,        0 used. 51941568+avail Mem

  PID USER      PR  NI    VIRT    RES    SHR S  %CPU %MEM     TIME+ COMMAND
 2207 root      20   0 4656340   9756      4 S  4035  0.0  80861:59 sshd
35047 root      20   0  218824  15948   6044 S 100.0  0.0   0:54.47 fail2ban-server
35054 root      20   0   48688   4452   3396 R   5.9  0.0   0:00.03 top
    1 root      20   0   38136   6120   4016 S   0.0  0.0   0:54.93 systemd
    2 root      20   0       0      0      0 S   0.0  0.0   0:00.28 kthreadd
    3 root      20   0       0      0      0 S   0.0  0.0   0:00.07 ksoftirqd/0
    5 root       0 -20       0      0      0 S   0.0  0.0   0:00.00 kworker/0:0H
    8 root      20   0       0      0      0 S   0.0  0.0   0:27.60 rcu_sched
    9 root      20   0       0      0      0 S   0.0  0.0   0:00.00 rcu_bh
   10 root      rt   0       0      0      0 S   0.0  0.0   0:00.76 migration/0
   11 root      rt   0       0      0      0 S   0.0  0.0   0:00.22 watchdog/0

after that...
A lot of migration, watchdog, kworker...

The system was already in place when I arrived (meaning I did not configure anything), and I am afraid to change files at random, even if I knew where to start.

I started with fail2ban.

/var/log/fail2ban.log seems to repeat these lines every minute.

timestamp,669 fail2ban.jail           [52316]: INFO    Jail 'sshd' started
timestamp,997 fail2ban.server         [52402]: INFO    Changed logging target to /var/log/fail2ban.log for Fail2ban v0.9.3
timestamp,997 fail2ban.database       [52402]: INFO    Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
timestamp,001 fail2ban.jail           [52402]: INFO    Creating new jail 'sshd'
timestamp,005 fail2ban.jail           [52402]: INFO    Jail 'sshd' uses poller
timestamp,022 fail2ban.filter         [52402]: INFO    Set jail log file encoding to UTF-8
timestamp,022 fail2ban.jail           [52402]: INFO    Initiated 'polling' backend
timestamp,035 fail2ban.actions        [52402]: INFO    Set banTime = 600
timestamp,036 fail2ban.filter         [52402]: INFO    Set maxRetry = 5
timestamp,037 fail2ban.filter         [52402]: INFO    Set findtime = 600
timestamp,039 fail2ban.filter         [52402]: INFO    Added logfile = /var/log/auth.log
timestamp,039 fail2ban.filter         [52402]: INFO    Set jail log file encoding to UTF-8
timestamp,040 fail2ban.filter         [52402]: INFO    Set maxlines = 10
timestamp,114 fail2ban.server         [52402]: INFO    Jail sshd is not a JournalFilter instance
timestamp,128 fail2ban.jail           [52402]: INFO    Jail 'sshd' started
timestamp,330 fail2ban.server         [52528]: INFO    Changed logging target to /var/log/fail2ban.log for Fail2ban v0.9.3
timestamp,330 fail2ban.database       [52528]: INFO    Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
timestamp,333 fail2ban.jail           [52528]: INFO    Creating new jail 'sshd'
timestamp,337 fail2ban.jail           [52528]: INFO    Jail 'sshd' uses poller
timestamp,355 fail2ban.filter         [52528]: INFO    Set jail log file encoding to UTF-8
timestamp,355 fail2ban.jail           [52528]: INFO    Initiated 'polling' backend
timestamp,368 fail2ban.filter         [52528]: INFO    Set maxRetry = 5
timestamp,369 fail2ban.filter         [52528]: INFO    Set jail log file encoding to UTF-8
timestamp,371 fail2ban.filter         [52528]: INFO    Added logfile = /var/log/auth.log
timestamp,371 fail2ban.filter         [52528]: INFO    Set findtime = 600
timestamp,372 fail2ban.actions        [52528]: INFO    Set banTime = 600
timestamp,372 fail2ban.filter         [52528]: INFO    Set maxlines = 10
timestamp,447 fail2ban.server         [52528]: INFO    Jail sshd is not a JournalFilter instance
timestamp,462 fail2ban.jail           [52528]: INFO    Jail 'sshd' started

The syslog file repeatedly shows the following errors:

timestamp myserver fail2ban-client[29267]: ERROR  Unable to contact server. Is it running?
timestamp myserver systemd[1]: fail2ban.service: Control process exited, code=exited status=255
timestamp myserver systemd[1]: fail2ban.service: Unit entered failed state.
timestamp myserver systemd[1]: fail2ban.service: Failed with result 'exit-code'.
timestamp myserver systemd[1]: fail2ban.service: Service hold-off time over, scheduling restart.
timestamp myserver systemd[1]: Stopped Fail2Ban Service.
timestamp myserver systemd[1]: Starting Fail2Ban Service...
timestamp myserver fail2ban-client[29279]: timestamp,179 fail2ban.server         [29283]: INFO    Starting Fail2ban v0.9.3
timestamp myserver fail2ban-client[29279]: timestamp,180 fail2ban.server         [29283]: INFO    Starting in daemon mode
timestamp myserver systemd[1]: Started Fail2Ban Service.

Also, fail2ban-client status shows this:

root@myserver:/var/log# fail2ban-client status
Status
|- Number of jail:      1
`- Jail list:   sshd

Was my server compromised? Or was some bad actor trying to break in, and fail2ban worked, but worked too well and caused problems?

I read in this post, How to reduce fail2ban memory usage, that I might want to use the ulimit parameter in /etc/default/fail2ban. That file is the default one; it seems nobody has touched it. I don't know whether I should do that; even without ulimit -s 256 in that file, it works fine.

How do I get fail2ban-server and sshd off the top of 'top'?

Only two people have root access, and neither of us has changed files or installed anything.

As I wrote in the comments section, I stopped sshd and fail2ban and then started them again, but the result did not change. When I stop these two services, they disappear from the output of top. As soon as I start them, they are back!

Please advise.

Thanks.

PS: The server was rebooted recently, and these problems surfaced. I use key-based authentication now, but there was a 4-5 day window during which the system used password authentication. Could the system have been attacked during that period?

sudo grep sshd.\*Failed /var/log/auth.log | less

shows roughly one hundred to four hundred failed attempts during that period, depending on the day, but the last command does not show anyone who is not on our authorized list, so I would like to believe the server was not compromised. I hope I'm right :)

PPS: We (still) use Ubuntu 16.04.6 LTS (GNU/Linux 4.4.0-138-generic x86_64)!
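The fail2ban.log excerpt above shows the 'sshd' jail being started by a new server PID (52316, 52402, 52528) every half minute or so, which is what a systemd restart loop looks like from the log side. As an added example, not code from the poster, here is a small checker that detects that pattern: it parses lines in the fail2ban.log format and flags any window in which several distinct server PIDs start a jail. The sample log is constructed, with made-up timestamps standing in for the redacted ones in the post.

```python
import re
from datetime import datetime, timedelta

# Constructed sample modelled on the fail2ban.log excerpt in the post:
# three different server PIDs start the same jail within about a minute.
SAMPLE_LOG = """\
2019-03-02 19:29:01,669 fail2ban.jail           [52316]: INFO    Jail 'sshd' started
2019-03-02 19:29:31,997 fail2ban.server         [52402]: INFO    Changed logging target to /var/log/fail2ban.log for Fail2ban v0.9.3
2019-03-02 19:29:32,128 fail2ban.jail           [52402]: INFO    Jail 'sshd' started
2019-03-02 19:30:02,330 fail2ban.server         [52528]: INFO    Changed logging target to /var/log/fail2ban.log for Fail2ban v0.9.3
2019-03-02 19:30:02,462 fail2ban.jail           [52528]: INFO    Jail 'sshd' started
"""

# "<date> <time>,<ms> fail2ban.<component>  [<pid>]: <LEVEL>  <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+ "
    r"fail2ban\.(?P<component>\w+)\s+\[(?P<pid>\d+)\]: (?P<level>\w+)\s+(?P<msg>.*)$"
)

def jail_starts(lines):
    """Yield (timestamp, server_pid) for every "Jail '<name>' started" line."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        if msg.startswith("Jail '") and msg.endswith("started"):
            yield datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"), int(m.group("pid"))

def restart_loop(lines, window=timedelta(minutes=5), threshold=3):
    """Return the distinct server PIDs that started a jail inside some
    window of length `window`, or [] if no window reaches `threshold`.
    A healthy fail2ban starts each jail once per (re)start, so several
    PIDs in a short window means the service is being restarted in a loop."""
    starts = list(jail_starts(lines))
    for i, (t0, _) in enumerate(starts):
        pids = []
        for t, pid in starts[i:]:
            if t - t0 > window:
                break
            if pid not in pids:
                pids.append(pid)
        if len(pids) >= threshold:
            return pids
    return []

if __name__ == "__main__":
    # On a real host: restart_loop(open("/var/log/fail2ban.log"))
    print(restart_loop(SAMPLE_LOG.splitlines()))
```

If the checker reports a loop, the syslog lines around "Unable to contact server" (the fail2ban-client exit status 255 followed by a systemd restart) are the next thing to read, since they show why each server instance is going away.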
