Template built by
Telegraf Plugins used:
- 1 label:
- 1 Dashboard:
- 3 Variables:
- 1 Telegraf Configuration:
- basic system metrics from
If you have your InfluxDB credentials configured in the CLI, you can install this template with:
Fail2Ban monitoring dashboard
Fail2Ban is an intrusion prevention software framework that protects computer servers from brute-force attacks. It is written in Python and able to run on POSIX systems that have an interface to a packet-control system or firewall installed locally. It operates by monitoring log files for selected entries and running scripts based on them. This is used to block selected IP addresses that may belong to hosts that are trying to breach the system's security.
Why Fail2Ban monitoring?
Fail2Ban is a useful tool to block IP addresses that might be trying to breach your system’s security. Using a monitoring solution to watch how well your system is doing helps you to determine if there are more (or fewer) IP addresses that you might want to add to your block list.
How to use Fail2Ban Monitoring Template
Once your InfluxDB credentials have been properly configured in the CLI, you can install the Fail2Ban monitoring template using the Quick Install command. Once installed, the data for the dashboard will be populated by the included Telegraf configuration, which includes the relevant Input. Note that you might need to customize the input configuration to better serve your needs, including by specifying a new input value. All of this will depend on how your organization is currently running Fail2Ban.
To find out more information about environmental variables within the Telegraf configuration, consult the following link.
Once installed, you'll need to start up Telegraf to pull metrics from your Fail2Ban client. Check out Telegraf docs for installing and starting Telegraf.
Telegraf Configuration requires the following environment variables:
To start Telegraf with the template-provided configuration, follow setup instructions:
You can use the Fail2Ban package shipped with your favorite Linux distribution. On Debian-based distributions, you can use
apt install fail2ban
The Telegraf input uses the fail2ban-client command-line tool to read metrics. Telegraf needs permission to access /var/run/fail2ban/fail2ban.sock to execute it.
To check this, try running fail2ban-client status under the telegraf user account. If you see:
fail2ban-client status
Permission denied to socket: /var/run/fail2ban/fail2ban.sock, (you must be root)
You can fix the socket permission issue like this:
Add new group fail2ban
$ addgroup --group fail2ban
Add user telegraf to fail2ban group
$ usermod -a -G fail2ban telegraf
$ chown root:fail2ban /var/run/fail2ban/fail2ban.sock
$ chmod g+rwx /var/run/fail2ban/fail2ban.sock
Now you can run fail2ban-client status again, and you should see:
$ fail2ban-client status
Status
|- Number of jail: 1
`- Jail list: sshd
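Note that this permission fix can be reset by systemd: the socket is recreated each time fail2ban starts, so the ownership and mode set above do not survive a service restart. Also note that any member of the fail2ban group can send every fail2ban-client command over this socket, including unbanning addresses and stopping the server, so keep the group limited to the telegraf account.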
Systemd fail2ban.service settings
To make the permissions permanent, you can append them to the systemd fail2ban.service settings:
[Service]
...
ExecStartPost=/bin/sh -c "while ! [ -S /run/fail2ban/fail2ban.sock ]; do sleep 1; done"
ExecStartPost=/bin/chgrp fail2ban /run/fail2ban/fail2ban.sock
ExecStartPost=/bin/chmod g+w /run/fail2ban/fail2ban.sock
Then restart the service:
$ systemctl restart fail2ban.service
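To confirm that the socket permissions survived the restart, the following added example (not part of the original template) audits the socket's owner, group and mode and checks the telegraf account's group membership. The function names are this example's own; it assumes GNU stat and the telegraf user and fail2ban group used above.

```shell
#!/bin/sh
# Added example: audit the fail2ban socket after the permission fix.
# Assumes GNU stat and the user/group names used on this page.

# Classify "<octal mode> <owner> <group>", as printed by: stat -c '%a %U %G'
classify_perms() {
    mode=$1 owner=$2 group=$3 want=${4:-fail2ban}
    [ "$owner" = root ] || { echo "owner-not-root"; return 0; }
    # 002 = write bit for "other": any local user could drive fail2ban
    [ $(( 0$mode & 002 )) -eq 0 ] || { echo "world-writable"; return 0; }
    [ "$group" = "$want" ] || { echo "wrong-group"; return 0; }
    # 020 = group write bit, which connecting to a Unix socket requires
    [ $(( 0$mode & 020 )) -ne 0 ] || { echo "no-group-write"; return 0; }
    echo "ok"
}

# Succeeds if group $1 appears in $2, a space-separated list from `id -nG`.
in_group() {
    for g in $2; do
        [ "$g" = "$1" ] && return 0
    done
    return 1
}

# Check the live socket and the telegraf account; returns 0 only if both pass.
audit_socket() {
    sock=$1
    [ -S "$sock" ] || { echo "$sock: not a socket (is fail2ban running?)"; return 1; }
    verdict=$(classify_perms $(stat -c '%a %U %G' "$sock"))
    echo "$sock: $verdict"
    member_of=$(id -nG telegraf 2>/dev/null) || { echo "no telegraf user"; return 1; }
    in_group fail2ban "$member_of" || { echo "telegraf not in fail2ban group"; return 1; }
    [ "$verdict" = ok ]
}

audit_socket "${1:-/var/run/fail2ban/fail2ban.sock}" || echo "audit: FAILED"
```

Run it after restarting fail2ban.service; a verdict other than ok means the socket does not match the ownership and mode set above.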
Key Fail2Ban monitoring metrics to monitor
Some of the most important Fail2Ban monitoring metrics that you should proactively monitor include:
- Banned IP addresses
- CPU usage
- System Load
- Memory Usage
- Disk Usage
- Network Usage