Fail2ban Monitoring Template
Template built by
Telegraf Plugins used:
- Fail2ban
- InfluxDB Output plugin
- CPU Input Plugin
- Disk Input Plugin
- DiskIO Input Plugin
- Kernel Input Plugin
- Mem Input Plugin
- Net Input Plugin
- Processes Input Plugin
- System Input Plugin
Included Resources:
- 1 label:
fail2ban - 1 Dashboard:
Fail2Ban Metrics - 3 Variables:
bucket,host,jail - 1 Telegraf Configuration:
[[inputs.fail2ban]]- https://github.com/influxdata/telegraf/tree/master/plugins/inputs/fail2ban- basic system metrics from
[[inputs.cpu]]
[[inputs.system]],
[[inputs.kernel]],
[[inputs.mem]],
[[inputs.net]],
[[inputs.processes]],
[[inputs.disk]],
[[inputs.diskio]]plugins
Quick Install
If you have your InfluxDB credentials configured in the CLI, you can install this template with:
https://raw.githubusercontent.com/influxdata/community-templates/master/fail2ban/fail2ban-template.yml
Fail2Ban monitoring dashboard
Fail2Ban is an intrusion prevention software framework that protects computer servers from brute-force attacks. It is written in Python and able to run on POSIX systems that have an interface to a packet-control system or firewall installed locally. It operates by monitoring log files for selected entries and running scripts based on them. This is used to block selected IP addresses that may belong to hosts that are trying to breach the system's security.
Why Fail2Ban monitoring?
Fail2Ban is a useful tool to block IP addresses that might be trying to breach your system’s security. Using a monitoring solution to watch how well your system is doing helps you to determine if there are more (or less) IP addresses that you might want to add to your block list.
How to use Fail2Ban Monitoring Template
Once your InfluxDB credentials have been properly configured in the CLI, you can install the Fail2Ban monitoring template using the Quick Install command. Once installed, the data for the dashboard will be populated by the included Telegraf configuration, which includes the relevant Input. Note that you might need to customize the input configuration to better serve your needs, including by specifying a new input value. All of this will depend on how your organization is currently running Fail2Ban.
To find out more information about environmental variables within the Telegraf configuration, consult the following link.
Once installed, you'll need to start up Telegraf to pull metrics from your Fail2Ban client. Check out Telegraf docs for installing and starting Telegraf.
Telegraf Configuration requires the following environment variables:
INFLUX_ORGINFLUX_TOKENINFLUX_HOSTINFLUX_BUCKET
To start Telegraf with the template-provided configuration, follow setup instructions:
Setup Fail2Ban
You can use Fail2Ban that is packed in your favorite Linux Distribution. On Debian-based distributions, you can use apt install fail2ban.
Telegraf uses fail2ban-client commandline tool to read metrics. Telegraf needs to have a permission to access /var/run/fail2ban/fail2ban.sock to execute fail2ban-client.
To check this, try running fail2ban-client status under telegraf user account. If you see:
fail2ban-client status Permission denied to socket: /var/run/fail2ban/fail2ban.sock, (you must be root)
You can fix the socket permission issue like this:
Add new group fail2ban
[email protected]:~$ addgroup --group fail2ban
Add user telegraf to fail2ban group
[email protected]:~$ usermod -a -G fail2ban telegraf
Set permissions
[email protected]:~$ chown root:fail2ban /var/run/fail2ban/fail2ban.sock [email protected]:~$ chmod g+rwx /var/run/fail2ban/fail2ban.sock
Now you can run fail2ban-client status again, and you should see:
[email protected]:~$ fail2ban-client status Status |- Number of jail: 1 `- Jail list: sshd
Note that this permission fix can be reset by systemd.
Systemd fail2ban.service settings
To make permissions permanent, you can append them into systemd /lib/systemd/system/fail2ban.service configuration:
[Service] ... ExecStartPost=/bin/sh -c "while ! [ -S /run/fail2ban/fail2ban.sock ]; do sleep 1; done" ExecStartPost=/bin/chgrp fail2ban /run/fail2ban/fail2ban.sock ExecStartPost=/bin/chmod g+w /run/fail2ban/fail2ban.sock
Then restart the service:
[email protected]:~$ systemctl restart fail2ban.service
Key Fail2Ban monitoring metrics to monitor
Some of the most important Fail2Ban monitoring metrics that you should proactively monitor include:
- Banned IP addresses
- CPU usage
- System Load
- Processes
- Memory Usage
- Disk Usage
- Network Usage
Related Resources
Endpoint Security State Template
Monitoring the security state of endpoints helps you to understand the effectiveness of the endpoint detection and response.
x509 SSL Certificate Monitoring Template
This X.509 SSL Certificate Monitoring Template monitors SSL certificates’ expiration date on a regular basis.
X509 Cert Telegraf Plugin
This plugin provides information about X509 certificates accessible via local file or network connection.