
Fail2ban Monitoring Template

Template built by

Telegraf Plugins used:

  • Fail2ban
  • InfluxDB Output plugin
  • CPU Input Plugin
  • Disk Input Plugin
  • DiskIO Input Plugin
  • Kernel Input Plugin
  • Mem Input Plugin
  • Net Input Plugin
  • Processes Input Plugin
  • System Input Plugin

Included Resources:

  • 1 label: fail2ban
  • 1 Dashboard: Fail2Ban Metrics
  • 3 Variables: bucket, host, jail
  • 1 Telegraf Configuration

Quick Install

If you have your InfluxDB credentials configured in the influx CLI, you can install this template with:

influx apply -f https://raw.githubusercontent.com/influxdata/community-templates/master/fail2ban/fail2ban-template.yml

Fail2Ban monitoring dashboard

Fail2Ban is an intrusion prevention software framework that protects computer servers from brute-force attacks. It is written in Python and able to run on POSIX systems that have an interface to a packet-control system or firewall installed locally. It operates by monitoring log files for selected entries and running scripts based on them. This is used to block selected IP addresses that may belong to hosts that are trying to breach the system's security.

Why Fail2Ban monitoring?

Fail2Ban is a useful tool for blocking IP addresses that are trying to breach your system's security. Monitoring it shows whether the jails are actually firing, whether the number of banned addresses is rising or falling over time, and therefore whether you should be adding more (or fewer) sources to your block lists.

How to use Fail2Ban Monitoring Template

Once your InfluxDB credentials have been properly configured in the CLI, you can install the Fail2Ban monitoring template using the Quick Install command. Once installed, the dashboard is populated by the included Telegraf configuration, which contains the Fail2ban input. You may need to adjust that input to fit your environment, for example depending on whether the telegraf user can reach the fail2ban socket directly or has to go through sudo. All of this depends on how your organization is currently running Fail2Ban.

To find out more about environment variables within the Telegraf configuration, consult the following link.

Once installed, you'll need to start up Telegraf to pull metrics from your Fail2Ban client. Check out Telegraf docs for installing and starting Telegraf.

Telegraf Configuration requires the following environment variables:

  • INFLUX_ORG
  • INFLUX_TOKEN
  • INFLUX_HOST
  • INFLUX_BUCKET

To start Telegraf with the template-provided configuration, follow the setup instructions below:

Setup Fail2Ban

You can use the Fail2Ban package shipped by your Linux distribution. On Debian-based distributions, install it with apt install fail2ban.

Telegraf uses the fail2ban-client command-line tool to read metrics. fail2ban-client talks to the daemon over a Unix socket at /var/run/fail2ban/fail2ban.sock, which fail2ban creates as root-only, so the telegraf user that Telegraf runs as needs permission to access that socket.

To check this, run fail2ban-client status as the telegraf user (for example with sudo -u telegraf fail2ban-client status). If you see:

$ sudo -u telegraf fail2ban-client status
Permission denied to socket: /var/run/fail2ban/fail2ban.sock, (you must be root)

You can fix the socket permission issue like this:

Add a new group fail2ban (the following commands are run as root):

# addgroup --group fail2ban

Add the telegraf user to the fail2ban group:

# usermod -a -G fail2ban telegraf

Set permissions on the socket. A socket only needs read and write; the execute bit has no meaning on it, so grant g+rw rather than g+rwx:

# chown root:fail2ban /var/run/fail2ban/fail2ban.sock
# chmod g+rw /var/run/fail2ban/fail2ban.sock

Now run fail2ban-client status as the telegraf user again, and you should see:

$ sudo -u telegraf fail2ban-client status
Status
|- Number of jail: 1
`- Jail list: sshd

Note that this fix is not permanent: fail2ban recreates the socket with its own ownership and mode every time the service is (re)started, so the chown/chmod are lost on the next restart.

Systemd fail2ban.service settings

To make the permissions permanent, append the following to the [Service] section of the unit. Rather than editing /lib/systemd/system/fail2ban.service directly (a package upgrade will overwrite it), put the lines in a drop-in override, either with systemctl edit fail2ban.service or by creating /etc/systemd/system/fail2ban.service.d/override.conf:

[Service]
...
ExecStartPost=/bin/sh -c "while ! [ -S /run/fail2ban/fail2ban.sock ]; do sleep 1; done"
ExecStartPost=/bin/chgrp fail2ban /run/fail2ban/fail2ban.sock
ExecStartPost=/bin/chmod g+w /run/fail2ban/fail2ban.sock

The first line waits for the daemon to create the socket before the ownership and mode are changed (if the socket never appears, the unit start will time out after TimeoutStartSec). /run/fail2ban is the same directory as /var/run/fail2ban on systemd-based distributions.

Then reload systemd and restart the service:

# systemctl daemon-reload
# systemctl restart fail2ban.service
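The whole procedure above, as an added example that is not part of the InfluxData template or of fail2ban/Telegraf: a small POSIX shell script with a check for the socket state the chgrp/chmod steps are meant to produce, a renderer for the systemd drop-in (using g+rw rather than g+rwx), a least-privilege alternative that leaves the socket root-only and grants the telegraf user only fail2ban-client status via sudo (the Telegraf fail2ban input has a use_sudo option for this), and a parser for the "Currently banned" figure that the dashboard plots. The group name fail2ban, the socket path, the client path /usr/bin/fail2ban-client and the sample status output are all assumptions chosen for the example; GNU stat (Linux) is assumed.

```shell
#!/bin/sh
# Added example, not part of the InfluxData template, fail2ban or Telegraf.
# Assumptions (all hypothetical): the socket path, group name and client
# path are passed in by the caller; GNU coreutils `stat` is available.

# Return 0 when $1 is owned by group $2 and that group has read+write on it,
# i.e. the state the manual chgrp/chmod steps are meant to produce.
socket_group_rw() {
  path=$1
  group=$2
  [ -e "$path" ] || return 1
  [ "$(stat -c '%G' "$path")" = "$group" ] || return 1
  # symbolic mode looks like srw-rw----; characters 5-6 are the group r/w bits
  [ "$(stat -c '%A' "$path" | cut -c5-6)" = "rw" ]
}

# Print a systemd drop-in that re-applies the group permission after every
# fail2ban start, since the daemon recreates the socket with its own mode.
# Install it with `systemctl edit fail2ban.service` (or write it to
# /etc/systemd/system/fail2ban.service.d/override.conf), then daemon-reload.
render_override() {
  group=$1
  sock=$2
  cat <<EOF
[Service]
ExecStartPost=/bin/sh -c 'while ! [ -S $sock ]; do sleep 1; done'
ExecStartPost=/bin/chgrp $group $sock
ExecStartPost=/bin/chmod g+rw $sock
EOF
}

# Least-privilege alternative: keep the socket root-only and let Telegraf run
# only `fail2ban-client status [...]` through sudo (use_sudo = true in the
# [[inputs.fail2ban]] section). A group-writable socket lets the telegraf
# user issue any command, including unban and stop; this sudoers rule does not.
render_sudoers() {
  client=$1
  cat <<EOF
Cmnd_Alias FAIL2BAN = $client status, $client status *
telegraf ALL=(root) NOEXEC: NOPASSWD: FAIL2BAN
Defaults!FAIL2BAN !logfile, !syslog, !pam_session
EOF
}

# Extract the "Currently banned" count from `fail2ban-client status <jail>`
# output read on stdin; this is the per-jail banned figure the dashboard plots.
jail_banned_count() {
  sed -n 's/^.*Currently banned:[[:space:]]*\([0-9][0-9]*\).*$/\1/p' | head -n 1
}

# Constructed sample of `fail2ban-client status sshd` output, so the parser
# can be exercised offline.
SAMPLE_STATUS='Status for the jail: sshd
|- Filter
|  |- Currently failed:  3
|  |- Total failed:      42
|  `- File list:         /var/log/auth.log
`- Actions
   |- Currently banned:  2
   |- Total banned:      17
   `- Banned IP list:    192.0.2.10 198.51.100.7'

# Usage when run directly:
#   socket_group_rw /run/fail2ban/fail2ban.sock fail2ban && echo "socket ok"
#   render_override fail2ban /run/fail2ban/fail2ban.sock
#   render_sudoers /usr/bin/fail2ban-client
#   printf '%s\n' "$SAMPLE_STATUS" | jail_banned_count
```

Of the two persistence options, the sudoers rule is the one to prefer on a host where Telegraf is the only consumer: it grants exactly the read-only subcommand the input needs, and a compromised telegraf process cannot use it to lift bans.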

Key Fail2Ban metrics to monitor

Some of the most important metrics that you should proactively monitor on a Fail2Ban host include:

  • Banned IP addresses
  • CPU usage
  • System Load
  • Processes
  • Memory Usage
  • Disk Usage
  • Network Usage

Related Resources

Endpoint Security State Template

Monitoring the security state of endpoints helps you to understand the effectiveness of the endpoint detection and response.

x509 SSL Certificate Monitoring Template

This X.509 SSL Certificate Monitoring Template monitors SSL certificates’ expiration date on a regular basis.

X509 Cert Telegraf Plugin

This plugin provides information about X509 certificates accessible via local file or network connection.
