Why use a Telegraf plugin for Fail2ban?
Fail2ban is an intrusion prevention software framework that protects computer servers from brute-force attacks. Using this Fail2ban Telegraf plugin allows you to collect and monitor the failed and banned IP addresses that you specify over time.
How to monitor Fail2ban using the Telegraf plugin
The Fail2ban Telegraf Plugin gathers the count of failed and banned IP addresses using Fail2ban.
This plugin runs the fail2ban-client command, which generally requires root access. Acquiring the required permissions can be done using several methods:
- Use sudo to run fail2ban-client.
- Run telegraf as root. (not recommended)
# fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed: 5
|  |- Total failed: 20
|  `- File list: /var/log/secure
`- Actions
   |- Currently banned: 2
   |- Total banned: 10
   `- Banned IP list: 192.168.0.1 192.168.0.2

fail2ban,jail=sshd failed=5i,banned=2i 1495868667000000000
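The mapping from the status output above to the metric line, as an added example that is not Telegraf's own plugin code: it parses the "Currently failed" and "Currently banned" counters and renders the line-protocol point. The helper name `jailMetric` is hypothetical, and the sample input is constructed from the output shown on this page.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Constructed input: the `fail2ban-client status sshd` output shown on this page.
const sampleStatus = "Status for the jail: sshd\n|- Filter\n" +
	"|  |- Currently failed: 5\n|  |- Total failed: 20\n" +
	"|  `- File list: /var/log/secure\n`- Actions\n" +
	"   |- Currently banned: 2\n   |- Total banned: 10\n" +
	"   `- Banned IP list: 192.168.0.1 192.168.0.2\n"

// Line protocol requires commas, equals signs and spaces in tag values to be escaped.
var tagEscaper = strings.NewReplacer(",", `\,`, "=", `\=`, " ", `\ `)

// jailMetric (hypothetical helper): status output -> line-protocol point; a missing counter is an error.
func jailMetric(out string, tsNanos int64) (string, error) {
	var jail string
	counts := map[string]int64{}
	for _, raw := range strings.Split(out, "\n") {
		// Strip the tree-drawing prefix, then split "label: value".
		key, val, ok := strings.Cut(strings.TrimLeft(raw, "|-` \t"), ":")
		if !ok {
			continue
		}
		switch key {
		case "Status for the jail":
			jail = strings.TrimSpace(val)
		case "Currently failed", "Currently banned":
			n, err := strconv.ParseInt(strings.TrimSpace(val), 10, 64)
			if err != nil {
				return "", fmt.Errorf("bad value for %q: %w", key, err)
			}
			counts[key] = n
		}
	}
	if jail == "" || len(counts) != 2 {
		return "", fmt.Errorf("incomplete fail2ban-client status output")
	}
	return fmt.Sprintf("fail2ban,jail=%s failed=%di,banned=%di %d", tagEscaper.Replace(jail),
		counts["Currently failed"], counts["Currently banned"], tsNanos), nil
}

func main() {
	fmt.Println(jailMetric(sampleStatus, 1495868667000000000))
}
```

Returning an error when a counter is absent keeps a truncated or reformatted status output from being recorded as zero failures and zero bans.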
Key Fail2ban metrics to use for monitoring
Some of the important Fail2ban metrics that you should proactively monitor include:
- failed (integer, count)
- banned (integer, count)