Why use a Telegraf plugin for Fail2ban?

Fail2Ban is an intrusion prevention software framework that protects computer servers from brute-force attacks. The Fail2ban Telegraf plugin lets you collect and monitor the counts of failed and banned IP addresses over time.

How to monitor Fail2ban using the Telegraf plugin

The Fail2ban Telegraf plugin gathers the count of failed and banned IP addresses using Fail2ban.

This plugin runs the fail2ban-client command, which generally requires root access. The required permissions can be granted in either of two ways:

  • Use sudo to run fail2ban-client.
  • Run telegraf as root (not recommended).

Example output

# fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed: 5
|  |- Total failed:     20
|  `- File list:        /var/log/secure
`- Actions
   |- Currently banned: 2
   |- Total banned:     10
   `- Banned IP list:   192.168.0.1 192.168.0.2

fail2ban,jail=sshd failed=5i,banned=2i 1495868667000000000

Key Fail2ban metrics to use for monitoring

Some of the important Fail2ban metrics that you should proactively monitor include:

  • tags:
    • jail
  • fields:
    • failed (integer, count)
    • banned (integer, count)
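
How the `fail2ban-client status` report shown above maps to the `jail` tag and the `failed` and `banned` fields, as an added Python example. It is not the plugin's own code; the function names are assumptions made for illustration, and the sample input is the report from this page.

```python
import re

# Constructed sample: the `fail2ban-client status sshd` report from this page.
SAMPLE = """\
Status for the jail: sshd
|- Filter
|  |- Currently failed: 5
|  |- Total failed:     20
|  `- File list:        /var/log/secure
`- Actions
   |- Currently banned: 2
   |- Total banned:     10
   `- Banned IP list:   192.168.0.1 192.168.0.2
"""

_JAIL = re.compile(r"^Status for the jail:\s*(\S+)\s*$")
# Skip the tree-drawing prefix ("|", "`", "-", spaces), then split "key: value".
_ENTRY = re.compile(r"^[|`\-\s]*(?P<key>[^:]+?):\s*(?P<value>.*)$")
_FIELDS = {"Currently failed": "failed", "Currently banned": "banned"}

def parse_status(text):
    """Return (jail, {"failed": int, "banned": int}) from one status report."""
    jail, fields = None, {}
    for line in text.splitlines():
        m = _JAIL.match(line)
        if m:
            jail = m.group(1)
            continue
        m = _ENTRY.match(line)
        if m and m.group("key") in _FIELDS:
            fields[_FIELDS[m.group("key")]] = int(m.group("value"))
    missing = sorted(set(_FIELDS.values()) - fields.keys())
    if jail is None or missing:
        raise ValueError(f"incomplete report: jail={jail!r} missing={missing}")
    return jail, fields

def escape_tag(value):
    """Escape the characters line protocol treats as special in tag values."""
    return re.sub(r"([,= ])", r"\\\1", value)

def to_line_protocol(text, timestamp_ns):
    """Render one report as a `fail2ban` measurement in line protocol."""
    jail, fields = parse_status(text)
    return (f"fail2ban,jail={escape_tag(jail)} "
            f"failed={fields['failed']}i,banned={fields['banned']}i {timestamp_ns}")

if __name__ == "__main__":
    print(to_line_protocol(SAMPLE, 1495868667000000000))
```

Only the "Currently" counters become fields; the totals and the banned IP list are not part of the metric, and a truncated report raises an error instead of emitting a partial point.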

For more information, please check out the documentation.
