Check fail2ban

Overview

Checks the amount of banned IP addresses for all jails in Fail2ban.

Permission denied to socket: /var/run/fail2ban/fail2ban.sock, (you must be root)

The Fail2ban client (used by this check plugin internally) works only with ùser root by default. The reasons:

Fail2ban does not have individual permission or a user privilege model.
If you would allow the Fail2ban client accessing the Fail2ban sever for non-root, you could stop the server, change runtime config, ban, unban, etc.

Preparing Fail2ban by changing permissions

Tested on Debian 11.

The communication takes place via unix-socket /var/run/fail2ban/fail2ban.sock which has the following permissions:

srwx------ 1 root root ... /var/run/fail2ban/fail2ban.sock

So you have to grant access to fail2ban.sock for a user like nagios or icinga, for example like so:

sudo groupadd fail2ban
sudo usermod --append --groups fail2ban nagios
sudo chown root:fail2ban /var/run/fail2ban/fail2ban.sock
sudo chmod g+w /var/run/fail2ban/fail2ban.sock

After that, this (and so the check plugin) should work:

sudo -u nagios /usr/bin/fail2ban-client status
sudo -u nagios /usr/lib64/nagios/plugins/fail2ban

To persist on a system where Fail2ban is managed by Systemd, add the following to the Fail2ban service override file:

sudo systemctl edit fail2ban

[Service]
ExecStartPost=/usr/bin/sh -c "while ! [ -S /var/run/fail2ban/fail2ban.sock ]; do sleep 1; done"
ExecStartPost=/usr/bin/chgrp fail2ban /var/run/fail2ban/fail2ban.sock
ExecStartPost=/usr/bin/chmod g+w /var/run/fail2ban/fail2ban.sock

Preparing Fail2ban by using sudo

Tested on RHEL 7+.

As an alternative you might add a sudoers rule, for example in /etc/sudoers.d/fail2ban:

Defaults:icinga !requiretty
icinga    ALL = NOPASSWD: /usr/lib64/nagios/plugins/fail2ban

Click this link to find a list of sudoers files for all main Linux distributions for Icinga.

Fact Sheet

Check Plugin Download	https://github.com/Linuxfabrik/monitoring-plugins/tree/main/check-plugins/fail2ban
Check Interval Recommendation	Once a minute
Can be called without parameters	Yes
Compiled for	Linux

Help

usage: fail2ban [-h] [-V] [--always-ok] [-c CRIT] [--test TEST] [-w WARN]

In fail2ban, checks the amount of banned IP addresses per jail.

options:
  -h, --help            show this help message and exit
  -V, --version         show program's version number and exit
  --always-ok           Always returns OK.
  -c CRIT, --critical CRIT
                        Set the critical threshold for banned IPs per jail.
                        Default: 10000
  --test TEST           For unit tests. Needs "path-to-stdout-file,path-to-
                        stderr-file,expected-retc".
  -w WARN, --warning WARN
                        Set the warning threshold for banned IPs per jail.
                        Default: 2500

Usage Examples

./fail2ban --warning 2500 --critical 10000

Output:

IPs banned - apache-dos: 2, portscan: 0, sshd: 5432 [WARNING]

States

WARN or CRIT if number of blocked IP addresses is above a given threshold per jail.

Perfdata / Metrics

Name	Type	Description
<jail>	Number	Number of blocked IP addresses.

Credits, License

Authors: Linuxfabrik GmbH, Zurich
License: The Unlicense, see LICENSE file.