Check fail2ban
Overview
Checks the amount of banned IP addresses for all jails in Fail2ban.
Permission denied to socket: /var/run/fail2ban/fail2ban.sock, (you must be root)
The Fail2ban client (used by this check plugin internally) works only with ùser root
by default. The reasons:
Fail2ban does not have individual permission or a user privilege model.
If you would allow the Fail2ban client accessing the Fail2ban sever for non-root, you could stop the server, change runtime config, ban, unban, etc.
Preparing Fail2ban by changing permissions
Tested on Debian 11.
The communication takes place via unix-socket /var/run/fail2ban/fail2ban.sock
which has the following permissions:
srwx------ 1 root root ... /var/run/fail2ban/fail2ban.sock
So you have to grant access to fail2ban.sock
for a user like nagios
or icinga
, for example like so:
sudo groupadd fail2ban
sudo usermod --append --groups fail2ban nagios
sudo chown root:fail2ban /var/run/fail2ban/fail2ban.sock
sudo chmod g+w /var/run/fail2ban/fail2ban.sock
After that, this (and so the check plugin) should work:
sudo -u nagios /usr/bin/fail2ban-client status
sudo -u nagios /usr/lib64/nagios/plugins/fail2ban
To persist on a system where Fail2ban is managed by Systemd, add the following to the Fail2ban service override file:
sudo systemctl edit fail2ban
[Service]
ExecStartPost=/usr/bin/sh -c "while ! [ -S /var/run/fail2ban/fail2ban.sock ]; do sleep 1; done"
ExecStartPost=/usr/bin/chgrp fail2ban /var/run/fail2ban/fail2ban.sock
ExecStartPost=/usr/bin/chmod g+w /var/run/fail2ban/fail2ban.sock
Preparing Fail2ban by using sudo
Tested on RHEL 7+.
As an alternative you might add a sudoers rule, for example in /etc/sudoers.d/fail2ban
:
Defaults:icinga !requiretty
icinga ALL = NOPASSWD: /usr/lib64/nagios/plugins/fail2ban
Click this link to find a list of sudoers files for all main Linux distributions for Icinga.
Fact Sheet
Check Plugin Download |
https://github.com/Linuxfabrik/monitoring-plugins/tree/main/check-plugins/fail2ban |
Check Interval Recommendation |
Once a minute |
Can be called without parameters |
Yes |
Available for |
Python 2, Python 3 |
Requirements |
None |
Help
usage: fail2ban [-h] [-V] [--always-ok] [-c CRIT] [-w WARN]
In fail2ban, checks the amount of banned IP addresses (for a list of jails).
optional arguments:
-h, --help show this help message and exit
-V, --version show program's version number and exit
--always-ok Always returns OK.
-c CRIT, --critical CRIT
Set the critical threshold for banned IPs. Default:
10000
-w WARN, --warning WARN
Set the warning threshold for banned IPs. Default:
1000
Usage Examples
./fail2ban --warning 1000 --critical 10000
Output:
787 IPs banned in jail "linuxfabrik-portscan" (acting on /var/log/messages), 0 IPs banned in jail "sshd"
States
WARN or CRIT if number of blocked IP addresses is above a given threshold.
Perfdata / Metrics
Per jail:
Number of blocked IP addresses.
Credits, License
Authors: Linuxfabrik GmbH, Zurich
License: The Unlicense, see LICENSE file.