
zabbix-fail2ban-discovery-'s Introduction

Fail2Ban template for Zabbix

Features:

  • Automatic discovery of jails
  • Monitor service status
  • Monitor jails
  • Jails graph

Installation

1. Set configuration file

Download the latest version of the configuration file fail2ban.conf from the repo. For Zabbix agent, put the file at /etc/zabbix/zabbix_agentd.d/fail2ban.conf; for Zabbix agent 2, put it at /etc/zabbix/zabbix_agent2.d/fail2ban.conf.

Zabbix Agent

wget https://raw.githubusercontent.com/hermanekt/zabbix-fail2ban-discovery-/master/fail2ban.conf -O /etc/zabbix/zabbix_agentd.d/fail2ban.conf

Zabbix Agent 2

wget https://raw.githubusercontent.com/hermanekt/zabbix-fail2ban-discovery-/master/fail2ban.conf -O /etc/zabbix/zabbix_agent2.d/fail2ban.conf

2. Grant access to Fail2Ban

Fail2ban works only with root by default. We need to grant the zabbix user permission to query Fail2ban by adding these 2 lines to /etc/sudoers:

zabbix ALL=NOPASSWD: /usr/bin/fail2ban-client status
zabbix ALL=NOPASSWD: /usr/bin/fail2ban-client status *

Then apply the new sudoers and Zabbix agent settings:

/etc/init.d/sudo restart
/etc/init.d/zabbix-agent restart

OR

/etc/init.d/sudo restart
/etc/init.d/zabbix-agent2 restart

If you have systemd, use the corresponding command instead:

systemctl restart zabbix-agent

OR

systemctl restart zabbix-agent2

3. Test Zabbix Agent setting

Zabbix Agent

root@server:~$ sudo -u zabbix zabbix_agentd -c /etc/zabbix/zabbix_agentd.conf -t fail2ban.discovery
fail2ban.discovery [s|{"data":[{"{#JAIL}":"imapd"}, {"{#JAIL}":"sendmail-reject"}, {"{#JAIL}":"sshd"}, {"{#JAIL}":"wordpress"}]}]

root@server:~$ sudo -u zabbix zabbix_agentd -c /etc/zabbix/zabbix_agentd.conf -t fail2ban.status['sshd']
fail2ban.status[sshd]                         [s|191]

Zabbix Agent 2

root@server:~$ sudo -u zabbix zabbix_agent2 -c /etc/zabbix/zabbix_agent2.conf -t fail2ban.discovery
fail2ban.discovery [s|{"data":[{"{#JAIL}":"imapd"}, {"{#JAIL}":"sendmail-reject"}, {"{#JAIL}":"sshd"}, {"{#JAIL}":"wordpress"}]}]

root@server:~$ sudo -u zabbix zabbix_agent2 -c /etc/zabbix/zabbix_agent2.conf -t fail2ban.status['sshd']
fail2ban.status[sshd]                         [s|191]

A response like the one above, with the list of jails, means that everything works fine.

Configure the Zabbix Server

  1. Import the template file into Zabbix Server (this operation is done only once). There are 2 versions: one for Ubuntu/Debian and one for other systems!
  2. Change the update interval to what pleases you (default is 1 minute).
  3. Add the template to your hosts.


zabbix-fail2ban-discovery-'s People

Contributors

altmas5, exi, hermanekt, jackthird, misterbenj34, rvalitov, santiagobiali


zabbix-fail2ban-discovery-'s Issues

Ubuntu 22.04 and Zabbix 6 are not reporting correct f2b status

Seems that Ubuntu 22.04 and Zabbix 6 are not reporting correct f2b status. Zabbix shows the service as "Down" when in fact it is confirmed as Up.

root@aaaaaa:~# systemctl status fail2ban
● fail2ban.service - Fail2Ban Service
     Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; vendor preset: enabled)
     Active: active (running) since Thu 2022-12-01 18:52:51 PST; 7min ago
       Docs: man:fail2ban(1)
   Main PID: 4077 (fail2ban-server)
      Tasks: 17 (limit: 19118)
     Memory: 14.1M
        CPU: 3.243s
     CGroup: /system.slice/fail2ban.service
             └─4077 /usr/bin/python3 /usr/bin/fail2ban-server -xf start

Dec 01 18:52:51 aaaaa.com systemd[1]: Started Fail2Ban Service.
Dec 01 18:52:51 aaaaa.com fail2ban-server[4077]: Server ready

Zabbix:

Timestamp | Fail2Ban service is running
-- | --
2022-12-01 19:01:38 | Down (0)
2022-12-01 19:00:38 | Down (0)
2022-12-01 18:59:38 | Down (0)

zabbix_server (Zabbix) 6.2.3
Ubuntu version: 22.04.1

Error during import of template file on Zabbix 4.2

Hi
I'm having issues importing the template in a freshly installed zabbix 4.2 system. When I import the file the following message appears:

Invalid tag "/zabbix_export/templates/template(1)/discovery_rules/discovery_rule(1)": the tag "master_item" is missing.

Since I'm really new to zabbix I don't know how to debug this problem.

Not work (Zabbix 4.0)

Hi.
On a host with debian 9 in the detection rules: Unsupported item key.
What could be the problem?
p.s. zabbix 4.0

Use without root

For security it's better to use the template without granting root for the Zabbix agent

Detect malformed fail2ban database

I've had a quick look at this template and I don't think it will detect the main error I'm looking to avoid with fail2ban.

Today I discovered f2b had stopped working on one of our servers. When I requested the status of the service I saw an error like this:

# systemctl status fail2ban
● fail2ban.service - Fail2Ban Service
   Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; vendor preset: enabled)
   Active: active (running) since Tue 2020-10-20 19:53:17 BST; 14h ago
     Docs: man:fail2ban(1)
 Main PID: 3181 (fail2ban-server)
    Tasks: 3
   Memory: 34.8M
      CPU: 40.139s
   CGroup: /system.slice/fail2ban.service
           └─3181 /usr/bin/python3 /usr/bin/fail2ban-server -s /var/run/fail2ban/fail2ban.sock -p /var/run/fail2ban/fail2ban.pid -x -b

Oct 20 19:53:14 OURSERVER systemd[1]: Starting Fail2Ban Service...
Oct 20 19:53:17 OURSERVER fail2ban-client[2645]: 2020-10-20 19:53:17,313 fail2ban.server         [3175]: INFO    Starting Fail2ban v0.
Oct 20 19:53:17 OURSERVER fail2ban-client[2645]: 2020-10-20 19:53:17,313 fail2ban.server         [3175]: INFO    Starting in daemon mo
Oct 20 19:53:17 OURSERVER fail2ban-client[2645]: ERROR  NOK: ('database disk image is malformed',)
Oct 20 19:53:17 OURSERVER systemd[1]: Started Fail2Ban Service.

As you can see, systemd thought the service was still active and running when really it wasn't, due to the corrupted database. It seems the current template only checks to see if fail2ban-server is running, and I suspect that in my case the template would not have detected it.

Does fail2ban-server stop running when the database is corrupted? It doesn't seem to stop the systemd service.

New Trigger / Alerts on problems

Hello guys, first of all congratulations for this good work!

I wanna ask you if it is possible to have a trigger to create an alert under Problems once a new IP is banned, perhaps a grep on the /var/log/fail2ban.log log.

Thanks in advance! :)

Zabbix 5.0

Hello!
Do you plan to support Zabbix 5.0? Do you need help with this?

Fail2ban server is Down

hi, all the data about the banned ip is received successfully, but the system always sends that Fail2ban server is Down
CentOS 7
Zabbix 5.2

Persist socket permission changes

The installation instructions cover changing the fail2ban socket permissions for access as a non root user, however these changes are lost the next time the socket is created.

To persist on a system where fail2ban is managed by systemd, add the following to the fail2ban service override file

systemctl edit fail2ban

[Service]
ExecStartPost=/bin/sh -c "while ! [ -S /run/fail2ban/fail2ban.sock ]; do sleep 1; done"
ExecStartPost=/bin/chgrp fail2ban /run/fail2ban/fail2ban.sock
ExecStartPost=/bin/chmod g+w /run/fail2ban/fail2ban.sock

Several XML-errors on import of Template-Fail2ban50-UBUNTU20.xml

I tried to use the template file with Ubuntu 20.04 and Zabbix 5.0.6, but it shows several issues within the XML-file, e.g.:

In line 69 sth. like <meta name="hovercard-subject-tag" content="repository:161399386" data-pjax-transient="true" >

instead of just <meta name="hovercard-subject-tag" content="repository:161399386" data-pjax-transient> and several similar ones.

Thx
Andreas

Template improve

Hi,

It's better to use this expression in the template's trigger definition:

<items> <item> <name>Fail2Ban service is running</name> <type>0</type> <snmp_community/> <snmp_oid/> <key>proc.num[,,,fail2ban-server]</key> ....
It is more flexible when you have servers with different versions of Python...

proc.num[fail2ban-server] returns 0 on Ubuntu 20.04.1 LTS

Hi,

This is the second box with Ubuntu 20.04 that I'm deploying with this template, I got this behavior on both of them.
zabbix_agentd -t proc.num[fail2ban-server] returns zero even when fail2ban is running and the autodiscovery rule is working fine, so no misconfiguration here. I have used this template a lot in the past (thank you BTW).

This is the environment:

Running the item

zabbix_agentd -t proc.num[fail2ban-server]
proc.num[fail2ban-server]                     [u|0]

Workaround 1:

zabbix_agentd -t proc.num[,,,fail2ban-server]
proc.num[,,,fail2ban-server]                  [u|2]

Workaround 2 (more precise):

zabbix_agentd -t proc.num[python3,,,fail2ban-server]
proc.num[python3,,,fail2ban-server]           [u|1]
fail2ban-server -V
0.11.1
zabbix_agentd -V
zabbix_agentd (daemon) (Zabbix) 4.0.17
Revision a528a0a4bc 28 January 2020, compilation time: Feb  4 2020 04:03:41

Copyright (C) 2020 Zabbix SIA
License GPLv2+: GNU GPL version 2 or later <http://gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it according to
the license. There is NO WARRANTY, to the extent permitted by law.

Compiled with GnuTLS 3.6.11
Running with GnuTLS 3.6.13
Ubuntu 20.04.1 LTS

How the output of ps -Af|grep fail2ban looks:

/usr/bin/python3 /usr/bin/fail2ban-server -xf start

How the output used to look under Fail2Ban v0.10.2:

/usr/bin/python /usr/bin/fail2ban-server -b -s /var/run/fail2ban/fail2ban.sock -p /var/run/fail2ban/fail2ban.pid

Simplified setup

The doc seems to recommend a convoluted setup.
One can simply set up this template by following the steps below:

  1. Add following line at sudoers file
    zabbix ALL= (ALL) NOPASSWD: /usr/bin/fail2ban-client

  2. Edit fail2ban.conf, and prepend sudo at the used commands. Example:

UserParameter=fail2ban.status[*],sudo fail2ban-client status '$1' | grep 'Currently banned:' | grep -E -o '[0-9]+'
UserParameter=fail2ban.discovery,sudo fail2ban-client status | grep 'Jail list:' | sed -e 's/^.*:\W\+//' -e 's/\(\(\w\|-\)\+\)/{"{#JAIL}":"\1"}/g' -e 's/.*/{"data":[\0]}/'
  3. Copy fail2ban.conf at /etc/zabbix/zabbix_agentd.d

  4. Restart zabbix-agent:
    systemctl restart zabbix-agent

Note:

I had to amend the template to correctly detect status of fail2ban-server as following:
proc.num[python2,root,,fail2ban-server]

In case your fail2ban is running with another user than root, then replace root with your user.
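
Added example (not part of the post above or of the project's code): a sudoers rule that names /usr/bin/fail2ban-client without arguments lets sudo accept any arguments, so the zabbix user can run every client subcommand, while the two README rules pin it to status. The script below classifies such rules; the sample lines are constructed from the rules shown on this page and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed input: the two README rules and the broad rule from the
# "Simplified setup" post.
sample_sudoers() {
    cat <<'EOF'
zabbix ALL=NOPASSWD: /usr/bin/fail2ban-client status
zabbix ALL=NOPASSWD: /usr/bin/fail2ban-client status *
zabbix ALL= (ALL) NOPASSWD: /usr/bin/fail2ban-client
EOF
}

# Classify every zabbix NOPASSWD rule for fail2ban-client read on stdin.
#   status-only   arguments must start with the "status" subcommand
#   unrestricted  no arguments listed, so sudo accepts any subcommand
#   other         some other argument pattern; review it by hand
# Output: verdict, a tab, then the original rule.
audit_f2b_sudoers() {
    awk '
        $1 == "zabbix" && /NOPASSWD:/ && /fail2ban-client/ {
            args = $0
            sub(/^.*fail2ban-client[ \t]*/, "", args)
            sub(/[ \t]+$/, "", args)
            if (args == "")                         verdict = "unrestricted"
            else if (args ~ /^status([ \t]+\*)?$/)  verdict = "status-only"
            else                                    verdict = "other"
            printf "%s\t%s\n", verdict, $0
        }
    '
}

# Number of rules that allow any fail2ban-client subcommand through sudo.
count_unrestricted() {
    audit_f2b_sudoers | awk -F'\t' '$1 == "unrestricted" { n++ } END { print n + 0 }'
}

sample_sudoers | audit_f2b_sudoers
```

To audit a real host, feed it the sudoers file and any drop-in files as root, for example `cat /etc/sudoers /etc/sudoers.d/* | audit_f2b_sudoers`.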

Unsupported item key in Zabbix 5.0

I'm getting the error Unsupported item key in Zabbix 5.0. I have the following configuration:

root@server:~# dpkg -l | grep fail2ban
ii fail2ban 0.11.1-1 all ban hosts that cause multiple authentication errors

root@server:~# fail2ban-client status
Status
|- Number of jail: 9
`- Jail list: apache-badbots, apache-botsearch, apache-fakegooglebot, apache-modsecurity, apache-nohome, apache-noscript, apache-overflows, apache-shellshock, sshd

root@server:~# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 20.04.2 LTS
Release: 20.04
Codename: focal

root@server:~# dpkg -l | grep zabbix
ii zabbix-agent 1:5.0.8-1+focal amd64 Zabbix network monitoring solution - agent
ii zabbix-release 1:5.0-1+focal all Zabbix official repository configuration

I downloaded the Version 5.0 template from the zabbix share. I followed all of the installation steps.

fail2ban.discovery sed not working for non root user

Hi,

I try to use your template on a Zabbix 4.4 on Ubuntu 18.04 with zabbix-agent2.

With root your command fail2ban.discovery works:

fail2ban-client status | grep 'Jail list:' | sed -e 's/^.*:\W\+//' -e 's/\(\(\w\|-\)\+\)/{"{#JAIL}":"\1"}/g' -e 's/.*/{"data":[\0]}/'
{"data":[{"{#JAIL}":"postfix-auth"}, {"{#JAIL}":"sshd"}]}

But with the user zabbix the return is not the same:

su - zabbix -s /bin/bash -c "fail2ban-client status | grep 'Jail list:' | sed -e 's/^.*:\W\+//' -e 's/\(\(\w\|-\)\+\)/{"{#JAIL}":"\1"}/g' -e 's/.*/{"data":[\0]}/'"
NOT root user
{data:[{{#JAIL}:1}, {{#JAIL}:1}]}

I follow your how to

ls -l /var/run/fail2ban/fail2ban.sock
srwx-w---- 1 root fail2ban 0 mai   11 15:21 /var/run/fail2ban/fail2ban.sock

If I remove the sed part:

su - zabbix -s /bin/bash -c "fail2ban-client status | grep 'Jail list:'"
NOT root user
`- Jail list:	postfix-auth, sshd

I missed something?

Thanks!
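
Added example (not part of the post above or of the project's code): in the `su -c "..."` call the sed expression sits inside an outer double-quoted string, so the shell consumes the inner quotes and the backslash of `\1` before sed runs, which reproduces the `{{#JAIL}:1}` output shown. Keeping the parser in a function or script file avoids the nesting. The sample input is constructed from the jail names in the post; the function names and the script path in the comment are hypothetical.

```shell
#!/bin/sh
# Constructed sample of `fail2ban-client status` output; jail names are the
# ones from the post above and a tab follows each colon.
sample_status() {
    printf 'Status\n|- Number of jail:\t2\n`- Jail list:\tpostfix-auth, sshd\n'
}

# The sed expression as the outer shell passes it on when it sits inside the
# double-quoted argument of su -c "...": every inner " closes or reopens the
# string, so the quotes vanish and the now unquoted \1 loses its backslash.
nested_quote_demo() {
    printf '%s\n' "s/\(\(\w\|-\)\+\)/{"{#JAIL}":"\1"}/g"
}

# Read `fail2ban-client status` text on stdin and print Zabbix LLD JSON.
# Names with characters outside [A-Za-z0-9_-] are dropped, so nothing from
# the client output can break out of the JSON string.
f2b_discovery() {
    awk -F: '
        /Jail list:/ {
            found = 1
            n = split($2, jails, ",")
            out = ""
            for (i = 1; i <= n; i++) {
                j = jails[i]
                gsub(/^[ \t]+|[ \t]+$/, "", j)
                if (j !~ /^[A-Za-z0-9_-]+$/) continue
                out = out (out == "" ? "" : ", ") "{\"{#JAIL}\":\"" j "\"}"
            }
            printf "{\"data\":[%s]}\n", out
        }
        END { if (!found) print "{\"data\":[]}" }
    '
}

# To test as the agent user without nested quoting, keep the parser in a
# file, for example: su - zabbix -s /bin/sh -c /usr/local/bin/f2b-discovery
# (hypothetical path).
sample_status | f2b_discovery
nested_quote_demo
```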

40-ubuntu template does not import in zabbix 4

I get this error:

    Cannot find item "fail2ban.status[{#JAIL}]" on "Template Fail2ban" used in graph prototype "Count of banned IPs on jail {#JAIL}" of discovery rule "Fail2ban discovery" on "Template Fail2ban Ubuntu 20.04".

Once I remove the graph section from the template, it imports just fine.
