# Fail2ban Input Plugin

The fail2ban plugin gathers the count of failed and banned IP addresses using
[fail2ban](https://www.fail2ban.org).

This plugin runs the `fail2ban-client` command, which generally requires root
access. Acquiring the required permissions can be done using several methods:

- [Use sudo](#using-sudo) to run fail2ban-client.
- Run telegraf as root. (not recommended)

## Global configuration options <!-- @/docs/includes/plugin_config.md -->

In addition to the plugin-specific configuration settings, plugins support
additional global and plugin configuration settings. These settings are used to
modify metrics, tags, and fields, or to create aliases and configure ordering, etc.
See the [CONFIGURATION.md][CONFIGURATION.md] for more details.

[CONFIGURATION.md]: ../../../docs/CONFIGURATION.md#plugins

## Configuration

```toml @sample.conf
# Read metrics from fail2ban.
[[inputs.fail2ban]]
  ## Use sudo to run fail2ban-client
  # use_sudo = false

  ## Use the given socket instead of the default one
  # socket = "/var/run/fail2ban/fail2ban.sock"
```

## Using sudo

Make sure to set `use_sudo = true` in your configuration file.

You will also need to update your sudoers file. It is recommended to modify a
file in the `/etc/sudoers.d` directory using `visudo`:

```bash
sudo visudo -f /etc/sudoers.d/telegraf
```

Add the following lines to the file. These commands allow the `telegraf` user
to call `fail2ban-client` without needing to provide a password and disable
logging of the call in the auth.log. Consult `man 8 visudo` and
`man 5 sudoers` for details.

```text
Cmnd_Alias FAIL2BAN = /usr/bin/fail2ban-client status, /usr/bin/fail2ban-client status *
telegraf ALL=(root) NOEXEC: NOPASSWD: FAIL2BAN
Defaults!FAIL2BAN !logfile, !syslog, !pam_session
```

## Metrics

- fail2ban
  - tags:
    - jail
  - fields:
    - failed (integer, count)
    - banned (integer, count)

## Example Output

```text
fail2ban,jail=sshd failed=5i,banned=2i 1495868667000000000
```

### Execute the binary directly

```shell
# fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed: 5
|  |- Total failed: 20
|  `- File list: /var/log/secure
`- Actions
   |- Currently banned: 2
   |- Total banned: 10
   `- Banned IP list: 192.168.0.1 192.168.0.2
```
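
The `failed` and `banned` fields correspond to the "Currently failed" and "Currently banned" counters in the status output above. The following is an added Go example, not Telegraf's own code, that parses that output into the line-protocol form shown under Example Output and returns an error instead of reporting zeros when a counter is missing. `ParseJailStatus` and `Sample` are hypothetical names, and the sample is the status output shown on this page.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Sample is the status output shown on this page, embedded so this runs offline.
const Sample = "Status for the jail: sshd\n|- Filter\n" +
	"|  |- Currently failed: 5\n|  |- Total failed: 20\n" +
	"|  `- File list: /var/log/secure\n`- Actions\n" +
	"   |- Currently banned: 2\n   |- Total banned: 10\n" +
	"   `- Banned IP list: 192.168.0.1 192.168.0.2\n"

// ParseJailStatus (hypothetical helper) reads the "Currently failed" and
// "Currently banned" counters and renders them as the fail2ban line-protocol
// metric. It assumes the jail name needs no line-protocol escaping.
func ParseJailStatus(jail, out string, tsNanos int64) (string, error) {
	counts := map[string]int64{}
	sc := bufio.NewScanner(strings.NewReader(out))
	for sc.Scan() {
		// Drop the tree-drawing prefix ("|", "-", "`", spaces) before the label.
		line := strings.TrimLeft(sc.Text(), "|-` \t")
		label, value, ok := strings.Cut(line, ":")
		if !ok || (label != "Currently failed" && label != "Currently banned") {
			continue
		}
		n, err := strconv.ParseInt(strings.TrimSpace(value), 10, 64)
		if err != nil || n < 0 {
			return "", fmt.Errorf("jail %q: invalid %q value %q", jail, label, value)
		}
		counts[label] = n
	}
	// Refuse to emit zeros when a counter is absent (error text, changed format).
	failed, okF := counts["Currently failed"]
	banned, okB := counts["Currently banned"]
	if !okF || !okB {
		return "", fmt.Errorf("jail %q: counters missing from output", jail)
	}
	return fmt.Sprintf("fail2ban,jail=%s failed=%di,banned=%di %d",
		jail, failed, banned, tsNanos), nil
}

func main() {
	line, err := ParseJailStatus("sshd", Sample, 1495868667000000000)
	fmt.Println(line, err)
}
```

Failing closed matters for monitoring: a collector that silently reports `failed=0,banned=0` when the command output is unreadable looks the same on a dashboard as a quiet host.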