Glen Pitt-Pladdy :: Blog

fail2ban on Cacti via SNMP

fail2ban is a popular intrusion (and abuse) protection tool: it watches log files for failed authentication attempts and updates firewall rules in response.

For example, if there are repeated failed attempts on your ssh port, the offending IP is banned for several minutes or even hours, which makes brute force attacks from one source practically impossible. More often than not the attacks are against SMTP servers (spammers looking for a relay) or web forms and forums, and fail2ban works equally well there.

fail2ban to SNMP

This is based on my SNMP Basics article, with my Universal Log Analyser doing the work of processing the fail2ban log files into stats to ship via snmpd. Get to grips with those two first; then you will need the Universal Log Analyser plugin for fail2ban (see below).

Place that where you keep the plugins and add the following to /etc/snmp/local-snmp/cronjob:

# run fail2ban stats
/etc/snmp/uloganalyser \
    /var/log/fail2ban.log.1 \
    /var/log/fail2ban.log \
    /var/local/snmp/fail2ban \
    fail2ban

That tells uloganalyser to process the fail2ban logs with the fail2ban plugin, putting the results in /var/local/snmp/fail2ban. From there an snmpd extension script (fail2ban-stats) picks up the data.

Put that script somewhere suitable (e.g. /etc/snmp) and add the following config to your /etc/snmp/snmpd.conf, restarting snmpd afterwards:

extend fail2ban /etc/snmp/fail2ban-stats
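
What the snmpd extension script has to deliver, as an added Python illustration that is not the project's own fail2ban-stats script: it reads the key=value state file the cronjob leaves in /var/local/snmp/fail2ban and prints one line per service class for snmpd to expose. Cacti reads extend output by line position, so a class whose counter is absent from the state file (the CentOS symptom discussed in the comments below) is emitted as 0 rather than dropped. The state-file format, the class list and the output line format are assumptions inferred from the comment thread; the sample state is constructed.

```python
import sys

# Service classes the Cacti graph expects, in a fixed order. Cacti reads the
# extend output lines by position, so every class must always be emitted,
# with 0 when its counter is absent. (Class list assumed from the comment
# thread; the real fail2ban-stats script may differ.)
CLASSES = ("ssh", "mail", "other")
STATE_FILE = "/var/local/snmp/fail2ban"   # where the cronjob writes uloganalyser's output


def parse_state(text):
    """Parse the key=value state file uloganalyser writes.

    The format is inferred from the comment thread (lastrun=..., lastline=...,
    fail2ban:banned:ssh=...). Only the first '=' splits key from value, so a
    repeatline holding a full log line stays intact.
    """
    state = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            state[key.strip()] = value.strip()
    return state


def banned_counts(state, classes=CLASSES):
    """Current banned count per class; 0 where the key is missing or not numeric."""
    counts = {}
    for cls in classes:
        raw = state.get(f"fail2ban:banned:{cls}", "0")
        try:
            counts[cls] = int(raw)
        except ValueError:
            counts[cls] = 0
    return counts


def extend_output(state, classes=CLASSES):
    """The lines snmpd publishes as nsExtendOutLine for 'extend fail2ban'."""
    counts = banned_counts(state, classes)
    return [f"fail2ban:banned:{cls}={counts[cls]}" for cls in classes]


# Constructed state file reproducing the CentOS symptom from the comments:
# the fail2ban:banned:ssh line never got written.
SAMPLE_STATE = """\
lastrun=1418645581
lastline=533
lastposition=48288
repeatline=2014-12-14 02:55:17,837 fail2ban.actions[28205]: WARNING [ssh-iptables] Ban 96.36.12.142
lastinode=195267
fail2ban:banned:mail=2
fail2ban:banned:other=0
"""

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else STATE_FILE
    try:
        with open(path) as fh:
            text = fh.read()
    except OSError:
        text = ""   # no state yet (cronjob has not run): still emit a full set of zeros
    print("\n".join(extend_output(parse_state(text))))
```

Wired in as `extend fail2ban /etc/snmp/fail2ban-stats` (with this file saved there and made executable), the lines can be checked from the Cacti side with `snmpwalk -v2c -c <community> <host> 'NET-SNMP-EXTEND-MIB::nsExtendOutLine."fail2ban"'`; the number and order of lines is what the data template depends on.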

SNMP to Cacti

At this point your Cacti host definition needs to be working for SNMP and you should be able to simply import the template and add the graph.

Download: Universal Log Analyser plugin and Cacti template for fail2ban on GitHub

Extending

This is only a very small template as I only expose very limited services to the outside world, but it's easy to add more categories:

  • In fail2ban.pm add classifications mapping the definitions in jail.conf and jail.local to a classification. These look for things like "... fail2ban.actions: WARNING [postfix] Ban ***.***.***.*** ..." in fail2ban logs to determine what classes of service are being banned.
  • If you add a new classification then:
    • add it to the fail2ban-stats script so it's also available to snmpd
    • create a new data template in Cacti for that classification
    • add that to the graph template

What it looks like

fail2ban statistics on Cacti

Comments:

voytek  2013-12-06 05:59 :: voytek

I've got a new server pre-configured with fail2ban from the iRedMail postfix server setup; in fail2ban it uses the 'service-iredmail' convention as below. Do I need to modify fail2ban.pm, or what else as well?

/etc/snmp/uloganalyser-plugin/fail2ban.pm 20130331:110 /var/log/messages:160530
unknown class "ssh-iredmail" fail2ban: Dec  6 14:21:53 emu fail2ban.actions: WARNING
[ssh-iredmail] Unban 183.129.249.98

/etc/snmp/uloganalyser-plugin/fail2ban.pm 20130331:83 /var/log/messages:159122
unknown fail2ban: Dec  6 13:15:29 emu fail2ban.actions: INFO   [postfix-iredmail]
50.70.125.250 already banned
-------------------------------------
# cat jail.local
# File generated by iRedMail (2013.11.05.17.36.10):
[ssh-iredmail]
..
[roundcube-iredmail]
..
[dovecot-iredmail]
..
[postfix-iredmail]

Glen Pitt-Pladdy  2013-12-08 22:35 :: Glen Pitt-Pladdy

These tools are built for my needs, which is to run on Debian-based systems. You are welcome to extend them for your needs. In the case of what classes things are logged in, see the %CLASSES hash in fail2ban.pm which defines what log items are classified to what class of service for graphing.

SadUsr  2014-12-15 12:16 :: SadUsr

This script looks good on Debian but I'm trying to fix some problems with fail2ban.pm on CentOS. After starting uloganalyser with the fail2ban plugin some information is missing inside the output file:
On CentOS I have

lastrun=1418645581
lastline=533
lastposition=48288
repeatline=2014-12-14 02:55:17,837 fail2ban.actions[28205]: WARNING [ssh-iptables] Ban 96.36.12.142
lastinode=195267

As you see, lines starting with fail2ban (fail2ban:banned:mail fail2ban:banned:other fail2ban:banned:ssh) are missing.

Any idea or clue how to fix this problem?

Glen Pitt-Pladdy  2014-12-15 20:53 :: Glen Pitt-Pladdy

I'm guessing from the "repeatline" that CentOS is using different labels from Debian. In Debian "ssh" is used, whereas in your line above "ssh-iptables" is used. The %CLASSES hash provides the mappings from jail names to service classifications. It's likely you need something like:

    'ssh-iptables' => 'ssh',

... and likewise for any other CentOS names that need mapping onto generic service classes.

SadUsr  2014-12-16 06:30 :: SadUsr

It was the first thing I added to the filter but still no results.

Maybe something is wrong inside the log file, because from my observation CentOS adds the process PID to fail2ban.actions:

2014-12-15 01:49:07,482 fail2ban.actions[28205]: WARNING [ssh-iptables] Ban 61.174.51.232
2014-12-15 03:07:38,474 fail2ban.actions[28205]: WARNING [ssh-iptables] Ban 23.253.97.132

Unfortunately there is no option to disable adding the PID in the config file.

Glen Pitt-Pladdy  2014-12-16 07:11 :: Glen Pitt-Pladdy

OK, then if the service classes are correct you will have to update the regular expressions to match any other format differences. The line prefix is taken care of in the 4th line of the "analyse" sub, and then the type of message and details in the if/elsif statements below that.

Essentially all this script does is match the lines with a regex, and then count up or down depending on Ban/Unban for the matching service class.
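
The matching-and-counting logic described in the reply above, together with the classification step from the Extending section, as an added Python sketch that is not the page's Perl plugin: a jail-to-class dictionary stands in for the %CLASSES hash, one regex accepts both the Debian prefix and the CentOS prefix with the PID that broke the match in this thread, and each Ban or Unban moves the counter of the matching service class up or down. Jails with no mapping are reported rather than silently dropped, which is the "unknown class" message from the first comment. The mapping entries, the function names and the sample log lines are constructed for this illustration (two of the addresses are the ones quoted in the thread).

```python
import re
from collections import Counter

# Jail name -> service class, standing in for the %CLASSES hash in fail2ban.pm.
# The entries are illustrative (jail names taken from the comment thread),
# not copied from the plugin.
CLASSES = {
    "ssh": "ssh",
    "ssh-iptables": "ssh",          # CentOS default jail name
    "ssh-iredmail": "ssh",          # iRedMail naming
    "postfix": "mail",
    "postfix-iredmail": "mail",
    "dovecot-iredmail": "mail",
    "roundcube-iredmail": "other",
}

# One pattern for both prefixes seen on the page:
#   Debian:  ... fail2ban.actions: WARNING [postfix] Ban 1.2.3.4
#   CentOS:  ... fail2ban.actions[28205]: WARNING [ssh-iptables] Ban 1.2.3.4
# The optional "[pid]" group is exactly what a Debian-only pattern lacks.
ACTION_RE = re.compile(
    r"fail2ban\.actions(?:\[\d+\])?:\s+"   # optional PID, as CentOS logs it
    r"(?P<level>[A-Z]+)\s+"                # WARNING / INFO / ...
    r"\[(?P<jail>[^\]]+)\]\s+"             # jail name from jail.conf / jail.local
    r"(?P<action>Ban|Unban)\s+"            # only these two change the counters
    r"(?P<ip>\S+)"
)


def analyse(lines, counts=None, classes=CLASSES):
    """Count Ban (+1) / Unban (-1) per service class over fail2ban log lines.

    Mirrors the plugin's analyse sub: prefix and message are matched by regex,
    the jail is mapped to a class, and the class counter moves up or down.
    Lines like "... already banned" do not match and are ignored. Returns the
    counters plus the list of jail names that have no mapping, so the admin
    can extend CLASSES instead of silently losing those bans.
    """
    counts = Counter() if counts is None else counts
    unknown = []
    for line in lines:
        m = ACTION_RE.search(line)
        if not m:
            continue
        cls = classes.get(m["jail"])
        if cls is None:
            unknown.append(m["jail"])
            continue
        counts[cls] += 1 if m["action"] == "Ban" else -1
    return counts, unknown


# Constructed sample mixing the prefix styles from the page: CentOS with PID,
# Debian without, and a syslog-relayed line (/var/log/messages). Addresses are
# documentation ranges except the two quoted in the comment thread.
SAMPLE_LOG = """\
2014-12-15 01:49:07,482 fail2ban.actions[28205]: WARNING [ssh-iptables] Ban 61.174.51.232
2014-12-15 03:07:38,474 fail2ban.actions[28205]: WARNING [ssh-iptables] Ban 23.253.97.132
2014-12-15 03:17:38,001 fail2ban.actions[28205]: WARNING [ssh-iptables] Unban 61.174.51.232
2014-12-15 04:00:00,000 fail2ban.actions: WARNING [postfix] Ban 203.0.113.7
2014-12-15 04:01:00,000 fail2ban.actions: INFO   [postfix] 203.0.113.7 already banned
Dec  6 14:21:53 emu fail2ban.actions: WARNING [ssh-iredmail] Ban 198.51.100.50
2014-12-15 04:02:00,000 fail2ban.actions: WARNING [wordpress] Ban 198.51.100.9
"""

if __name__ == "__main__":
    counts, unknown = analyse(SAMPLE_LOG.splitlines())
    for cls in ("ssh", "mail", "other"):
        print(f"fail2ban:banned:{cls}={counts[cls]}")
    for jail in unknown:
        print(f'unknown class "{jail}"')
```

On the sample above the ssh class ends at 2 (three bans, one unban), mail at 1, and "wordpress" is listed as unknown; passing the previous run's counters back in as `counts` is how the totals would carry across log rotation.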

SadUsr  2014-12-16 10:45 :: SadUsr

Perl is too complicated for me, so together with my colleague we found a different solution. He wrote a small log parser to modify the CentOS logs and remove all information about the PID. Now your script works fine :)

One more question: how often should the cronjob be started?

SadUsr  2014-12-17 07:45 :: SadUsr

Unfortunately Perl is too difficult for me, and sorry to say I have no idea how to fix it. I'll try to find a different solution.

Glen Pitt-Pladdy  2014-12-22 16:00 :: Glen Pitt-Pladdy

Typically the sample period of Cacti is 5 minutes, so harvesting the data every 5 minutes would be the practical minimum. See the SNMP basics article for more information on the cronjob.
