Check_MK plugin: fail2ban
by BenV on Nov.03, 2014, under Check MK
This one has been on my todo list for a while, so today I took a stab at it: a fail2ban plugin for Check_MK.
My previous plugin (LMSensors plugin for Check_MK) still gets quite a few hits, so I figured you guys might like this one as well.
Why? Pretty graphs of course π
Another reason might be that you want to keep an eye on how many ssh bots etc fail2ban keeps out.
Without further delay, here’s the latest package:
fail2ban-1.3.mkp (10473 downloads)
SHA1: 22be3179e56c268ad9408e97da76fa1e9814e79d MD5: 3c3597e9da7141ca5df7791943e4d443
Installation:
There are two parts to installing a Check MK plugin. First on the host that actually runs CheckMK we need to install the package. This is quickly done:
root@checkmk# wget http://notes.benv.junerules.com/wp-content/uploads/2014/11/fail2ban-1.1.mkp
root@checkmk# md5sum fail2ban-1.1.mkp
378fe0b5ada335f91d4fde4033cabf1e fail2ban-1.0.mkp
root@checmk# check_mk -vP install fail2ban-1.1.mkp
Installing fail2ban version 1.1.
Checks:
fail2ban
Checks' man pages:
fail2ban
Agents:
fail2ban
Multisite extensions:
plugins/perfometer/fail2ban.py
PNP4Nagios templates:
check_mk-fail2ban.php
root@checkmk# check_mk -II
fail2ban 2 new checks
root@checkmk# check_mk -O
Done. After a short wait you’ll see your new checks show up in the check_mk multisite overview of your host, one check per fail2ban jail.
For example I have a host with the usual ssh-blocking jail, looks like this:
BenV’s Check_MK plugin for fail2ban
For a remote machine you will need to put the agent in place. Since this is only a single file it’s trivial to do:
benv@checkmk$ scp /usr/share/check_mk/agents/fail2ban root@othermachine:/usr/share/check_mk/agents
Note that the place you want to put that thing in is the $MK_LIBDIR/plugins directory. In my case, this was /usr/lib/check_mk_agent/plugins, but it could very well be somewhere else on your system. You can find it in the check_mk_agent script if you don’t know:
benv@somemachine$ grep MK_LIBDIR `which check_mk_agent`
export MK_LIBDIR="/usr/lib/check_mk_agent"
PLUGINSDIR=$MK_LIBDIR/plugins
Let Check_MK do an inventory on your remote machine [check_mk -II $machine] and the rest goes automagically! π
Version 1.2 and newer:
Configuration can be done through the new dict style parameter support, easiest to do this is from WATO. For example if I want to set a specific jail to different levels, I go to the service and hit the view/edit parameters button, like you can see here (red box around the button):
Fail2ban service, edit parameters
Here you see the applied parameters, which are probably set to default parameters. Click Fail2Ban to edit this (see the red box in the screenshot):
Check MK WATO – edit fail2ban parameters
Now you get a page that shows the existing rules that are applied to fail2ban. You can create rules to customize the parameters per host, jail or combination. Here’s an overview of my rules which for this host only have a pure-ftpd override rule.
Overview of WATO rules that apply to my fail2ban plugin
Press the red button if you want to create a specific rule for just this service (specific host+jail combo).
After that you get a screen with lots of options, the ones you care about are in the parameters section:
Changing the fail2ban crit and warning levels
Note that after changing/creating rules you first need to apply them (big orange button in the left top corner that says X Changes!).
Done! π
Version 1.1 and older:
Note that this check_mk fail2ban plugin currently supports setting the warn and crit level for current fails and current bans if you like, defaults are at 50/100 for fail and 25/50 for ban.
You can adjust these levels by editing your Check_MK’s main.mk, add a line like this where you enter your wanted levels:
fail2ban_default_params = (50, 100, 25, 50)
Have fun with this new plugin! π
ChangeLog:
V1.3: Compatibility with newer Check_MK / OMD versions, thanks to Erdo King for the report!
V1.2: WATO support for configuring parameters, changed to dict style. NOTE: Due to config style change you might need to re-inventarize.
When params are set to 0 they will no longer alert.
V1.1: Multiple jails on the same machine ended up with the same counters, fixed.
Older versions:
fail2ban-1.3.mkp (10473 downloads)
SHA1: 22be3179e56c268ad9408e97da76fa1e9814e79d MD5: 3c3597e9da7141ca5df7791943e4d443
[Download not found]
[Download not found]
[Download not found]
17 Comments for this entry
1 Trackback or Pingback for this entry
-
BibSonomy :: url :: Check_MK plugin: fail2ban Β« BenV's notes
November 27th, 2015 on 16:56[…] Β 1Check_MK plugin: fail2ban Β« BenV's notesΒ […]
September 30th, 2015 on 09:10
Hi BenV,
your plugin works nearly perfectly!
Is there any way to set threshold per Jail?
Every day I import ips from blocklist. Nearly ~200 IP…
At the moment i have completely disabled the Jail-services for blocklist and fail2ban …
Is there any way to extend your plugin?
Regards
erdo
September 30th, 2015 on 12:42
Update: just posted version 1.2 which allows the new rules, see my update in the post π
September 30th, 2015 on 09:17
Hello Erdo,
At the moment there’s no such option, but I will look into it. One of my machines gets a ton of ftp scanners so I’d like to be able to change those tresholds per jail myself as well.
I’ll update this page once I’ve tinkered in a solution.
October 1st, 2015 on 12:01
Hi BenV,
wow very, very! fast solution π ( I don’t think you work for an service hotline π )
It’s works very well, thank you!
Regards
erdo
March 22nd, 2016 on 09:19
Hi BenV,
your plugin stopped working after update to “OMD 1.2.8”.
It seems that get_regex doesn’t exixt anymore in Python 1.2.7.
Rename get_regex to regex helps!
You can read more in the german mailing-list:
http://comments.gmane.org/gmane.network.nagios.checkmk.german/6179
Regards
erdo
March 22nd, 2016 on 09:52
Hej Erdo,
Thanks for the report, I’ll look into it and release and updated version π
Update: just released V1.3 with this fix – thanks for the report Erdo!
BenV
March 22nd, 2016 on 14:01
Hi BenV,
really fast update again π
I removed the plugin and installed again, works for me very well on 1.2.8b6.cre (CentOS 7.2.1511)
Thank you!
Regards
erdo
June 13th, 2016 on 11:07
i got an error when running the check on my server … (related to line 68 on the check file into my OMD 1.3 installation)
Check_MK Version: 1.2.6p12
NameError: global name ‘regex’ is not defined
June 13th, 2016 on 11:14
@zehunter: What version of the plugin are you running? If you’ve tried v1.3, can you see if v1.2 is working?
August 25th, 2016 on 18:48
same problem , but it seems the link for 1.2 is bad?
Check output: check failed – please submit a crash report!
Check_MK Version: 1.2.6p12
Date: 2016-25-08 12:41:55
Host: ###############################
Service: Jail ssh
Check type: fail2ban
Item: ‘ssh’
Parameters: {‘levels_ban’: (1, 1), ‘levels_fail’: (1, 1)}
Traceback (most recent call last):
File “/omd/sites/thg/var/check_mk/precompiled/##############”, line 1115, in do_all_checks_on_host
jod}*|)dGt |
File “/omd/sites/thg/var/check_mk/precompiled/#################”, line 4171, in check_fail2ban
NameError: global name ‘regex’ is not defined
August 25th, 2016 on 22:26
my fix ..
local/share/check_mk/checks/fail2ban
i added
import re
commented out this
#cfreg = regex(r’Currently failed:\s*(\d+)’)
#cbreg = regex(r’Currently banned:\s*(\d+)’)
#tfreg = regex(r’Total failed:\s*(\d+)’)
#tbreg = regex(r’Total banned:\s*(\d+)’)
and changed the foloowing to look like ..
elif ourstatus == 1:
l = ” “.join(line)
cfm = re.search(r’Currently failed:\s*(\d+)’,l)
if cfm:
curfail = int(cfm.group(1))
continue
tfm = re.search(r’Total failed:\s*(\d+)’,l)
if tfm:
totfail = int(tfm.group(1))
continue
cbm = re.search(r’Currently banned:\s*(\d+)’,l)
if cbm:
curban = int(cbm.group(1))
continue
tbm = re.search(r’Total banned:\s*(\d+)’,l)
if tbm:
totban = int(tbm.group(1))
continue
February 2nd, 2018 on 18:46
Does this still work with check_mk 1.4? I tried to install latest version of the plugin, but the docs do not fit with check_mk easily.
Any updates to code or documentation, please?
February 2nd, 2018 on 19:58
Hi @memyselfandi,
I haven’t tried check_mk 1.4 myself yet since they dropped support for the raw edition on my platform and I haven’t had the time to figure it out how to circumvent that yet.
In other words: I have no clue whether or not it still works, but if it doesn’t I’d like to know where it breaks and why so I can fix it π
I’ll post an update as soon as I get CMK 1.4 running somewhere.
February 5th, 2018 on 09:32
I am using the fail2ban plugin V1.3 with CheckMK 1.4.0p24 (RAW) and it works like a charm.
Graphs and configuration working for me. Including perf-o-meter π 5 jails at the moment.
February 9th, 2018 on 15:26
good to hear that, @erdo_king! It is probably my fault, then. I have experience with Nagios but I am rather new with check_mk and this was my first plugin.
I cannot follow the instructions. The server part works after issuing a omd su , but the scp to the remote machines does not work, because the origin is not there. I searched the server and copied it from another location.
My problem is, I am getting “Missing agent sections: fail2ban” on every host.
Any ideas??
May 7th, 2018 on 20:24
I am using fail2ban plugin 1.3 with CheckMK 1.4.0p23 (RAW). It is working great for some hosts.
If the “agent” plugin is installed on the target host, but the fail2ban linux package is not installed. The following message is displayed in WATO.
WARN – Discovery failed: Exception in check plugin ‘fail2ban’: list index out of range
Do you have a solution besides not adding the agent plugin or creating a rule to disable the check for the host that doesn’t have the fail2ban package installed.
Thanks!
May 8th, 2018 on 10:37
This is probably due to the check actually expecting lines, I should fix that.
You can try manually patching this, in the check_mk/checks/fail2ban file there is an inventory function that has:
line = info[0]
before that, add something like:
if len(info) == 0:
return
See if that helps π
I’ll try it out myself soon, but am at work right now, hopefully I can fix it tomorrow.