BenV's notes

Check_MK plugin: fail2ban

by on Nov.03, 2014, under Check MK

This one has been on my todo list for a while, so today I took a stab at it: a fail2ban plugin for Check_MK.
My previous plugin (LMSensors plugin for Check_MK) still gets quite a few hits, so I figured you guys might like this one as well.

Why? Pretty graphs of course πŸ˜‰
Another reason might be that you want to keep an eye on how many ssh bots etc fail2ban keeps out.

Without further delay, here’s the latest package:
fail2ban-1.3.mkp (646 downloads)      SHA1: 22be3179e56c268ad9408e97da76fa1e9814e79d  MD5: 3c3597e9da7141ca5df7791943e4d443

Installation:
There are two parts to installing a Check MK plugin. First on the host that actually runs CheckMK we need to install the package. This is quickly done:

root@checkmk# wget http://notes.benv.junerules.com/wp-content/uploads/2014/11/fail2ban-1.1.mkp
root@checkmk# md5sum fail2ban-1.1.mkp
378fe0b5ada335f91d4fde4033cabf1e fail2ban-1.0.mkp
root@checmk# check_mk -vP install fail2ban-1.1.mkp
Installing fail2ban version 1.1.
Checks:
fail2ban
Checks' man pages:
fail2ban
Agents:
fail2ban
Multisite extensions:
plugins/perfometer/fail2ban.py
PNP4Nagios templates:
check_mk-fail2ban.php
root@checkmk# check_mk -II
fail2ban 2 new checks
root@checkmk# check_mk -O

Done. After a short wait you’ll see your new checks show up in the check_mk multisite overview of your host, one check per fail2ban jail.
For example I have a host with the usual ssh-blocking jail, looks like this:

BenV's Check_MK plugin for fail2ban

BenV’s Check_MK plugin for fail2ban

For a remote machine you will need to put the agent in place. Since this is only a single file it’s trivial to do:

benv@checkmk$ scp /usr/share/check_mk/agents/fail2ban root@othermachine:/usr/share/check_mk/agents

Note that the place you want to put that thing in is the $MK_LIBDIR/plugins directory. In my case, this was /usr/lib/check_mk_agent/plugins, but it could very well be somewhere else on your system. You can find it in the check_mk_agent script if you don’t know:

benv@somemachine$ grep MK_LIBDIR `which check_mk_agent`
export MK_LIBDIR="/usr/lib/check_mk_agent"
PLUGINSDIR=$MK_LIBDIR/plugins

Let Check_MK do an inventory on your remote machine [check_mk -II $machine] and the rest goes automagically! πŸ™‚

Version 1.2 and newer:
Configuration can be done through the new dict style parameter support, easiest to do this is from WATO. For example if I want to set a specific jail to different levels, I go to the service and hit the view/edit parameters button, like you can see here (red box around the button):

Fail2ban service, edit parameters

Fail2ban service, edit parameters


Here you see the applied parameters, which are probably set to default parameters. Click Fail2Ban to edit this (see the red box in the screenshot):
Check MK WATO - edit fail2ban parameters

Check MK WATO – edit fail2ban parameters


Now you get a page that shows the existing rules that are applied to fail2ban. You can create rules to customize the parameters per host, jail or combination. Here’s an overview of my rules which for this host only have a pure-ftpd override rule.
Check_MK WATO Rule overview

Overview of WATO rules that apply to my fail2ban plugin


Press the red button if you want to create a specific rule for just this service (specific host+jail combo).
After that you get a screen with lots of options, the ones you care about are in the parameters section:
Check MK WATO Fail2ban parameters

Changing the fail2ban crit and warning levels


Note that after changing/creating rules you first need to apply them (big orange button in the left top corner that says X Changes!).
Done! πŸ™‚

Version 1.1 and older:
Note that this check_mk fail2ban plugin currently supports setting the warn and crit level for current fails and current bans if you like, defaults are at 50/100 for fail and 25/50 for ban.
You can adjust these levels by editing your Check_MK’s main.mk, add a line like this where you enter your wanted levels:

fail2ban_default_params = (50, 100, 25, 50)

Have fun with this new plugin! πŸ™‚

ChangeLog:
V1.3: Compatibility with newer Check_MK / OMD versions, thanks to Erdo King for the report!
V1.2: WATO support for configuring parameters, changed to dict style. NOTE: Due to config style change you might need to re-inventarize.
When params are set to 0 they will no longer alert.
V1.1: Multiple jails on the same machine ended up with the same counters, fixed.

Older versions:
fail2ban-1.3.mkp (646 downloads)      SHA1: 22be3179e56c268ad9408e97da76fa1e9814e79d  MD5: 3c3597e9da7141ca5df7791943e4d443
[Download not found]
[Download not found]
[Download not found]




:,

17 Comments for this entry

  • erdo_king

    Hi BenV,

    your plugin works nearly perfectly!
    Is there any way to set threshold per Jail?

    Every day I import ips from blocklist. Nearly ~200 IP…
    At the moment i have completely disabled the Jail-services for blocklist and fail2ban …

    Is there any way to extend your plugin?

    Regards
    erdo

  • BenV

    Hello Erdo,

    At the moment there’s no such option, but I will look into it. One of my machines gets a ton of ftp scanners so I’d like to be able to change those tresholds per jail myself as well.
    I’ll update this page once I’ve tinkered in a solution.

  • erdo_king

    Hi BenV,

    wow very, very! fast solution πŸ™‚ ( I don’t think you work for an service hotline πŸ˜€ )

    It’s works very well, thank you!

    Regards
    erdo

  • erdo_king

    Hi BenV,

    your plugin stopped working after update to “OMD 1.2.8”.
    It seems that get_regex doesn’t exixt anymore in Python 1.2.7.

    Rename get_regex to regex helps!

    You can read more in the german mailing-list:
    http://comments.gmane.org/gmane.network.nagios.checkmk.german/6179

    Regards
    erdo

  • erdo_king

    Hi BenV,

    really fast update again πŸ™‚
    I removed the plugin and installed again, works for me very well on 1.2.8b6.cre (CentOS 7.2.1511)

    Thank you!

    Regards
    erdo

  • zehunter

    i got an error when running the check on my server … (related to line 68 on the check file into my OMD 1.3 installation)

    Check_MK Version: 1.2.6p12
    NameError: global name ‘regex’ is not defined

    • BenV

      @zehunter: What version of the plugin are you running? If you’ve tried v1.3, can you see if v1.2 is working?

      • lucindrea

        same problem , but it seems the link for 1.2 is bad?

        Check output: check failed – please submit a crash report!
        Check_MK Version: 1.2.6p12
        Date: 2016-25-08 12:41:55
        Host: ###############################
        Service: Jail ssh
        Check type: fail2ban
        Item: ‘ssh’
        Parameters: {‘levels_ban’: (1, 1), ‘levels_fail’: (1, 1)}
        Traceback (most recent call last):
        File “/omd/sites/thg/var/check_mk/precompiled/##############”, line 1115, in do_all_checks_on_host
        jod}*|)dGt |
        File “/omd/sites/thg/var/check_mk/precompiled/#################”, line 4171, in check_fail2ban
        NameError: global name ‘regex’ is not defined

        • lucindrea

          my fix ..

          local/share/check_mk/checks/fail2ban

          i added

          import re

          commented out this

          #cfreg = regex(r’Currently failed:\s*(\d+)’)
          #cbreg = regex(r’Currently banned:\s*(\d+)’)
          #tfreg = regex(r’Total failed:\s*(\d+)’)
          #tbreg = regex(r’Total banned:\s*(\d+)’)

          and changed the foloowing to look like ..

          elif ourstatus == 1:
          l = ” “.join(line)
          cfm = re.search(r’Currently failed:\s*(\d+)’,l)
          if cfm:
          curfail = int(cfm.group(1))
          continue
          tfm = re.search(r’Total failed:\s*(\d+)’,l)
          if tfm:
          totfail = int(tfm.group(1))
          continue
          cbm = re.search(r’Currently banned:\s*(\d+)’,l)
          if cbm:
          curban = int(cbm.group(1))
          continue
          tbm = re.search(r’Total banned:\s*(\d+)’,l)
          if tbm:
          totban = int(tbm.group(1))
          continue

  • memyselfandi

    Does this still work with check_mk 1.4? I tried to install latest version of the plugin, but the docs do not fit with check_mk easily.
    Any updates to code or documentation, please?

  • BenV

    Hi @memyselfandi,

    I haven’t tried check_mk 1.4 myself yet since they dropped support for the raw edition on my platform and I haven’t had the time to figure it out how to circumvent that yet.
    In other words: I have no clue whether or not it still works, but if it doesn’t I’d like to know where it breaks and why so I can fix it πŸ™‚

    I’ll post an update as soon as I get CMK 1.4 running somewhere.

  • erdo_king

    I am using the fail2ban plugin V1.3 with CheckMK 1.4.0p24 (RAW) and it works like a charm.

    Graphs and configuration working for me. Including perf-o-meter πŸ˜‰ 5 jails at the moment.

  • memyselfandi

    good to hear that, @erdo_king! It is probably my fault, then. I have experience with Nagios but I am rather new with check_mk and this was my first plugin.

    I cannot follow the instructions. The server part works after issuing a omd su , but the scp to the remote machines does not work, because the origin is not there. I searched the server and copied it from another location.

    My problem is, I am getting “Missing agent sections: fail2ban” on every host.

    Any ideas??

  • ssgcorp

    I am using fail2ban plugin 1.3 with CheckMK 1.4.0p23 (RAW). It is working great for some hosts.

    If the “agent” plugin is installed on the target host, but the fail2ban linux package is not installed. The following message is displayed in WATO.

    WARN – Discovery failed: Exception in check plugin ‘fail2ban’: list index out of range

    Do you have a solution besides not adding the agent plugin or creating a rule to disable the check for the host that doesn’t have the fail2ban package installed.

    Thanks!

    • BenV

      This is probably due to the check actually expecting lines, I should fix that.
      You can try manually patching this, in the check_mk/checks/fail2ban file there is an inventory function that has:
      line = info[0]
      before that, add something like:
      if len(info) == 0:
      return

      See if that helps πŸ™‚
      I’ll try it out myself soon, but am at work right now, hopefully I can fix it tomorrow.

1 Trackback or Pingback for this entry

Leave a Reply

You must be logged in to post a comment.

Archives

  • 2018 (1)
  • 2016 (1)
  • 2015 (7)
  • 2014 (4)
  • 2013 (11)
  • 2012 (27)
  • 2011 (26)
  • 2010 (25)
  • 2009 (68)