
fail2ban notes

sshd-ddos does not work as expected

influxdb & grafana

If InfluxDB's HTTP API is reachable, you can write metrics to it with curl. First create a database „fail2ban“ like this:

$ curl http://localhost:8086/query -XPOST --data-urlencode "q=CREATE DATABASE fail2ban"

1) Put the action into /etc/fail2ban/action.d/influxdb-writer.conf

influxdb-writer.conf
# Influxdb Writer
# Author: Haiko 
# Source: https://datenfahrt.org/wiki/linux/fail2ban
# 01-04-2019
 
[Definition]
 
# Option:  actionstart
# Notes.:  command executed once at the start of Fail2Ban.
# Values:  CMD
#
actionstart = 
 
# Option:  actionstop
# Notes.:  command executed once at the end of Fail2Ban
# Values:  CMD
#
actionstop = 
 
# Option:  actioncheck
# Notes.:  command executed once before each actionban command
# Values:  CMD
#
actioncheck =
 
# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    <ip>  IP address
#          <failures>  number of failures
#          <time>  unix timestamp of the ban time
# Values:  CMD
#
 
actionban = curl -o /dev/null --silent -XPOST '<influxdb_url>/write?db=<influxdb_db>' --data-binary 'fail2ban,jail=<name>,ip=<ip>,action=ban failures=<failures>'
 
# Option:  actionunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    <ip>  IP address
#          <failures>  number of failures
#          <time>  unix timestamp of the ban time
# Values:  CMD
#
 
actionunban = curl -o /dev/null --silent -XPOST '<influxdb_url>/write?db=<influxdb_db>' --data-binary 'fail2ban,jail=<name>,ip=<ip>,action=unban failures=<failures>'
 
# Init
 
[Init]
 
init = 'Write Point to InfluxDB'
 
# make sure, the database is available
influxdb_url = http://127.0.0.1:8086
influxdb_db = fail2ban

Download from Github

2) Append the new action to your default action in /etc/fail2ban/jail.local (or create one)

Example:

...
# ban & send an e-mail with whois report to the destemail & write metrics to influxdb
action_mw_influxdb = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
                     %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
                     influxdb-writer[name=%(__name__)s]

...

# default action
action = %(action_mw_influxdb)s

...

* Restart fail2ban: sudo systemctl restart fail2ban

* Test your setup and make sure fail2ban still bans correctly

* Make a nice Dashboard in Grafana

Single Stat:

Series:
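The following script is an added example, not the wiki's own code and not part of fail2ban. It reproduces what the influxdb-writer action above does on a ban (measurement fail2ban, tags jail/ip/action, field failures) so the write can be checked before fail2ban is restarted, and it covers the "test your setup" step by reading the bans back through the /query endpoint. Two things the action's plain curl lacks are added: tag-value escaping for the line protocol, and a timeout plus --fail so a hung or rejecting InfluxDB is visible in fail2ban's log instead of silently blocking the action. The function names (f2b_point, f2b_send, f2b_ban_query, f2b_query), the variables INFLUX_URL/INFLUX_DB/F2B_DRY_RUN, the IP 203.0.113.7 and the timestamp 1554076800 are assumptions and constructed sample values; it assumes an InfluxDB 1.x HTTP API.

```shell
#!/bin/sh
# Added example (not the wiki's own code): builds and sends the same
# line-protocol point the influxdb-writer action sends, then reads it back.
# Assumed environment: InfluxDB 1.x HTTP API at INFLUX_URL, database INFLUX_DB.
INFLUX_URL="${INFLUX_URL:-http://127.0.0.1:8086}"
INFLUX_DB="${INFLUX_DB:-fail2ban}"

# Escape a tag value for InfluxDB line protocol: commas, spaces and '=' would
# otherwise split the point, so an odd jail name cannot smuggle extra tags or
# fields into the write. (fail2ban validates <ip> itself, but escape anyway.)
lp_escape_tag() {
    printf '%s\n' "$1" | sed -e 's/,/\\,/g' -e 's/ /\\ /g' -e 's/=/\\=/g'
}

# Build the point the action's --data-binary payload carries. An optional
# 5th argument (fail2ban's <time> tag, unix seconds) becomes the point's
# timestamp so the series shows when the ban happened, not when it arrived.
# Args: jail ip ban|unban failures [unix_seconds]
f2b_point() {
    case "$4" in
        ''|*[!0-9]*) echo "f2b_point: failures must be an integer, got '$4'" >&2; return 1 ;;
    esac
    case "$3" in
        ban|unban) ;;
        *) echo "f2b_point: action must be ban or unban, got '$3'" >&2; return 1 ;;
    esac
    # failures stays an unsuffixed number, matching the field type the action
    # already writes (changing the type on an existing series is rejected).
    point="fail2ban,jail=$(lp_escape_tag "$1"),ip=$(lp_escape_tag "$2"),action=$3 failures=$4"
    if [ -n "$5" ]; then
        # /write expects nanoseconds unless a precision= parameter is given
        point="$point ${5}000000000"
    fi
    printf '%s\n' "$point"
}

# POST one point. Compared with the action's curl: --max-time keeps a hung
# InfluxDB from stalling fail2ban's action thread, and --fail/--show-error
# surface a rejected write instead of hiding it behind -o /dev/null --silent.
# F2B_DRY_RUN=1 prints the request instead of sending it.
f2b_send() {
    if [ -n "$F2B_DRY_RUN" ]; then
        printf 'DRY RUN: POST %s/write?db=%s <- %s\n' "$INFLUX_URL" "$INFLUX_DB" "$1"
        return 0
    fi
    curl --silent --show-error --fail --max-time 5 -o /dev/null \
        -XPOST "$INFLUX_URL/write?db=$INFLUX_DB" --data-binary "$1"
}

# InfluxQL for the "test your setup" step (also usable in a Grafana
# single-stat panel): number of bans per jail in the given window, e.g. 24h.
f2b_ban_query() {
    printf 'SELECT count("failures") FROM "fail2ban" WHERE "action" = '"'"'ban'"'"' AND time > now() - %s GROUP BY "jail"\n' "$1"
}

# Run an InfluxQL query through GET /query; curl URL-encodes the parameters.
f2b_query() {
    if [ -n "$F2B_DRY_RUN" ]; then
        printf 'DRY RUN: GET %s/query?db=%s&q=%s\n' "$INFLUX_URL" "$INFLUX_DB" "$1"
        return 0
    fi
    curl --silent --show-error --fail --max-time 5 --get "$INFLUX_URL/query" \
        --data-urlencode "db=$INFLUX_DB" --data-urlencode "q=$1"
}

# Demo with constructed values: a ban of 203.0.113.7 in jail sshd after
# 5 failures at 2019-04-01 00:00:00 UTC, then the read-back query.
F2B_DRY_RUN=1
f2b_send "$(f2b_point sshd 203.0.113.7 ban 5 1554076800)"
f2b_query "$(f2b_ban_query 24h)"
```

Unset F2B_DRY_RUN to actually talk to InfluxDB; the curl options used in f2b_send are the ones worth carrying over into the action's actionban/actionunban lines, since fail2ban only logs a non-zero exit status of the action command.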

linux/fail2ban.txt · Last modified: 2019/06/12 09:07 by haiko
