Fail2ban monitoring with Netdata

What is Fail2ban?

Fail2ban is open-source intrusion prevention software that helps protect your server from malicious attacks. It works by monitoring log files for suspicious activity and then blocking access to the server from the offending IP address. It is easy to configure and can be used to secure services like SSH, Apache, Postfix, and more.

Monitoring Fail2ban with Netdata

To monitor Fail2ban with Netdata, you need both Fail2ban and Netdata installed on your system.

Netdata auto-discovers hundreds of services, and for those it doesn't, turning on manual discovery is a one-line configuration. For more information on configuring Netdata for Fail2ban monitoring, please read the collector documentation.

You should now see the Fail2ban section on the Overview tab in Netdata Cloud already populated with charts about all the metrics you care about.

Netdata has a public demo space (no login required) where you can explore different monitoring use-cases and get a feel for Netdata.

What Fail2ban metrics are important to monitor - and why?

Failed Attempts

The number of failed login attempts per second. This is an important metric to monitor as it allows you to identify potential malicious activity, such as brute force attacks, and take action to mitigate them. By monitoring the number of failed attempts, it is possible to set up alerts or automated responses that can block the offending IP address before it can cause any damage. Normal values will depend on the type of services being monitored and the security measures in place. Generally, if the number of failed attempts/s is higher than usual, it may be a sign of malicious activity.

Bans

The number of times Fail2ban has blocked an IP address from accessing the service. This is a useful metric to monitor as it allows you to identify malicious IP addresses and take action to mitigate them. If the number of bans/s is higher than usual, it may be a sign of malicious activity.

Banned IP Addresses

The total number of IP addresses that have been blocked since the last restart of Netdata. This is an important metric to monitor, as it allows you to keep track of the total number of malicious IP addresses that have been blocked. If the number of banned IP addresses is increasing, it may be a sign of malicious activity.
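
The three metrics above can be cross-checked by hand against Fail2ban's own log. The following is an added example, not Netdata's collector code: it assumes the default fail2ban.log line layout, the sample lines are constructed, and the function and field names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the default fail2ban.log layout (documentation IPs only).
SAMPLE_LOG = """\
2024-05-01 09:59:58,000 fail2ban.server  [812]: INFO    Starting Fail2ban
2024-05-01 10:00:01,101 fail2ban.filter  [812]: INFO    [sshd] Found 192.0.2.10 - 2024-05-01 10:00:01
2024-05-01 10:00:02,340 fail2ban.filter  [812]: INFO    [sshd] Found 192.0.2.10 - 2024-05-01 10:00:02
2024-05-01 10:00:03,512 fail2ban.filter  [812]: INFO    [sshd] Found 192.0.2.10 - 2024-05-01 10:00:03
2024-05-01 10:00:03,900 fail2ban.actions [812]: NOTICE  [sshd] Ban 192.0.2.10
2024-05-01 10:00:07,020 fail2ban.filter  [812]: INFO    [postfix] Found 198.51.100.7 - 2024-05-01 10:00:06
2024-05-01 10:00:09,450 fail2ban.actions [812]: NOTICE  [sshd] Ban 203.0.113.44
2024-05-01 10:10:03,901 fail2ban.actions [812]: NOTICE  [sshd] Unban 192.0.2.10
"""

# Only filter/actions lines carrying a jail name and a Found/Ban/Unban event are counted.
LINE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d+\s+fail2ban\.(?:filter|actions)\s+"
    r"\[\d+\]:\s+\w+\s+\[(?P<jail>[^\]]+)\]\s+(?P<event>Found|Ban|Unban)\s+(?P<ip>\S+)"
)

def jail_metrics(log_text):
    """Return per-jail failed attempts, bans, and banned IP sets for the given log text."""
    stats = defaultdict(lambda: {"failed_attempts": 0, "bans": 0,
                                 "banned_ips": set(), "currently_banned": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # startup messages, jail reloads, and other lines are ignored
        jail = stats[m["jail"]]
        if m["event"] == "Found":
            jail["failed_attempts"] += 1          # one matched failure in the service log
        elif m["event"] == "Ban":
            jail["bans"] += 1
            jail["banned_ips"].add(m["ip"])       # every address banned in this window
            jail["currently_banned"].add(m["ip"])
        else:                                      # Unban: ban expired or lifted manually
            jail["currently_banned"].discard(m["ip"])
    return dict(stats)

if __name__ == "__main__":
    for name, s in jail_metrics(SAMPLE_LOG).items():
        print(name, s["failed_attempts"], s["bans"],
              sorted(s["banned_ips"]), sorted(s["currently_banned"]))
```

Keeping the counts per jail makes it clear which service a rise in failed attempts or bans belongs to, and the gap between `banned_ips` and `currently_banned` shows how many bans have already expired.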
