Fail2ban icon

Fail2ban

Fail2ban

Plugin: go.d.plugin Module: fail2ban

Overview

This collector tracks two main metrics for each jail: currently banned IPs and active failure incidents. It relies on the fail2ban-client CLI tool but avoids directly executing the binary. Instead, it utilizes ndsudo, a Netdata helper specifically designed to run privileged commands securely within the Netdata environment. This approach eliminates the need to use sudo, improving security and potentially simplifying permission management.

This collector is only supported on the following platforms:

  • Linux

This collector only supports collecting metrics from a single instance of this integration.

Default Behavior

Auto-Detection

This integration doesn’t support auto-detection.

Limits

The default configuration for this integration does not impose any limits on data collection.

Performance Impact

The default configuration for this integration is not expected to impose a significant performance impact on the system.

Setup

You can configure the fail2ban collector in two ways:

Method Best for How to
UI Fast setup without editing files Go to Nodes → Configure this node → Collectors → Jobs, search for fail2ban, then click + to add a job.
File If you prefer configuring via file, or need to automate deployments (e.g., with Ansible) Edit go.d/fail2ban.conf and add a job.

:::important

UI configuration requires paid Netdata Cloud plan.

:::

Prerequisites

For Netdata running in a Docker container

  1. Install Fail2ban client.

    Ensure fail2ban-client is available in the container by setting the environment variable NETDATA_EXTRA_DEB_PACKAGES=fail2ban when starting the container.

  2. Mount host’s /var/run directory.

    Mount the host machine’s /var/run directory to /host/var/run inside your Netdata container. This grants Netdata access to the Fail2ban socket file, typically located at /var/run/fail2ban/fail2ban.sock.

Configuration

Options

The following options can be defined globally: update_every.

Option Description Default Required
update_every Data collection frequency. 10 no
timeout fail2ban-client binary execution timeout. 2 no

via UI

Configure the fail2ban collector from the Netdata web interface:

  1. Go to Nodes.
  2. Select the node where you want the fail2ban data-collection job to run and click the :gear: (Configure this node). That node will run the data collection.
  3. The Collectors → Jobs view opens by default.
  4. In the Search box, type fail2ban (or scroll the list) to locate the fail2ban collector.
  5. Click the + next to the fail2ban collector to add a new job.
  6. Fill in the job fields, then click Test to verify the configuration and Submit to save.
    • Test runs the job with the provided settings and shows whether data can be collected.
    • If it fails, an error message appears with details (for example, connection refused, timeout, or command execution errors), so you can adjust and retest.

via File

The configuration file name for this integration is go.d/fail2ban.conf.

The file format is YAML. Generally, the structure is:

update_every: 1
autodetection_retry: 0
jobs:
  - name: some_name1
  - name: some_name2

You can edit the configuration file using the edit-config script from the Netdata config directory.

cd /etc/netdata 2>/dev/null || cd /opt/netdata/etc/netdata
sudo ./edit-config go.d/fail2ban.conf
Examples
Custom update_every

Allows you to override the default data collection interval.

jobs:
  - name: fail2ban
    update_every: 5  # Collect Fail2Ban jails statistics every 5 seconds

Metrics

Metrics grouped by scope.

The scope defines the instance that the metric belongs to. An instance is uniquely identified by a set of labels.

Per jail

These metrics refer to the Jail.

Labels:

Label Description
jail Jail’s name

Metrics:

Metric Dimensions Unit
fail2ban.jail_banned_ips banned addresses
fail2ban.jail_active_failures active_failures failures

Alerts

There are no alerts configured by default for this integration.

Troubleshooting

Debug Mode

Important: Debug mode is not supported for data collection jobs created via the UI using the Dyncfg feature.

To troubleshoot issues with the fail2ban collector, run the go.d.plugin with the debug option enabled. The output should give you clues as to why the collector isn’t working.

  • Navigate to the plugins.d directory, usually at /usr/libexec/netdata/plugins.d/. If that’s not the case on your system, open netdata.conf and look for the plugins setting under [directories].

    cd /usr/libexec/netdata/plugins.d/

  • Switch to the netdata user.

    sudo -u netdata -s

  • Run the go.d.plugin to debug the collector:

    ./go.d.plugin -d -m fail2ban

    To debug a specific job:

    ./go.d.plugin -d -m fail2ban -j jobName

Getting Logs

If you’re encountering problems with the fail2ban collector, follow these steps to retrieve logs and identify potential issues:

  • Run the command specific to your system (systemd, non-systemd, or Docker container).
  • Examine the output for any warnings or error messages that might indicate issues. These messages should provide clues about the root cause of the problem.

System with systemd

Use the following command to view logs generated since the last Netdata service restart:

journalctl _SYSTEMD_INVOCATION_ID="$(systemctl show --value --property=InvocationID netdata)" --namespace=netdata --grep fail2ban

System without systemd

Locate the collector log file, typically at /var/log/netdata/collector.log, and use grep to filter for collector’s name:

grep fail2ban /var/log/netdata/collector.log

Note: This method shows logs from all restarts. Focus on the latest entries for troubleshooting current issues.

Docker Container

If your Netdata runs in a Docker container named “netdata” (replace if different), use this command:

docker logs netdata 2>&1 | grep fail2ban

The observability platform companies need to succeed

Sign up for free

Want a personalised demo of Netdata for your use case?

Book a Demo