Fail2ban icon

Fail2ban

Fail2ban

Plugin: go.d.plugin Module: fail2ban

Overview

This collector tracks two main metrics for each jail: currently banned IPs and active failure incidents. It relies on the fail2ban-client CLI tool but avoids directly executing the binary. Instead, it utilizes ndsudo, a Netdata helper specifically designed to run privileged commands securely within the Netdata environment. This approach eliminates the need to use sudo, improving security and potentially simplifying permission management.

This collector is supported on all platforms.

This collector only supports collecting metrics from a single instance of this integration.

Default Behavior

Auto-Detection

This integration doesn’t support auto-detection.

Limits

The default configuration for this integration does not impose any limits on data collection.

Performance Impact

The default configuration for this integration is not expected to impose a significant performance impact on the system.

Setup

Prerequisites

For Netdata running in a Docker container

  1. Install Fail2ban client.

    Ensure fail2ban-client is available in the container by setting the environment variable NETDATA_EXTRA_DEB_PACKAGES=fail2ban when starting the container.

  2. Mount host’s /var/run directory.

    Mount the host machine’s /var/run directory to /host/var/run inside your Netdata container. This grants Netdata access to the Fail2ban socket file, typically located at /var/run/fail2ban/fail2ban.sock.

Configuration

File

The configuration file name for this integration is go.d/fail2ban.conf.

You can edit the configuration file using the edit-config script from the Netdata config directory.

cd /etc/netdata 2>/dev/null || cd /opt/netdata/etc/netdata
sudo ./edit-config go.d/fail2ban.conf

Options

The following options can be defined globally: update_every.

Name Description Default Required
update_every Data collection frequency. 10 no
timeout fail2ban-client binary execution timeout. 2 no

Examples

Custom update_every

Allows you to override the default data collection interval.

jobs:
  - name: fail2ban
    update_every: 5  # Collect Fail2Ban jails statistics every 5 seconds

Metrics

Metrics grouped by scope.

The scope defines the instance that the metric belongs to. An instance is uniquely identified by a set of labels.

Per jail

These metrics refer to the Jail.

Labels:

Label Description
jail Jail’s name

Metrics:

Metric Dimensions Unit
fail2ban.jail_banned_ips banned addresses
fail2ban.jail_active_failures active_failures failures

Alerts

There are no alerts configured by default for this integration.

Troubleshooting

Debug Mode

Important: Debug mode is not supported for data collection jobs created via the UI using the Dyncfg feature.

To troubleshoot issues with the fail2ban collector, run the go.d.plugin with the debug option enabled. The output should give you clues as to why the collector isn’t working.

  • Navigate to the plugins.d directory, usually at /usr/libexec/netdata/plugins.d/. If that’s not the case on your system, open netdata.conf and look for the plugins setting under [directories].

    cd /usr/libexec/netdata/plugins.d/
    
  • Switch to the netdata user.

    sudo -u netdata -s
    
  • Run the go.d.plugin to debug the collector:

    ./go.d.plugin -d -m fail2ban
    

Getting Logs

If you’re encountering problems with the fail2ban collector, follow these steps to retrieve logs and identify potential issues:

  • Run the command specific to your system (systemd, non-systemd, or Docker container).
  • Examine the output for any warnings or error messages that might indicate issues. These messages should provide clues about the root cause of the problem.

System with systemd

Use the following command to view logs generated since the last Netdata service restart:

journalctl _SYSTEMD_INVOCATION_ID="$(systemctl show --value --property=InvocationID netdata)" --namespace=netdata --grep fail2ban

System without systemd

Locate the collector log file, typically at /var/log/netdata/collector.log, and use grep to filter for collector’s name:

grep fail2ban /var/log/netdata/collector.log

Note: This method shows logs from all restarts. Focus on the latest entries for troubleshooting current issues.

Docker Container

If your Netdata runs in a Docker container named “netdata” (replace if different), use this command:

docker logs netdata 2>&1 | grep fail2ban

The observability platform companies need to succeed

Sign up for free

Want a personalised demo of Netdata for your use case?

Book a Demo