
zabbix-fail2ban-discovery-'s People

Contributors

altmas5, exi, hermanekt, jackthird, misterbenj34, rvalitov, santiagobiali

zabbix-fail2ban-discovery-'s Issues

fail2ban.discovery sed not working for non root user

Hi,

I am trying to use your template on Zabbix 4.4 on Ubuntu 18.04 with zabbix-agent2.

As root, your fail2ban.discovery command works:

fail2ban-client status | grep 'Jail list:' | sed -e 's/^.*:\W\+//' -e 's/\(\(\w\|-\)\+\)/{"{#JAIL}":"\1"}/g' -e 's/.*/{"data":[\0]}/'
{"data":[{"{#JAIL}":"postfix-auth"}, {"{#JAIL}":"sshd"}]}

But with the user zabbix the output is not the same:

su - zabbix -s /bin/bash -c "fail2ban-client status | grep 'Jail list:' | sed -e 's/^.*:\W\+//' -e 's/\(\(\w\|-\)\+\)/{"{#JAIL}":"\1"}/g' -e 's/.*/{"data":[\0]}/'"
NOT root user
{data:[{{#JAIL}:1}, {{#JAIL}:1}]}

I followed your how-to:

ls -l /var/run/fail2ban/fail2ban.sock
srwx-w---- 1 root fail2ban 0 mai   11 15:21 /var/run/fail2ban/fail2ban.sock

If I remove the sed part:

su - zabbix -s /bin/bash -c "fail2ban-client status | grep 'Jail list:'"
NOT root user
`- Jail list:	postfix-auth, sshd

Did I miss something?

Thanks!
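
The quoting behind the two outputs in the report above, as an added example that is not part of the original issue. It uses `sh -c` in place of `su -c` and a constructed stand-in for `fail2ban-client status` (the function names are assumptions), and it relies on the same GNU sed extensions as the template command.

```shell
#!/bin/sh
# Constructed stand-in for `fail2ban-client status`; jail names are the ones in the report.
sample_status() {
    printf 'Status\n|- Number of jail:\t2\n`- Jail list:\tpostfix-auth, sshd\n'
}

# The template's filter, parsed once by the shell: every " reaches sed intact.
lld_filter() {
    grep 'Jail list:' | sed -e 's/^.*:\W\+//' -e 's/\(\(\w\|-\)\+\)/{"{#JAIL}":"\1"}/g' -e 's/.*/{"data":[\0]}/'
}

# Same filter pasted between outer double quotes, as in the `su -c "..."` call.
# Each inner " ends or reopens the outer string, so the quotes are consumed
# before sed runs, and the now-unquoted \1 is reduced to a literal 1.
nested_double_quotes() {
    sample_status | sh -c "grep 'Jail list:' | sed -e 's/^.*:\W\+//' -e 's/\(\(\w\|-\)\+\)/{"{#JAIL}":"\1"}/g' -e 's/.*/{"data":[\0]}/'"
}

# One way to keep the inner quotes: take the command text from a quoted
# here-document, then hand it to the child shell as a single argument.
filter_text() {
    cat <<'EOF'
grep 'Jail list:' | sed -e 's/^.*:\W\+//' -e 's/\(\(\w\|-\)\+\)/{"{#JAIL}":"\1"}/g' -e 's/.*/{"data":[\0]}/'
EOF
}
quoted_heredoc() {
    sample_status | sh -c "$(filter_text)"
}

printf '%s\n' "direct:  $(sample_status | lld_filter)"
printf '%s\n' "nested:  $(nested_double_quotes)"
printf '%s\n' "heredoc: $(quoted_heredoc)"
```

The Zabbix agent reads the UserParameter line from its configuration file, where no outer shell quoting is wrapped around the command, so the nested-quote loss appears only in the manual `su -c "..."` test.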

Simplified setup

The doc seems to recommend a convoluted setup.
One can simply set up this template by following the steps below:

  1. Add the following line to the sudoers file:
    zabbix ALL= (ALL) NOPASSWD: /usr/bin/fail2ban-client

  2. Edit fail2ban.conf, and prepend sudo to the commands used. Example:

UserParameter=fail2ban.status[*],sudo fail2ban-client status '$1' | grep 'Currently banned:' | grep -E -o '[0-9]+'
UserParameter=fail2ban.discovery,sudo fail2ban-client status | grep 'Jail list:' | sed -e 's/^.*:\W\+//' -e 's/\(\(\w\|-\)\+\)/{"{#JAIL}":"\1"}/g' -e 's/.*/{"data":[\0]}/'
  3. Copy fail2ban.conf to /etc/zabbix/zabbix_agentd.d

  4. Restart zabbix-agent:
    systemctl restart zabbix-agent

Note:

I had to amend the template to correctly detect status of fail2ban-server as following:
proc.num[python2,root,,fail2ban-server]

In case your fail2ban is running as a user other than root, replace root with your user.
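
A narrower sudoers rule for the setup above, as an added example that is not part of the original post: the rule in step 1 lets the zabbix account run every fail2ban-client subcommand as any user, while the two UserParameter lines only ever call `status`. The drop-in file name `zabbix-fail2ban` and the alias `F2B_STATUS` are assumptions.

```shell
#!/bin/sh
# Added example: least-privilege sudoers drop-in for the two UserParameter lines.
# The file name zabbix-fail2ban and the alias F2B_STATUS are assumptions.

render_dropin() {
    cat <<'EOF'
# Broad rule from the post (left commented out): any subcommand, as any user.
#   zabbix ALL= (ALL) NOPASSWD: /usr/bin/fail2ban-client
# Narrowed: only the "status" calls the template makes, and only as root.
# "*" in sudoers arguments also matches spaces, so this permits
# "status <jail> <more words>", not exactly one jail name.
Cmnd_Alias F2B_STATUS = /usr/bin/fail2ban-client status, \
                        /usr/bin/fail2ban-client status *
zabbix ALL = (root) NOPASSWD: F2B_STATUS
EOF
}

# Write the drop-in into directory $1 after a syntax check. The temporary
# name contains a dot, so sudo ignores it while it sits in /etc/sudoers.d.
install_dropin() {
    dir=$1
    tmp=$(mktemp "$dir/.f2b.XXXXXX") || return 1
    if ! render_dropin > "$tmp" || ! chmod 0440 "$tmp"; then
        rm -f "$tmp"; return 1
    fi
    if command -v visudo >/dev/null 2>&1 && ! visudo -cf "$tmp" >/dev/null; then
        rm -f "$tmp"; return 1
    fi
    mv "$tmp" "$dir/zabbix-fail2ban"
}

# "sh this-file install" (as root) installs; anything else just prints the rule.
if [ "${1:-}" = install ]; then
    install_dropin /etc/sudoers.d
else
    render_dropin
fi
```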

proc.num[fail2ban-server] returns 0 on Ubuntu 20.04.1 LTS

Hi,

This is the second box with Ubuntu 20.04 that I'm deploying with this template, I got this behavior on both of them.
zabbix_agentd -t proc.num[fail2ban-server] returns zero even when fail2ban is running and the autodiscovery rule is working fine, so no misconfiguration here. I have used this template a lot in the past (thank you BTW).

This is the environment:

Running the item

zabbix_agentd -t proc.num[fail2ban-server]
proc.num[fail2ban-server]                     [u|0]

Workaround 1:

zabbix_agentd -t proc.num[,,,fail2ban-server]
proc.num[,,,fail2ban-server]                  [u|2]

Workaround 2 (more precise):

zabbix_agentd -t proc.num[python3,,,fail2ban-server]
proc.num[python3,,,fail2ban-server]           [u|1]
fail2ban-server -V
0.11.1
zabbix_agentd -V
zabbix_agentd (daemon) (Zabbix) 4.0.17
Revision a528a0a4bc 28 January 2020, compilation time: Feb  4 2020 04:03:41

Copyright (C) 2020 Zabbix SIA
License GPLv2+: GNU GPL version 2 or later <http://gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it according to
the license. There is NO WARRANTY, to the extent permitted by law.

Compiled with GnuTLS 3.6.11
Running with GnuTLS 3.6.13
Ubuntu 20.04.1 LTS

How does the output of ps -Af|grep fail2ban look?

/usr/bin/python3 /usr/bin/fail2ban-server -xf start

How the output used to be under Fail2Ban v0.10.2:

/usr/bin/python /usr/bin/fail2ban-server -b -s /var/run/fail2ban/fail2ban.sock -p /var/run/fail2ban/fail2ban.pid

Use without root

For security it's better to use the template without granting root to the Zabbix agent.

Template improvement

Hi,

It's better to use this expression in the template's trigger definition:

<items> <item> <name>Fail2Ban service is running</name> <type>0</type> <snmp_community/> <snmp_oid/> <key>proc.num[,,,fail2ban-server]</key> ....
It is more flexible when you have servers with different versions of Python...

Fail2ban server is Down

Hi, all the data about the banned IPs is received successfully, but the system always sends that Fail2ban server is Down.
CentOS 7
Zabbix 5.2

New Trigger / Alerts on problems

Hello guys, first of all congratulations for this good work!

I wanna ask you if it is possible to have a trigger to create an alert under Problems once a new IP is banned, perhaps a grep on the /var/log/fail2ban.log log.

Thanks in advance! :)

Zabbix 5.0

Hello!
Do you plan to support Zabbix 5.0? Do you need help with this?

Ubuntu 22.04 and Zabbix 6 are not reporting correct f2b status

Seems that Ubuntu 22.04 and Zabbix 6 are not reporting correct f2b status. Zabbix shows the service as "Down" when in fact it is confirmed as Up.

root@aaaaaa:~# systemctl status fail2ban
● fail2ban.service - Fail2Ban Service
     Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; vendor preset: enabled)
     Active: active (running) since Thu 2022-12-01 18:52:51 PST; 7min ago
       Docs: man:fail2ban(1)
   Main PID: 4077 (fail2ban-server)
      Tasks: 17 (limit: 19118)
     Memory: 14.1M
        CPU: 3.243s
     CGroup: /system.slice/fail2ban.service
             └─4077 /usr/bin/python3 /usr/bin/fail2ban-server -xf start

Dec 01 18:52:51 aaaaa.com systemd[1]: Started Fail2Ban Service.
Dec 01 18:52:51 aaaaa.com fail2ban-server[4077]: Server ready

Zabbix:

Timestamp | Fail2Ban service is running
-- | --
2022-12-01 19:01:38 | Down (0)
2022-12-01 19:00:38 | Down (0)
2022-12-01 18:59:38 | Down (0)

zabbix_server (Zabbix) 6.2.3
Ubuntu version: 22.04.1

Detect malformed fail2ban database

I've had a quick look at this template and I don't think it will detect the main error I'm looking to avoid with fail2ban.

Today I discovered f2b had stopped working on one of our servers. When I requested the status of the service I saw an error like this:

# systemctl status fail2ban
● fail2ban.service - Fail2Ban Service
   Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; vendor preset: enabled)
   Active: active (running) since Tue 2020-10-20 19:53:17 BST; 14h ago
     Docs: man:fail2ban(1)
 Main PID: 3181 (fail2ban-server)
    Tasks: 3
   Memory: 34.8M
      CPU: 40.139s
   CGroup: /system.slice/fail2ban.service
           └─3181 /usr/bin/python3 /usr/bin/fail2ban-server -s /var/run/fail2ban/fail2ban.sock -p /var/run/fail2ban/fail2ban.pid -x -b

Oct 20 19:53:14 OURSERVER systemd[1]: Starting Fail2Ban Service...
Oct 20 19:53:17 OURSERVER fail2ban-client[2645]: 2020-10-20 19:53:17,313 fail2ban.server         [3175]: INFO    Starting Fail2ban v0.
Oct 20 19:53:17 OURSERVER fail2ban-client[2645]: 2020-10-20 19:53:17,313 fail2ban.server         [3175]: INFO    Starting in daemon mo
Oct 20 19:53:17 OURSERVER fail2ban-client[2645]: ERROR  NOK: ('database disk image is malformed',)
Oct 20 19:53:17 OURSERVER systemd[1]: Started Fail2Ban Service.

As you can see, systemd thought the service was still active and running when really it wasn't, due to the corrupted database. It seems the current template only checks to see if fail2ban-server is running, and I suspect that in my case the template would not have detected it.

Does fail2ban-server stop running when the database is corrupted? It doesn't seem to stop the systemd service.

40-ubuntu template does not import in zabbix 4

I get this error:

    Cannot find item "fail2ban.status[{#JAIL}]" on "Template Fail2ban" used in graph prototype "Count of banned IPs on jail {#JAIL}" of discovery rule "Fail2ban discovery" on "Template Fail2ban Ubuntu 20.04".

Once I remove the graph section from the template, it imports just fine.

Several XML-errors on import of Template-Fail2ban50-UBUNTU20.xml

I tried to use the template file with Ubuntu 20.04 and Zabbix 5.0.6, but it shows several issues within the XML-file, e.g.:

In line 69 sth. like <meta name="hovercard-subject-tag" content="repository:161399386" data-pjax-transient="true" >

instead of just <meta name="hovercard-subject-tag" content="repository:161399386" data-pjax-transient> and several similar ones.

Thx
Andreas

Error during import of template file on Zabbix 4.2

Hi
I'm having issues importing the template in a freshly installed zabbix 4.2 system. When I import the file the following message appears:

Invalid tag "/zabbix_export/templates/template(1)/discovery_rules/discovery_rule(1)": the tag "master_item" is missing.

Since I'm really new to zabbix I don't know how to debug this problem.

Persist socket permission changes

The installation instructions cover changing the fail2ban socket permissions for access as a non-root user; however, these changes are lost the next time the socket is created.

To persist them on a system where fail2ban is managed by systemd, add the following to the fail2ban service override file:

systemctl edit fail2ban

[Service]
ExecStartPost=/bin/sh -c "while ! [ -S /run/fail2ban/fail2ban.sock ]; do sleep 1; done"
ExecStartPost=/bin/chgrp fail2ban /run/fail2ban/fail2ban.sock
ExecStartPost=/bin/chmod g+w /run/fail2ban/fail2ban.sock

Unsupported item key in Zabbix 5.0

I'm getting the error Unsupported item key in Zabbix 5.0. I have the following configuration:

root@server:~# dpkg -l | grep fail2ban
ii fail2ban 0.11.1-1 all ban hosts that cause multiple authentication errors

root@server:~# fail2ban-client status
Status
|- Number of jail: 9
`- Jail list: apache-badbots, apache-botsearch, apache-fakegooglebot, apache-modsecurity, apache-nohome, apache-noscript, apache-overflows, apache-shellshock, sshd

root@server:~# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 20.04.2 LTS
Release: 20.04
Codename: focal

root@server:~# dpkg -l | grep zabbix
ii zabbix-agent 1:5.0.8-1+focal amd64 Zabbix network monitoring solution - agent
ii zabbix-release 1:5.0-1+focal all Zabbix official repository configuration

I downloaded the Version 5.0 template from the zabbix share. I followed all of the installation steps.

Not work (Zabbix 4.0)

Hi.
On a host with debian 9 in the detection rules: Unsupported item key.
What could be the problem?
p.s. zabbix 4.0
