Script munin pour fail2ban
Suite a l’installation de fail2ban pour améliorer la sécurité du serveur, il a bien fallut installer un script munin pour vérifier l’impact de celui-ci. Un petit tour sur munin exange et voila un joli script:
#!/usr/bin/python
#
# Plugin to monitor fail2ban blacklists.
# Parses iptables output. Must be run as a user that may do such. Probably root.
#
# Requires: python, probably 2.3 or so :)
#
# Written by Lasse Karstensen <lasse.karstensen@gmail.com> September 2007.
# Parameters understood:
# config (required)
# autoconf (optional)
#
#%# family=auto
#%# capabilities=autoconf
libdir="/usr/share/fail2ban"
iptablesbin="/sbin/iptables"
import sys, os, ConfigParser
def get_fail2ban_checks(configfile="/etc/fail2ban.conf"):
confReader = ConfigParser.ConfigParser()
confReader.read(configfile)
res = []
for section in confReader.sections():
# basic configuration, not essential for us so we skip it.
if section in ["MAIL"]:
continue
if confReader.has_option(section, "enabled"):
val = confReader.get(section, "enabled")
if val.lower() == "true":
res.append(section)
return res
def list_iptables(chain):
global iptablesbin
cmd = "%s -n -L fail2ban-%s" % (iptablesbin, chain)
num = 0
for line in os.popen(cmd):
line = line.strip()
if line.split()[0] == "DROP":
num = num + 1
return num
def print_config():
# noisy
print 'graph_title Fail2ban blacklist'
print 'graph_info This graph shows the number of host blocked by fail2ban.'
print 'graph_category network'
print 'graph_vlabel Count'
print 'graph_args --base 1000 -l 0'
print 'graph_total total'
for checkname in get_fail2ban_checks():
checkname_sane = checkname_sanitize(checkname)
print '%s.label Rules in chain %s' % (checkname_sane, checkname_sane)
print '%s.min 0' % checkname_sane
def checkname_sanitize(name):
new = ""
from string import digits, letters
for char in name:
if char not in letters+digits:
new += "_"
else:
new += char
return new
def main():
if len(sys.argv) > 1 and sys.argv[1] == "autoconf":
if os.path.isdir(libdir):
print "yes"
sys.exit(0)
else:
print "no"
sys.exit(1)
sys.path.append(libdir)
if len(sys.argv) > 1 and sys.argv[1] == "config":
print_config()
sys.exit(0)
for checkname in get_fail2ban_checks():
num = list_iptables(checkname)
print "%s.value %s" % (checkname_sanitize(checkname), num)
if __name__ == "__main__":
main()
Dans un permier temps je n’avais aucun résultat en effet dans mon fichier /etc/jail.conf
j’ai utilisé
[section]
enable= yes
au lieu de
[section]
enable = true
qui fonctionne pour fail2ban mais pas pour ce script qui attend uniquement true….
Laisser un commentaire