Suite à l’installation de fail2ban pour améliorer la sécurité du serveur, il a bien fallu installer un script Munin pour vérifier l’impact de celui-ci. Un petit tour sur Munin Exchange et voilà un joli script :

#!/usr/bin/python
#
# Plugin to monitor fail2ban blacklists.
# Parses iptables output. Must be run as a user that may do such. Probably root.
#
# Requires: python, probably 2.3 or so 🙂
#
# Written by Lasse Karstensen <lasse.karstensen@gmail.com> September 2007.
# Parameters understood:
# 	config   (required)
# 	autoconf (optional)
#
#%# family=auto
#%# capabilities=autoconf

# Directory whose presence main() reports as "yes" for autoconf; main() also
# appends it to sys.path.
libdir = "/usr/share/fail2ban"

# Absolute path of the iptables binary that list_iptables() runs.
iptablesbin = "/sbin/iptables"

import sys, os, ConfigParser

def get_fail2ban_checks(configfile="/etc/fail2ban.conf"):
    """Return the names of the enabled sections found in *configfile*.

    A section counts as enabled only when it has an ``enabled`` option whose
    value, lowercased, is exactly "true". Other spellings such as "yes" are
    not recognised here, so a section written that way is left out and never
    appears on the graph. The "MAIL" section is always skipped.

    ConfigParser.read() ignores a file it cannot open, so a missing or
    unreadable *configfile* yields an empty list rather than an error.
    """
    parser = ConfigParser.ConfigParser()
    parser.read(configfile)

    enabled_sections = []
    for name in parser.sections():
        # "MAIL" holds basic configuration, not something to graph.
        if name == "MAIL":
            continue
        if not parser.has_option(name, "enabled"):
            continue
        if parser.get(name, "enabled").lower() == "true":
            enabled_sections.append(name)
    return enabled_sections

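def list_iptables(chain):
    """Count the DROP rules in the iptables chain ``fail2ban-<chain>``.

    Runs ``iptables -n -L fail2ban-<chain>`` and returns the number of output
    lines whose first field is "DROP".

    *chain* comes from a section name in the configuration file. The command
    is passed as an argument list, so no shell parses the name; the
    "fail2ban-" prefix also keeps it from being read as an option.

    If the binary cannot be executed, a message is written to stderr and 0 is
    returned, so the plugin still prints a value for every check.

    Uses the subprocess module, which requires Python 2.4 or newer.
    """
    import subprocess

    argv = [iptablesbin, "-n", "-L", "fail2ban-%s" % chain]
    try:
        proc = subprocess.Popen(argv, stdout=subprocess.PIPE,
                                universal_newlines=True)
    except OSError:
        sys.stderr.write("fail2ban plugin: cannot execute %s\n" % iptablesbin)
        return 0
    output = proc.communicate()[0]

    num = 0
    for line in output.splitlines():
        fields = line.split()
        # A blank line has no fields; indexing [0] on it would raise IndexError.
        if fields and fields[0] == "DROP":
            num += 1
    return num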

def print_config():
    """Print the Munin ``config`` output for this plugin.

    Emits the fixed graph settings first, then a ``label`` and a ``min`` line
    for every section returned by get_fail2ban_checks(). The sanitized section
    name is used both as the field name and inside the label text.
    """
    graph_settings = (
        'graph_title Fail2ban blacklist',
        'graph_info This graph shows the number of host blocked by fail2ban.',
        'graph_category network',
        'graph_vlabel Count',
        'graph_args --base 1000 -l 0',
        'graph_total total',
    )
    for setting in graph_settings:
        print(setting)

    for section in get_fail2ban_checks():
        field = checkname_sanitize(section)
        print('%s.label Rules in chain %s' % (field, field))
        print('%s.min 0' % field)

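def checkname_sanitize(name):
    """Return *name* with every character outside [A-Za-z0-9] replaced by "_".

    The result is used as a Munin field name, so the allowed set is fixed to
    ASCII letters and digits. ``string.letters`` is locale-dependent in
    Python 2 and absent in Python 3; ``ascii_letters`` is always the same set.
    An empty *name* yields an empty string.
    """
    from string import ascii_letters, digits

    allowed = ascii_letters + digits
    pieces = []
    for char in name:
        if char in allowed:
            pieces.append(char)
        else:
            pieces.append("_")
    # Join once instead of growing a string one character at a time.
    return "".join(pieces)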

def main():
    """Dispatch on the first command-line argument.

    ``autoconf`` prints "yes" and exits 0 when ``libdir`` is a directory,
    otherwise prints "no" and exits 1. ``config`` prints the graph
    configuration and exits 0. With any other argument, or none, one
    ``<field>.value <count>`` line is printed per enabled section.
    """
    mode = None
    if len(sys.argv) > 1:
        mode = sys.argv[1]

    if mode == "autoconf":
        if not os.path.isdir(libdir):
            print("no")
            sys.exit(1)
        print("yes")
        sys.exit(0)

    sys.path.append(libdir)
    if mode == "config":
        print_config()
        sys.exit(0)

    for checkname in get_fail2ban_checks():
        count = list_iptables(checkname)
        print("%s.value %s" % (checkname_sanitize(checkname), count))

# Run the plugin only when this file is executed as a script, not on import.
if __name__ == "__main__":
    main()

Dans un premier temps, je n’avais aucun résultat. En effet, dans mon fichier /etc/jail.conf

j’ai utilisé

[section]
enable= yes

au lieu de

[section]
enable = true

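La première forme (yes) fonctionne pour fail2ban, mais pas pour ce script, qui attend uniquement true : il lit l’option « enabled » de chaque section et compare sa valeur, mise en minuscules, à la seule chaîne « true ».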
