- Automatic discovery of jails
- Monitor service status
- Monitor jails current
- Monitor jails total
- Monitor jails for banned IPs
- Trigger for jails
- Trigger for service status
- Jails graph
- Script for collect banned IPs for jail
Download the latest version of configuration file fail2ban.conf from the repo. Put the file here /etc/zabbix/zabbix_agentd.d/fail2ban.conf or here for zabbix agent 2 /etc/zabbix/zabbix_agentd2.d/fail2ban.conf and here for zabbix server /etc/zabbix/zabbix_agentd.d/fail2ban.conf
Download the latest version of script file fail2ban.sh from the repo. Put the file here /etc/zabbix/zabbix_agentd.conf.d/scripts/ or here for zabbix agent 2 /etc/zabbix/zabbix_agentd2.conf.d/scripts and here for zabbix server in directory /etc/zabbix/zabbix_agentd.d/scripts.
Fail2ban works only with root by default. We need to grant permission to Zabbix to access the Fail2ban. This is done by granting the required permissions to the socket of Fail2ban. Below is an example for Debian 10, all operations are performed under root.
The socket file is located at /var/run/fail2ban/fail2ban.sock. It has the following permissions by default:
root@server:~# ls -l /var/run/fail2ban/fail2ban.sock
srwx------ 1 root root 0 Mar 4 17:51 /var/run/fail2ban/fail2ban.sockSo, if you will try to use Fail2ban, you will get access denied message:
root@server:~# fail2ban-client status
ERROR Permission denied to socket: /var/run/fail2ban/fail2ban.sock, (you must be root)It's not a good idea to grant root permission to Zabbix in terms of security. Instead we will allow the Zabbix user to use this socket. Zabbix agent is run under the zabbix user. First, we need to create a new group called fail2ban. All users that belong to this group will be able to access Fail2ban. To create a group use the following command:
root@server:~# addgroup --group fail2banNow let's add the existing zabbix user to this newly created group:
root@server:~# usermod -a -G fail2ban zabbixThen we must change the group owner of the socket from root to fail2ban:
root@server:~# chown root:fail2ban /var/run/fail2ban/fail2ban.sockFinally adjust the permissions on the socket so that the group members can access it:
root@server:~# chmod g+rwx /var/run/fail2ban/fail2ban.sockNow we can test that Zabbix agent can call Fail2ban:
root@server:~# su - zabbix --shell=/bin/bash -c ' fail2ban-client status sshd'
Status for the jail: sshd
|- Filter
| |- Currently failed: 0
| |- Total failed: 0
| `- File list: /var/log/auth.log
`- Actions
|- Currently banned: 0
|- Total banned: 0
`- Banned IP list:
The response above with list of jails means that everything works fine. Sometimes you may see a warning:
warning: cannot change directory to /var/lib/zabbix/: No such file or directory`
It happens when the Zabbix home directory does not exist (installation issue?). In this case simply create this directory:
root@server:~# mkdir /var/lib/zabbix
root@server:~# chown zabbix:zabbix /var/lib/zabbixAfter that perform the test above and the error message should disappear.
The installation instructions cover changing the fail2ban socket permissions for access as a non root user, however these changes are lost the next time the socket is created.
To persist on a system where fail2ban is managed by systemd, add the following to the fail2ban service override file
root@server:~# systemctl edit fail2ban[Service]
ExecStartPost=/bin/sh -c "while ! [ -S /run/fail2ban/fail2ban.sock ]; do sleep 1; done"
ExecStartPost=/bin/chown root:fail2ban /var/run/fail2ban/fail2ban.sock
ExecStartPost=/bin/chmod g+rwx /var/run/fail2ban/fail2ban.sockroot@server:~# systemctl daemon-reload
root@server:~# systemctl restart zabbix-agent fail2ban- Import the template file into Zabbix Server (this operation is done only once). Use the template file that matches your Zabbix Server version.
- Assign the template to a host that you want to monitor.