Netdata and fail2ban persistent bans

Netdata works out of the box with fail2ban and monitors the number of bans in each of the jails defined. It displays two charts: IPs banned per second and cumulative IPs banned (since the last restart of netdata). The downside of this is that whenever netdata or the server machine restarts, the cumulative IPs chart is reset to 0. If you ban IPs persistently like me (by setting [cci]bantime = -1[/cci] in, say, the [cci]sshd[/cci] jail in the fail2ban [cci]jail.local[/cci] file), then the cumulative IPs chart loses its purpose. We will modify some netdata code so that it correctly monitors the total number of banned IPs in each fail2ban jail.

Note: This fix only works for 1.10.0 or earlier releases of netdata. Version 1.11.0 refactored the fail2ban module, and this fix no longer works as intended.

All of the netdata monitoring scripts are stored in [cci]/usr/lib/netdata/[/cci]. Use your favourite text editor to open the Python script:
[cc]/usr/lib/netdata/python.d/fail2ban.chart.py[/cc]
Change the line
[cc lang="python"]REGEX_DATA = r_compile(r'\[(?P<jail>[A-Za-z-_0-9]+)\] (?P<action>U|B)[a-z]+ (?P<ip>\d{1,3}(?:\.\d{1,3}){3})')[/cc]
to
[cc lang="python"]REGEX_DATA = r_compile(r'\[(?P<jail>[A-Za-z-_0-9]+)\] (?P<action>U|B|R)[a-z]+(| Ban) (?P<ip>\d{1,3}(?:\.\d{1,3}){3})')[/cc]
Then, change the line
[cc lang="python"]if action == 'B':[/cc]
to
[cc lang="python"]if action == 'B' or action == 'R':[/cc]
Save and exit the text editor. This tells netdata to also recognise the following kind of line in the fail2ban log as a "ban" action (fail2ban writes one of these at startup for every ban it restores from its persistent database):
[cc]2017-12-28 08:22:16,573 fail2ban.actions [15022]: NOTICE [sshd] Restore Ban xx.xx.xx.xx[/cc]
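To see exactly what the two edits change, here is an added example (not part of this post and not netdata's own code) that replays a few constructed fail2ban log lines through both the original and the patched pattern, using the same per-jail ban/unban bookkeeping netdata's module performs. The jail names, the IP addresses (RFC 5737 documentation ranges) and the helper [cci]count_banned[/cci] are constructed for the example.

```python
import re

# Original pattern from netdata 1.10's fail2ban.chart.py (only "Ban"/"Unban")
REGEX_ORIGINAL = re.compile(
    r'\[(?P<jail>[A-Za-z-_0-9]+)\] (?P<action>U|B)[a-z]+ '
    r'(?P<ip>\d{1,3}(?:\.\d{1,3}){3})'
)

# Patched pattern from this post: "Restore Ban" now matches with action 'R'
REGEX_PATCHED = re.compile(
    r'\[(?P<jail>[A-Za-z-_0-9]+)\] (?P<action>U|B|R)[a-z]+(| Ban) '
    r'(?P<ip>\d{1,3}(?:\.\d{1,3}){3})'
)

# Constructed sample log: two jails, restored bans at startup, then normal activity
SAMPLE_LOG = """\
2017-12-28 08:22:16,573 fail2ban.actions [15022]: NOTICE [sshd] Restore Ban 192.0.2.10
2017-12-28 08:22:16,574 fail2ban.actions [15022]: NOTICE [sshd] Restore Ban 192.0.2.11
2017-12-28 08:22:16,575 fail2ban.actions [15022]: NOTICE [nginx-http-auth] Restore Ban 198.51.100.7
2017-12-28 09:01:02,001 fail2ban.filter  [15022]: INFO   [sshd] Found 203.0.113.5
2017-12-28 09:01:05,002 fail2ban.actions [15022]: NOTICE [sshd] Ban 203.0.113.5
2017-12-28 09:01:05,003 fail2ban.actions [15022]: NOTICE [sshd] Ban 192.0.2.10
2017-12-28 10:00:00,000 fail2ban.actions [15022]: NOTICE [nginx-http-auth] Unban 198.51.100.7
"""

JAILS = ('sshd', 'nginx-http-auth')


def count_banned(lines, regex, jails=JAILS, ban_actions=('B', 'R')):
    """Replay the log through `regex` and return two dicts keyed by jail:
    the number of IPs currently banned, and the total ban events seen.

    `ban_actions` mirrors the second edit in the post: with ('B',) only
    real bans count, with ('B', 'R') "Restore Ban" lines count as bans too.
    """
    banned = {jail: set() for jail in jails}
    bans_seen = {jail: 0 for jail in jails}
    for row in lines:
        match = regex.search(row)
        if not match:
            continue  # e.g. "Found" lines from fail2ban.filter
        # Use groupdict(), not groups(): the patched pattern adds an
        # unnamed capturing group "(| Ban)" that would shift positional fields.
        fields = match.groupdict()
        jail, action, ip = fields['jail'], fields['action'], fields['ip']
        if jail not in banned:
            continue  # jail not enabled / not monitored
        if action in ban_actions:
            banned[jail].add(ip)  # a set, so a re-ban of a restored IP is not double counted
            bans_seen[jail] += 1
        else:
            banned[jail].discard(ip)  # 'U' = Unban
    return {jail: len(ips) for jail, ips in banned.items()}, bans_seen


def demo():
    """Return (original_result, patched_result) for the constructed log."""
    lines = SAMPLE_LOG.splitlines()
    original = count_banned(lines, REGEX_ORIGINAL, ban_actions=('B',))
    patched = count_banned(lines, REGEX_PATCHED, ban_actions=('B', 'R'))
    return original, patched


if __name__ == '__main__':
    original, patched = demo()
    print('original in_jail/bans_seen:', original)
    print('patched  in_jail/bans_seen:', patched)
```

With the original pattern the three persistent bans restored at startup are invisible, so [cci]sshd[/cci] reports 2 IPs in jail; with the patched pattern and [cci]'R'[/cci] treated as a ban it reports the correct 3, and the Unban in [cci]nginx-http-auth[/cci] correctly brings that jail back to 0.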

Restart netdata:
[cc lang="bash"]$ sudo systemctl restart netdata[/cc]
For netdata to correctly count all persistently banned IPs, we must also restart fail2ban:
[cc lang="bash"]$ sudo systemctl restart fail2ban[/cc]
Note that we are [cci]restart[/cci]ing, not [cci]reload[/cci]ing. Fail2ban will remove all entries from iptables and then repopulate them from its database, logging a "Restore Ban" line for each one. Wait a minute or so for the restored bans to fill up the iptables.

Every time netdata or your server machine is restarted, you must also manually restart fail2ban once for the total IP count to be correct. This is because netdata only counts log lines written after it has started tailing the fail2ban log, so fail2ban must not begin repopulating the iptables (and writing its "Restore Ban" lines) until netdata is fully ready to parse the log file.
