Munin: fail2ban (#13)
entfernen Playbook erstellt Typo fail2ban eingebaut Co-authored-by: Michael Grote <michael.grote@posteo.de> Reviewed-on: mg/ansible#13 Co-Authored-By: mg <mg@noreply.git.mgrote.net> Co-Committed-By: mg <mg@noreply.git.mgrote.net>
This commit is contained in:
parent
16dd0cbe08
commit
e794108547
3 changed files with 315 additions and 1 deletions
|
@ -29,6 +29,7 @@
|
|||
- name: zfs_arcstats
|
||||
- name: zfs_list
|
||||
- name: zpool_capacity
|
||||
- name: fail2ban_
|
||||
munin_node_config: {
|
||||
"apc_nis": {
|
||||
"env.host": "pve2.grote.lan",
|
||||
|
@ -41,8 +42,9 @@
|
|||
- remote_src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/zpool_iostat
|
||||
- remote_src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/zfs_list
|
||||
- remote_src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/zpool_capacity
|
||||
- src: templates/fail2ban_
|
||||
munin_node_remove_plugins:
|
||||
- name: meminfo # zhohe last
|
||||
- name: meminfo # zu hohe last
|
||||
- name: hddtemp2 # ersetzt durch hddtemp_smartctl
|
||||
- name: squid_cache
|
||||
- name: squid_objectsize
|
||||
|
@ -50,6 +52,7 @@
|
|||
- name: squid_traffic
|
||||
- name: nfsd
|
||||
- name: nfsd4
|
||||
- name: cronjobs
|
||||
- name: hddtempd # ersetzt durch hddtemp_smartctl
|
||||
- name: ipmi_power # für pve2, leeres diagramm
|
||||
# Ansible Variablen
|
||||
|
|
14
playbooks/on-off/remove_munin_node.yml
Normal file
14
playbooks/on-off/remove_munin_node.yml
Normal file
|
@ -0,0 +1,14 @@
|
|||
---
|
||||
- hosts: all
|
||||
become: yes
|
||||
|
||||
tasks:
|
||||
- name: remove Packages
|
||||
become: yes
|
||||
ansible.builtin.apt:
|
||||
autoremove: yes
|
||||
autoclean: yes
|
||||
purge: yes
|
||||
name:
|
||||
- munin-node
|
||||
state: absent
|
297
roles/geerlingguy.munin-node/templates/fail2ban_
Normal file
297
roles/geerlingguy.munin-node/templates/fail2ban_
Normal file
|
@ -0,0 +1,297 @@
|
|||
#!/usr/bin/env python3
|
||||
|
||||
"""
|
||||
=head1 NAME
|
||||
|
||||
fail2ban_ - Wildcard plugin to monitor fail2ban blacklists
|
||||
|
||||
=head1 ABOUT
|
||||
|
||||
Requires Python 2.7
|
||||
Requires fail2ban 0.9.2
|
||||
|
||||
=head1 AUTHOR
|
||||
|
||||
Copyright (c) 2015 Lee Clemens
|
||||
|
||||
Inspired by fail2ban plugin written by Stig Sandbeck Mathisen
|
||||
|
||||
=head1 CONFIGURATION
|
||||
|
||||
fail2ban-client needs to be run as root.
|
||||
|
||||
Add the following to your @@CONFDIR@@/munin-node:
|
||||
|
||||
[fail2ban_*]
|
||||
user root
|
||||
|
||||
=head1 LICENSE
|
||||
|
||||
GNU GPLv2 or any later version
|
||||
|
||||
=begin comment
|
||||
|
||||
This program is free software; you can redistribute it and/or modify
|
||||
it under the terms of the GNU General Public License as published by
|
||||
the Free Software Foundation; either version 2 of the License, or (at
|
||||
your option) any later version.
|
||||
|
||||
This program is distributed in the hope that it will be useful, but
|
||||
WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||
General Public License for more details
|
||||
|
||||
You should have received a copy of the GNU General Public License along
|
||||
with this program; if not, write to the Free Software Foundation, Inc.,
|
||||
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
|
||||
=end comment
|
||||
|
||||
=head1 BUGS
|
||||
|
||||
Transient values (particularly ASNs) come and go...
|
||||
Better error handling (Popen), logging
|
||||
Optimize loops and parsing in __get_jail_status() and parse_fail2ban_status()
|
||||
Cymru ASNs aren't displayed in numerical order (internal name has alpha-prefix)
|
||||
Use JSON status once fail2ban exposes JSON status data
|
||||
|
||||
=head1 MAGIC MARKERS
|
||||
|
||||
#%# family=auto
|
||||
#%# capabilities=autoconf suggest
|
||||
|
||||
=cut
|
||||
"""
|
||||
|
||||
from collections import Counter
|
||||
from os import path, stat, access, X_OK, environ
|
||||
from subprocess import Popen, PIPE
|
||||
from time import time
|
||||
import re
|
||||
import sys
|
||||
|
||||
|
||||
PLUGIN_BASE = "fail2ban_"
|
||||
|
||||
CACHE_DIR = environ['MUNIN_PLUGSTATE']
|
||||
CACHE_MAX_AGE = 120
|
||||
|
||||
STATUS_FLAVORS_FIELDS = {
|
||||
"basic": ["jail"],
|
||||
"cymru": ["asn", "country", "rir"]
|
||||
}
|
||||
|
||||
|
||||
def __parse_plugin_name():
|
||||
if path.basename(__file__).count("_") == 1:
|
||||
return path.basename(__file__)[len(PLUGIN_BASE):], ""
|
||||
else:
|
||||
return (path.basename(__file__)[len(PLUGIN_BASE):].split("_")[0],
|
||||
path.basename(__file__)[len(PLUGIN_BASE):].split("_")[1])
|
||||
|
||||
|
||||
def __get_jails_cache_file():
|
||||
return "%s/%s.state" % (CACHE_DIR, path.basename(__file__))
|
||||
|
||||
|
||||
def __get_jail_status_cache_file(jail_name):
|
||||
return "%s/%s__%s.state" % (CACHE_DIR, path.basename(__file__), jail_name)
|
||||
|
||||
|
||||
def __parse_jail_names(jails_data):
|
||||
"""
|
||||
Parse the jails returned by `fail2ban-client status`:
|
||||
|
||||
Status
|
||||
|- Number of jail: 3
|
||||
`- Jail list: apache-badbots, dovecot, sshd
|
||||
"""
|
||||
jails = []
|
||||
for line in jails_data.splitlines()[1:]:
|
||||
if line.startswith("`- Jail list:"):
|
||||
return [jail.strip(" ,\t") for jail in
|
||||
line.split(":", 1)[1].split(" ")]
|
||||
return jails
|
||||
|
||||
|
||||
def __get_jail_names():
|
||||
"""
|
||||
Read jails from cache or execute `fail2ban-client status`
|
||||
and pass stdout to __parse_jail_names
|
||||
"""
|
||||
cache_filename = __get_jails_cache_file()
|
||||
try:
|
||||
mtime = stat(cache_filename).st_mtime
|
||||
except OSError:
|
||||
mtime = 0
|
||||
if time() - mtime > CACHE_MAX_AGE:
|
||||
p = Popen(["fail2ban-client", "status"], shell=False, stdout=PIPE)
|
||||
jails_data = p.communicate()[0]
|
||||
with open(cache_filename, 'w') as f:
|
||||
f.write(jails_data)
|
||||
else:
|
||||
with open(cache_filename, 'r') as f:
|
||||
jails_data = f.read()
|
||||
return __parse_jail_names(jails_data)
|
||||
|
||||
|
||||
def autoconf():
|
||||
"""
|
||||
Attempt to find fail2ban-client in path (using `which`) and ping the client
|
||||
"""
|
||||
p_which = Popen(["which", "fail2ban-client"], shell=False, stdout=PIPE,
|
||||
stderr=PIPE)
|
||||
stdout, stderr = p_which.communicate()
|
||||
if len(stdout) > 0:
|
||||
client_path = stdout.strip()
|
||||
if access(client_path, X_OK):
|
||||
p_ping = Popen([client_path, "ping"], shell=False)
|
||||
p_ping.communicate()
|
||||
if p_ping.returncode == 0:
|
||||
print("yes")
|
||||
else:
|
||||
print("no (fail2ban-server does not respond to ping)")
|
||||
else:
|
||||
print("no (fail2ban-client is not executable)")
|
||||
else:
|
||||
import os
|
||||
|
||||
print("no (fail2ban-client not found in path: %s)" %
|
||||
os.environ["PATH"])
|
||||
|
||||
|
||||
def suggest():
|
||||
"""
|
||||
Iterate all defined flavors (source of data) and fields (graph to display)
|
||||
"""
|
||||
# Just use basic for autoconf/suggest
|
||||
flavor = "basic"
|
||||
for field in STATUS_FLAVORS_FIELDS[flavor]:
|
||||
print("%s_%s" % (flavor, field if len(flavor) > 0 else flavor))
|
||||
|
||||
|
||||
def __get_jail_status(jail, flavor):
|
||||
"""
|
||||
Return cache or execute `fail2ban-client status <jail> <flavor>`
|
||||
and save to cache and return
|
||||
"""
|
||||
cache_filename = __get_jail_status_cache_file(jail)
|
||||
try:
|
||||
mtime = stat(cache_filename).st_mtime
|
||||
except OSError:
|
||||
mtime = 0
|
||||
if time() - mtime > CACHE_MAX_AGE:
|
||||
p = Popen(["fail2ban-client", "status", jail, flavor], shell=False,
|
||||
stdout=PIPE)
|
||||
jail_status_data = p.communicate()[0]
|
||||
with open(cache_filename, 'w') as f:
|
||||
f.write(jail_status_data)
|
||||
else:
|
||||
with open(cache_filename, 'r') as f:
|
||||
jail_status_data = f.read()
|
||||
return jail_status_data
|
||||
|
||||
|
||||
def __normalize(name):
|
||||
name = re.sub("[^a-z0-9A-Z]", "_", name)
|
||||
return name
|
||||
|
||||
|
||||
def __count_groups(value_str):
|
||||
"""
|
||||
Helper method to count unique values in the space-delimited value_str
|
||||
"""
|
||||
return Counter([key for key in value_str.split(" ") if key])
|
||||
|
||||
|
||||
def config(flavor, field):
|
||||
"""
|
||||
Print config data (e.g. munin-run config), including possible labels
|
||||
by parsing real status data
|
||||
"""
|
||||
print("graph_title fail2ban %s %s" % (flavor, field))
|
||||
print("graph_args --base 1000 -l 0")
|
||||
print("graph_vlabel Hosts banned")
|
||||
print("graph_category security")
|
||||
print("graph_info"
|
||||
" Number of hosts banned using status flavor %s and field %s" %
|
||||
(flavor, field))
|
||||
print("graph_total total")
|
||||
munin_fields, field_labels, values = parse_fail2ban_status(flavor, field)
|
||||
for munin_field in munin_fields:
|
||||
print("%s.label %s" % (munin_field, field_labels[munin_field]))
|
||||
|
||||
|
||||
def run(flavor, field):
|
||||
"""
|
||||
Parse the status data and print all values for a given flavor and field
|
||||
"""
|
||||
munin_fields, field_labels, values = parse_fail2ban_status(flavor, field)
|
||||
for munin_field in munin_fields:
|
||||
print("%s.value %s" % (munin_field, values[munin_field]))
|
||||
|
||||
|
||||
def parse_fail2ban_status(flavor, field):
|
||||
"""
|
||||
Shared method to parse jail status output and determine field names
|
||||
and aggregate counts
|
||||
"""
|
||||
field_labels = dict()
|
||||
values = dict()
|
||||
for jail in __get_jail_names():
|
||||
jail_status = __get_jail_status(jail, flavor)
|
||||
for line in jail_status.splitlines()[1:]:
|
||||
if flavor == "basic":
|
||||
if field == "jail":
|
||||
if line.startswith(" |- Currently banned:"):
|
||||
internal_name = __normalize(jail)
|
||||
field_labels[internal_name] = jail
|
||||
values[internal_name] = line.split(":", 1)[1].strip()
|
||||
else:
|
||||
raise Exception(
|
||||
"Undefined field %s for flavor %s for jail %s" %
|
||||
(field, flavor, jail))
|
||||
elif flavor == "cymru":
|
||||
# Determine which line of output we care about
|
||||
if field == "asn":
|
||||
search_string = " |- Banned ASN list:"
|
||||
elif field == "country":
|
||||
search_string = " |- Banned Country list:"
|
||||
elif field == "rir":
|
||||
search_string = " `- Banned RIR list:"
|
||||
else:
|
||||
raise Exception(
|
||||
"Undefined field %s for flavor %s for jail %s" %
|
||||
(field, flavor, jail))
|
||||
if line.startswith(search_string):
|
||||
prefix = "%s_%s" % (flavor, field)
|
||||
# Now process/aggregate the counts
|
||||
counts_dict = __count_groups(line.split(":", 1)[1].strip())
|
||||
for key in counts_dict:
|
||||
internal_name = "%s_%s" % (prefix, __normalize(key))
|
||||
if internal_name in field_labels:
|
||||
values[internal_name] += counts_dict[key]
|
||||
else:
|
||||
field_labels[internal_name] = key
|
||||
values[internal_name] = counts_dict[key]
|
||||
else:
|
||||
raise Exception("Undefined flavor: %s for jail %s" %
|
||||
(flavor, jail))
|
||||
return sorted(field_labels.keys()), field_labels, values
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
if len(sys.argv) > 1:
|
||||
command = sys.argv[1]
|
||||
else:
|
||||
command = ""
|
||||
if command == "autoconf":
|
||||
autoconf()
|
||||
elif command == "suggest":
|
||||
suggest()
|
||||
elif command == 'config':
|
||||
flavor_, field_ = __parse_plugin_name()
|
||||
config(flavor_, field_)
|
||||
else:
|
||||
flavor_, field_ = __parse_plugin_name()
|
||||
run(flavor_, field_)
|
Loading…
Reference in a new issue