Fail2ban not working

I followed the instructions to install monitoring for fail2ban however it does not work.

> Please see the following:
> #### Load poller module applications ####
> 
> fail2banSNMP['/usr/bin/snmpget' '-v2c' '-c' 'COMMUNITY' '-Oqv' '-m' 'NET-SNMP-EXTEND-MIB' '-M' '/opt/librenms/mibs:/opt/librenms/mibs/supermicro:/opt/librenms/mibs/dell' 'udp:HOSTNAME:161' 'nsExtendOutputFull.8.102.97.105.108.50.98.97.110']
> 
> RRD[update telefonia.grupoviteri.com/app-fail2ban-1.rrd N:U:U --daemon unix:/var/run/rrdcached.sock]
> 
> [RRD Disabled]RRD[update telefonia.grupoviteri.com/app-fail2ban-1-BEGIN.rrd N:U --daemon unix:/var/run/rrdcached.sock]
> 
> [RRD Disabled]: ..
> 
>  * Warning: Illegal offset type in /opt/librenms/LibreNMS/Component.php on line 163
> 
>  * Warning: Illegal offset type in /opt/librenms/LibreNMS/Component.php on line 166
> 
>  * Warning: Illegal offset type in /opt/librenms/LibreNMS/Component.php on line 163
> 
>  * Warning: Illegal offset type in /opt/librenms/LibreNMS/Component.php on line 166
> 
> >> Runtime for poller module 'applications': 0.1222 seconds with 62464 bytes
> 
> >> SNMP: [1/0.12s] MySQL: [5/0.00s] RRD: [0/0.00s]
> 
> #### Unload poller module applications ####

I have set to 1 minute polling

Are you doing any of the caching options or just running the script normally in your snmp extend conf? Do you get good output if you run /etc/snmp/fail2ban manually?

If so, do you also get good output if you run the snmpget manually from your LibreNMS server?

snmpget -v2c -c COMMUNITY -Oqv -m NET-SNMP-EXTEND-MIB -M /opt/librenms/mibs:/opt/librenms/mibs/supermicro:/opt/librenms/mibs/dell udp:HOSTNAME:161 nsExtendOutputFull.8.102.97.105.108.50.98.97.110

Hi

Nope, I get this:

Can't locate JSON.pm in @INC (you may need to install the JSON module) (@INC contains: /etc/perl /usr/local/lib/x86_64-linux-gnu/perl/5.20.2 /usr/local/share/perl/5.20.2 /usr/lib/x86_64-linux-gnu/perl5/5.20 /usr/share/perl5 /usr/lib/x86_64-linux-gnu/perl/5.20 /usr/share/perl/5.20 /usr/local/lib/site_perl .) at ./fail2ban line 80.
BEGIN failed--compilation aborted at ./fail2ban line 80.

It looks like you just need to install the perl JSON module. Depending on the OS you can probably do that in your OS’s package manager.

centos/fedora/RH:
sudo yum install perl-JSON

debian/ubuntu
sudo apt install libjson-perl

I tried, but it can't find it in my repositories. I am running Debian Jessie.

apt-get install libjson-perl
Reading package lists… Done
Building dependency tree
Reading state information… Done
Package libjson-perl is not available, but is referred to by another package.
This may mean that the package is missing, has been obsoleted, or
is only available from another source

Okay I found it. Will let you know the results after installation. Thanks!

@slashdoom,

/etc/snmp/fail2ban returns:

{"data":{"total":14,"jails":{"fusionpbx-404":"0","nginx-404":"0","nginx-dos":"8","ssh":"2","freeswitch-dos-udp":"0","freeswitch-ip-tcp":"2","freeswitch-tcp":"0","fusionpbx":"0","fusionpbx-mac":"0","freeswitch-udp":"0","freeswitch-ip-udp":"2","freeswitch-dos-tcp":"0"}},"version":"1","errorString":"fail2ban-client exited with 0","error":"0"}

So this is the output when I run this:

ERROR Unable to contact server. Is it running?
{"errorString":"fail2ban-client exited with 255","error":"255","version":"1","data":{"total":0,"jails":{}}}

That looks to me like your snmpd service is running with a service account rather than as root (probably snmp) and that that service account doesn’t seem to have access to run fail2ban-client. You’re going to have to resolve that somehow and that’ll depend on your environment.

If you have sudo on this server, one idea would be to give the snmp user root access to run the agent script by adding something like…

snmp ALL=(root) NOPASSWD: /etc/snmp/fail2ban

…to /etc/sudoers.

Then change the line in your snmpd.conf to extend fail2ban sudo /etc/snmp/fail2ban

Just an idea though, all of my fail2ban extends are on RHEL which luckily runs snmpd as root so I can’t really test. Be careful messing with sudoers.
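A small checker for the three kinds of output seen in this thread (good JSON, JSON with `error` 255 plus a stray error line, and a Perl failure with no JSON at all), added here as an example and not part of the original posts or of the LibreNMS agent. The function names are hypothetical, and the rule that `total` equals the sum of the jail counts is an assumption drawn from the sample output above.

```python
import json

# Outputs taken from the thread above (GOOD is trimmed to five jails).
GOOD = ('{"data":{"total":14,"jails":{"nginx-404":"0","nginx-dos":"8","ssh":"2",'
        '"freeswitch-ip-tcp":"2","freeswitch-ip-udp":"2"}},"version":"1",'
        '"errorString":"fail2ban-client exited with 0","error":"0"}')
DENIED = ('ERROR Unable to contact server. Is it running?\n'
          '{"errorString":"fail2ban-client exited with 255","error":"255",'
          '"version":"1","data":{"total":0,"jails":{}}}')
NO_JSON = "Can't locate JSON.pm in @INC (you may need to install the JSON module)"


def split_output(raw):
    """Separate the JSON document from stray text such as fail2ban-client errors."""
    payload, stray = None, []
    for line in raw.splitlines():
        line = line.strip()
        if line.startswith("{") and payload is None:
            try:
                payload = json.loads(line)
                continue
            except json.JSONDecodeError:
                pass
        if line:
            stray.append(line)
    return payload, stray


def diagnose(raw):
    """Return {'ok', 'reason', 'jails'} for one run of the extend script."""
    payload, stray = split_output(raw)
    if not isinstance(payload, dict):
        return {"ok": False, "reason": "no JSON: " + " | ".join(stray), "jails": {}}
    data = payload.get("data") or {}
    jails = {name: int(n) for name, n in (data.get("jails") or {}).items()}
    if str(payload.get("error", "")) != "0":
        reason = payload.get("errorString", "unknown error")
        return {"ok": False, "reason": "; ".join([reason] + stray), "jails": jails}
    # Assumption drawn from the sample in the thread: total is the sum of all jails.
    if int(data.get("total", -1)) != sum(jails.values()):
        return {"ok": False, "reason": "total does not match jail counts", "jails": jails}
    return {"ok": True, "reason": "", "jails": jails}


if __name__ == "__main__":
    for name, sample in (("good", GOOD), ("denied", DENIED), ("no-json", NO_JSON)):
        print(name, diagnose(sample))
```

Feeding it the text returned by the manual `snmpget` shows whether the value LibreNMS receives is usable, or whether the script failed on the monitored host before the poller ever saw valid data.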

You are right, it is running as snmp. I run Debian Jessie.

I will do research into it. I hope someone else that has had this problem before can pitch in. I will keep the forum posted.

Thank you so much for your time.

So I had the same issue as:

It turns out, reading the fail2ban perl script reveals the intended usage.

It describes creating a cron job running the perl script as root with the -u flag, which updates a cache file. Running the fail2ban perl script with the -c flag reads the cache file and can be run by any user.

It’s super easy - only 4 steps

Make the script executable
chmod +x /opt/librenms-agent/snmp/fail2ban

Create a symlink to the perl script
cd /etc/snmp; ln -s /opt/librenms-agent/snmp/fail2ban

Create a cron job running as root to update the cache file every 3 minutes:
echo "0,3,6,9,12,15,18,21,24,27,30,33,36,39,42,45,48,51,54,57 * * * * /etc/snmp/fail2ban -u" >> /var/spool/cron/crontabs/root

(Don’t forget to restart crond in whatever way it’s done in your distro)

Change your extend line in snmpd.conf to use the -c flag, so the script reads the cache file
extend fail2ban /etc/snmp/fail2ban -c

Done

FYI, this does work, thanks! But in case anyone else has this issue … on Debian and Ubuntu, the user is Debian-snmp (not snmp). Just to help out if I can.
