4 files changed, 380 insertions, 0 deletions
diff --git a/collectors/python.d.plugin/fail2ban/Makefile.inc b/collectors/python.d.plugin/fail2ban/Makefile.inc
new file mode 100644
index 0000000..31e117e
--- /dev/null
+++ b/collectors/python.d.plugin/fail2ban/Makefile.inc
@@ -0,0 +1,13 @@
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+# THIS IS NOT A COMPLETE Makefile
+# IT IS INCLUDED BY ITS PARENT'S Makefile.am
+# IT IS REQUIRED TO REFERENCE ALL FILES RELATIVE TO THE PARENT
+
+# install these files
+dist_python_DATA       += fail2ban/fail2ban.chart.py
+dist_pythonconfig_DATA += fail2ban/fail2ban.conf
+
+# do not install these files, but include them in the distribution
+dist_noinst_DATA       += fail2ban/README.md fail2ban/Makefile.inc
+
diff --git a/collectors/python.d.plugin/fail2ban/README.md b/collectors/python.d.plugin/fail2ban/README.md
new file mode 100644
index 0000000..be09e18
--- /dev/null
+++ b/collectors/python.d.plugin/fail2ban/README.md
@@ -0,0 +1,82 @@
+<!--
+title: "Fail2ban monitoring with Netdata"
+custom_edit_url: https://github.com/netdata/netdata/edit/master/collectors/python.d.plugin/fail2ban/README.md
+sidebar_label: "Fail2ban"
+-->
+
+# Fail2ban monitoring with Netdata
+
+Monitors the fail2ban log file to show all bans for all active jails.
+
+## Requirements
+
+The `fail2ban.log` file must be readable by the user `netdata`:
+
+- change the file ownership and access permissions.
+- update `/etc/logrotate.d/fail2ban` to persists the changes after rotating the log file.
+
+<details>
+  <summary>Click to expand the instruction.</summary>
+
+To change the file ownership and access permissions, execute the following:
+
+```shell
+sudo chown root:netdata /var/log/fail2ban.log
+sudo chmod 640 /var/log/fail2ban.log
+```
+
+To persist the changes after rotating the log file, add `create 640 root netdata` to the `/etc/logrotate.d/fail2ban`:
+
+```shell
+/var/log/fail2ban.log {
+
+    weekly
+    rotate 4
+    compress
+
+    delaycompress
+    missingok
+    postrotate
+        fail2ban-client flushlogs 1>/dev/null
+    endscript
+
+    # If fail2ban runs as non-root it still needs to have write access
+    # to logfiles.
+    # create 640 fail2ban adm
+    create 640 root netdata
+}
+```
+
+</details>
+
+## Charts
+
+- Failed attempts in attempts/s
+- Bans in bans/s
+- Banned IP addresses (since the last restart of netdata) in ips
+
+## Configuration
+
+Edit the `python.d/fail2ban.conf` configuration file using `edit-config` from the
+Netdata [config directory](/docs/configure/nodes.md), which is typically at `/etc/netdata`.
+
+```bash
+cd /etc/netdata   # Replace this path with your Netdata config directory, if different
+sudo ./edit-config python.d/fail2ban.conf
+```
+
+Sample:
+
+```yaml
+local:
+  log_path: '/var/log/fail2ban.log'
+  conf_path: '/etc/fail2ban/jail.local'
+  exclude: 'dropbear apache'
+```
+
+If no configuration is given, module will attempt to read log file at `/var/log/fail2ban.log` and conf file
+at `/etc/fail2ban/jail.local`. If conf file is not found default jail is `ssh`.
+
+---
+
+
diff --git a/collectors/python.d.plugin/fail2ban/fail2ban.chart.py b/collectors/python.d.plugin/fail2ban/fail2ban.chart.py
new file mode 100644
index 0000000..76f6d92
--- /dev/null
+++ b/collectors/python.d.plugin/fail2ban/fail2ban.chart.py
@@ -0,0 +1,217 @@
+# -*- coding: utf-8 -*-
+# Description: fail2ban log netdata python.d module
+# Author: ilyam8
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+import os
+import re
+from collections import defaultdict
+from glob import glob
+
+from bases.FrameworkServices.LogService import LogService
+
+ORDER = [
+    'jails_failed_attempts',
+    'jails_bans',
+    'jails_banned_ips',
+]
+
+
+def charts(jails):
+    """
+    Chart definitions creating
+    """
+
+    ch = {
+        ORDER[0]: {
+            'options': [None, 'Failed attempts', 'attempts/s', 'failed attempts', 'fail2ban.failed_attempts', 'line'],
+            'lines': []
+        },
+        ORDER[1]: {
+            'options': [None, 'Bans', 'bans/s', 'bans', 'fail2ban.bans', 'line'],
+            'lines': []
+        },
+        ORDER[2]: {
+            'options': [None, 'Banned IP addresses (since the last restart of netdata)', 'ips', 'banned ips',
+                        'fail2ban.banned_ips', 'line'],
+            'lines': []
+        },
+    }
+    for jail in jails:
+        dim = ['{0}_failed_attempts'.format(jail), jail, 'incremental']
+        ch[ORDER[0]]['lines'].append(dim)
+
+        dim = [jail, jail, 'incremental']
+        ch[ORDER[1]]['lines'].append(dim)
+
+        dim = ['{0}_in_jail'.format(jail), jail, 'absolute']
+        ch[ORDER[2]]['lines'].append(dim)
+
+    return ch
+
+
+RE_JAILS = re.compile(r'\[([a-zA-Z0-9_-]+)\][^\[\]]+?enabled\s+= +(true|yes|false|no)')
+
+ACTION_BAN = 'Ban'
+ACTION_UNBAN = 'Unban'
+ACTION_RESTORE_BAN = 'Restore Ban'
+ACTION_FOUND = 'Found'
+
+# Example:
+# 2018-09-12 11:45:58,727 fail2ban.actions[25029]: WARNING [ssh] Found 203.0.113.1
+# 2018-09-12 11:45:58,727 fail2ban.actions[25029]: WARNING [ssh] Ban 203.0.113.1
+# 2018-09-12 11:45:58,727 fail2ban.actions[25029]: WARNING [ssh] Restore Ban 203.0.113.1
+# 2018-09-12 11:45:53,715 fail2ban.actions[25029]: WARNING [ssh] Unban 203.0.113.1
+RE_DATA = re.compile(
+    r'\[(?P<jail>[A-Za-z-_0-9]+)\] (?P<action>{0}|{1}|{2}|{3}) (?P<ip>[a-f0-9.:]+)'.format(
+        ACTION_BAN, ACTION_UNBAN, ACTION_RESTORE_BAN, ACTION_FOUND
+    )
+)
+
+DEFAULT_JAILS = [
+    'ssh',
+]
+
+
+class Service(LogService):
+    def __init__(self, configuration=None, name=None):
+        LogService.__init__(self, configuration=configuration, name=name)
+        self.order = ORDER
+        self.definitions = dict()
+        self.log_path = self.configuration.get('log_path', '/var/log/fail2ban.log')
+        self.conf_path = self.configuration.get('conf_path', '/etc/fail2ban/jail.local')
+        self.conf_dir = self.configuration.get('conf_dir', '/etc/fail2ban/jail.d/')
+        self.exclude = self.configuration.get('exclude', str())
+        self.monitoring_jails = list()
+        self.banned_ips = defaultdict(set)
+        self.data = dict()
+
+    def check(self):
+        """
+        :return: bool
+        """
+        if not self.conf_path.endswith(('.conf', '.local')):
+            self.error('{0} is a wrong conf path name, must be *.conf or *.local'.format(self.conf_path))
+            return False
+
+        if not os.access(self.log_path, os.R_OK):
+            self.error('{0} is not readable'.format(self.log_path))
+            return False
+
+        if os.path.getsize(self.log_path) == 0:
+            self.error('{0} is empty'.format(self.log_path))
+            return False
+
+        self.monitoring_jails = self.jails_auto_detection()
+        for jail in self.monitoring_jails:
+            self.data['{0}_failed_attempts'.format(jail)] = 0
+            self.data[jail] = 0
+            self.data['{0}_in_jail'.format(jail)] = 0
+
+        self.definitions = charts(self.monitoring_jails)
+        self.info('monitoring jails: {0}'.format(self.monitoring_jails))
+
+        return True
+
+    def get_data(self):
+        """
+        :return: dict
+        """
+        raw = self._get_raw_data()
+
+        if not raw:
+            return None if raw is None else self.data
+
+        for row in raw:
+            match = RE_DATA.search(row)
+
+            if not match:
+                continue
+
+            match = match.groupdict()
+
+            if match['jail'] not in self.monitoring_jails:
+                continue
+
+            jail, action, ip = match['jail'], match['action'], match['ip']
+
+            if action == ACTION_FOUND:
+                self.data['{0}_failed_attempts'.format(jail)] += 1
+            elif action in (ACTION_BAN, ACTION_RESTORE_BAN):
+                self.data[jail] += 1
+                if ip not in self.banned_ips[jail]:
+                    self.banned_ips[jail].add(ip)
+                    self.data['{0}_in_jail'.format(jail)] += 1
+            elif action == ACTION_UNBAN:
+                if ip in self.banned_ips[jail]:
+                    self.banned_ips[jail].remove(ip)
+                    self.data['{0}_in_jail'.format(jail)] -= 1
+
+        return self.data
+
+    def get_files_from_dir(self, dir_path, suffix):
+        """
+        :return: list
+        """
+        if not os.path.isdir(dir_path):
+            self.error('{0} is not a directory'.format(dir_path))
+            return list()
+
+        return glob('{0}/*.{1}'.format(self.conf_dir, suffix))
+
+    def get_jails_from_file(self, file_path):
+        """
+        :return: list
+        """
+        if not os.access(file_path, os.R_OK):
+            self.error('{0} is not readable or not exist'.format(file_path))
+            return list()
+
+        with open(file_path, 'rt') as f:
+            lines = f.readlines()
+            raw = ' '.join(line for line in lines if line.startswith(('[', 'enabled')))
+
+        match = RE_JAILS.findall(raw)
+        # Result: [('ssh', 'true'), ('dropbear', 'true'), ('pam-generic', 'true'), ...]
+
+        if not match:
+            self.debug('{0} parse failed'.format(file_path))
+            return list()
+
+        return match
+
+    def jails_auto_detection(self):
+        """
+        :return: list
+
+        Parses jail configuration files. Returns list of enabled jails.
+        According man jail.conf parse order must be
+        * jail.conf
+        * jail.d/*.conf (in alphabetical order)
+        * jail.local
+        * jail.d/*.local (in alphabetical order)
+        """
+        jails_files, all_jails, active_jails = list(), list(), list()
+
+        jails_files.append('{0}.conf'.format(self.conf_path.rsplit('.')[0]))
+        jails_files.extend(self.get_files_from_dir(self.conf_dir, 'conf'))
+        jails_files.append('{0}.local'.format(self.conf_path.rsplit('.')[0]))
+        jails_files.extend(self.get_files_from_dir(self.conf_dir, 'local'))
+
+        self.debug('config files to parse: {0}'.format(jails_files))
+
+        for f in jails_files:
+            all_jails.extend(self.get_jails_from_file(f))
+
+        exclude = self.exclude.split()
+
+        for name, status in all_jails:
+            if name in exclude:
+                continue
+
+            if status in ('true', 'yes') and name not in active_jails:
+                active_jails.append(name)
+            elif status in ('false', 'no') and name in active_jails:
+                active_jails.remove(name)
+
+        return active_jails or DEFAULT_JAILS
diff --git a/collectors/python.d.plugin/fail2ban/fail2ban.conf b/collectors/python.d.plugin/fail2ban/fail2ban.conf
new file mode 100644
index 0000000..a36436b
--- /dev/null
+++ b/collectors/python.d.plugin/fail2ban/fail2ban.conf
@@ -0,0 +1,68 @@
+# netdata python.d.plugin configuration for fail2ban
+#
+# This file is in YaML format. Generally the format is:
+#
+# name: value
+#
+# There are 2 sections:
+#  - global variables
+#  - one or more JOBS
+#
+# JOBS allow you to collect values from multiple sources.
+# Each source will have its own set of charts.
+#
+# JOB parameters have to be indented (using spaces only, example below).
+
+# ----------------------------------------------------------------------
+# Global Variables
+# These variables set the defaults for all JOBs, however each JOB
+# may define its own, overriding the defaults.
+
+# update_every sets the default data collection frequency.
+# If unset, the python.d.plugin default is used.
+# update_every: 1
+
+# priority controls the order of charts at the netdata dashboard.
+# Lower numbers move the charts towards the top of the page.
+# If unset, the default for python.d.plugin is used.
+# priority: 60000
+
+# penalty indicates whether to apply penalty to update_every in case of failures.
+# Penalty will increase every 5 failed updates in a row. Maximum penalty is 10 minutes.
+# penalty: yes
+
+# autodetection_retry sets the job re-check interval in seconds.
+# The job is not deleted if check fails.
+# Attempts to start the job are made once every autodetection_retry.
+# This feature is disabled by default.
+# autodetection_retry: 0
+
+# ----------------------------------------------------------------------
+# JOBS (data collection sources)
+#
+# The default JOBS share the same *name*. JOBS with the same name
+# are mutually exclusive. Only one of them will be allowed running at
+# any time. This allows autodetection to try several alternatives and
+# pick the one that works.
+#
+# Any number of jobs is supported.
+#
+# All python.d.plugin JOBS (for all its modules) support a set of
+# predefined parameters. These are:
+#
+# job_name:
+#     name: myname            # the JOB's name as it will appear at the
+#                             # dashboard (by default is the job_name)
+#                             # JOBs sharing a name are mutually exclusive
+#     update_every: 1         # the JOB's data collection frequency
+#     priority: 60000         # the JOB's order on the dashboard
+#     penalty: yes            # the JOB's penalty
+#     autodetection_retry: 0  # the JOB's re-check interval in seconds
+#
+# Additionally to the above, fail2ban also supports the following:
+#
+#     log_path:  'path to fail2ban.log'			                 # Default: '/var/log/fail2ban.log'
+#     conf_path: 'path to jail.local/jail.conf'			         # Default: '/etc/fail2ban/jail.local'
+#     conf_dir:  'path to jail.d/'			                     # Default: '/etc/fail2ban/jail.d/'
+#     exclude:   'jails you want to exclude from autodetection'  # Default: none
+#------------------------------------------------------------------------------------------------------------------