From: Fabian W. <fa...@we...> - 2013-03-31 21:18:31
Hello Yaroslav

On 26.03.2013 17:11, Yaroslav Halchenko wrote:
> If you are monitoring fail2ban with nagios, I would strongly
> encourage you to give a try to a newer nagios status script:
> https://github.com/fail2ban/fail2ban/pull/157
> and provide feedback (it works, or has drawbacks)

My fail2ban-server is running as root, but then fail2ban-client can also only be used as user root, because of the permissions of fail2ban.sock. This also applies to the mentioned check_fail2ban script. But my Nagios installation and also the nrpe2 on the other hosts are running with the user nagios.

To work around this, I created a short wrapper in C which just runs 'fail2ban-client ping' and can be installed with setuid root and is only executable for the nagios group. This C binary is called from a simple shell script which returns the values for Nagios.

I have C wrappers working for Linux (Gentoo) and FreeBSD. If anybody is interested, I will clean it up and document it on my website.

Eventually it would be useful if the permissions (rw for group and others) for the fail2ban.sock could be configured in fail2ban.conf. A quick test (manually changing the permissions) showed that it would need group rw and setting the group to the group in which the user running fail2ban-client is. But this opens a much wider window, which would e.g. allow nagios to change stuff in the jails or add IP addresses to ban. Maybe there is a way to create only read permissions for stuff like ping or status, but currently it needs rw on the fail2ban.sock.

bye
Fabian