From: Klaus L. <leh...@t-...> - 2008-05-13 07:58:59
hi fans

the last days were very martial days.
me and my servers (only two) got attacked by a big botnet.

my problem was: how can I see that fail2ban is working?
I remembered "my" old tool dienstcheck...., it has been working for 3 or 4
years, to watch a service -especially for libraries-, and this tool
works very well. I forgot that I have it and use it. ;-)
Michael Geiger -here in list- follows another possibility. I think he
checks the availability of fail2ban WITH nagios. (nice idea, too hard to
understand for me; but I must have a look at it. Michael?
;-)

ok, here are some scripts:

#!/bin/sh
# based on a shell script by patrick Ditchen 2003
# found in german book 'Shell-Skript Programmierung', 2003 published by mitp
# dienstchk6-f2b  Checks every x seconds whether a service is still running.
# a little bit tuned by Klaus Lehmann 2008 (Radeberg) leh...@t-...
# Usage: dienstchk6-f2b [-c] [-s] dienst [intervall]

intervall_dflt=120
usage="$0 [-c] [-s] dienst [intervall]"
continue="no"
slowdown="no"

# Process the command line
if [ "$1" = "-c" ] ; then
    continue="yes"
    shift
fi
if [ "$1" = "-s" ] ; then
    slowdown="yes"
    shift
fi
dienst=$1
intervall=$2

# Error handling
if [ $# -gt 2 -o $# -eq 0 ] ; then
    # wrong number of parameters
    echo "Falsche Anzahl von Parametern"
    echo "$usage"
    exit 1
fi
if echo "$intervall" | grep '[^0-9]' >/dev/null 2>&1 ; then
    # interval is not an integer
    echo "Intervall ist keine ganze Zahl"
    echo "$usage"
    exit 2
fi
[ "$intervall" = "" ] && intervall=$intervall_dflt

while true
do
    # look for the service in the process list, ignoring grep and this script
    if ps -ef | grep "$dienst" | grep -v grep | grep -v "$0" >/dev/null 2>&1
    then
        :
    else
        # service is gone: mail the current date as an alert
        echo `date` | mailx -s "Achtung: $dienst ausgefallen!" 012...@el...
        if [ "$continue" = "no" ]
        then
            break
        fi
        if [ "$slowdown" = "yes" ]
        then
            intervall=`expr $intervall \* 2`
        fi
    fi
    sleep $intervall
done
_end dienstchk-f2b

for /etc/init.d I have this:

_begin init-dienstchk-f2b
#!/bin/sh
### BEGIN INIT INFO
# Provides: dienstchk-f2b
# Required-Start: $network
# Required-Stop: $network
# Default-Start: 2 3 5
# Description: checks the availability of fail2ban-server(!) every 120sec
### END INIT INFO
case "$1" in
    'start')
        /usr/local/bin/dienstchk-f2b -c -s fail2ban-server &
        ;;
    'stop')
        killall dienstchk-f2b
        ;;
    *)
        echo "Usage: $0 { start | stop }"
        ;;
esac
exit 0
_end

idea is:
script init-dienstchk-f2b checks every 120 seconds whether fail2ban-server
exists in the process list (really! and !not! fail2ban-client)
120 seconds are defined in dienstchk-f2b (intervall_dflt)
if there is no process, then send an sms to
echo `date` | mailx -s "Achtung: $dienst ausgefallen!" 017...@t-...
[found in dienstchk-f2b]

generally:
dienstchk6-f2b [-c] [-s] dienst [intervall]
means: [I think so]
-c [I'm not sure] it could mean, search continuously for the existence of
   that service "fail2ban-server"
-s slowdown. 1st 120 sec, then after 240 sec, and so on.

sorry, but the script is mainly in german. I hope to get you a small
translation of the functions.
[german "dienst" is in english "service"]

I think it works. ;-)

yours very
klaus
From: Michael G. <ge...@mg...> - 2008-05-13 08:27:26
Attachments:
check_fail2ban
fail2ban
Hi Klaus,

since you've asked for my solution: ;-)

I'm checking the availability of my services with nagios:
http://www.nagios.org/

To check the fail2ban service I've written a small plugin (attached).
Contrary to you I'm probing fail2ban with "fail2ban-client ping" -
sometimes I had the situation that the server process was still running
(as seen with ps) but it did not respond to commands, so I changed to
check with the client. But I must admit that's also not a perfect
solution, the client reported twice a running fail2ban when the task
didn't respond ... :-(

On failure nagios restarts fail2ban with the event_handler setting - for
(re)start I've scripted a sys5-initscript that's cleaning up the
remaining processes (/etc/rc.d/fail2ban force-start, also attached).

Michael

Klaus Lehmann wrote:
> hi fans
>
> the last days were very martial days.
> me and my servers (only two) got attacked by a big botnet.
>
> my problem was: how can I see that fail2ban is working?
> I remembered "my" old tool dienstcheck...., it has been working for 3 or 4
> years, to watch a service -especially for libraries-, and this tool
> works very well. I forgot that I have it and use it. ;-)
> Michael Geiger -here in list- follows another possibility. I think he
> checks the availability of fail2ban WITH nagios. (nice idea, too hard to
> understand for me; but I must have a look at it. Michael?
> ;-)
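
The two liveness checks discussed in this thread (process list and "fail2ban-client ping") combined into one Nagios-style check, as an added example; it is not the check_fail2ban attachment. F2B_CLIENT, F2B_PROC, PING_TIMEOUT and the --check argument are assumptions of the example.

```sh
#!/bin/sh
# Added example, not the check_fail2ban plugin attached to the thread.
# F2B_CLIENT, F2B_PROC and PING_TIMEOUT are names assumed for this example.
F2B_CLIENT="${F2B_CLIENT:-fail2ban-client}"
F2B_PROC="${F2B_PROC:-fail2ban-server}"
PING_TIMEOUT="${PING_TIMEOUT:-10}"

# Process-list check, as in dienstchk-f2b.
server_in_ps() {
    ps -ef | grep -- "$F2B_PROC" | grep -v grep >/dev/null 2>&1
}

# Client check: does the server answer "fail2ban-client ping"?
# Assumes the reply contains "pong"; timeout(1) ends a hung client (status 124).
ping_server() {
    # F2B_CLIENT is unquoted on purpose so it may carry extra arguments
    reply=$(timeout "$PING_TIMEOUT" $F2B_CLIENT ping 2>&1) || return $?
    case "$reply" in
        *pong*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Combine both checks; Nagios exit codes: 0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN
check_fail2ban() {
    rc=0
    ping_server || rc=$?
    if [ "$rc" -eq 0 ]; then
        if server_in_ps; then
            echo "OK - fail2ban server replied to ping"
            return 0
        fi
        echo "WARNING - ping answered but $F2B_PROC is not in the process list"
        return 1
    fi
    if [ "$rc" -eq 126 ] || [ "$rc" -eq 127 ]; then
        echo "UNKNOWN - cannot execute timeout or $F2B_CLIENT"
        return 3
    fi
    if server_in_ps; then
        echo "CRITICAL - $F2B_PROC is in the process list but does not answer ping"
        return 2
    fi
    echo "CRITICAL - $F2B_PROC is not running"
    return 2
}

# Run the check only when called with --check, so the file can also be sourced.
if [ "${1:-}" = "--check" ]; then check_fail2ban; exit $?; fi
```

The timeout turns the case described above, a server process that is still visible in ps but no longer answers the client, into a CRITICAL result instead of a check that never returns.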
From: Cyril J. <cyr...@fa...> - 2008-05-13 21:59:17
Hi Michael,

I like your nagios script :) Do you mind if I include it in the official
package? If it is alright for you, could you please give me:

1/ the license
2/ your name and e-mail

Thank you

Cyril

Michael Geiger wrote:
> Hi Klaus,
>
> since you've asked for my solution: ;-)
>
> I'm checking the availability of my services with nagios:
> http://www.nagios.org/
>
> To check the fail2ban service I've written a small plugin (attached).
> Contrary to you I'm probing fail2ban with "fail2ban-client ping" -
> sometimes I had the situation that the server process was still running
> (as seen with ps) but it did not respond to commands, so I changed to
> check with the client. But I must admit that's also not a perfect
> solution, the client reported twice a running fail2ban when the task
> didn't respond ... :-(
>
> On failure nagios restarts fail2ban with the event_handler setting - for
> (re)start I've scripted a sys5-initscript that's cleaning up the
> remaining processes (/etc/rc.d/fail2ban force-start, also attached).
>
>
> Michael
>
>
>
> Klaus Lehmann wrote:
>> hi fans
>>
>> the last days were very martial days.
>> me and my servers (only two) got attacked by a big botnet.
>>
>> my problem was: how can I see that fail2ban is working?
>> I remembered "my" old tool dienstcheck...., it has been working for 3 or 4
>> years, to watch a service -especially for libraries-, and this tool
>> works very well. I forgot that I have it and use it. ;-)
>> Michael Geiger -here in list- follows another possibility. I think he
>> checks the availability of fail2ban WITH nagios. (nice idea, too hard to
>> understand for me; but I must have a look at it. Michael?
>> ;-)