root / plugins / network / fail2ban @ dd4afac8
Historique | Voir | Annoter | Télécharger (2,37 ko)
| 1 |
#!/usr/bin/python |
|---|---|
| 2 |
# |
| 3 |
# Plugin to monitor fail2ban blacklists. |
| 4 |
# Parses iptables output. Must be run as a user that may do such. Probably root. |
| 5 |
# |
| 6 |
# Requires: python, probably 2.3 or so :) |
| 7 |
# |
| 8 |
# Written by Lasse Karstensen <lasse.karstensen@gmail.com> September 2007. |
| 9 |
# Parameters understood: |
| 10 |
# config (required) |
| 11 |
# autoconf (optional) |
| 12 |
# |
| 13 |
#%# family=auto |
| 14 |
#%# capabilities=autoconf |
| 15 |
|
| 16 |
libdir="/usr/share/fail2ban" |
| 17 |
iptablesbin="/sbin/iptables" |
| 18 |
|
| 19 |
import sys, os, ConfigParser |
| 20 |
|
| 21 |
|
| 22 |
def get_fail2ban_checks(configfile="/etc/fail2ban.conf"): |
| 23 |
confReader = ConfigParser.ConfigParser() |
| 24 |
confReader.read(configfile) |
| 25 |
res = [] |
| 26 |
for section in confReader.sections(): |
| 27 |
# basic configuration, not essential for us so we skip it. |
| 28 |
if section in ["MAIL"]: |
| 29 |
continue |
| 30 |
if confReader.has_option(section, "enabled"): |
| 31 |
val = confReader.get(section, "enabled") |
| 32 |
if val.lower() == "true": |
| 33 |
res.append(section) |
| 34 |
return res |
| 35 |
|
| 36 |
def list_iptables(chain): |
| 37 |
global iptablesbin |
| 38 |
cmd = "%s -n -L fail2ban-%s" % (iptablesbin, chain) |
| 39 |
num = 0 |
| 40 |
for line in os.popen(cmd): |
| 41 |
line = line.strip() |
| 42 |
if line.split()[0] == "DROP": |
| 43 |
num = num + 1 |
| 44 |
return num |
| 45 |
|
| 46 |
def print_config(): |
| 47 |
# noisy |
| 48 |
print 'graph_title Fail2ban blacklist' |
| 49 |
print 'graph_info This graph shows the number of host blocked by fail2ban.' |
| 50 |
print 'graph_category network' |
| 51 |
print 'graph_vlabel Count' |
| 52 |
|
| 53 |
print 'graph_args --base 1000 -l 0' |
| 54 |
print 'graph_total total' |
| 55 |
|
| 56 |
for checkname in get_fail2ban_checks(): |
| 57 |
checkname_sane = checkname_sanitize(checkname) |
| 58 |
print '%s.label Rules in chain %s' % (checkname_sane, checkname_sane) |
| 59 |
print '%s.min 0' % checkname_sane |
| 60 |
|
| 61 |
def checkname_sanitize(name): |
| 62 |
new = "" |
| 63 |
from string import digits, letters |
| 64 |
for char in name: |
| 65 |
if char not in letters+digits: |
| 66 |
new += "_" |
| 67 |
else: |
| 68 |
new += char |
| 69 |
return new |
| 70 |
|
| 71 |
def main(): |
| 72 |
if len(sys.argv) > 1 and sys.argv[1] == "autoconf": |
| 73 |
if os.path.isdir(libdir): |
| 74 |
print "yes" |
| 75 |
sys.exit(0) |
| 76 |
else: |
| 77 |
print "no" |
| 78 |
sys.exit(1) |
| 79 |
|
| 80 |
sys.path.append(libdir) |
| 81 |
if len(sys.argv) > 1 and sys.argv[1] == "config": |
| 82 |
print_config() |
| 83 |
sys.exit(0) |
| 84 |
|
| 85 |
for checkname in get_fail2ban_checks(): |
| 86 |
num = list_iptables(checkname) |
| 87 |
print "%s.value %s" % (checkname_sanitize(checkname), num) |
| 88 |
|
| 89 |
|
| 90 |
if __name__ == "__main__": |
| 91 |
main() |