Netdata Community

Alarm configuration for fail2ban

Hello together,

is it possible to notify me, then the “BanCounter” (fail2ban.jails_in_jail) count in 5 minutes more then 3 new IPs?

Thx for this great tool and your help.

my test-config looks like that:
# /usr/lib/netdata/conf.d/health.d/fail2ban.conf
alarm: fail2ban
on: fail2ban.jails_in_jail
lookup: average -1m collected_total_raw
every: 60s
warn: $this > 2
delay: down 5m multiplier 1.5 max 1h
plugin: python.d.plugin
module: fail2ban
info: fail2ban more then 2 in 1 minute
to: sysadmin

Hi @youmakemyday :wave:

If you want if sum of jailed IPs (sum) more then 3 ($this > 3) and get notified after it’s been so for 5 minutes (up 5m), try the following:

alarm: fail2ban
on: fail2ban.jails_in_jail
lookup: sum -10s
every: 10s
warn: $this > 3
delay: up 5m down 1m multiplier 1.5 max 1h
info: fail2ban more then 3 in 5 minute
to: sysadmin

and get notified

I mean via email or whatever notification method you are using.

Hello Ilyam,
thx for your answer. My Fail2ban configuration is banning permanently, so the „Ban-Counter“ is growing with any new ban. I want to notify, when fail2ban log more then 3 new Bans in 5 minutes.

Example:
22:00:00 Total Bans: 55
22:04:00 Total Bans: 58+ notify me (pushover)

Thx for your help.

Then we need jails_bans chart, it contains bans rate - check every 5m minutes last 5 minutes of data. Would that do?

alarm: fail2ban
on: fail2ban.jails_bans
lookup: sum -5m
every: 5m
warn: $this > 3
delay: down 5m multiplier 1.5 max 1h
info: fail2ban more then 3 in 5 minute
to: sysadmin
1 Like

i will try and give you feedback tomorrow. thanks so much.

Hello Ilyam8,

the config looks good, i believe it works. I will test a few days and give then feedback again.

Thanks for your help.