
I am trying to monitor fail2ban with Nagios, so I found the following check via a Google search: http://nagios.fm4dd.com/plugins/manual/check_fail2ban.htm

I am trying to get the check to work on a remote host, but I am unable to get it to return accurate results. I am using Fail2ban v0.9.3 on CentOS 7, so I had to make one change to the script per the following link: https://exchange.nagios.org/directory/Plugins/Security/Firewall-Software/check_fail2ban/details#rev-3948

*NOTE: All output below is from the "Remote Server" and not my "Nagios Server".

The change I made (Line 108) is below:

jail_list=$($fail2ban_client status|grep "list" |cut -d : -f 2 |tr -d ,)

I already gave the Nagios user & NRPE permissions per the wiki:

setfacl -m u:nagios:rwx /var/run/fail2ban/fail2ban.sock

I am able to run the fail2ban-client & the script as both the Nagios & NRPE users:

[root@localhost plugins]# sudo -u nrpe fail2ban-client status
Status
|- Number of jail:      2
`- Jail list:   openvpn, sshd

[root@localhost plugins]# sudo -u nagios fail2ban-client status
Status
|- Number of jail:      2
`- Jail list:   openvpn, sshd

[root@localhost etc]# sudo -u nagios /usr/lib64/nagios/plugins/check_fail2ban.sh -w 10 -c 20
OK: 1 banned IP(s) in 2 active jails|banned_IP=1;10;20;;
jail openvpn blocks 1 IP(s): 76.123.218.206
jail sshd blocks 0 IP(s):
| openvpn=1;;;; sshd=0;;;;

[root@localhost etc]# sudo -u nrpe /usr/lib64/nagios/plugins/check_fail2ban.sh -w 10 -c 20
OK: 1 banned IP(s) in 2 active jails|banned_IP=1;10;20;;
jail openvpn blocks 1 IP(s): 76.123.218.206
jail sshd blocks 0 IP(s):
| openvpn=1;;;; sshd=0;;;;

Here is what I get when I run it locally:

[root@localhost plugins]# ./check_fail2ban.sh -w 10 -c 20
OK: 1 banned IP(s) in 2 active jails|banned_IP=1;10;20;;
jail openvpn blocks 1 IP(s): 46.133.118.236
jail sshd blocks 0 IP(s):
| openvpn=1;;;; sshd=0;;;;

Here is what I get when I run it locally with NRPE:

[root@localhost plugins]# /usr/lib64/nagios/plugins/check_nrpe -t 60 -H 127.0.0.1 -p 5666 -c check_fail2ban -a 10 20
OK: 0 banned IP(s) in active jails|banned_IP=0;10;20;;
|
  • I get the same result when I run it on my Nagios Server

My command is defined in my nrpe.cfg:

command[check_fail2ban]=/usr/lib64/nagios/plugins/check_fail2ban.sh -w $ARG1$ -c $ARG2$

I tried some "debugging" by adding the following to my nrpe.cfg file:

command[check_fail2ban]=whoami
command[check_fail2ban]=env

"Debug" output:

[root@localhost plugins]# /usr/lib64/nagios/plugins/check_nrpe -t 60 -H 127.0.0.1 -p 5666 -c check_fail2ban -a 10 20
SHELL=/sbin/nologin
NRPE_PROGRAMVERSION=2.15
USER=nrpe
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
PWD=/
LANG=en_US.UTF-8
SHLVL=1
HOME=/var/run/nrpe
LOGNAME=nrpe
NRPE_SSL_OPT=
NRPE_MULTILINESUPPORT=1
_=/usr/bin/env

I tried additional debugging by setting NRPE to debug =1. Here is the output when I run the command from my Nagios Server.

Sep 27 12:36:46 localhost nrpe[31031]: Connection from 192.168.1.200 port 61853
Sep 27 12:36:46 localhost nrpe[31031]: Host address is in allowed_hosts
Sep 27 12:36:46 localhost nrpe[31031]: Handling the connection...
Sep 27 12:36:46 localhost nrpe[31031]: Host is asking for command 'check_fail2ban' to be run...
Sep 27 12:36:46 localhost nrpe[31031]: Running command: usr/lib64/nagios/plugins/check_fail2ban.sh -w 10 -c 20
Sep 27 12:36:46 localhost nrpe[31031]: Command completed with return code 0 and output: OK: 0 banned IP(s) in active jails|banned_IP=0;10;20;;#012|
Sep 27 12:36:46 localhost nrpe[31031]: Return Code: 0, Output: OK: 0 banned IP(s) in active jails|banned_IP=0;10;20;;#012|
Sep 27 12:36:46 localhost nrpe[31031]: Connection from `bYj closed.
  • I get the same thing when I run it locally from the server with check_nrpe.

It looks like NRPE may not be capturing all of the output from the script? Please forgive me if this is something stupid that I've missed, as I am a Windows user who does very little on Linux. Any help is greatly appreciated!


*** EDIT TO ANSWERS ***

User4556274, I think it is enabled. Here is the output from that command:

[root@localhost etc]# ls -Z /usr/lib64/nagios/plugins
-rwxr-xr-x. root root unconfined_u:object_r:usr_t:s0   check_apc
-rwxr-xr-x. root root unconfined_u:object_r:usr_t:s0   check_asterisk_pri.php
-rwxr-xr-x. root root system_u:object_r:nagios_checkdisk_plugin_exec_t:s0 check_disk
-rwxr-xr-x. root root unconfined_u:object_r:lib_t:s0   check_fail2ban.old
-rwxr-xr-x. root root unconfined_u:object_r:lib_t:s0   check_fail2ban.sh
-rwxr-xr-x. root root system_u:object_r:nagios_system_plugin_exec_t:s0 check_load
-rwxr-xr-x. root root unconfined_u:object_r:lib_t:s0   check_mem.pl
-rwxr-xr-x. root root system_u:object_r:nagios_services_plugin_exec_t:s0 check_nrpe
-rwxr-xr-x. root root unconfined_u:object_r:usr_t:s0   check_openmanage
-rwxr-xr-x. root root unconfined_u:object_r:lib_t:s0   check_openvpn.php
-rwxr-xr-x. root root unconfined_u:object_r:lib_t:s0   check_openvpn_user_list
-rwxr-xr-x. root root unconfined_u:object_r:lib_t:s0   check_openvpn_user_status
-rwxr-xr-x. root root unconfined_u:object_r:lib_t:s0   check_openvpn_user_traffic
-rwxr-xr-x. root root unconfined_u:object_r:lib_t:s0   check_ping
-rwxr-xr-x. root root system_u:object_r:nagios_system_plugin_exec_t:s0 check_procs
-rwxr-xr-x. root root system_u:object_r:nagios_system_plugin_exec_t:s0 check_swap
-rwxr-xr-x. root root unconfined_u:object_r:usr_t:s0   check_swraid.py
-rwxr-xr-x. root root unconfined_u:object_r:usr_t:s0   check_swraid.sh
-rwxr-xr-x. root root system_u:object_r:nagios_system_plugin_exec_t:s0 check_users
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       negate
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       urlize
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       utils.sh
TB.
  • it's been a while since I worked with Nagios & NRPE, but I'm pretty sure NRPE only wants to see the OK/WARN/CRIT line (with optional performance data) and may be getting confused by the extra output. – Jeff Schaller Sep 27 '16 at 17:20
  • Is SELinux enabled on this machine? (iirc, it is by default on Centos7). If so, does `ls -Z /usr/lib64/nagios/plugins` show the same security context for `check_fail2ban.sh` as for the pre-packaged nagios plugins? – user4556274 Sep 27 '16 at 17:25
  • Use `getenforce` to check the SELinux state. Given that your plugins have a variety of security contexts, if `check_fail2ban.sh` is the only one giving problems, I'm less inclined to think SELinux context is the cause. You could do a quick check by changing the context to the standard for this directory, but I wouldn't have much confidence it would help. `cd /usr/lib64/nagios/plugins && chcon --reference=check_nrpe check_fail2ban.sh` – user4556274 Sep 27 '16 at 17:52
  • Jeff, I am looking into your suggestion. SELinux is "Enforcing". Thanks for the suggestion, I tried that but no change. – TB. Sep 27 '16 at 18:02
  • Jeff, I looked into your suggestion and it can accept additional lines of output. I think if that were the issue, then it would at least show the accurate count of blocked IPs; but I could be wrong. [link](http://www.naemon.org/documentation/usersguide/pluginapi.html) I am using Naemon, which is an updated fork of Nagios Core. – TB. Sep 27 '16 at 18:38
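The following is an added example, not the check_fail2ban.sh plugin from the page nor anything posted by the asker or commenters. It re-implements the core of that check for the fail2ban 0.9 `fail2ban-client status` format shown in the question (the same `grep "list" | cut -d : -f 2 | tr -d ,` jail-list parsing as the patched line 108, plus per-jail "Currently banned" counts and Nagios perf data), and it runs offline against constructed sample output through a stub client. One deliberate difference from the original plugin: when the jail list comes back empty, which is exactly what a client that cannot reach the fail2ban socket produces and what the "OK: 0 banned IP(s) in active jails" line under NRPE looks like, the example returns UNKNOWN (exit 3) instead of OK, so a permission or SELinux problem on the socket is surfaced rather than reported as a healthy host with no bans. The `stub_client` and `failing_client` functions, the sample text, and the documentation-range IP address are all assumptions made for the example.

```shell
#!/bin/sh
# Added illustration of the check_fail2ban logic for the fail2ban 0.9 output format.
# Not the plugin from the page. Sample output below is constructed for the example.

SAMPLE_STATUS='Status
|- Number of jail:      2
`- Jail list:   openvpn, sshd'

SAMPLE_JAIL_OPENVPN='Status for the jail: openvpn
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     3
|  `- File list:        /var/log/openvpn.log
`- Actions
   |- Currently banned: 1
   |- Total banned:     1
   `- Banned IP list:   203.0.113.5'

SAMPLE_JAIL_SSHD='Status for the jail: sshd
|- Filter
|  |- Currently failed: 2
|  |- Total failed:     9
|  `- File list:        /var/log/secure
`- Actions
   |- Currently banned: 0
   |- Total banned:     4
   `- Banned IP list:   '

# Stand-in for fail2ban-client (assumption) so the example runs without fail2ban installed.
stub_client() {
    case "$1 $2" in
        "status ")        printf '%s\n' "$SAMPLE_STATUS" ;;
        "status openvpn") printf '%s\n' "$SAMPLE_JAIL_OPENVPN" ;;
        "status sshd")    printf '%s\n' "$SAMPLE_JAIL_SSHD" ;;
        *) echo "ERROR Unable to contact server. Is it running?" >&2; return 255 ;;
    esac
}

# Stand-in for a client that cannot reach the socket (denied by permissions or
# SELinux): nothing on stdout, an error on stderr, non-zero exit.
failing_client() {
    echo "ERROR Unable to contact server. Is it running?" >&2
    return 255
}

# Jail names from "`- Jail list:   openvpn, sshd" -> "openvpn sshd"
# (the same pipeline as the patched line 108 of the plugin).
parse_jail_list() {
    grep 'Jail list' | cut -d : -f 2 | tr -d ,
}

# "Currently banned" count from one jail's status block.
parse_banned_count() {
    sed -n 's/.*Currently banned:[[:space:]]*\([0-9]*\).*/\1/p'
}

# check_fail2ban CLIENT WARN CRIT
# Prints the Nagios status line plus a perf-data line; returns the Nagios exit code.
check_fail2ban() {
    client="$1"; warn="$2"; crit="$3"
    total=0; njails=0; perf=""
    jails=$("$client" status 2>/dev/null | parse_jail_list) || jails=""
    if [ -z "$jails" ]; then
        # Empty jail list: the client did not answer. Do not report OK with 0 bans.
        echo "UNKNOWN: could not read the jail list from $client (socket unreachable or permission denied)"
        return 3
    fi
    for jail in $jails; do
        njails=$((njails + 1))
        count=$("$client" status "$jail" 2>/dev/null | parse_banned_count)
        count=${count:-0}
        total=$((total + count))
        perf="$perf $jail=$count;;;;"
    done
    if [ "$total" -ge "$crit" ]; then state=CRITICAL; code=2
    elif [ "$total" -ge "$warn" ]; then state=WARNING; code=1
    else state=OK; code=0
    fi
    echo "$state: $total banned IP(s) in $njails active jails|banned_IP=$total;$warn;$crit;;"
    echo "|$perf"
    return $code
}

# Stand-alone demonstration: a working client, then one that cannot reach the socket.
check_fail2ban stub_client 10 20; echo "exit=$?"
check_fail2ban failing_client 10 20; echo "exit=$?"
```

To point the same function at a real host, pass `fail2ban-client` as the first argument; running it once as the NRPE user from a real NRPE invocation and once via `sudo -u nrpe` makes the difference between "client reachable" and "jail list empty" visible as distinct exit codes rather than two OK lines.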
