Fail2ban for Opsview Monitor

This guide shows a quick and dirty way to use Fail2ban to slow down brute-force login attacks against an Opsview Monitor 5.0 server. It should work the same way on Opsview 4.x servers, but I haven't tested it there.

Fail2ban, for those who aren't familiar with it, is “an intrusion prevention framework written in the Python programming language. It works by reading SSH, ProFTP, Apache logs etc.. and uses iptables profiles to block brute-force attempts.” (src: https://help.ubuntu.com/community/Fail2ban).

Firstly, install fail2ban. In my example I am using Ubuntu 14.04, so simply:

Next, go to the fail2ban filter directory (/etc/fail2ban/filter.d) and create the opsview ‘filter’:

Within here, copy and paste the following:

This is a simple regex that captures the source IP of the attacker from the standard syslog-format message Opsview writes to opsview-web.log on a failed login attempt. Example message below:

Next, let's tell fail2ban to actually use this filter. Create a new file called ‘/etc/fail2ban/jail.local’ and add the following:

Obviously, if you aren't serving Opsview over https then change this to ‘http’. Next, edit /etc/fail2ban/jail.conf and change the line

to

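Because the filter and jail above only work if the failregex really matches the message Opsview logs, it is worth checking the regex and the ban threshold against sample lines before enabling the jail. The following is an added example, not the original post's configuration and not Opsview's or fail2ban's own code: it emulates what fail2ban does with the two files, substituting the <HOST> placeholder the way fail2ban does, applying the failregex to syslog-style lines, and banning a host once it reaches maxretry failures inside a sliding findtime window. The log message format, the failregex, and the logpath /var/log/opsview/opsview-web.log are assumptions, and the log lines are constructed; validate the real filter with fail2ban-regex against a genuine opsview-web.log line.

```python
"""Emulate a fail2ban filter + jail over constructed opsview-web.log lines.

Added example, not the page's own configuration. The failed-login message
format, the failregex and the log path are ASSUMPTIONS, since the real
Opsview message is not reproduced here; the sample log is constructed.
"""
import configparser
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed contents of /etc/fail2ban/filter.d/opsview.conf.
# <HOST> is fail2ban's placeholder for the address to ban.
FILTER_CONF = """\
[Definition]
failregex = Login failed for user '[^']*' from <HOST>$
ignoreregex =
"""

# Assumed [opsview] section of /etc/fail2ban/jail.local (logpath is a guess).
JAIL_LOCAL = """\
[opsview]
enabled  = true
port     = https
filter   = opsview
logpath  = /var/log/opsview/opsview-web.log
maxretry = 10
findtime = 600
bantime  = 3600
"""

# The group fail2ban (0.8.x/0.9.x) substitutes for <HOST>: IPv4, IPv6 or hostname.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Syslog-style prefix (timestamp, host, program) that precedes the message.
SYSLOG_LINE = re.compile(r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ \S+: (?P<msg>.*)$")

# Constructed sample log, NOT real Opsview output.
SAMPLE_LOG = "\n".join(
    ["Oct 12 09:00:00 opsview opsview-web: [WARN] Login failed for user 'bob' from 198.51.100.9"]
    + [f"Oct 12 10:33:{s:02d} opsview opsview-web: [WARN] Login failed for user 'admin' from 203.0.113.7"
       for s in range(10, 20)]  # ten failures in ten seconds: a fast brute force
    + ["Oct 12 10:34:01 opsview opsview-web: [INFO] Login succeeded for user 'admin' from 203.0.113.7",
       "Oct 12 11:00:00 opsview opsview-web: [WARN] Login failed for user 'bob' from 198.51.100.9"]
)


def load_conf(text, section):
    """Parse a fail2ban-style INI fragment and return one section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp[section]


def compile_failregex(conf_text=FILTER_CONF):
    """Turn the filter's failregex into a Python regex the way fail2ban does."""
    failregex = load_conf(conf_text, "Definition")["failregex"]
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def parse_failures(log_text, conf_text=FILTER_CONF, year=2015):
    """Yield (timestamp, host) for every log line the failregex matches."""
    pat = compile_failregex(conf_text)
    for line in log_text.splitlines():
        m = SYSLOG_LINE.match(line)
        if not m:
            continue
        hit = pat.search(m.group("msg"))
        if hit:
            ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
            yield ts, hit.group("host")


def bans(log_text, jail_text=JAIL_LOCAL, conf_text=FILTER_CONF):
    """Return {host: time_of_ban} for hosts reaching maxretry failures within
    a sliding findtime window, which is how the jail decides to ban."""
    jail = load_conf(jail_text, "opsview")
    maxretry = int(jail["maxretry"])
    findtime = timedelta(seconds=int(jail["findtime"]))
    recent = defaultdict(list)
    banned = {}
    for ts, host in parse_failures(log_text, conf_text):
        if host in banned:
            continue
        # keep only failures that are still inside the findtime window
        recent[host] = [t for t in recent[host] if ts - t <= findtime] + [ts]
        if len(recent[host]) >= maxretry:
            banned[host] = ts
    return banned


if __name__ == "__main__":
    for host, when in bans(SAMPLE_LOG).items():
        print(f"ban {host} at {when:%H:%M:%S}")
```

Run it as a script to see which host gets banned, or change maxretry and findtime in JAIL_LOCAL to see the trade-off: with the defaults, 203.0.113.7 is banned on its tenth failure, while the two failures from 198.51.100.9 two hours apart never reach the threshold inside a 600-second window. That is the usual blind spot of a jail like this, a slow brute force that stays under maxretry per findtime, and the reason to keep findtime generous rather than tiny.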
Finally, start fail2ban using the command:

You can view the state of the ‘jail’ with the script at https://gist.github.com/kamermans/1076290 . Download the file, chmod +x it and then run it, as below:

This will give an output similar to:

Now make 10-15 deliberately failed login attempts against the Opsview web interface and see what happens when you run the command above again:

Here you can see that 10 failed attempts have been made, and the offending IP address has now been banned from trying to log in. To confirm the ban at the iptables level, run the command below:

To unblock an IP address, simply run the command:

Sorted. Now, go forth and fail2ban!
