Skip to content

Add fail2ban monitor#12251

Merged
mekarpeles merged 3 commits intointernetarchive:masterfrom
cdrini:feature/fail2ban-monitor
Apr 3, 2026
Merged

Add fail2ban monitor#12251
mekarpeles merged 3 commits intointernetarchive:masterfrom
cdrini:feature/fail2ban-monitor

Conversation

@cdrini
Copy link
Copy Markdown
Collaborator

@cdrini cdrini commented Apr 1, 2026

Part of #12171

Technical

Monitors the banned and failed. Failed is IPs that have failed the check (in our case I think this means IPs that have had a recent 429). Banned is IPs that have had enough 429s to be jailed.

Testing

Screenshot

image

Stakeholders

@cdrini cdrini force-pushed the feature/fail2ban-monitor branch from 6f0d71d to 2ca265b Compare April 1, 2026 18:49
@cdrini cdrini marked this pull request as ready for review April 1, 2026 19:45
Copilot AI review requested due to automatic review settings April 1, 2026 19:45
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds monitoring support for fail2ban’s nginx-429 jail so the cluster monitoring job can report current “failed” and “banned” counts to Graphite (for Grafana visualization as requested in #12171).

Changes:

  • Introduces a get_fail2ban_counts() helper to query and parse fail2ban jail status.
  • Adds a scheduled monitoring job to emit Graphite metrics for nginx-429 fail2ban stats.
  • Updates production/container configuration to make fail2ban-client and the host fail2ban socket available to the monitoring container.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 3 comments.

Show a summary per file
File Description
scripts/monitoring/fail2ban_monitor.py New helper to read fail2ban jail status and extract counts.
scripts/monitoring/monitor.py Adds scheduled job to submit fail2ban metrics to Graphite.
scripts/monitoring/tests/test_fail2ban_monitor.py Unit test for parsing fail2ban output.
docker/Dockerfile.olbase Installs fail2ban in the base image to provide fail2ban-client.
compose.production.yaml Mounts host /var/run/fail2ban into the monitoring container.

Comment thread scripts/monitoring/fail2ban_monitor.py
Comment thread scripts/monitoring/fail2ban_monitor.py
Comment thread docker/Dockerfile.olbase
@mekarpeles mekarpeles self-assigned this Apr 1, 2026
@mekarpeles mekarpeles added dependencies Pull requests that update a dependency file Needs: Submitter Input Waiting on input from the creator of the issue/pr [managed] labels Apr 1, 2026
@mekarpeles
Copy link
Copy Markdown
Member

One point about fail2ban v. fail2ban-client and whether we can install it only on ol-www0 rather than the core image

@mekarpeles mekarpeles merged commit 65a5aab into internetarchive:master Apr 3, 2026
7 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file Needs: Submitter Input Waiting on input from the creator of the issue/pr [managed]

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants