
systemd file

Open · djtecha opened this issue 1 year ago · 1 comment

Not sure if this is helpful, but if someone wanted to run the binary as a systemd process:

[Unit]
Description=Fail2ban Exporter
After=fail2ban.service
Requires=fail2ban.service

[Service]
ExecStart=/opt/fail2ban_exporter/fail2ban_exporter --collector.f2b.socket=/var/run/fail2ban/fail2ban.sock --web.listen-address=":9191"
Type=simple
Restart=always

djtecha, May 01 '24 17:05

Hi,

Thanks for the info.

It’s also possible to avoid running the service as root by using ACLs.

You just need to change the permissions on the socket using the ExecStartPre option (the + is important), and set fail2ban as a Requires so that it starts in the proper order.

You should also run the collector with the option: --collector.f2b.exit-on-socket-connection-error

[Unit]
Description=Prometheus exporter for fail2ban metrics
Requires=network-online.target fail2ban.service
After=network-online.target fail2ban.service

[Service]
EnvironmentFile=-/etc/default/fail2ban_exporter.conf
ExecStartPre=+/usr/bin/setfacl -m u:{{ telemetrie_fail2ban_exporter_user }}:rw /var/run/fail2ban/fail2ban.sock
ExecStart={{ telemetrie_fail2ban_exporter_path }} $FAIL2BAN_EXPORTER_ARGS
ExecReload=/bin/kill -HUP $MAINPID
User={{ telemetrie_fail2ban_exporter_user }}
Group={{ telemetrie_fail2ban_exporter_user }}
Restart=on-failure
RestartSec=5s

NoNewPrivileges=true
LimitNOFILE=1048576
UMask=0077
RestrictNetworkInterfaces=lo

ProtectSystem=strict
ProtectHome=true
PrivateUsers=yes
PrivateTmp=true
PrivateDevices=true
ProtectHostname=true
ProtectClock=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectControlGroups=true
RestrictAddressFamilies=AF_UNIX AF_INET
RestrictNamespaces=true
LockPersonality=true
MemoryDenyWriteExecute=true
RestrictRealtime=true
RestrictSUIDSGID=true
RemoveIPC=true
CapabilityBoundingSet=
AmbientCapabilities=

SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
SystemCallArchitectures=native

[Install]
WantedBy=multi-user.target

and the /etc/default/fail2ban_exporter.conf file

FAIL2BAN_EXPORTER_ARGS="--web.listen-address='127.0.0.1:{{ telemetrie_fail2ban_exporter_port }}' --collector.f2b.exit-on-socket-connection-error"

tititototutu, Nov 08 '25 19:11
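As an added example (not code from this issue or from the exporter project), a small Python linter that checks a unit file for the points the reply raises: a non-root User=, fail2ban.service in Requires= and After=, the + prefix on the setfacl ExecStartPre, the exit-on-socket-connection-error flag (also when it comes from the EnvironmentFile), and a couple of the hardening directives. The sample units are condensed from the two in the thread; the user name f2bexp and the binary path are constructed placeholders.

```python
# Added example (not part of the issue thread): lint a fail2ban_exporter unit
# for the points the reply raises. Sample units are condensed from the thread.
from collections import defaultdict

def parse_unit(text):
    """Parse a systemd unit into {section: {key: [values]}}; keys may repeat."""
    sections, current = defaultdict(lambda: defaultdict(list)), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            continue
        key, _, value = line.partition("=")  # split on the first '=' only
        sections[current][key.strip()].append(value.strip())
    return sections

def audit_unit(text, env_args=""):
    """Return findings for a unit; env_args is the EnvironmentFile value, if any."""
    unit = parse_unit(text)
    svc, u = unit["Service"], unit["Unit"]
    findings = []
    if svc.get("User", ["root"])[0] in ("", "root"):
        findings.append("runs as root: set User= to a dedicated account")
    for dep in ("Requires", "After"):
        if "fail2ban.service" not in " ".join(u.get(dep, [])):
            findings.append(f"missing {dep}=fail2ban.service")
    for pre in svc.get("ExecStartPre", []):
        if "setfacl" in pre and not pre.startswith("+"):
            findings.append("setfacl in ExecStartPre needs the '+' prefix to run as root")
    args = " ".join(svc.get("ExecStart", [])) + " " + env_args
    if "--collector.f2b.exit-on-socket-connection-error" not in args:
        findings.append("missing --collector.f2b.exit-on-socket-connection-error")
    for key in ("NoNewPrivileges", "ProtectSystem"):
        if key not in svc:
            findings.append(f"missing {key}=")
    return findings

# Constructed samples, condensed from the two units in the thread.
ROOT_UNIT = """[Unit]\nRequires=fail2ban.service\nAfter=fail2ban.service
[Service]\nExecStart=/opt/fail2ban_exporter/fail2ban_exporter --web.listen-address=":9191"
Type=simple\nRestart=always\n"""
HARDENED_UNIT = """[Unit]\nRequires=network-online.target fail2ban.service
After=network-online.target fail2ban.service\n[Service]
ExecStartPre=+/usr/bin/setfacl -m u:f2bexp:rw /var/run/fail2ban/fail2ban.sock
ExecStart=/usr/local/bin/fail2ban_exporter $FAIL2BAN_EXPORTER_ARGS
User=f2bexp\nNoNewPrivileges=true\nProtectSystem=strict\n"""
HARDENED_ARGS = "--web.listen-address='127.0.0.1:9191' --collector.f2b.exit-on-socket-connection-error"
```

Running audit_unit(ROOT_UNIT) reports the root user, the missing flag and the missing hardening directives, while audit_unit(HARDENED_UNIT, HARDENED_ARGS) returns no findings.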