Home / server / Questions / 448779
Accepted
Banjer
Asked: 2012-11-15 12:23:45 +0800 CST

Have fail2ban send notification to banned party

  • 772

I have fail2ban configured on some CentOS 5 and 6 servers, and it sends me an email with a whois of the IP whenever an IP is banned. Is it possible to configure fail2ban to also send a notification to the email from the whois report?

Here is my jail config:

# /etc/fail2ban/jail.conf    

[ssh-iptables]

enabled  = true
filter   = sshd
action   = iptables-allports[name=SSH, protocol=all]
           sendmail-whois[name=SSH, [email protected], sender=fail2ban]
logpath  = /var/log/secure
maxretry = 3

Is there some sort of variable I can put it dest= to send to the whois email?

linux

3 Answers

  1. Best Answer

    Looks like there is an action the comes with fail2ban called complain. Notice the line with complain[logpath=/var/log/secure]:

    # /etc/fail2ban/jail.conf    

[ssh-iptables]

enabled  = true
filter   = sshd
action   = iptables-allports[name=SSH, protocol=all]
           sendmail-whois[name=SSH, [email protected], sender=fail2ban]
           complain[logpath=/var/log/secure]
logpath  = /var/log/secure
maxretry = 3

    Add that line and restart the fail2ban service. The action conf file is /etc/fail2ban/action.d/complain.conf. Short description:

    Sends a complaint e-mail to addresses listed in the whois record for an offending IP address.

    • 10

  2. It's possible. (Depending on how strictly you define "have fail2ban do this.") Doesn't strike me as a particularly fruitful waste of time, though.

    Basically, you'd take your whois to get the domain owner, and send an email to abuse@[domain].[tld] to let them know that someone on one of their hosts is trying to gain unauthorized access to your system, and attach the logs, presumably. (You could also send one to the email in the whois, as you suggest, but that's even less likely to reach anyone who cares or can do something about it.) You'd have to hope that:

    1. abuse is the right address (you could try other ones, but that would be the most common by far) and is monitored. (Same of the email address listed in the whois - if it's not valid or not monitored, you're wastign your time right off the bat.)
    2. The host gives a damn.
    3. The host isn't in on it.
    4. The host has an abundance of free time to track down the naughty user.
    5. The host has the technical ability to track down the naughty user.
    6. The naughty user doesn't immediate switch hosts/compromised systems and carry on unimpeded.

    Any one of those conditions being false guarantee that you're completely wasting your time, and in my experience, 2, 4, 5, and 6 are almost always false, so what you're looking to so is a complete waste of time, unless you're looking to use this as a learning experience to become a better scripter.

    • 5

  3. To add to the answer by @Banjer (which is correct): you don't really need both actions "sendmail-whois" and "complain" if you configure the action "complain" correctly:

    # /etc/fail2ban/jail.conf    
[ssh-iptables]
enabled  = true
filter   = sshd
action   = iptables-allports[name=SSH, protocol=all]
           complain[logpath=/var/log/secure]
logpath  = /var/log/secure
maxretry = 3

    And:

    # /etc/fail2ban/action.d/complain.conf
[Init]
message = <insert body-text here>\n\nWhois information about $IP:\n`/usr/bin/whois $IP`\n
logpath = /dev/null
mailcmd = mail -s
mailargs = -c <insert your e-mailaddress here> -- -f root@<insert your domain here>

    That way, the internet service provider administering the offending IP address will be contacted automatically AND you will receive a copy of the e-mail in cc: ('-c'-option to the mailargs variable).

    I have also added the WHOIS-information to the message-variable, which is not a default in the Debian-configuration, but is a nice addon to the default message imho.

    • 3