I'd like to invoke sending an e-mail (or running a particular script, if that would be possible) when a certain iptables DROP rule is being run. (For instance, when I'm blocking an IP after 5 failed SSH logins, I'd like to run mail -s "SSH Blocked" [email protected] or something similar.) Is there a way to directly have iptables execute this?
If not, then I guess I'd need to scan the logs with an external tool and then send out emails. Any recommended tool for this? Please note that I'm using systemd, so I am using journalctl and not old-fashioned log files.
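iptables itself has no target that runs a command; the usual pattern is a LOG target in front of the DROP, with a distinctive --log-prefix, and a watcher on the journal that reacts to those lines. The script below is an added example written for this thread, not code from the question or from any answer. The chain name SSH_BLOCK, the prefix "SSH_BLOCK: ", the recipient root and the sample log lines are all assumptions or constructed data; adjust them to your own rules.

```shell
#!/bin/sh
# Added example: react to an iptables LOG rule through journald.
#
# Assumed firewall setup (assumption, not from the thread):
#   iptables -N SSH_BLOCK
#   iptables -A SSH_BLOCK -m limit --limit 6/hour -j LOG --log-prefix "SSH_BLOCK: "
#   iptables -A SSH_BLOCK -j DROP
# The LOG target writes to the kernel ring buffer, journald captures it, and
# this script follows the kernel journal instead of a log file.

LOG_PREFIX="${LOG_PREFIX:-SSH_BLOCK: }"
ALERT_CMD="${ALERT_CMD:-mail -s 'SSH Blocked' root}"   # assumed recipient

# Constructed sample of what `journalctl -k` lines look like; used by demo().
SAMPLE_LOG='Jan 01 00:00:01 host kernel: SSH_BLOCK: IN=eth0 OUT= MAC=00:11:22:33:44:55 SRC=203.0.113.5 DST=192.0.2.1 LEN=60 PROTO=TCP DPT=22
Jan 01 00:00:02 host kernel: OTHER_RULE: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.1 PROTO=TCP DPT=80
Jan 01 00:00:03 host kernel: SSH_BLOCK: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.1 PROTO=TCP DPT=22'

# Read log lines on stdin and print the SRC= address of every line carrying
# the given prefix, one per line. Lines without the prefix are ignored.
extract_blocked_ips() {
    prefix="$1"
    while IFS= read -r line; do
        case "$line" in
            *"$prefix"*) ;;
            *) continue ;;
        esac
        for field in $line; do
            case "$field" in
                SRC=*) printf '%s\n' "${field#SRC=}" ;;
            esac
        done
    done
}

# Run the parser over the constructed sample and return the addresses
# space-separated, so the result can be checked without a live journal.
demo() {
    printf '%s\n' "$SAMPLE_LOG" | extract_blocked_ips "SSH_BLOCK: " | tr '\n' ' '
}

# Follow the kernel journal, alert once per address per run, and feed a short
# body to the alert command on stdin (mail reads the message body from stdin).
follow_and_alert() {
    seen=""
    journalctl -k -f -o cat | extract_blocked_ips "$LOG_PREFIX" | while IFS= read -r ip; do
        case " $seen " in *" $ip "*) continue ;; esac
        seen="$seen $ip"
        printf 'iptables DROP hit: %s blocked at %s\n' "$ip" "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
            | sh -c "$ALERT_CMD"
    done
}

# Only start following the journal when asked; otherwise the functions can be
# sourced and exercised on the sample.
if [ "${1:-}" = "--follow" ]; then
    follow_and_alert
fi
```

Run it as `./iptables-alert.sh --follow` (for example from a systemd service) to watch the live journal; without the flag it only defines the functions. The `-m limit` on the LOG rule keeps a single source from flooding the journal, and de-duplicating within a run avoids one mail per dropped packet; OSSEC or a similar HIDS gives you the same loop with proper state, but this shows the mechanism iptables actually offers.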
What I have been using for more than 5 years to alert sysadmins to this type of (and many other) event is OSSEC HIDS (http://www.ossec.net), funded by Trend Micro.
OSSEC does blocking and alerting by scanning logs in real time. You can install it on the local machine, or on another server. It can function as a central syslog server. Most features can be tailored to your needs. For log aggregation and inspection (required in PCI environments), I have not found many other applications that surpass what OSSEC offers.