
fail2ban send automatic abuse email

I configured the fail2ban service to send an automatic abuse email to the abuse contact registered for the banned IP address.
The following system tools need to be installed: whois, a mail server that also provides the sendmail binary, host, paste and grep.
To find the right abuse contact, the Abusix contact database is queried through DNS (a TXT lookup under abuse-contacts.abusix.org).

First, define a new action shortcut and make it the default action in /etc/fail2ban/jail.conf (or, so that package upgrades do not overwrite it, in jail.local):

# ban & send an e-mail with whois report and relevant log lines to abuse contact
# (note the closing quote after %(protocol)s; without it fail2ban fails to parse the action)
action_abuse = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s"]
               %(mta)s-abuse[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s]
 
 
# Choose default action.  To change, just override value of 'action' with the
# interpolation to the chosen action shortcut (e.g.  action_mw, action_mwl, etc) in jail.local
# globally (section [DEFAULT]) or per specific section
action = %(action_abuse)s

Then create the action file the shortcut refers to, /etc/fail2ban/action.d/sendmail-abuse.conf; with the default mta = sendmail, %(mta)s-abuse resolves to exactly this file name. It is derived from the stock sendmail action and differs only in actionban, which hands the work to a script:

[Definition]
 
# Option:  actionstart
# Notes.:  command executed once at the start of Fail2Ban.
# Values:  CMD
#
actionstart = printf %%b "Subject: [Fail2Ban] <name>: started
              Date: `date -u +"%%a, %%d %%h %%Y %%T +0000"`
              From: Fail2Ban <<sender>>
              To: <dest>\n
              Hi,\n
              The jail <name> has been started successfully.\n
              Regards,\n
              Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
 
# Option:  actionstop
# Notes.:  command executed once at the end of Fail2Ban
# Values:  CMD
#
actionstop = printf %%b "Subject: [Fail2Ban] <name>: stopped
             Date: `date -u +"%%a, %%d %%h %%Y %%T +0000"`
             From: Fail2Ban <<sender>>
             To: <dest>\n
             Hi,\n
             The jail <name> has been stopped.\n
             Regards,\n
             Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
 
# Option:  actioncheck
# Notes.:  command executed once before each actionban command
# Values:  CMD
#
actioncheck =
 
# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
actionban = /usr/local/bin/fail2ban_abuse_mail.sh <ip> <sender> <dest> <logpath>
 
# Option:  actionunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    <ip>  IP address
#          <failures>  number of failures
#          <time>  unix timestamp of the ban time
# Values:  CMD
#
actionunban =
 
[Init]
 
# Default name of the chain
#
name = default
 
# Destination/Addressee of the mail
#
dest = root
 
# Sender of the mail
#
sender = fail2ban@domain
 
# Path to the log files which contain relevant lines for the abuser IP
#
logpath = /dev/null

Finally, create the script that does the actual work, /usr/local/bin/fail2ban_abuse_mail.sh, and make it executable (chmod 755). fail2ban runs it as root, so every argument is quoted and the banned IP is matched in the log as a fixed whole word rather than as an unquoted pattern. Two limits to keep in mind: the octet reversal handles IPv4 only, so an IPv6 ban produces no report, and the 24-hour marker files live under /var/tmp, a world-writable directory; on a host with untrusted local users point BANNED_IP_PATH at a root-owned location such as /var/lib/fail2ban instead.

#!/bin/bash

PATH="$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
export LANG=C
REMOTE_IP="$1"          # <ip> of the banned host, supplied by fail2ban
SENDER_MAIL="$2"        # <sender> from the action's [Init] section
DEST_MAIL="$3"          # <dest>, receives a copy of every report
LOGFILES=("${@:4}")     # <logpath>; every argument from the 4th on is a log file
[ "${#LOGFILES[@]}" -gt 0 ] || LOGFILES=(/dev/null)
DATE=$(date)
WHOIS_OUTPUT=$(whois "$REMOTE_IP")
# Reverse the octets (1.2.3.4 -> 4.3.2.1.) for the DNS based lookup below; IPv4 only
REVERSE_IP=$(echo "$REMOTE_IP" | awk 'BEGIN{FS=".";ORS="."} {for (i = NF; i > 0; i--){print $i}}')
# Fixed string, whole word match: an unquoted 1.2.3.4 is a regex whose dots match any
# character, and without -w it also hits 1.2.3.45; -h drops the file name prefix
LOG_LINES=$(grep -hFw -- "$REMOTE_IP" "${LOGFILES[@]}")
BANNED_IP_PATH="/var/tmp/fail2ban_banned_ips"

# Skip sending an email when one was already sent for that IP in the last 24 hours;
# marker files older than 30 days are removed on the way
if ! [ -d "$BANNED_IP_PATH" ]; then mkdir -m 0700 "$BANNED_IP_PATH"; else find "${BANNED_IP_PATH}/" -mtime +30 -type f -delete; fi
if [ -n "$(find "${BANNED_IP_PATH}/$REMOTE_IP" -mtime -1 2>/dev/null)" ]; then exit 0; else touch "${BANNED_IP_PATH}/$REMOTE_IP"; fi

# Get the abuse email address(es) from Abusix: the TXT record of the reversed IP under
# abuse-contacts.abusix.org holds one or more comma separated addresses
if DNS_REPLY=$(host -t TXT "${REVERSE_IP}abuse-contacts.abusix.org"); then
  ABUSE_ADDR=$(echo "$DNS_REPLY" | grep -Eio '\b[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}\b' | paste -sd ",")
fi

# Send email. With -t sendmail takes the recipients from the To: and Bcc: headers, so the
# comma separated list works as is and the local admin gets a blind copy via <dest>
if [ -n "$ABUSE_ADDR" ]; then
sendmail -t -i -f "$SENDER_MAIL" << EOF
Subject: Automatic abuse report for IP address $REMOTE_IP
From: $SENDER_MAIL
To: $ABUSE_ADDR
Bcc: $DEST_MAIL

This is an email abuse report about the IP address $REMOTE_IP generated at $DATE
You get this email because you are listed as the official abuse contact for this IP address.

The following intrusion attempts were detected:
$LOG_LINES

WHOIS report:
$WHOIS_OUTPUT

EOF
fi
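The two steps of the script that are easy to get subtly wrong, building the Abusix lookup name and extracting the addresses from the TXT reply, plus the whole-word log match, as an added example that is not part of the original post. It runs entirely offline on constructed input (the host reply and the sshd log lines are made up, not real DNS or log output) and goes one step beyond the script: besides the IPv4 octet reversal it also builds the reverse-nibble form for IPv6 addresses, which is an assumption about how the Abusix service is queried for IPv6 and is not covered by the post.

```shell
#!/bin/sh
# Added example (not from the original post): the lookup-name and
# address-extraction steps of the abuse script as small functions, run here on
# constructed input so they can be checked without DNS or a mailer.

# Reverse the octets of an IPv4 address: 203.0.113.7 -> 7.113.0.203
reverse_ipv4() {
  old_ifs=$IFS
  IFS=.
  set -- $1
  IFS=$old_ifs
  printf '%s.%s.%s.%s' "$4" "$3" "$2" "$1"
}

# Expand an IPv6 address to its 32 hex nibbles and reverse them dot separated,
# the ip6.arpa style form (assumed here for Abusix; the post only handles IPv4)
reverse_ipv6() {
  case $1 in
    *::*) head=${1%%::*}; tail=${1#*::} ;;
    *)    head=$1; tail= ;;
  esac
  old_ifs=$IFS
  IFS=:
  full=""; tailhex=""; n=0
  for g in $head; do full="$full$(printf '%04x' "0x$g")"; n=$((n + 1)); done
  for g in $tail; do tailhex="$tailhex$(printf '%04x' "0x$g")"; n=$((n + 1)); done
  IFS=$old_ifs
  # "::" stands for as many zero groups as are needed to reach eight
  while [ "$n" -lt 8 ]; do full="${full}0000"; n=$((n + 1)); done
  full="$full$tailhex"
  out=""
  while [ -n "$full" ]; do
    rest=${full#?}
    c=${full%"$rest"}
    out="$c.$out"
    full=$rest
  done
  printf '%s' "${out%.}"
}

# Name to look up: reversed address + ".abuse-contacts.abusix.org"
abusix_query_name() {
  case $1 in
    *:*) printf '%s.abuse-contacts.abusix.org' "$(reverse_ipv6 "$1")" ;;
    *)   printf '%s.abuse-contacts.abusix.org' "$(reverse_ipv4 "$1")" ;;
  esac
}

# Pull mail addresses out of a host(1) TXT reply on stdin and join them with
# commas, the same grep | paste pipeline the script uses
extract_addrs() {
  grep -Eio '\b[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}\b' | paste -sd ','
}

# Count the log lines (stdin) for one address as a fixed string and whole word:
# a bare "203.0.113.7" pattern would also match 203.0.113.70 and 203x0y113z7
count_log_lines_for_ip() {
  grep -Fwc -- "$1"
}

# Constructed sample data (not real DNS or log output)
SAMPLE_HOST_REPLY='7.113.0.203.abuse-contacts.abusix.org descriptive text "abuse@example.net,noc@example.net"'
SAMPLE_LOG='Mar  3 10:01:02 host sshd[1234]: Failed password for root from 203.0.113.7 port 51234 ssh2
Mar  3 10:01:05 host sshd[1236]: Failed password for invalid user admin from 203.0.113.70 port 51240 ssh2
Mar  3 10:01:09 host sshd[1240]: Failed password for root from 203.0.113.7 port 51250 ssh2'

# Demo output when run directly
printf 'lookup name (v4): %s\n' "$(abusix_query_name 203.0.113.7)"
printf 'lookup name (v6): %s\n' "$(abusix_query_name 2001:db8::1)"
printf 'abuse contacts:   %s\n' "$(printf '%s\n' "$SAMPLE_HOST_REPLY" | extract_addrs)"
printf 'matching lines:   %s (an unquoted regex grep reports %s)\n' \
  "$(printf '%s\n' "$SAMPLE_LOG" | count_log_lines_for_ip 203.0.113.7)" \
  "$(printf '%s\n' "$SAMPLE_LOG" | grep -c 203.0.113.7)"
```

The last line is the reason for grep -Fw in the script: with the dotted address used as a regex, the 203.0.113.70 line is reported as well, and the abuse desk would receive evidence for a neighbour's machine.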