
fail2ban send automatic abuse email

I configured the fail2ban service to send an automatic abuse email to the abuse contact responsible for the banned IP's address range. To find the right abuse contact, the abusix.org service is queried via DNS.
The following system tools need to be installed:

- whois
- a mailserver that also provides the sendmail binary
- host
- paste
- grep

First, configure a new action target and a new default action, and make sure that mta is set to sendmail in /etc/fail2ban/jail.conf:

# ban & send an e-mail with whois report and relevant log lines to abuse contact
action_abuse = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s"]
               %(mta)s-abuse[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s]


# Choose default action.  To change, just override value of 'action' with the
# interpolation to the chosen action shortcut (e.g.  action_mw, action_mwl, etc) in jail.local
# globally (section [DEFAULT]) or per specific section
action = %(action_abuse)s

mta = sendmail

Now define the new sendmail-abuse action in /etc/fail2ban/action.d/sendmail-abuse.conf. It's important to set the sender address in the [Init] section at the bottom of the file!

[Definition]

# Option:  actionstart
# Notes.:  command executed once at the start of Fail2Ban.
# Values:  CMD
#
actionstart = printf %%b "Subject: [Fail2Ban] <name>: started
              Date: `date -u +"%%a, %%d %%h %%Y %%T +0000"`
              From: Fail2Ban <<sender>>
              To: <dest>\n
              Hi,\n
              The jail <name> has been started successfully.\n
              Regards,\n
              Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>

# Option:  actionstop
# Notes.:  command executed once at the end of Fail2Ban
# Values:  CMD
#
actionstop = printf %%b "Subject: [Fail2Ban] <name>: stopped
             Date: `date -u +"%%a, %%d %%h %%Y %%T +0000"`
             From: Fail2Ban <<sender>>
             To: <dest>\n
             Hi,\n
             The jail <name> has been stopped.\n
             Regards,\n
             Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>

# Option:  actioncheck
# Notes.:  command executed once before each actionban command
# Values:  CMD
#
actioncheck =

# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    <ip>  IP address
#          <failures>  number of failures
#          <time>  unix timestamp of the ban time
# Values:  CMD
#
actionban = /usr/local/bin/fail2ban_abuse_mail.sh <ip> <sender> <dest> <logpath>

# Option:  actionunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    <ip>  IP address
#          <failures>  number of failures
#          <time>  unix timestamp of the ban time
# Values:  CMD
#
actionunban =

[Init]

# Default name of the chain
#
name = default

# Destination/Addressee of the mail
#
dest = root

# Sender of the mail
#
sender = fail2ban@example.com

# Path to the log files which contain relevant lines for the abuser IP
#
logpath = /dev/null

Create the script that does the actual work as /usr/local/bin/fail2ban_abuse_mail.sh and make it executable (chmod 755).
If you want to get a copy of the email, add a line like "Bcc: you@example.com" under the To: field, but keep the blank line after the headers!

#!/bin/bash

PATH="$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
export LANG=C
REMOTE_IP="$1"
SENDER_MAIL="$2"
DEST_MAIL="$3"    # passed in by the action but not used below; add it as a Bcc: header if you want a copy
LOGFILE="$4"
DATE=$(date)
WHOIS_OUTPUT=$(whois "$REMOTE_IP")
# Reverse the octets for the DNS lookup: 1.2.3.4 -> 4.3.2.1. (trailing dot included)
REVERSE_IP=$(echo "$REMOTE_IP" | awk 'BEGIN{FS=".";ORS="."} {for (i = NF; i > 0; i--){print $i}}')
# Fixed-string match, so the dots in the IP are not treated as regex wildcards
LOG_LINES=$(grep -F "$REMOTE_IP" "$LOGFILE")
BANNED_IP_PATH="/var/tmp/fail2ban_banned_ips"

# Skip sending an email when one was already sent for that IP in the last 24 hours;
# marker files older than 30 days are cleaned up
if ! [ -d "$BANNED_IP_PATH" ]; then mkdir -p "$BANNED_IP_PATH"; else find "${BANNED_IP_PATH}/" -mtime +30 -type f -delete; fi
if [ -n "$(find "${BANNED_IP_PATH}/$REMOTE_IP" -mtime -1 2>/dev/null)" ]; then exit 0; else touch "${BANNED_IP_PATH}/$REMOTE_IP"; fi

# Get the abuse email address from Abusix (TXT record under abuse-contacts.abusix.org)
if DNS_REPLY=$(host -t TXT "${REVERSE_IP}abuse-contacts.abusix.org"); then
  ABUSE_ADDR=$(echo "$DNS_REPLY" | grep -Eio '\b[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}\b' | paste -sd ",")
fi

# Send the email only when an abuse contact was found
if [ -n "$ABUSE_ADDR" ]; then
sendmail -t -i -f "$SENDER_MAIL" "$ABUSE_ADDR" << EOF
Subject: Automatic abuse report for IP address $REMOTE_IP
From: $SENDER_MAIL
To: $ABUSE_ADDR

This is an email abuse report about the IP address $REMOTE_IP generated at $DATE
You get this email because you are listed as the official abuse contact for this IP address.

The following intrusion attempts were detected:
$LOG_LINES

WHOIS report:
$WHOIS_OUTPUT

EOF
fi

That's it. fail2ban should now ban the source IP address and send an abuse email as well.
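The three pieces the script depends on (the reversed lookup name, the parsing of the TXT reply, and the log lines quoted in the report) can be checked offline. The following Python is an added example, not part of the original post: it builds the abusix lookup name only for a validated IPv4 address, parses a constructed `host -t TXT` reply with the same address pattern the script gives to grep, and, going beyond the script, strips control characters from the quoted log lines, since parts of a failed-login line (such as the attempted username) are chosen by the remote side. The sample reply and log line are constructed, not real lookup results.

```python
import ipaddress
import re
import string

ABUSIX_ZONE = "abuse-contacts.abusix.org"   # zone queried by the script above
# the pattern the script feeds to grep -Eio, made case-insensitive with re.I
EMAIL_RE = re.compile(r"\b[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}\b", re.I)
CSI_RE = re.compile(r"\x1b\[[0-9;?]*[ -/]*[@-~]")  # ANSI CSI escape sequences


def abusix_query_name(ip: str, zone: str = ABUSIX_ZONE) -> str:
    """Build the DNS name to look up for an IPv4 address (1.2.3.4 -> 4.3.2.1.<zone>).

    The value is validated first: fail2ban hands the script <ip> taken from a
    log line, and anything that is not an address must never reach a command
    line. Raises ValueError for non-addresses and for IPv6 (not handled here).
    """
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("only IPv4 addresses are handled here")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def extract_abuse_contacts(host_output: str) -> list:
    """Parse `host -t TXT` output into a de-duplicated, lower-cased address list.

    Returns [] for an NXDOMAIN reply, which is the case in which the script
    sends no mail at all.
    """
    contacts = []
    for addr in EMAIL_RE.findall(host_output):
        if addr.lower() not in contacts:
            contacts.append(addr.lower())
    return contacts


def sanitize_log_lines(log_text: str) -> str:
    """Remove terminal escapes and non-printable characters from quoted log lines."""
    cleaned = []
    for line in log_text.splitlines():
        line = CSI_RE.sub("", line)
        cleaned.append("".join(c for c in line if c in string.printable).rstrip())
    return "\n".join(cleaned)


if __name__ == "__main__":
    # constructed sample reply, not a real lookup result
    sample = '10.2.0.192.abuse-contacts.abusix.org descriptive text "abuse@example.net, noc@example.net"'
    print(abusix_query_name("192.0.2.10"))
    print(extract_abuse_contacts(sample))
```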
