
fail2ban send automatic abuse email

I configured the fail2ban service to send an automatic abuse email to the abuse contact registered for the banned IP's address range.
The following system tools need to be installed: whois, a mail server that also provides the sendmail binary, host, paste, grep.
To find the right abuse contact, the abusix.org service (abuse-contacts.abusix.org, queried via DNS TXT records) is used.

First, configure a new action target and make it the default action in /etc/fail2ban/jail.conf

# ban & send an e-mail with whois report and relevant log lines to abuse contact
action_abuse = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s"]
               %(mta)s-abuse[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s]
# Choose default action.  To change, just override value of 'action' with the
# interpolation to the chosen action shortcut (e.g.  action_mw, action_mwl, etc) in jail.local
# globally (section [DEFAULT]) or per specific section
action = %(action_abuse)s

Configure the new mail action in /etc/fail2ban/action.d/sendmail-abuse.conf (with fail2ban's default mta = sendmail, %(mta)s-abuse resolves to this file)

# Option:  actionstart
# Notes.:  command executed once at the start of Fail2Ban.
# Values:  CMD
actionstart = printf %%b "Subject: [Fail2Ban] <name>: started
              Date: `date -u +"%%a, %%d %%h %%Y %%T +0000"`
              From: Fail2Ban <<sender>>
              To: <dest>\n
              The jail <name> has been started successfully.\n
              Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
# Option:  actionstop
# Notes.:  command executed once at the end of Fail2Ban
# Values:  CMD
actionstop = printf %%b "Subject: [Fail2Ban] <name>: stopped
             Date: `date -u +"%%a, %%d %%h %%Y %%T +0000"`
             From: Fail2Ban <<sender>>
             To: <dest>\n
             The jail <name> has been stopped.\n
             Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
# Option:  actioncheck
# Notes.:  command executed once before each actionban command
# Values:  CMD
actioncheck =
# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
actionban = /usr/local/bin/fail2ban_abuse_mail.sh <ip> <sender> <dest> <logpath>
# Option:  actionunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    <ip>  IP address
#          <failures>  number of failures
#          <time>  unix timestamp of the ban time
# Values:  CMD
actionunban =
# Default name of the chain
name = default
# Destination/Addressee of the mail
dest = root
# Sender of the mail
sender = fail2ban@domain
# Path to the log files which contain relevant lines for the abuser IP
logpath = /dev/null

Create the script that does the actual work as /usr/local/bin/fail2ban_abuse_mail.sh and make it executable (chmod 755)

#!/bin/bash
REMOTE_IP="$1"; SENDER_MAIL="$2"; DEST_MAIL="$3"; LOGPATH="$4"   # as passed by actionban: <ip> <sender> <dest> <logpath>
BANNED_IP_PATH=/var/lib/fail2ban/abuse-mails   # marker directory (assumed path), one file per reported IP
DATE=$(date -u +"%a, %d %h %Y %T +0000")
# Reverse the octets (192.0.2.10 -> 10.2.0.192.) to build the abusix lookup name; IPv4 only
REVERSE_IP=$(echo "$REMOTE_IP" | awk 'BEGIN{FS=".";ORS="."} {for (i = NF; i > 0; i--){print $i}}')
# Skip sending email when an email was already sent out for that IP in the last 24 hours
if ! [ -d "$BANNED_IP_PATH" ]; then mkdir -p "$BANNED_IP_PATH"; else find "${BANNED_IP_PATH}/" -mtime +30 -type f -delete; fi
if [ -n "$(find "${BANNED_IP_PATH}/$REMOTE_IP" -mtime -1 2>/dev/null)" ]; then exit 0; else touch "${BANNED_IP_PATH}/$REMOTE_IP"; fi
# Get the abuse email address(es) from Abusix; several addresses are joined with commas
if DNS_REPLY=$(host -t TXT "${REVERSE_IP}abuse-contacts.abusix.org"); then
  ABUSE_ADDR=$(echo "$DNS_REPLY" | grep -Eio '\b[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}\b' | paste -sd ",")
fi
# Send email: -t takes the recipients from the headers, dest receives a copy
if [ -n "$ABUSE_ADDR" ]; then
sendmail -t -i -f "$SENDER_MAIL" << EOF
From: Fail2Ban <$SENDER_MAIL>
To: $ABUSE_ADDR
Cc: $DEST_MAIL
Subject: Automatic abuse report for IP address $REMOTE_IP

This is an email abuse report about the IP address $REMOTE_IP generated at $DATE
You get this email because you are listed as the official abuse contact for this IP address.
The following intrusion attempts were detected:
$(grep -F "$REMOTE_IP" "$LOGPATH")
WHOIS report:
$(whois "$REMOTE_IP")
EOF
fi
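The three steps that decide whether and to whom a report goes (building the abusix lookup name, pulling the contact addresses out of the TXT reply, and the 24-hour per-IP suppression) are the parts worth checking before the script is wired into a live jail. The following is an added example, not the script from this post: the same logic factored into shell functions so it can be exercised offline against constructed host output (the sample reply and the marker directory are made up here; the functions take their inputs as arguments instead of reading the script's globals).

```shell
#!/bin/sh
# Added example (not the post's script): the lookup-name, contact-parsing and
# dedup steps of the abuse mail script as standalone functions.

# Build the abusix lookup name for an IPv4 address:
#   192.0.2.10 -> 10.2.0.192.abuse-contacts.abusix.org
# Caveat: this octet reversal is IPv4 only; an IPv6 address would need the
# reversed-nibble form, which this (like the original awk line) does not produce.
abusix_query_name() {
    printf '%s' "$1" | awk 'BEGIN{FS=".";ORS="."} {for (i = NF; i > 0; i--) print $i}'
    printf 'abuse-contacts.abusix.org\n'
}

# Extract every e-mail address from a `host -t TXT` reply and join them with
# commas, so the result can be used directly in a To: header. Prints nothing
# when the reply carries no address (e.g. an NXDOMAIN answer).
abuse_contacts() {
    printf '%s\n' "$1" | grep -Eio '\b[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}\b' | paste -sd ','
}

# Report each IP at most once per 24 hours, using one marker file per IP in
# the directory given as $1 (markers older than 30 days are pruned).
# Returns 0 when a report should be sent, 1 when one went out recently.
should_report() {
    dir="$1"; ip="$2"
    mkdir -p "$dir"
    find "$dir/" -mtime +30 -type f -delete
    if [ -n "$(find "$dir/$ip" -mtime -1 2>/dev/null)" ]; then
        return 1
    fi
    touch "$dir/$ip"
    return 0
}

# Constructed sample reply in the format `host -t TXT` prints for the abusix zone
SAMPLE_REPLY='10.2.0.192.abuse-contacts.abusix.org descriptive text "abuse@example.net,noc@example.net"'
```

Run the three functions on the sample data (e.g. `abuse_contacts "$SAMPLE_REPLY"`) to confirm that multiple addresses come back comma-joined and that a second `should_report` call for the same IP within a day returns non-zero; an empty result from `abuse_contacts` is exactly the case in which the script above must skip sending rather than hand sendmail an empty recipient list.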