Fail2Ban – Send Notification to Banned Party

centosfail2banlinux

I have fail2ban configured on some CentOS 5 and 6 servers, and it sends me an email with a whois of the IP whenever an IP is banned. Is it possible to configure fail2ban to also send a notification to the email from the whois report?

Here is my jail config:

# /etc/fail2ban/jail.conf    

[ssh-iptables]

enabled  = true
filter   = sshd
action   = iptables-allports[name=SSH, protocol=all]
           sendmail-whois[name=SSH, dest=root@mydomain.com, sender=fail2ban]
logpath  = /var/log/secure
maxretry = 3

Is there some sort of variable I can put it dest= to send to the whois email?

Best Answer

Looks like there is an action the comes with fail2ban called complain. Notice the line with complain[logpath=/var/log/secure]:

# /etc/fail2ban/jail.conf    

[ssh-iptables]

enabled  = true
filter   = sshd
action   = iptables-allports[name=SSH, protocol=all]
           sendmail-whois[name=SSH, dest=root@mydomain.com, sender=fail2ban]
           complain[logpath=/var/log/secure]
logpath  = /var/log/secure
maxretry = 3

Add that line and restart the fail2ban service. The action conf file is /etc/fail2ban/action.d/complain.conf. Short description:

Sends a complaint e-mail to addresses listed in the whois record for an offending IP address.

Related Solutions

Ubuntu – fail2ban cannot ban ip on all ports if it’s already banned for specific port

While fail2ban creates an iptables chain per service (eg fail2ban-ssh), the check for an existing ban is based on the IP address. A possibility to fix the problem is to make fail2ban unban an IP (ticket) if it is already in the banned-list just before it is going to ban it (again)

These actions happen in the python script located (when installed via apt-get install) in

/usr/share/fail2ban/server

edit the file actions.py, you should see the following code for the __checkban definition

def __checkBan(self):
        ticket = self.jail.getFailTicket()
        if ticket != False:
                aInfo = dict()
                bTicket = BanManager.createBanTicket(ticket)
                aInfo["ip"] = bTicket.getIP()
                aInfo["failures"] = bTicket.getAttempt()
                aInfo["time"] = bTicket.getTime()
                aInfo["matches"] = "".join(bTicket.getMatches())
                if self.__banManager.addBanTicket(bTicket):
                        logSys.warn("[%s] Ban %s" % (self.jail.getName(), aInfo["ip"]))
                        for action in self.__actions:
                                action.execActionBan(aInfo)
                        return True
                else:
                       logSys.warn("[%s] %s already banned" % (self.jail.getName(), aInfo["ip"]))
        return False

modify/replace the definition with

def __checkBan(self):
        ticket = self.jail.getFailTicket()
        if ticket != False:
                aInfo = dict()
                bTicket = BanManager.createBanTicket(ticket)
                aInfo["ip"] = bTicket.getIP()
                aInfo["failures"] = bTicket.getAttempt()
                aInfo["time"] = bTicket.getTime()
                aInfo["matches"] = "".join(bTicket.getMatches())
                # changes from here ...
                if not self.__banManager.addBanTicket(bTicket):
                        logSys.warn("[%s] first unban %s before ban" % (self.jail.getName(), aInfo["ip"]))
                        self.__unBan(ticket)
                        self.__banManager.addBanTicket(bTicket)
                logSys.warn("[%s] Ban %s" % (self.jail.getName(), aInfo["ip"]))
                for action in self.__actions:
                        action.execActionBan(aInfo)
                return True
                # else:
                #       logSys.warn("[%s] %s already banned" % (self.jail.getName(), 
                #                                                                                       aInfo["ip"]))
        #return False

and restart fail2ban (e.g. /etc/init.d/fail2ban restart) while it is probably not necessary...

Note: if you want to 'play around' with this, you can list the firewall (iptables) rules

iptables -L

and delete the rule that was created by fail2ban in order to access and force a "re-ban"

iptables -D fail2ban-ssh xxxx

where xxxx is the number of the rule in that chain from the list iptables -L fail2ban-ssh

CentOS 6.5 – Fail2Ban Not Banning: Troubleshooting Guide

Well, I'm no regex master (or even novice), but I did manage to get it to work by adding:

^.*authentication failure;.*rhost=<HOST>

to filters.d/sshd.conf. This did it and I've successfully banned my first host. If any regex experts would like to chime in, I'd be greatly appreciative. I'm sure there's a case that I'm missing in this short expression that would fail in a certain case.

Thanks!

Best Answer

Related Solutions

Ubuntu – fail2ban cannot ban ip on all ports if it’s already banned for specific port

CentOS 6.5 – Fail2Ban Not Banning: Troubleshooting Guide

Related Topic