bswinnerton, 5th May 2010, 14:55
Fail2ban email notifications

I can't seem to find any documentation on having fail2ban send you email notifications when it bans something, but I know that it's capable of it.

Does it involve the action.d/mail-whois.local file?

Here's my jail.local:
Code:
# Fail2Ban configuration file.
#
# This file was composed for Debian systems from the original one
#  provided now under /usr/share/doc/fail2ban/examples/jail.conf
#  for additional examples.
#
# To avoid merges during upgrades DO NOT MODIFY THIS FILE
# and rather provide your changes in /etc/fail2ban/jail.local
#
# Author: Yaroslav O. Halchenko <debian@onerussian.com>
#
# $Revision: 281 $
#

# The DEFAULT section allows a global definition of the options. They can be
# overridden in each jail afterwards.

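[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host (space-separated
# entries). Add the address you administer from, so that a mistyped password
# of your own cannot lock you out of the box.
ignoreip = 127.0.0.1
# seconds a host stays banned. 180 is short enough for a patient attacker to
# simply wait it out; raise it once the filters are trusted.
bantime  = 180
# failures before a ban; individual jails below override this
maxretry = 4

# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto".
# yoh: For some reason Debian shipped python-gamin didn't work as expected
#      This issue left ToDo, so polling is default backend for now
backend = polling

#
# Destination email address used solely for the interpolations in
# jail.{conf,local} configuration files. The *-whois actions below pass it
# as dest=, so replace the placeholder with a mailbox that is actually read.
destemail = webmaster@mydomain.com

#
# ACTIONS
#

# Default banning action (e.g. iptables, iptables-new,
# iptables-multiport, shorewall, etc) It is used to define
# action_* variables. Can be overridden globally or per
# section within jail.local file
banaction = iptables-multiport

# email action. Since 0.8.1 upstream fail2ban uses sendmail
# MTA for the mailing. Change mta configuration parameter to mail
# if you want to revert to conventional 'mail'.
# The value is only a prefix for the e-mail action name (%(mta)s-whois ->
# sendmail-whois), so the matching binary has to exist on the system.
mta = sendmail

# Default protocol
protocol = tcp

#
# Action shortcuts. To be used to define action parameter
# Every protocol="..." parameter is closed with a quote, matching the
# port="..." parameter on the same line (the shipped file left it open).

# The simplest action to take: ban only
action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s"]

# ban & send an e-mail with whois report to the destemail.
# Multi-line value: the continuation line must stay indented.
action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s"]
              %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s"]

# ban & send an e-mail with whois report and relevant log lines
# to the destemail.
action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s"]
               %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s]

# Choose default action.  To change, just override value of 'action' with the
# interpolation to the chosen action shortcut (e.g.  action_mw, action_mwl, etc) in jail.local
# globally (section [DEFAULT]) or per specific section
action = %(action_)s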

#
# JAILS
#

# The following jails correspond to the standard configuration in Fail2ban 0.6
# which was shipped in Debian. Enable any jail defined here by including
#
# [SECTION_NAME] 
# enabled = true

#
# in /etc/fail2ban/jail.local.
#
# Optionally you may override any other parameter (e.g. banaction,
# action, port, logpath, etc) in that section within jail.local

[ssh]

# OpenSSH login failures as recorded by the syslog auth facility
enabled = true
filter = sshd
port = ssh
logpath = /var/log/auth.log
# stricter than the global default of 4
maxretry = 3

# Generic filter for pam. Has to be used with action which bans all ports
# such as iptables-allports, shorewall
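[pam-generic]

enabled = false
# pam-generic filter can be customized to monitor specific subset of 'tty's
filter = pam-generic
# PAM failures carry no port, so the jail pairs the filter with an action
# that bans every port.
banaction = iptables-allports
# The shipped section assigned "port" twice ("all", then "anyport");
# ConfigParser keeps the last assignment, so only the effective value is
# kept here. The original comment notes the port is irrelevant for this
# action anyway.
port = anyport
logpath = /var/log/auth.log
maxretry = 6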

[xinetd-fail]

# services started through xinetd; uses a logging variant of the default
# banaction (judging by its name) and bans after only two failures
enabled = false
filter = xinetd-fail
port = all
banaction = iptables-multiport-log
logpath = /var/log/daemon.log
maxretry = 2


[ssh-ddos]

# second sshd jail using the sshd-ddos filter (see filter.d/sshd-ddos.conf
# for what it matches); off by default
enabled = false
filter = sshd-ddos
port = ssh
logpath = /var/log/auth.log
maxretry = 6

#
# HTTP servers
#

[apache]

# HTTP authentication failures; the glob covers every apache*/ error log
enabled = true
filter = apache-auth
port = http,https
logpath = /var/log/apache*/*error.log
maxretry = 4

# default action is now multiport, so apache-multiport jail was left
# for compatibility with previous (<0.7.6-2) releases
[apache-multiport]

# same filter and logs as [apache]; kept only for pre-0.7.6-2 compatibility
enabled = false
filter = apache-auth
port = http,https
logpath = /var/log/apache*/*error.log
maxretry = 6

[apache-noscript]

# apache-noscript filter (see filter.d/apache-noscript.conf for what it
# matches); off by default
enabled = false
filter = apache-noscript
port = http,https
logpath = /var/log/apache*/*error.log
maxretry = 6

[apache-overflows]

# apache-overflows filter; two hits are enough for a ban; off by default
enabled = false
filter = apache-overflows
port = http,https
logpath = /var/log/apache*/*error.log
maxretry = 2

#
# FTP servers
#

[vsftpd]

enabled = false
filter = vsftpd
port = ftp,ftp-data,ftps,ftps-data
# vsftpd's own log. Alternatively set logpath = /var/log/auth.log in
# jail.local to rely on PAM's failed-login records; the vsftpd failregex
# should match both formats.
logpath = /var/log/vsftpd.log
maxretry = 6


[proftpd]

# proftpd keeps its own log file rather than using auth.log; off by default
enabled = false
filter = proftpd
port = ftp,ftp-data,ftps,ftps-data
logpath = /var/log/proftpd/proftpd.log
maxretry = 6


[wuftpd]

# wu-ftpd failures are read from auth.log (presumably via PAM); off by default
enabled = false
filter = wuftpd
port = ftp,ftp-data,ftps,ftps-data
logpath = /var/log/auth.log
maxretry = 6


[pure-ftpd]

# unlike the other FTP jails this one lists only the control port, so the
# data/ftps ports stay reachable for a banned host; that should still be
# enough to stop further logins
enabled = true
filter = pure-ftpd
port = ftp
# pure-ftpd logs through syslog here
logpath = /var/log/messages
maxretry = 3


#
# Mail servers
#

[postfix]

# no maxretry here, so the global default applies; off by default
enabled = false
filter = postfix
port = smtp,ssmtp
logpath = /var/log/mail.log


[courierimap]

# only the plain IMAP port is banned here; the (disabled) [courierauth] jail
# below applies the same courierlogin filter to imaps and the other mail ports
enabled = true
filter = courierlogin
port = imap2
logpath = /var/log/mail.log
maxretry = 4

[couriersmtp]

# Courier SMTP; no maxretry here, so the global default applies; off by default
enabled = false
filter = couriersmtp
port = smtp,ssmtp
logpath = /var/log/mail.log


#
# Mail servers authenticators: might be used for smtp,ftp,imap servers, so
# all relevant ports get banned
#

[courierauth]

# bans every mail port because one authenticator may serve smtp, imap and
# pop3 alike (see the note above); off by default
enabled = false
filter = courierlogin
port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
logpath = /var/log/mail.log


[sasl]

# SASL authentication failures; bans every mail port, like [courierauth]
enabled = true
filter = sasl
port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
# Postfix users might consider monitoring /var/log/warn.log instead,
# see http://bugs.debian.org/507990
logpath = /var/log/mail.log
maxretry = 4


# DNS Servers


# These jails block attacks against named (bind9). By default, logging is off
# with bind9 installation. You will need something like this:
#
# logging {
#     channel security_file {
#         file "/var/log/named/security.log" versions 3 size 30m;
#         severity dynamic;
#         print-time yes;
#     };
#     category security {
#         security_file;
#     };
# };
#
# in your named.conf to provide proper logging

# Word of Caution:
# Given filter can lead to DoS attack against your DNS server
# since there is no way to assure that UDP packets come from the
# real source IP
[named-refused-udp]

# see the caution above: UDP source addresses can be forged, so a third party
# can get arbitrary hosts banned by sending refused queries in their name
enabled = false
filter = named-refused
port = domain,953
protocol = udp
logpath = /var/log/named/security.log

[named-refused-tcp]

# TCP variant of the jail above; source addresses are much harder to forge
# over TCP, so it does not carry the same DoS caveat
enabled = false
filter = named-refused
port = domain,953
protocol = tcp
logpath = /var/log/named/security.log

bswinnerton, 5th May 2010, 15:37

Haha, never mind, I got it! I was changing the wrong parameter.

To get it working change:
Code:
action = %(action_)s
to:
Code:
action = %(action_mw)s
or `%(action_mwl)s` if you also want the matching log lines included in the mail.
make-fun, 16th May 2010, 08:46

Hi there

Just a note on your jail.local

A filter I value a lot is [php-url-fopen]
Code:
[Definition]

# Option:  failregex
# Notes.:  regex to match this kind of request:
#
# 127.127.127.172 - - [26/Mar/2009:08:44:20 -0500] "GET /index.php?n=http://eatmyfood.hostinginfive.com/pizza.htm? HTTP/1.1" 200 114 "-" "Mozilla/
#
# Matches any request line whose query string contains "=http://", i.e. the
# remote-file probe shown above. Caveats before enabling it:
#  - it is a heuristic: legitimate applications that pass a URL in a query
#    parameter (redirect targets, "?url=http://...") match as well, so add an
#    ignoreregex for such paths or you will ban your own users;
#  - only "http://" is checked, not "https://" or other schemes;
#  - "^<HOST>" anchors the client address at the start of the line, which is
#    the Common Log Format of an access log, not of an error log;
#  - the "\:" and "\/" escapes are harmless but unnecessary in Python regexes.
failregex = ^<HOST> -.*"(GET|POST).*\?.*\=http\:\/\/.* HTTP\/.*$
Now, to run this against
Code:
logpath   = /var/log/apache*/*error.log
would make no sense: the regex matches request lines, which only appear in the access log, and a request to /index.php?... may well be valid, so the error log never sees it.

So I just create one in
Code:
/etc/fail2ban/filter.d/
with the name "php-url-fopenAccessLog.conf" and match it to the way ISPConfig2 keeps the logs.
Code:
[Definition]
# Option:  failregex
# Same heuristic as the stock php-url-fopen filter (query string containing
# "=http://"), prefixed to fit the ISPConfig 2 access log, whose lines carry
# "||||"-separated fields before the Common Log Format part. Because the line
# no longer begins with the client address, the "^" anchor is dropped and
# <HOST> is located after a "||||" separator.
# NOTE(review): ".*." is ".*" followed by one arbitrary character; presumably
# plain ".*" was intended - confirm against a real log line with fail2ban-regex.
# The false-positive caveat of the original filter applies unchanged.
failregex = \|\|\|\|.*.\|\|\|\|<HOST> -.*"(GET|POST).*\?.*\=http\:\/\/.* HTTP\/.*$
Now I add this to jail.local
Code:
[php-url-fopenAccessLog]
# bans clients whose access-log requests match the custom filter above; the
# filter name must equal the file name in /etc/fail2ban/filter.d/ (minus .conf)
enabled = true
filter = php-url-fopenAccessLog
port = http,https
logpath = /var/log/httpd/ispconfig_access_log
# two matching requests are enough
maxretry = 2
Cheers
jags84, 21st May 2010, 03:50

Hi, I have a problem: my fail2ban works perfectly when the action is

Code:
action = %(action_)s
when i change to

Code:
action = %(action_mw)s
it gives me this error

Code:
Traceback (most recent call last):
  File "/usr/bin/fail2ban-client", line 401, in <module>
    if client.start(sys.argv):
  File "/usr/bin/fail2ban-client", line 370, in start
    return self.__processCommand(args)
  File "/usr/bin/fail2ban-client", line 180, in __processCommand
    ret = self.__readConfig()
  File "/usr/bin/fail2ban-client", line 375, in __readConfig
    ret = self.__configurator.getOptions()
  File "/usr/share/fail2ban/client/configurator.py", line 65, in getOptions
    return self.__jails.getOptions(jail)
  File "/usr/share/fail2ban/client/jailsreader.py", line 64, in getOptions
    ret = jail.getOptions()
  File "/usr/share/fail2ban/client/jailreader.py", line 70, in getOptions
    self.__opts = ConfigReader.getOptions(self, self.__name, opts)
  File "/usr/share/fail2ban/client/configreader.py", line 84, in getOptions
    v = self.get(sec, option[1])
  File "/usr/lib/python2.6/ConfigParser.py", line 545, in get
    return self._interpolate(section, option, value, d)
  File "/usr/lib/python2.6/ConfigParser.py", line 613, in _interpolate
    self._interpolate_some(option, L, rawval, section, vars, 1)
  File "/usr/lib/python2.6/ConfigParser.py", line 648, in _interpolate_some
    section, map, depth + 1)
  File "/usr/lib/python2.6/ConfigParser.py", line 645, in _interpolate_some
    option, section, rest, var)
ConfigParser.InterpolationMissingOptionError: Bad value substitution:
	section: [courierauth]
	option : action
	key    : destemail
	rawval : ", logpath=%(logpath)s]
I am running Ubuntu 10.04 and fail2ban version 0.8.4. If anyone can help me — thanks a lot!
bswinnerton, 21st May 2010, 16:13

Did you restart fail2ban after editing the config? jail.conf/jail.local are only re-read on restart:

/etc/init.d/fail2ban restart
make-fun, 24th May 2010, 01:33

Hi

What's in your conf?

Code:
# ban only
action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s]

# ban & send an e-mail with whois report to the destemail.
# NOTE(review): the protocol="%(protocol)s] parameters in these lines lack the
# closing quote that port="%(port)s" has; compare with the jail.conf in use.
action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s]
              %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s]
All action_mw does beyond action_ is append the %(mta)s-whois action, which mails a whois report to %(destemail)s. That is also what your traceback points at: interpolation fails on the key `destemail` while reading `[courierauth]`, so check that `destemail` is set in the `[DEFAULT]` section of jail.conf or jail.local (not under an individual jail) — and, since the raw value contains `logpath=%(logpath)s]`, that the action_mw in your file is really the one you expect. Separately, look at your mta setting: have you ever received an email from fail2ban at all?

Cheers
MET, 24th May 2010, 08:38

May I join you with the same question. I'm running fail2ban 0.8.3 on Debian lenny on a vserver at an external hoster. Do I have to specify my mail address anywhere other than in fail2ban to get it working? At present the mail address is specified together with the only active filter in jail.conf:
Code:
[asterisk-iptables]

enabled  = true
filter   = asterisk
# NOTE(review): despite the jail name, the ban action is hostsdeny, which only
# stops services that consult /etc/hosts.deny through tcp_wrappers. Confirm
# that Asterisk's SIP/IAX listeners do; if they do not, the "ban" has no
# effect and iptables-allports[name=ASTERISK, protocol=all] is the usual
# replacement. mail-whois pipes the report through the "mail" binary (see the
# logged command below), so that binary must be installed.
action   = hostsdeny[name=ASTERISK, protocol=all]
           mail-whois[name=ASTERISK, dest=Me@My1stDomain.com, sender=Me@My2ndDomain]
logpath  = /var/log/asterisk/messages
maxretry = 5
# seconds: three days
bantime = 259200
Both of the two mail-addresses are valid ones.

The results I get are
Code:
2010-05-22 11:57:10,435 fail2ban.actions.action: ERROR printf %b "Hi,\n
The jail ASTERISK has been started successfully.\n
Regards,\n
Fail2Ban"|mail -s "[Fail2Ban] ASTERISK: started" Me@My.com returned 7f00
or
Code:
2010-05-22 16:04:09,130 fail2ban.actions.action: ERROR  printf %b "Hi,\n
The IP 76.76.96.74 has just been banned by Fail2Ban after
11 attempts against ASTERISK.\n\n
Here are more information about 76.76.96.74:\n
`whois 76.76.96.74`\n
Regards,\n
Fail2Ban"|mail -s "[Fail2Ban] ASTERISK: banned 76.76.96.74" Me@My.net returned 7f00
Do you have any suggestions on how to get the mail-message working? Thanks.

BorderAmigos, 24th May 2010, 20:17

The 'action' settings are shortcuts that need to be configured correctly. Another way to send an email is to add the mail-whois directive to the action part (action can be multiline).

example in jail.local:
Code:
[postfix]
# overrides the global defaults: a ban after 2 failures, lasting 2 hours
enabled  = true
port	 = smtp,ssmtp
filter   = postfix
logpath  = /var/log/mail.log
bantime  = 7200
maxretry = 2
# NOTE(review): hostsdeny only blocks services that honour /etc/hosts.deny via
# tcp_wrappers; verify that this holds for your Postfix build, otherwise keep
# the iptables-based banaction. The mail-whois line is what sends the
# notification; drop it to keep the ban but silence the e-mail.
action = hostsdeny
         mail-whois[name=Postfix, dest=spam_notify@yourdomain.com]
Since I'm now getting well over 100 bans an hour from bad Postfix connects I don't want email about it. But without the ban some of the same servers try to connect 50~100 times in that same hour. Spam sucks.
make-fun, 25th May 2010, 07:02

Quote:
Originally Posted by MET View Post
Both of the two mail-addresses are valid ones.
The sender= parameter may no longer be honoured, depending on your system and which mail or mailx implementation is installed.

Check your jail.conf for
Code:
# email action. Since 0.8.1 upstream fail2ban uses sendmail
# MTA for the mailing. Change mta configuration parameter to mail
# if you want to revert to conventional 'mail'.
# "mta" is only a prefix for the e-mail action name (%(mta)s-whois), i.e. it
# selects between the sendmail-whois and mail-whois actions; pick the one
# whose binary is installed. A jail that names mail-whois directly in its own
# "action" line is not affected by this setting.
#mta = sendmail
mta = mail
and maybe try mta = mail. Note, though, that your jail names mail-whois directly in its own action line, so the mta setting does not affect it. The `returned 7f00` in your log is most likely a wait status whose exit code is 127 — the shell's "command not found" — which suggests there is no `mail` binary on fail2ban's PATH: install bsd-mailx/mailx, or switch the action to sendmail-whois if sendmail is present.

Cheers
javco, 31st January 2014, 21:03
Include attacked user or log segment in mail alert

Hello, I'm trying to find a way to include the log section that was used to ban an IP address, or better, just the attacked user name on my server. What I'm trying to achieve is to know which user(s) on my server are being targeted and check whether they have a strong password.

Does anyone know how to do that?

Thanks!