Fail2ban email notifications

Discussion in 'Installation/Configuration' started by bswinnerton, May 5, 2010.

  1. bswinnerton

    bswinnerton New Member

    I can't seem to find any documentation on having fail2ban send you email notifications when it ban's something but I know that it's capable of it.

    Does it involve the action.d/mail-whois.local file?

    Here's my jail.local:
    Code:
    # Fail2Ban configuration file.
    #
    # This file was composed for Debian systems from the original one
    #  provided now under /usr/share/doc/fail2ban/examples/jail.conf
    #  for additional examples.
    #
    # To avoid merges during upgrades DO NOT MODIFY THIS FILE
    # and rather provide your changes in /etc/fail2ban/jail.local
    #
    # Author: Yaroslav O. Halchenko <debian@onerussian.com>
    #
    # $Revision: 281 $
    #
    
    # The DEFAULT allows a global definition of the options. They can be override
    # in each jail afterwards.
    
    [DEFAULT]
    
    # "ignoreip" can be an IP address, a CIDR mask or a DNS host
    ignoreip = 127.0.0.1
    bantime  = 180
    maxretry = 4
    
    # "backend" specifies the backend used to get files modification. Available
    # options are "gamin", "polling" and "auto".
    # yoh: For some reason Debian shipped python-gamin didn't work as expected
    #      This issue left ToDo, so polling is default backend for now
    backend = polling
    
    #
    # Destination email address used solely for the interpolations in
    # jail.{conf,local} configuration files.
    destemail = webmaster@mydomain.com
    
    #
    # ACTIONS
    #
    
    # Default banning action (e.g. iptables, iptables-new,
    # iptables-multiport, shorewall, etc) It is used to define 
    # action_* variables. Can be overriden globally or per 
    # section within jail.local file
    banaction = iptables-multiport
    
    # email action. Since 0.8.1 upstream fail2ban uses sendmail
    # MTA for the mailing. Change mta configuration parameter to mail
    # if you want to revert to conventional 'mail'.
    mta = sendmail
    
    # Default protocol
    protocol = tcp
    
    #
    # Action shortcuts. To be used to define action parameter
    
    # The simplest action to take: ban only
    action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s]
    
    # ban & send an e-mail with whois report to the destemail.
    action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s]
                  %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s]
    
    # ban & send an e-mail with whois report and relevant log lines
    # to the destemail.
    action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s]
                   %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s]
     
    # Choose default action.  To change, just override value of 'action' with the
    # interpolation to the chosen action shortcut (e.g.  action_mw, action_mwl, etc) in jail.local
    # globally (section [DEFAULT]) or per specific section 
    action = %(action_)s
    
    #
    # JAILS
    #
    
    # Next jails corresponds to the standard configuration in Fail2ban 0.6 which
    # was shipped in Debian. Enable any defined here jail by including
    #
    # [SECTION_NAME] 
    # enabled = true
    
    #
    # in /etc/fail2ban/jail.local.
    #
    # Optionally you may override any other parameter (e.g. banaction,
    # action, port, logpath, etc) in that section within jail.local
    
    [ssh]
    
    enabled = true
    port	= ssh
    filter	= sshd
    logpath  = /var/log/auth.log
    maxretry = 3
    
    # Generic filter for pam. Has to be used with action which bans all ports
    # such as iptables-allports, shorewall
    [pam-generic]
    
    enabled = false
    # pam-generic filter can be customized to monitor specific subset of 'tty's
    filter	= pam-generic
    # port actually must be irrelevant but lets leave it all for some possible uses
    port = all
    banaction = iptables-allports
    port     = anyport
    logpath  = /var/log/auth.log
    maxretry = 6
    
    [xinetd-fail]
    
    enabled   = false
    filter    = xinetd-fail
    port      = all
    banaction = iptables-multiport-log
    logpath   = /var/log/daemon.log
    maxretry  = 2
    
    
    [ssh-ddos]
    
    enabled = false
    port    = ssh
    filter  = sshd-ddos
    logpath  = /var/log/auth.log
    maxretry = 6
    
    #
    # HTTP servers
    #
    
    [apache]
    
    enabled = true
    port	= http,https
    filter	= apache-auth
    logpath = /var/log/apache*/*error.log
    maxretry = 4
    
    # default action is now multiport, so apache-multiport jail was left
    # for compatibility with previous (<0.7.6-2) releases
    [apache-multiport]
    
    enabled   = false
    port	  = http,https
    filter	  = apache-auth
    logpath   = /var/log/apache*/*error.log
    maxretry  = 6
    
    [apache-noscript]
    
    enabled = false
    port    = http,https
    filter  = apache-noscript
    logpath = /var/log/apache*/*error.log
    maxretry = 6
    
    [apache-overflows]
    
    enabled = false
    port    = http,https
    filter  = apache-overflows
    logpath = /var/log/apache*/*error.log
    maxretry = 2
    
    #
    # FTP servers
    #
    
    [vsftpd]
    
    enabled  = false
    port	 = ftp,ftp-data,ftps,ftps-data
    filter   = vsftpd
    logpath  = /var/log/vsftpd.log
    # or overwrite it in jails.local to be
    # logpath = /var/log/auth.log
    # if you want to rely on PAM failed login attempts
    # vsftpd's failregex should match both of those formats
    maxretry = 6
    
    
    [proftpd]
    
    enabled  = false
    port	 = ftp,ftp-data,ftps,ftps-data
    filter   = proftpd
    logpath  = /var/log/proftpd/proftpd.log
    maxretry = 6
    
    
    [wuftpd]
    
    enabled  = false
    port	 = ftp,ftp-data,ftps,ftps-data
    filter   = wuftpd
    logpath  = /var/log/auth.log
    maxretry = 6
    
    
    [pure-ftpd]
    enabled  = true
    port     = ftp
    filter   = pure-ftpd
    logpath  = /var/log/messages
    maxretry = 3
    
    
    #
    # Mail servers
    #
    
    [postfix]
    
    enabled  = false
    port	 = smtp,ssmtp
    filter   = postfix
    logpath  = /var/log/mail.log
    
    
    [courierimap]
    
    enabled  = true
    port     = imap2
    filter   = courierlogin
    logpath  = /var/log/mail.log
    maxretry = 4
    
    [couriersmtp]
    
    enabled  = false
    port	 = smtp,ssmtp
    filter   = couriersmtp
    logpath  = /var/log/mail.log
    
    
    #
    # Mail servers authenticators: might be used for smtp,ftp,imap servers, so
    # all relevant ports get banned
    #
    
    [courierauth]
    
    enabled  = false
    port	 = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
    filter   = courierlogin
    logpath  = /var/log/mail.log
    
    
    [sasl]
    
    enabled  = true
    port	 = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
    filter   = sasl
    # You might consider monitoring /var/log/warn.log instead
    # if you are running postfix. See http://bugs.debian.org/507990
    logpath  = /var/log/mail.log
    maxretry = 4
    
    
    # DNS Servers
    
    
    # These jails block attacks against named (bind9). By default, logging is off
    # with bind9 installation. You will need something like this:
    #
    # logging {
    #     channel security_file {
    #         file "/var/log/named/security.log" versions 3 size 30m;
    #         severity dynamic;
    #         print-time yes;
    #     };
    #     category security {
    #         security_file;
    #     };
    # };
    #
    # in your named.conf to provide proper logging
    
    # Word of Caution:
    # Given filter can lead to DoS attack against your DNS server
    # since there is no way to assure that UDP packets come from the
    # real source IP
    [named-refused-udp]
    
    enabled  = false
    port     = domain,953
    protocol = udp
    filter   = named-refused
    logpath  = /var/log/named/security.log
    
    [named-refused-tcp]
    
    enabled  = false
    port     = domain,953
    protocol = tcp
    filter   = named-refused
    logpath  = /var/log/named/security.log
     
    Last edited: May 5, 2010
  2. bswinnerton

    bswinnerton New Member

    Haha, nevermind I got it! I was changing the wrong parameter.

    To get it working change:
    Code:
    action = %(action_)s
    to:
    Code:
    action = %(action_mw)s
    or mwl if you want the whole shabang
     
  3. make-fun

    make-fun Member

    Hi there

    Just a note on your jail.local

    A filter I value a lot is [php-url-fopen]
    Code:
    [Definition]
    
    # Option:  failregex
    # Notes.:  regex to match this kind of request:
    #
    # 127.127.127.172 - - [26/Mar/2009:08:44:20 -0500] "GET /index.php?n=http://eatmyfood.hostinginfive.com/pizza.htm? HTTP/1.1" 200 114 "-" "Mozilla/
    #
    failregex = ^<HOST> -.*"(GET|POST).*\?.*\=http\:\/\/.* HTTP\/.*$
    Now, to run this against
    Code:
    logpath   = /var/log/apache*/*error.log
    
    would make no sence, as a call to /index.php? may be valid, of course!

    So I just create one in
    Code:
    /etc/fail2ban/filter.d/
    with the name "php-url-fopenAccessLog.conf" and match it to the way ISPConfig2 keeps the logs.
    Code:
    [Definition]
    # Option:  failregex
    failregex = \|\|\|\|.*.\|\|\|\|<HOST> -.*"(GET|POST).*\?.*\=http\:\/\/.* HTTP\/.*$
    
    Now I add this to jail.local
    Code:
    [php-url-fopenAccessLog]
    enabled = true
    port    = http,https
    filter  = php-url-fopenAccessLog
    logpath = /var/log/httpd/ispconfig_access_log
    maxretry = 2
    
    Cheers
     
  4. jags84

    jags84 New Member

    Hi

    Hi, i have a problem, my fail2ban works perfect when the action is

    Code:
    action = %(action_)s
    when i change to

    Code:
    action = %(action_mw)s
    it give me this error

    Code:
    Traceback (most recent call last):
      File "/usr/bin/fail2ban-client", line 401, in <module>
        if client.start(sys.argv):
      File "/usr/bin/fail2ban-client", line 370, in start
        return self.__processCommand(args)
      File "/usr/bin/fail2ban-client", line 180, in __processCommand
        ret = self.__readConfig()
      File "/usr/bin/fail2ban-client", line 375, in __readConfig
        ret = self.__configurator.getOptions()
      File "/usr/share/fail2ban/client/configurator.py", line 65, in getOptions
        return self.__jails.getOptions(jail)
      File "/usr/share/fail2ban/client/jailsreader.py", line 64, in getOptions
        ret = jail.getOptions()
      File "/usr/share/fail2ban/client/jailreader.py", line 70, in getOptions
        self.__opts = ConfigReader.getOptions(self, self.__name, opts)
      File "/usr/share/fail2ban/client/configreader.py", line 84, in getOptions
        v = self.get(sec, option[1])
      File "/usr/lib/python2.6/ConfigParser.py", line 545, in get
        return self._interpolate(section, option, value, d)
      File "/usr/lib/python2.6/ConfigParser.py", line 613, in _interpolate
        self._interpolate_some(option, L, rawval, section, vars, 1)
      File "/usr/lib/python2.6/ConfigParser.py", line 648, in _interpolate_some
        section, map, depth + 1)
      File "/usr/lib/python2.6/ConfigParser.py", line 645, in _interpolate_some
        option, section, rest, var)
    ConfigParser.InterpolationMissingOptionError: Bad value substitution:
    	section: [courierauth]
    	option : action
    	key    : destemail
    	rawval : ", logpath=%(logpath)s]
    
    i am runing ubuntu 10.04 and fail2ban version 0.8.4 if any one can help me!!!?? thanks a lot!
     
  5. bswinnerton

    bswinnerton New Member

    Did you reboot fail2ban?

    /etc/init.d/fail2ban restart
     
  6. make-fun

    make-fun Member

    Hi

    What's in your conf?

    Code:
    action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s]
    
    # ban & send an e-mail with whois report to the destemail.
    action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s]
                  %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s]
    All the action_mw does, is adding whois info to the email it's sending.
    Other than that, it turns on the mta option for sending the email, so I'd say look at your mta config -- have you ever received an email from fail2ban at all?

    Cheers
     
  7. MET

    MET New Member

    May I join you with the same question. I'm running fail2ban 0.8.3 on debian lenny on a vserver at an external hoster. Do I have to specify my mail-address also at an other place than fail2ban to get it working? At present the mail address is specified together with the only one active filter criteria in jail.conf:
    Code:
    [asterisk-iptables]
    
    enabled  = true
    filter   = asterisk
    action   = hostsdeny[name=ASTERISK, protocol=all]
               mail-whois[name=ASTERISK, dest=Me@My1stDomain.com, sender=Me@My2ndDomain]
    logpath  = /var/log/asterisk/messages
    maxretry = 5
    bantime = 259200
    
    Both of the two mail-addresses are valid ones.

    The results I get are
    Code:
    2010-05-22 11:57:10,435 fail2ban.actions.action: ERROR printf %b "Hi,\n
    The jail ASTERISK has been started successfully.\n
    Regards,\n
    Fail2Ban"|mail -s "[Fail2Ban] ASTERISK: started" Me@My.com returned 7f00
    or
    Code:
    2010-05-22 16:04:09,130 fail2ban.actions.action: ERROR  printf %b "Hi,\n
    The IP 76.76.96.74 has just been banned by Fail2Ban after
    11 attempts against ASTERISK.\n\n
    Here are more information about 76.76.96.74:\n
    `whois 76.76.96.74`\n
    Regards,\n
    Fail2Ban"|mail -s "[Fail2Ban] ASTERISK: banned 76.76.96.74" Me@My.net returned 7f00
    
    Do you have any suggestions on how to get the mail-message working? Thanks.
     
    Last edited: May 24, 2010
  8. BorderAmigos

    BorderAmigos New Member

    The 'action' settings are shortcuts that need to be configured correctly. Another way to send an email is to add the mail-whois directive to the action part (action can be multiline).

    example in jail.local:
    Code:
    [postfix]
    enabled  = true
    port	 = smtp,ssmtp
    filter   = postfix
    logpath  = /var/log/mail.log
    bantime  = 7200
    maxretry = 2
    action = hostsdeny
             mail-whois[name=Postfix, dest=spam_notify@yourdomain.com]
    
    
    Since I'm now getting well over 100 bans an hour from bad Postfix connects I don't want email about it. But without the ban some of the same servers try to connect 50~100 times in that same hour. Spam sucks.
     
    Last edited: May 24, 2010
  9. MET

    MET New Member

    Isn't that what I actually mentioned above to have in my jail.conf? I don't see a difference to your jail.local. BTW: What is the difference between the two? So far I only have jail.conf. What comes in one but not in the other?
     
  10. BorderAmigos

    BorderAmigos New Member

    My example is using the mail-whois directive and supplying the destination address directly, not using the shortcut. Yes, you are doing that also in your code, I missed that, my bad.

    jail.conf may get overwritten by updates to fail2ban, jail.local shouldn't be.
     
  11. make-fun

    make-fun Member

    Sender may not work anymore, depending on your system and installed mail or mailx.

    Check your jail.conf for
    Code:
    # email action. Since 0.8.1 upstream fail2ban uses sendmail
    # MTA for the mailing. Change mta configuration parameter to mail
    # if you want to revert to conventional 'mail'.
    #mta = sendmail
    mta = mail  
    
    and maybe try mta = mail

    Cheers
     
  12. MET

    MET New Member

    In the jail.conf of fail2ban version 0.8.3 this option doesn't seem to exist. I tried to add the proposed commands under [Default] but neither of them: mta = sendmail or mta = mail resolved the the error.
     
  13. javco

    javco New Member

    Include attacked user or log segment in mail alert

    Hello I'm trying to find a way to include the log section that it used to ban an IP address or better just include the attacked user in my server. What I'm trying to achieve is know which user(s) in my server are being target of attacks and check if it have a strong password.

    Enyone know how to do that?

    Thanks!
     

Share This Page