5

I have fail2ban configured on some CentOS 5 and 6 servers, and it sends me an email with a whois of the IP whenever an IP is banned. Is it possible to configure fail2ban to also send a notification to the email from the whois report?

Here is my jail config:

# /etc/fail2ban/jail.conf    

[ssh-iptables]

enabled  = true
filter   = sshd
action   = iptables-allports[name=SSH, protocol=all]
           sendmail-whois[name=SSH, dest=root@mydomain.com, sender=fail2ban]
logpath  = /var/log/secure
maxretry = 3

Is there some sort of variable I can put in dest= to send to the whois email?

Banjer
  • I don't think this is possible or even parseable. – DerfK Nov 14 '12 at 20:47
  • @DerfK What's not parseable or possible about this? Could be I'm missing something obvious, but setting up a script to run a whois on an ip banned by fail2ban, then send an email with attached logs to abuse@[founddomain].[tld] isn't that difficult a scripting task. Futile, but fairly easy. – HopelessN00b Nov 14 '12 at 21:12
  • @HopelessN00b does fail2ban have a better lookup than `/usr/bin/whois`? Because looking at what I get from `whois` for random IPs it'd probably be easier to regex match for the first word with an `@` in it and pray it's an abuse reporting email than it would be to figure out what domain an IP belongs to. – DerfK Nov 14 '12 at 22:22
  • @DerfK Well, like I said `Depending on how strictly you define "have fail2ban do this."` - I can't imagine a scenario in which it would be required that fail2ban *has* to be the program doing this, rather than, say, a script in your scripting language of choice... guess maybe clarification from the OP is in order. – HopelessN00b Nov 14 '12 at 22:32

3 Answers

10

Looks like there is an action that comes with fail2ban called complain. Notice the line with complain[logpath=/var/log/secure]:

# /etc/fail2ban/jail.conf    

[ssh-iptables]

enabled  = true
filter   = sshd
action   = iptables-allports[name=SSH, protocol=all]
           sendmail-whois[name=SSH, dest=root@mydomain.com, sender=fail2ban]
           complain[logpath=/var/log/secure]
logpath  = /var/log/secure
maxretry = 3

Add that line and restart the fail2ban service. The action conf file is /etc/fail2ban/action.d/complain.conf. Short description:

Sends a complaint e-mail to addresses listed in the whois record for an offending IP address.

Banjer
  • I have configured complain, but it's not sending email to abuse contacts. I can't see it in the log, nor did I receive it, since I am simulating it and checking my abuse email. My abuse address is properly set, since I am receiving abuse reports from others... – Aleksandar Pavić Feb 26 '19 at 08:26
  • @AleksandarPavić Have you configured a mailserver on the same machine? Fail2ban needs a local mailserver to take care of the relaying – Orphans Aug 12 '22 at 11:00
  • Well @Orphans to be honest I was only using it for full web-hosting configured servers. Postfix was used, installed via virtualmin. – Aleksandar Pavić Aug 12 '22 at 16:31
5

It's possible. (Depending on how strictly you define "have fail2ban do this.") Doesn't strike me as a particularly fruitful waste of time, though.

Basically, you'd take your whois to get the domain owner, and send an email to abuse@[domain].[tld] to let them know that someone on one of their hosts is trying to gain unauthorized access to your system, and attach the logs, presumably. (You could also send one to the email in the whois, as you suggest, but that's even less likely to reach anyone who cares or can do something about it.) You'd have to hope that:

  1. abuse is the right address (you could try other ones, but that would be the most common by far) and is monitored. (Same for the email address listed in the whois - if it's not valid or not monitored, you're wasting your time right off the bat.)
  2. The host gives a damn.
  3. The host isn't in on it.
  4. The host has an abundance of free time to track down the naughty user.
  5. The host has the technical ability to track down the naughty user.
  6. The naughty user doesn't immediately switch hosts/compromised systems and carry on unimpeded.

Any one of those conditions being false guarantees that you're completely wasting your time, and in my experience, 2, 4, 5, and 6 are almost always false, so what you're looking to do is a complete waste of time, unless you're looking to use this as a learning experience to become a better scripter.

HopelessN00b
  • Looks like fail2ban does use `/usr/bin/whois`. Yeah, it's totally scriptable, but I agree that it's not worth my time. We occasionally get abuse emails sent to us, which is nice to know if any clients are being malicious, so I was thinking fail2ban had this feature already, but perhaps not. I'll leave this question open to see if someone else chimes in, but if not I'll accept your answer. – Banjer Nov 15 '12 at 14:46
3

To add to the answer by @Banjer (which is correct): you don't really need both actions "sendmail-whois" and "complain" if you configure the action "complain" correctly:

# /etc/fail2ban/jail.conf    
[ssh-iptables]
enabled  = true
filter   = sshd
action   = iptables-allports[name=SSH, protocol=all]
           complain[logpath=/var/log/secure]
logpath  = /var/log/secure
maxretry = 3

And:

# /etc/fail2ban/action.d/complain.conf
[Init]
message = <insert body-text here>\n\nWhois information about $IP:\n`/usr/bin/whois $IP`\n
logpath = /dev/null
mailcmd = mail -s
mailargs = -c <insert your e-mailaddress here> -- -f root@<insert your domain here>

That way, the internet service provider administering the offending IP address will be contacted automatically AND you will receive a copy of the e-mail in cc: ('-c'-option to the mailargs variable).

I have also added the WHOIS-information to the message-variable, which is not a default in the Debian-configuration, but is a nice addon to the default message imho.

zenlord
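The pipeline the answers describe (pull contact addresses out of the whois record, attach the log lines for the banned IP, mail the complaint), as an added Python example that is not fail2ban's own complain action nor code from any answer above. The whois record and log lines are constructed; preferring abuse-labelled fields over other addresses and matching the IP with numeric boundaries (so 192.0.2.1 does not also pick up 192.0.2.10) are my assumptions, not fail2ban's logic.

```python
import re

# Constructed whois record in RIR style (not real data).
SAMPLE_WHOIS = """\
inetnum:        192.0.2.0 - 192.0.2.255
netname:        EXAMPLE-NET
admin-c:        EX123-RIPE
abuse-mailbox:  abuse@example.net
e-mail:         noc@example.net
e-mail:         abuse@example.net
"""

# Constructed /var/log/secure excerpt; 192.0.2.10 is a different host.
SAMPLE_LOG = [
    "Nov 14 20:40:01 host sshd[123]: Failed password for root from 192.0.2.1 port 5 ssh2",
    "Nov 14 20:40:02 host sshd[124]: Failed password for root from 192.0.2.10 port 6 ssh2",
    "Nov 14 20:40:03 host sshd[125]: Failed password for admin from 192.0.2.1 port 7 ssh2",
]

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def abuse_contacts(whois_text):
    """Unique addresses from a whois record; abuse-labelled fields win.

    An address seen on a line mentioning 'abuse' (abuse-mailbox, OrgAbuseEmail,
    ...) is promoted even if it appeared earlier on a plain e-mail line. Other
    addresses are only used when the record has no abuse contact at all.
    """
    preferred, others = [], []
    for line in whois_text.splitlines():
        for addr in EMAIL_RE.findall(line):
            addr = addr.lower()
            if "abuse" in line.lower():
                if addr in others:
                    others.remove(addr)
                if addr not in preferred:
                    preferred.append(addr)
            elif addr not in preferred and addr not in others:
                others.append(addr)
    return preferred or others


def log_lines_for(ip, lines):
    """Log lines containing exactly this IP, not a longer address sharing its prefix."""
    pat = re.compile(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])")
    return [ln for ln in lines if pat.search(ln)]


def build_complaint(ip, whois_text, lines):
    """Return (recipients, body) in the spirit of the message variable above."""
    body = ("The host %s attacked one of our servers (log excerpt below).\n\n"
            "Whois information about %s:\n%s\n" % (ip, ip, whois_text)
            + "\n".join(log_lines_for(ip, lines)) + "\n")
    return abuse_contacts(whois_text), body
```

Feed the real whois output and the jail's logpath contents into build_complaint and hand the result to your mail command; an empty recipient list means the record carried no usable contact and nothing should be sent.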