If the server is restarted, or even if fail2ban is stopped/started, it sends a notification.

enabled  = true
filter   = asterisk
action   = iptables-allports[name=ASTERISK, protocol=all]
           sendmail-whois[name=ASTERISK, dest=blah@foo.com, sender=blah@foo.com] 
logpath  = /var/log/asterisk/messages
maxretry = 5
bantime = 259200

Removing the sendmail-whois stops it, but it also stops the ban notifications. How can I get it to stop notifying me when the process starts/stops?


13 Answers


To fix this on Fail2Ban v0.9.1 (from the epel repository) on CentOS 7 (RHEL 7) you can override the sendmail start and stop actions (set them to nothing) in /etc/fail2ban/action.d/sendmail-common.local. I create this file by running these commands as root:

cat << EOF >> /etc/fail2ban/action.d/sendmail-common.local
# Override the Fail2Ban defaults in sendmail-common.conf with these entries
[Definition]
# Disable email notifications of jails stopping or starting
actionstart =
actionstop =
EOF
cat /etc/fail2ban/action.d/sendmail-common.local

  • This does not actually help to solve the problem, since the `.local` variant will be loaded after the `.conf` file, but both will still be loaded *before* the definitions in the `(send)mail-*.conf` files configuring the actions. There is no other way than editing the action files, the cleanest/most minimalist being to add an `after` hook in those files pointing to the same include. Cf. https://www.osso.nl/blog/fail2ban-started-e-mail-disable/. You could also duplicate all those files and create a complete other branch, i.e. `custommail-*.conf`, which avoids modifying default files. – Bernard Rosset Mar 17 '17 at 13:07
  • In CentOS 7, this was the only advice that actually helped. Sure, the next fail2ban restart will still trigger the stop jails notification(s), but not the start one(s). Then the new conf is loaded, so the stop notifications will not be triggered again either – lese Jul 18 '17 at 15:16
  • @BernardRosset This really does work, but it requires fail2ban 0.9 or higher and that someone hasn't modified the shipped configuration files and has confined their changes to `.local` files. Everything in 0.9 can be overridden from `.local` files, but this wasn't true in 0.8 and prior. – Michael Hampton Oct 25 '18 at 16:58
  • This is the correct answer. It certainly needs voting up! – Jack Miller Nov 14 '19 at 06:08
  • In Manjaro Linux at least, I had to edit both sendmail.conf and sendmail-common.conf. I copied each to a .local file, and then made actionstart and actionstop empty vars. The other suggestions have you disabling all mail sent by fail2ban, not just the jail started/stopped mail. The original question specifically asked about stopping the jail started/stopped emails. – Andy Forceno Mar 11 '20 at 13:21

Have a look in the action.d/mail.conf or action.d/sendmail.conf which control the mail for start/stop/ban.

  • This doesn't do the trick. I think there are some other files to edit because I keep getting this annoying email :( – Kreker May 09 '12 at 07:25
  • @Kreker It worked for me and the OP; that's presumably why they marked it as accepted. If it doesn't work for you, perhaps you have a different configuration or you mis-configured something? – user9517 May 09 '12 at 08:06
  • In the fail2ban's config I'm using sendmail as mta so it loaded the action.d/sendmail.conf. I have a normal installation from apt-get – Kreker May 09 '12 at 08:25

It's not necessary to fix this in any file. It depends on your configuration in jail.conf.

If you configured mta = sendmail, you can narrow the files action.d/sendmail-*.

Then you have to look at your action = %(action_*)s. If you configured

"action_": comment "actionstart" & "actionstop" in action.d/sendmail.conf

"action_mw": comment ... in action.d/sendmail-whois.conf

"action_mwl": comment ... in action.d/sendmail-whois-lines.conf

If you configured mta to "mail", then just change sendmail to mail and configure the specific file.

Don't forget to restart after commenting the file!

  • So which file am I supposed to edit? `.conf` or `.local`? But maybe I just don't understand because this answer is so old. Jim's answer works in 2019. – Jack Miller Nov 14 '19 at 06:12

The only way I found to disable the start/stop notifications was to comment out the actionstart and actionstop sections in all of these files in action.d/:

Trying to put together the bits and pieces of the previous answers, with some more details and long commands for the lazy.

Your jail.{conf,local} defines how mails are sent. By default, it is sendmail. Check with:

grep 'mta *=' jail.{conf,local}

To see which start/stop actions are configured for your jails, use fail2ban-client -d.

Putting both together:

mta=$(grep 'mta *=' /etc/fail2ban/jail.{conf,local} | awk '{print $NF}')
fail2ban-client -d | awk "/action(start|stop).*$mta/ {print \$4}" | sort -u

In my config, the output is 'sendmail-whois-lines', so that is the file to edit. Assuming your config is under /etc/fail2ban, the full file name is /etc/fail2ban/action.d/sendmail-whois-lines.conf.

However, as Rabin mentions, do not edit that file directly, because it will be overwritten during updates. Instead, create /etc/fail2ban/action.d/sendmail-whois-lines.local (or whatever action.d/file-name.local is right in your config) and add these lines:

actionstart =
actionstop  =

Or, for the really lazy who cannot be bothered with looking up and creating the right file:

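mta=$(grep 'mta *=' /etc/fail2ban/jail.{conf,local} | awk '{print $NF}')
fail2ban-client -d \
| awk "/action(start|stop).*$mta/ {print \$4}" \
| sort -u \
| while read f; do
    # Strip quotes and commas printed around the action name
    f=$(printf '%s' "$f" | tr -d "\"',")
    # Write the override next to the shipped action file, not over it
    cat <<EOF >>"/etc/fail2ban/action.d/$f.local"
[Definition]
actionstart =
actionstop  =
EOF
done
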
Override actionstart and actionstop definitions in /etc/fail2ban/action.d/sendmail-common.conf by creating a file /etc/fail2ban/action.d/sendmail-common.local.

Add the text below to this file

actionstart =
actionstop =

Now you are not getting any mail on start / stop of the fail2ban service.

  • Worth pointing out that you need to make sure the permissions are set properly on the file (i.e. `0644` and owned by `root`). This bit me today. – Pezholio Sep 27 '17 at 14:30

It depends on several things:

  1. The mta indicated in /etc/fail2ban/jail.local. Take note if you have sendmail or mail. The default is sendmail.

  2. The value of the variable "action" in /etc/fail2ban/jail.local. You may have one of these values depending on the information you want to receive by mail:

    action_, action_mw, action_mwl, action_xarf, action_cf_mwl...

Each of the options is explained in the file itself. In my case I have action = %(action_mwl)s. The default is action_. Make a note of the value.

Depending on whether you have sendmail or mail as mta, you should look at the files in /etc/fail2ban/actions/sendmail* or /etc/fail2ban/actions/mail*.

Depending on the value of "action" you have to edit one file or another. For example, if I have mta = mail and action = %(action_)s, I must edit mail.conf. If I have mta = mail and action = %(action_mwl)s, I must edit mail-whois-lines.conf. If I have mta = sendmail and action = %(action_mw)s, I must edit sendmail-whois.conf.

Within the file I change the value of actionstart and actionstop to:

actionstart = 
actionstop =

My jail config is

mta = mail

action_mw = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
            %(mta)s-whois[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]

action = %(action_mw)s

Take note of the %(mta)s-whois[name=%(__name__)s value from action_mw.

I tried updating the mail.conf and mail-whois.conf files with empty action values but neither had any effect.

What finally worked is copying mail.conf file to mail.local and then overriding the contents of mail.local to:

actionstart = 
actionstop = 

and then cloning the mail.local file into following results:


Some of the files finally worked :)

R&D Note:

[INCLUDES] section makes no sense. Based on definition from here:

The [INCLUDES] section header specifies other filter files that are read in before or after this file.

So before setting acts like a parent/base, and after defines which files are the children (override the current file).

We have:

mail.conf (nobody uses it??)

nothing in [INCLUDES]


after = mail-whois-common.local


before = mail-whois-common.conf

So based on action (in my case action_mw) the chain must be:

  • mail-whois.conf -> which loads mail-whois-common.conf file BEFORE being loaded.
  • mail-whois-common.conf loads the mail-whois-common.local. I.e. local file overrides the main conf file.

See how mail.conf is nowhere in this chain. Basically load sequence is following:

  • mail-whois-common.conf -> mail-whois-common.local -> mail-whois.conf

So, by the chain's logic, the mail-whois.conf file is the LAST one to load. It overrides all the prior settings specified in previous files. Since I have default values set in mail-whois.conf, I have no idea why my solution actually works :) Maybe mail-whois.conf under the hood loads mail-whois.local at the AFTER stage.

On second thought, maybe the AFTER section is global, in the sense that the order of loading is

  • mail-whois-common.conf -> mail-whois.conf -> mail-whois-common.local

I am too lazy to check it now :)

There is a much simpler way than all the other answers:

action = %(known/action_mwl)s[actionstart="", actionstop=""]

As it can be set in jail.local instead of editing mail configuration files.

I found a quick and easy way to do this:

cd into your /etc/fail2ban/action.d directory.

Then simply supersede each actionstart statement with your own, which for me was blank.

for FILE in *mail* ; do echo -e "actionstart =\nactionstop =\n" >> $FILE ; done

This will append a new actionstart and actionstop section to each file that mails out.

1 line, job done.

I don't recommend changing the default files which come with the package (as some suggested here); they will be overwritten the next time you update them.

Just copy the action you're using, in this case sendmail-whois, to a new file, name it as you like, e.g. sendmail-mod, and in this file comment out (or delete) the actionstart/actionstop parts.

Next change the action in the configuration file (jail.conf/jail.local), to use the new action.


action   = iptables-allports[name=ASTERISK, protocol=all]
           sendmail-whois[name=ASTERISK, dest=blah@foo.com, sender=blah@foo.com] 


action   = iptables-allports[name=ASTERISK, protocol=all]
           sendmail-mod[name=ASTERISK, dest=blah@foo.com, sender=blah@foo.com]

First, as some people mentioned, it seems better to create a ".local" file and make the changes in it, than to edit the original ".conf" file, which could be overridden in future updates.

Bottom line, based on this excellent link: http://tonesworld.co.uk/fail2ban-disable-stop-and-start-emails/, I did the following steps and it solved the problem:

1. Create a new file and edit it:

sudo nano /etc/fail2ban/action.d/stop-start.local

2. Paste inside (then exit and save):


actionstart =

actionstop =

3. If fail2ban uses "mail" to send emails:

sudo ln -s /etc/fail2ban/action.d/stop-start.local /etc/fail2ban/action.d/mail-buffered.local

sudo ln -s /etc/fail2ban/action.d/stop-start.local /etc/fail2ban/action.d/mail-whois-common.local

sudo ln -s /etc/fail2ban/action.d/stop-start.local /etc/fail2ban/action.d/mail-whois-lines.local

sudo ln -s /etc/fail2ban/action.d/stop-start.local /etc/fail2ban/action.d/mail-whois.local

sudo ln -s /etc/fail2ban/action.d/stop-start.local /etc/fail2ban/action.d/mail.local

If fail2ban uses "sendmail" to send emails:

sudo ln -s /etc/fail2ban/action.d/stop-start.local /etc/fail2ban/action.d/sendmail-buffered.local

sudo ln -s /etc/fail2ban/action.d/stop-start.local /etc/fail2ban/action.d/sendmail-common.local

sudo ln -s /etc/fail2ban/action.d/stop-start.local /etc/fail2ban/action.d/sendmail-geoip-lines.local

sudo ln -s /etc/fail2ban/action.d/stop-start.local /etc/fail2ban/action.d/sendmail-whois-ipjailmatches.local

sudo ln -s /etc/fail2ban/action.d/stop-start.local /etc/fail2ban/action.d/sendmail-whois-ipmatches.local

sudo ln -s /etc/fail2ban/action.d/stop-start.local /etc/fail2ban/action.d/sendmail-whois-lines.local

sudo ln -s /etc/fail2ban/action.d/stop-start.local /etc/fail2ban/action.d/sendmail-whois-matches.local

sudo ln -s /etc/fail2ban/action.d/stop-start.local /etc/fail2ban/action.d/sendmail-whois.local

sudo ln -s /etc/fail2ban/action.d/stop-start.local /etc/fail2ban/action.d/sendmail.local

4. Restart to apply changes:

sudo service fail2ban restart

Final note: The first time after applying these changes, you'll still see the "stop" messages, because the new changes haven't been applied yet.
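
The per-file `.local` override that several answers above arrive at, scripted so it can be repeated safely; this is an added example, not part of any answer. The function names and the sample directory with its file contents are constructed for illustration, and it assumes a fail2ban version that reads a `.local` file next to each action `.conf` (0.9 or later according to the comments above).

```shell
# Added example: blank the start/stop hooks of one MTA's mail actions via
# per-file .local overrides, leaving actionban (the ban mail) untouched.
# disable_startstop_mail ACTION_DIR MTA   -> prints number of files written
disable_startstop_mail() {
    dir=$1 mta=$2 written=0
    for conf in "$dir/$mta".conf "$dir/$mta"-*.conf; do
        [ -f "$conf" ] || continue
        # Only action files that define a start/stop hook need an override.
        grep -Eq '^action(start|stop)[[:space:]]*=' "$conf" || continue
        override="${conf%.conf}.local"
        # Never clobber (or write through a symlink to) an existing override.
        if [ -e "$override" ] || [ -L "$override" ]; then
            echo "skipped, already exists: $override" >&2
            continue
        fi
        # umask 022 yields mode 0644: world-readable, writable by owner only.
        ( umask 022
          printf '%s\n' '[Definition]' 'actionstart =' 'actionstop =' > "$override" )
        written=$((written + 1))
    done
    echo "$written"
}

# Constructed sample directory (not real fail2ban files) for a dry run.
make_sample_action_dir() {
    d=$(mktemp -d)
    printf '[Definition]\nactionstart = echo start\nactionban = echo ban\n' \
        > "$d/sendmail-whois.conf"
    printf '[Definition]\nactionban = echo ban\n' > "$d/iptables-allports.conf"
    printf '[Definition]\nactionstop = echo stop\n' > "$d/mail.conf"
    echo "$d"
}
```

On a real host, run `disable_startstop_mail /etc/fail2ban/action.d sendmail` as root and restart fail2ban; a second run writes nothing, so it is safe to keep in provisioning scripts.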

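This is my solution, for what it's worth. Create a bash file and run it:

#!/bin/bash
# Action files to change (example value; put your own list here)
FILES="/etc/fail2ban/action.d/sendmail-whois.conf"
temp1=$(mktemp)
temp2=$(mktemp)

echo Start ...
echo $FILES
for f in $FILES
do
        # Comment out actionstart and its indented continuation lines
        awk '/^[^   ]/ { comment=0 }
             /^actionstart/ { comment=1 } 
             comment {$0 = "#" $0}
             { print }' $f > $temp1 && mv -f $temp1 $f || rm -f $temp1
        # Same for actionstop
        awk '/^[^   ]/ { comment=0 }
             /^actionstop/ { comment=1 } 
             comment {$0 = "#" $0}
             { print }' $f > $temp2 && mv -f $temp2 $f || rm -f $temp2
done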

The first part of the code defines a list of files you want to change; the second half comments out those sections using the awk command.

It could be done in a one-line command which iterates over all the files and loops over the words, but I tried to make it as clear as possible.

