GenerationIP

Type : System
Operating System : Linux

Fail2ban is a very useful and powerful solution to limit the bruteforce on your server. but fail2ban doesn't provide you a way to contact directly the IP provider's of bruteforce attacks source. I have modify an fail2ban action file's and create a script for that.

INSTALLATION

Go to the fail2ban action folders :

# cd /etc/fail2ban/action.d

Copy an existant file :

# cp mail-whois-lines.conf mail-whois-autosend-line.conf

Edit the file and change the actionban line like that :

# vim mail-whois-autosend-line.conf

...

actionban = /etc/fail2ban/action.d/mail-whois.sh <ip> <name> <logpath> <failures> <dest>

...

Don't forget to customize the end of this file.

Now you have to create mail-whois.sh script :

# vim mail-whois.sh

for i in `whois $1 | perl -wne'while(/[\w\.\-]+@[\w\.\-]+\w+/g){print "$&\n"}' | sort | uniq` "$5"; do echo "Hi,

The IP $1 has just been banned by Fail2Ban after $4 attempts against $2.
Here are more information about $1:

 `whois $1`


Lines containing IP: $1 in $3

 `grep $1 $3`


Regards,
Fail2Ban"|mail -s "[Fail2Ban] $2: banned $1" $i; done;

Activate execution right:

# chmod 750 mail-whois.sh

Now you have to edit jail.conf present in your fail2ban folder to change the mail action :

[ssh-iptables]

enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
mail-whois-autosend-line[name=SSH, dest=root, sender=root]
logpath  = /var/log/secure
maxretry = 5