1

Topic: Activating fail2ban to send emails

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): today's version from GitHub
- Deployed with iRedMail Easy or the downloadable installer? using iRedMail.sh
- Linux/BSD distribution name and version: Ubuntu server 20.04
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL (mariadb-server-10.3)
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? No
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====
Dear Sirs, I need a little help.
Please give me a short how-to in order to get an email notification for each ban that fail2ban applies, at my external email address, e.g. demo@gmail.com.

Thanks and best Regards,
Mike Kranidis


2

Re: Activating fail2ban to send emails

Are you wanting notifications for every ban action immediately? You might end up regretting that; you should anticipate getting hundreds of them daily.

iRedMail does send out a daily report to the postmaster (which you can also forward to your external address if you specifically want it there) which contains a listing of all the blocked IPs.

3

Re: Activating fail2ban to send emails

MuPp3t33r wrote:

Are you wanting notifications for every ban action immediately? You might end up regretting that; you should anticipate getting hundreds of them daily.

iRedMail does send out a daily report to the postmaster (which you can also forward to your external address if you specifically want it there) which contains a listing of all the blocked IPs.

First of all thanks for your answer.
Yes, during a test period I want these ban notifications at my external email. Maybe after that period I will keep only the standard daily report.
So, can I activate it?

Thanks and Best Regards,
Mike Kranidis

4

Re: Activating fail2ban to send emails

Hello there.
Any helping hand with my question?
Thanks

5

Re: Activating fail2ban to send emails

Use the “sendmail” action in jails.

6

Re: Activating fail2ban to send emails

ZhangHuangbin wrote:

Use the “sendmail” action in jails.

Thanks, but what are the steps to follow?

7

Re: Activating fail2ban to send emails

Check file /etc/fail2ban/action.d/sendmail.conf to understand how to configure it, then add action “sendmail” in the jails under /etc/fail2ban/jail.d/*.local to enable it.

8

Re: Activating fail2ban to send emails

ZhangHuangbin wrote:

Check file /etc/fail2ban/action.d/sendmail.conf to understand how to configure it, then add action “sendmail” in the jails under /etc/fail2ban/jail.d/*.local to enable it.

Yes, I will follow your suggestion and I will report back here the result.
Thanks and Best Regards,
Mike Kranidis

9

Re: Activating fail2ban to send emails

ZhangHuangbin wrote:

Check file /etc/fail2ban/action.d/sendmail.conf to understand how to configure it, then add action “sendmail” in the jails under /etc/fail2ban/jail.d/*.local to enable it.

Dear Sir,
I added action = %(action_mwl)s at the bottom of /etc/fail2ban/jail.local (please see it below).

root@mail:~#  cat /etc/fail2ban/jail.local
[DEFAULT]
# time is in seconds. 3600 = 1 hour, 86400 = 24 hours (1 day)
findtime    = 3600
bantime     = 86400
maxretry    = 2
ignoreip    = 127.0.0.1 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16

action = %(action_mwl)s


No matter what, I definitely cannot get emails for the ban actions.
I tested from the console that the sendmail command is working (sendmail -t).
I even tested putting the following inside jail.local:
destemail = mikek@"mydomain.com"
sender = root@"boxdomain.com"

Nothing worked.

Please help me to sort out the problem.

Thanks and Best Regards,
Mike Kranidis

10

Re: Activating fail2ban to send emails

I think you may need to do it in each specific jail.
Example: /etc/fail2ban/jail.d/sshd.local

11

Re: Activating fail2ban to send emails

MuPp3t33r wrote:

I think you may need to do it in each specific jail.
Example: /etc/fail2ban/jail.d/sshd.local

Dear Sir,
Thanks, I will try it and I will let you know.

Best Regards

12

Re: Activating fail2ban to send emails

Well, looking further into my problem, I focused on activating the email sending in the case of a ban of an IP address in the sshd jail.
I realized that iRedMail has its own configuration files inside the /etc/fail2ban/jail.d/ directory. The file that I possibly need to modify is sshd.local, with content:
root@mail:~#  cat /etc/fail2ban/jail.d/sshd.local
[sshd]
enabled     = true
filter      = sshd
logpath     = /var/log/auth.log
action      = iptables-multiport[name=sshd, port="22", protocol=tcp]
              banned_db[name=sshd, port="22", protocol=tcp]

So I think at this stage I need to integrate or implement the related action, which according to the manual is:
%(action_mw)s

The question is how?
Please guide me.

Thanks and Best Regards.

13

Re: Activating fail2ban to send emails

mikekgr wrote:

I realized that iRedMail has its own configuration files inside the /etc/fail2ban/jail.d/ directory.

I clearly mentioned this in my reply:
https://forum.iredmail.org/post74701.html#p74701

Try this in /etc/fail2ban/jail.d/sshd.local (or other jail config files):

[sshd]
...
action = iptables-multiport[...]
             banned_db[...]
             sendmail[name=sshd, dest=your@email.com]

14

Re: Activating fail2ban to send emails

Dear Mr. Huangbin,
first of all, many thanks for your answer.
As you suggested, I added to /etc/fail2ban/jail.d/sshd.local one last line with:
sendmail[name=sshd, sendername=root@... , dest=mikek@...]

and I restarted fail2ban:
systemctl reload fail2ban.service-fail2ban.service

I ensured that fail2ban was restarted by looking at its log: /var/log/fail2ban.log

Then from another external server, I made an ssh connection with a bad password until I saw my server's IP banned on the iRedMail server.

Unfortunately no email was created (I checked the sendmail log: /var/log/mail.log) and of course I did not receive anything...
Please tell me what I did wrong.

Thanks and Best Regards

15

Re: Activating fail2ban to send emails

What's the related log in /var/log/mail.log?
Please always post related logs / info so that others can help troubleshoot; otherwise others have no interest in GUESSING.

16

Re: Activating fail2ban to send emails

OK, here are the related fail2ban files:

root@mail:/etc/fail2ban/jail.d# cat ./sshd.local
[sshd]
enabled     = true
filter      = sshd
logpath     = /var/log/auth.log
action      = iptables-multiport[name=sshd, port="22", protocol=tcp]
#action      = iptables-multiport[name=sshd, port="22", protocol=tcp]
              banned_db[name=sshd, port="22", protocol=tcp]
              sendmail[name=sshd, sendername=root@xxxx.xx, dest=mikek@xxxx.xx]

root@mail:/etc/fail2ban# cat jail.local
[DEFAULT]
# time is in seconds. 3600 = 1 hour, 86400 = 24 hours (1 day)
findtime    = 3600
bantime     = 86400
maxretry    = 2
ignoreip    = 127.0.0.1 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16


When I make the ssh connection with the wrong password, I confirm that fail2ban has banned the external server's IP, but looking at /var/log/mail.log (doing tail -f /var/log/mail.log) NOTHING SHOWS.

What do you think?

Thanks

17

Re: Activating fail2ban to send emails

Your actions are all hashed out

[sshd]
enabled     = true
filter      = sshd
logpath     = /var/log/auth.log
action      = iptables-multiport[name=sshd, port="22", protocol=tcp]
#action      = iptables-multiport[name=sshd, port="22", protocol=tcp]
              banned_db[name=sshd, port="22", protocol=tcp]
              sendmail[name=sshd, sendername=root@xxxx.xx, dest=mikek@xxxx.xx]

18 (edited by mikekgr 2020-06-02 19:31:48)

Re: Activating fail2ban to send emails

MuPp3t33r wrote:

Your actions are all hashed out

[sshd]
enabled     = true
filter      = sshd
logpath     = /var/log/auth.log
action      = iptables-multiport[name=sshd, port="22", protocol=tcp]
#action      = iptables-multiport[name=sshd, port="22", protocol=tcp]
              banned_db[name=sshd, port="22", protocol=tcp]
              sendmail[name=sshd, sendername=root@xxxx.xx, dest=mikek@xxxx.xx]

That was a mistake; I pasted a previous, incorrect snippet. Anyway, I rechecked it and see:
root@mail:/etc/fail2ban/jail.d# cat sshd.local
[sshd]
enabled     = true
filter      = sshd
logpath     = /var/log/auth.log
action      = iptables-multiport[name=sshd, port="22", protocol=tcp]
#action      = iptables-multiport[name=sshd, port="22", protocol=tcp]
              banned_db[name=sshd, port="22", protocol=tcp]
              sendmail[name=sshd, sendername=root@xxxx.xx , dest=mikek@xxxx.xx]

Nothing changed. I triggered an ssh block / ban, I saw that fail2ban.log recorded the IP ban action, but looking at mail.log nothing was sent and nothing was received at my email...

What else?
Thanks

19 (edited by MuPp3t33r 2020-06-02 20:01:47)

Re: Activating fail2ban to send emails

No idea what you did wrong, but it's working perfectly for me.
This is my jail and related logs (I did one for all of them and got good results; actually you should get an email as soon as you restart the service, stating that the service has started).

By the way, "sendername=" is the display name field, not the "from" email address, just FYI.

[dovecot-iredmail]
enabled     = true
filter      = dovecot.iredmail
action      = iptables-multiport[name=dovecot, port="http,https,smtp,submission,465,pop3,pop3s,imap,imaps,sieve", protocol=tcp]
              sendmail[name=dovecot.iredmail, sendername=Fail2Ban, dest=email@domain.tld]
logpath     = /var/log/dovecot/*.log

Jun  2 13:42:38 mail roundcube: <t6ud4o86> IMAP Error: Login failed for ************ from ************. LOGIN: Authentication failed. in /opt/www/roundcubemail-1.3.8/program/lib/Roundcube/rcube_imap.php on line 196 (POST /mail/?_task=login&_action=login)
Jun  2 13:42:39 mail postfix/pickup[1627]: 49bqsW0kWjz31ZC: uid=0 from=<fail2ban>
Jun  2 13:42:39 mail postfix/cleanup[3155]: 49bqsW0kWjz31ZC: message-id=<*******************>
Jun  2 13:42:39 mail postfix/qmgr[32016]: 49bqsW0kWjz31ZC: from=<fail2ban@*************>, size=532, nrcpt=1 (queue active)
Jun  2 13:42:39 mail postfix/smtp[3167]: Trusted TLS connection established to *******************:25: TLSv1.2 with cipher DHE-RSA-AES256-SHA256 (256/256 bits)
Jun  2 13:42:39 mail postfix/smtp[3167]: 49bqsW0kWjz31ZC: to=<**************>, relay=***************:25, delay=0.91, delays=0.12/0.05/0.74/0.01, dsn=2.0.0, status=sent (250 OK id=1jg5IP-0001DG-0v)
Jun  2 13:42:39 mail postfix/qmgr[32016]: 49bqsW0kWjz31ZC: removed


20

Re: Activating fail2ban to send emails

MuPp3t33r wrote:

No idea what you did wrong, but it's working perfectly for me.
This is my jail and related logs (I did one for all of them and got good results; actually you should get an email as soon as you restart the service, stating that the service has started).

By the way, "sendername=" is the display name field, not the "from" email address, just FYI.

[dovecot-iredmail]
enabled     = true
filter      = dovecot.iredmail
action      = iptables-multiport[name=dovecot, port="http,https,smtp,submission,465,pop3,pop3s,imap,imaps,sieve", protocol=tcp]
              sendmail[name=dovecot.iredmail, sendername=Fail2Ban, dest=email@domain.tld]
logpath     = /var/log/dovecot/*.log

Jun  2 13:42:38 mail roundcube: <t6ud4o86> IMAP Error: Login failed for ************ from ************. LOGIN: Authentication failed. in /opt/www/roundcubemail-1.3.8/program/lib/Roundcube/rcube_imap.php on line 196 (POST /mail/?_task=login&_action=login)
Jun  2 13:42:39 mail postfix/pickup[1627]: 49bqsW0kWjz31ZC: uid=0 from=<fail2ban>
Jun  2 13:42:39 mail postfix/cleanup[3155]: 49bqsW0kWjz31ZC: message-id=<*******************>
Jun  2 13:42:39 mail postfix/qmgr[32016]: 49bqsW0kWjz31ZC: from=<fail2ban@*************>, size=532, nrcpt=1 (queue active)
Jun  2 13:42:39 mail postfix/smtp[3167]: Trusted TLS connection established to *******************:25: TLSv1.2 with cipher DHE-RSA-AES256-SHA256 (256/256 bits)
Jun  2 13:42:39 mail postfix/smtp[3167]: 49bqsW0kWjz31ZC: to=<**************>, relay=***************:25, delay=0.91, delays=0.12/0.05/0.74/0.01, dsn=2.0.0, status=sent (250 OK id=1jg5IP-0001DG-0v)
Jun  2 13:42:39 mail postfix/qmgr[32016]: 49bqsW0kWjz31ZC: removed

Thanks a lot for your help. I will try to see what is possibly wrong in my case. If I find something I will report it back here.

21

Re: Activating fail2ban to send emails

Dear all,
Yesterday night I rebooted my test server and, without changing anything (see my latest fail2ban settings), the emails started to be sent without problems... I don't understand why the command systemctl reload fail2ban.service doesn't reload the configuration...
Anyway, I have it working now and I sincerely thank all of you.
The only thing that I cannot understand is why the "standard" pre-set action %(action_mwl)s doesn't work. This is still under investigation.

Thanks and Best Regards,
Mike Kranidis

22

Re: Activating fail2ban to send emails

That's odd; it should effectively do the same thing, but I restart my services like this: /etc/init.d/fail2ban reload
But at least it is working.

23

Re: Activating fail2ban to send emails

Dear Sirs,
now that I have the sending of emails in case of sshd bans activated, I am looking for a way to have inside these emails the maximum information that I can get.

My current /etc/fail2ban/jail.d/sshd.local file consists of:
cat /etc/fail2ban/jail.d/sshd.local
[sshd]
enabled     = true
filter      = sshd
logpath     = /var/log/auth.log
action      = iptables-multiport[name=sshd, port="22", protocol=tcp]
              banned_db[name=sshd, port="22", protocol=tcp]
              sendmail[name=sshd, sendername=root@bioeshop.gr, dest=mikek@openforall.com]

But ultimately I want to have in these emails the equivalent resulting content of this action, which for some reason does not work, possibly due to special configuration that iRedMail has done in fail2ban:

action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
             %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath="%(logpath)s", chain="%(chain)s"]

The question is: how can I achieve that?

Thanks and Best Regards,
Mike Kranidis

24

Re: Activating fail2ban to send emails

/etc/fail2ban/action.d/sendmail.conf

Check here for the sample text that fail2ban uses for the notification email; you can edit it as desired.

25

Re: Activating fail2ban to send emails

MuPp3t33r wrote:

/etc/fail2ban/action.d/sendmail.conf

Check here for the sample text that fail2ban uses for the notification email; you can edit it as desired.

Thanks, yes I will do that, but it still remains why we can't use action_mwl, which takes care of all of these automatically...
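The DEFAULT action_mwl line from posts 9, 21 and 23 never fires on iRedMail because every jail.d/*.local file sets its own action line, and a jail's own action replaces the DEFAULT one. The added example below (not code from the thread, iRedMail or fail2ban) parses a jail configuration the same way, expands the %(...)s references, and reports per enabled jail which actions are effective and whether any of them is a mail action. The sample config, the jail name test-jail and the abbreviated port lists are constructed for the example.

```python
# Added example (not from the thread, iRedMail or fail2ban): parse a fail2ban jail
# config as fail2ban layers it (a jail's own 'action' replaces the DEFAULT one).
import configparser
import re

MAIL_PREFIXES = ("sendmail", "mail")  # sendmail*, mail-whois*, ... in action.d/

def expand(cp, jail, value, depth=0):
    """Expand %(key)s from the jail section (or DEFAULT); __name__ = jail name."""
    if depth > 10:
        raise ValueError("interpolation loop in: " + value)
    new = re.sub(r"%\((\w+)\)s", lambda m: jail if m.group(1) == "__name__"
                 else cp.get(jail, m.group(1), fallback=""), value)
    return new if new == value else expand(cp, jail, new, depth + 1)

def effective_actions(config_text):
    """{jail: [action names]} for every enabled jail."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(config_text)
    def names(raw):  # one action per line: 'name[param=..., ...]' or bare 'name'
        return [re.split(r"[\[\s]", ln.strip(), maxsplit=1)[0]
                for ln in raw.splitlines() if ln.strip()]
    return {j: names(expand(cp, j, cp.get(j, "action", fallback="")))
            for j in cp.sections() if cp.getboolean(j, "enabled", fallback=False)}

def mail_report(config_text):
    return {j: any(n.startswith(MAIL_PREFIXES) for n in names)
            for j, names in effective_actions(config_text).items()}

# Constructed sample: jail.local [DEFAULT] (action_mwl as quoted in the thread) followed by jail.d jails.
SAMPLE = """[DEFAULT]
banaction = iptables-multiport
mta = sendmail
action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
             %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath="%(logpath)s", chain="%(chain)s"]
action = %(action_mwl)s
[test-jail]
enabled = true
[sshd]
enabled = true
action  = iptables-multiport[name=sshd, port="22", protocol=tcp]
          banned_db[name=sshd, port="22", protocol=tcp]
[dovecot-iredmail]
enabled = true
action  = iptables-multiport[name=dovecot, port="imap,imaps", protocol=tcp]
          sendmail[name=dovecot.iredmail, sendername=Fail2Ban, dest=email@domain.tld]
"""

if __name__ == "__main__":
    print(effective_actions(SAMPLE), mail_report(SAMPLE), sep="\n")
```

Run against a real server, feed it the concatenation of /etc/fail2ban/jail.local and /etc/fail2ban/jail.d/*.local; a jail reported without a mail action is one whose own action line is overriding whatever DEFAULT says.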