26

Re: Activating fail2ban to send emails

What specifically in the action_mwl method do you want to add to the report?
If you check the files in /etc/fail2ban/action.d/sendmail* then you will see all the code used for each type of action/report method

27

Re: Activating fail2ban to send emails

MuPp3t33r wrote:

What specifically in the action_mwl method do you want to add to the report?
If you check the files in /etc/fail2ban/action.d/sendmail* then you will see all the code used for each type of action/report method

First of all thanks for your helping hand.
What I need regarding the sshd blocking action email is to have a full report for the banned IP; see a sample from my other server below:
===== QUOTE =====
Hi,

The IP 185.234.216.85 has just been banned by Fail2Ban after
1 attempts against exim.


Here is more information about 185.234.216.85 :


Lines containing IP:185.234.216.85 in /var/log/exim4/mainlog

2020-06-04 08:37:29 no host name found for IP address 185.234.216.85
2020-06-04 08:37:29 TLS error on connection from [185.234.216.85] (gnutls_handshake): The TLS connection was non-properly terminated.
2020-06-04 08:37:29 no host name found for IP address 185.234.216.85
2020-06-04 08:38:37 no IP address found for host __LOCAL_IP__ (during SMTP connection from (win-nt9dhv1hpcj.domain) [185.234.216.85])
2020-06-04 08:38:37 H=(win-nt9dhv1hpcj.domain) [185.234.216.85] sender verify fail for <test@example.com>: an MX or SRV record indicated no SMTP service
2020-06-04 08:38:37 H=(win-nt9dhv1hpcj.domain) [185.234.216.85] X=TLS1.0:DHE_RSA_AES_256_CBC_SHA1:256 CV=no F=<test@example.com> rejected RCPT <newkingrazaq@outlook.com>: Sender verify failed
2020-06-04 08:38:37 no host name found for IP address 185.234.216.85
2020-06-04 08:39:05 auth_login authenticator failed for (win-nt9dhv1hpcj.domain) [185.234.216.85]: 535 Incorrect authentication data (set_id=info)


Regards,

Fail2Ban
===== UNQUOTE =====

Unfortunately, I have almost zero Python experience, so I cannot understand what is necessary to do in order to implement / achieve the above result.
Apart from this, my question remains: why does the "standard" action / method "action_mwl" not work?
Many thanks !

28

Re: Activating fail2ban to send emails

ah ok, so you want the whois information, try this one:

[sshd]
enabled     = true
filter      = sshd
logpath     = /var/log/auth.log
action      = iptables-multiport[name=sshd, port="22", protocol=tcp]
              banned_db[name=sshd, port="22", protocol=tcp]
              sendmail-whois-lines[name=sshd, sendername=root@bioeshop.gr, dest=mikek@openforall.com]

Basically the "action" is the name of the conf file in /etc/fail2ban/action.d (minus the .conf extension)

29

Re: Activating fail2ban to send emails

MuPp3t33r wrote:

ah ok, so you want the whois information, try this one:

[sshd]
enabled     = true
filter      = sshd
logpath     = /var/log/auth.log
action      = iptables-multiport[name=sshd, port="22", protocol=tcp]
              banned_db[name=sshd, port="22", protocol=tcp]
              sendmail-whois-lines[name=sshd, sendername=root@bioeshop.gr, dest=mikek@openforall.com]

Basically the "action" is the name of the conf file in /etc/fail2ban/action.d (minus the .conf extension)

Dear Sir,
yes, I changed the ssh.local file according to your suggestion and I have it almost as I want. The only thing missing is the copy of the related log part, which seems empty, as you can see below.
===== QUOTE =====
Lines containing failures of 109.178.173.178 (max 1000)


===== UNQUOTE =====

Again, I thank you for your help.

30

Re: Activating fail2ban to send emails

Check under /etc/fail2ban/action.d/sendmail-whois-lines.conf for line logpath = /dev/null
change it to logpath = /var/log/auth.log

(I think that should be the right path for SSH logs by default, assuming it's exactly the same as my Debian setup)

31

Re: Activating fail2ban to send emails

MuPp3t33r wrote:

Check under /etc/fail2ban/action.d/sendmail-whois-lines.conf for line logpath = /dev/null
change it to logpath = /var/log/auth.log

(I think that should be the right path for SSH logs by default, assuming it's exactly the same as my Debian setup)

Brilliant, I will make the change later on. My only question: since in /etc/fail2ban/jail.d/sshd.local there is:
logpath = /var/log/auth.log
why isn't it taken into consideration in sendmail-whois-lines.conf?
Anyway, you really help me very much and I express my gratitude to you.
Cheers!

32

Re: Activating fail2ban to send emails

The logpath defined in the jails (/etc/fail2ban/jail.d/*) specifies where fail2ban looks for events that are happening. When it sees events matching the jail conditions in that logpath then it processes the action associated with that jail
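As an added example (not from this thread or from iRedMail), the following jail fragment passes the jail's own logpath to the mail action as a parameter, which overrides the action file's default of /dev/null without editing the stock file under action.d. The sender and destination addresses are placeholders; the filter, port and log path follow the thread's sshd jail.

```ini
# /etc/fail2ban/jail.d/sshd.local  (added example; addresses are placeholders)
[sshd]
enabled  = true
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 5
bantime  = 1h

# The jail's logpath tells fail2ban where to watch for failures; the action
# does not inherit it automatically, because sendmail-whois-lines.conf sets
# its own logpath (default /dev/null) in its [Init] section.  Interpolating
# %(logpath)s here passes the jail's value to the action, so the "Lines
# containing failures of <ip>" section of the mail is filled from auth.log.
action   = iptables-multiport[name=sshd, port="22", protocol=tcp]
           sendmail-whois-lines[name=sshd, sender="root@mail.example.com", dest="admin@example.com", logpath="%(logpath)s"]
```

After the change, run fail2ban-client reload and trigger a test ban from a host you control to confirm the log excerpt is no longer empty.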

33

Re: Activating fail2ban to send emails

MuPp3t33r wrote:

The logpath defined in the jails (/etc/fail2ban/jail.d/*) specifies where fail2ban looks for events that are happening. When it sees events matching the jail conditions in that logpath then it processes the action associated with that jail

Many, many thanks, you are an excellent helper!

34

Re: Activating fail2ban to send emails

You're welcome :)