Use Fail2Ban to contact the IP providers of brute-force attack sources
source: generationip.asia
Fail2ban is a very useful and powerful solution to limit brute-force attempts on your server, but fail2ban doesn't provide a way to contact directly the IP provider of the brute-force attack's source. I have modified a fail2ban action file and created a script for that.
INSTALLATION
Go to the fail2ban action folder:
# cd /etc/fail2ban/action.d
Copy an existing file:
# cp mail-whois-lines.conf mail-whois-autosend-line.conf
Edit the file and change the actionban line like this:
# vim mail-whois-autosend-line.conf
...
actionban = /etc/fail2ban/action.d/mail-whois.sh <ip> <name> <logpath> <failures> <dest>
...
Don't forget to customize the end of this file (the [Init] section, where dest and sender are defined).
Now create the mail-whois.sh script:
# vim mail-whois.sh
#!/bin/sh
# Called by the fail2ban action with: <ip> <name> <logpath> <failures> <dest>
IP="$1"; NAME="$2"; LOGPATH="$3"; FAILURES="$4"; DEST="$5"

# Run whois once and extract every e-mail address found in the record
WHOIS=$(whois "$IP")
CONTACTS=$(printf '%s\n' "$WHOIS" | perl -wne 'while(/[\w\.\-]+@[\w\.\-]+\w+/g){print "$&\n"}' | sort | uniq)

# Send the report to each whois contact and to the local destination (<dest>);
# $CONTACTS is left unquoted on purpose so that it splits into one address per iteration
for i in $CONTACTS "$DEST"; do
echo "Hi,

The IP $IP has just been banned by Fail2Ban after $FAILURES attempts against $NAME.

Here is more information about $IP:

$WHOIS

Lines containing IP $IP in $LOGPATH:

`grep -Fw "$IP" "$LOGPATH"`

Regards,

Fail2Ban" | mail -s "[Fail2Ban] $NAME: banned $IP" "$i"
done
Make the script executable:
# chmod 750 mail-whois.sh
Now edit jail.conf in your fail2ban folder to replace the mail action:
[ssh-iptables]
enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           mail-whois-autosend-line[name=SSH, dest=root, sender=root]
logpath  = /var/log/secure
maxretry = 5
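The script above mails every address that appears in the whois record, which also hits technical and administrative contacts who are not the abuse desk. The helper below is an added example (not part of the original script) that prefers the dedicated abuse fields (abuse-mailbox for RIPE/APNIC-style records, OrgAbuseEmail for ARIN) and only falls back to all addresses when none exist; the whois samples are constructed, and the function name abuse_contacts is my own.

```shell
#!/bin/sh
# Read whois output on stdin and print one contact address per line.
# Dedicated abuse fields win; otherwise fall back to every address in the record.
abuse_contacts() {
    text=$(cat)
    email_re='[A-Za-z0-9._-]+@[A-Za-z0-9.-]+\.[A-Za-z]+'
    # abuse-mailbox: RIPE/APNIC/AFRINIC; OrgAbuseEmail: ARIN
    found=$(printf '%s\n' "$text" \
        | grep -iE '^(abuse-mailbox|OrgAbuseEmail):' \
        | grep -oE "$email_re" | sort -u)
    if [ -z "$found" ]; then
        # Fallback: same behaviour as the original script (all addresses)
        found=$(printf '%s\n' "$text" | grep -oE "$email_re" | sort -u)
    fi
    printf '%s\n' "$found"
}

# Constructed sample: a RIPE-style record with a dedicated abuse mailbox
SAMPLE_WHOIS_RIPE='inetnum:        192.0.2.0 - 192.0.2.255
netname:        EXAMPLE-NET
e-mail:         noc@example.net
abuse-mailbox:  abuse@example.net
person:         Example Admin
e-mail:         admin@example.net'

# Constructed sample: a record without any abuse field
SAMPLE_WHOIS_NO_ABUSE='inetnum:        198.51.100.0 - 198.51.100.255
netname:        OTHER-NET
e-mail:         noc@example.net
e-mail:         admin@example.net'

# Demo: only the abuse mailbox is selected for the first record
printf '%s' "$SAMPLE_WHOIS_RIPE" | abuse_contacts
```

In mail-whois.sh, replace the perl extraction with `CONTACTS=$(printf '%s\n' "$WHOIS" | abuse_contacts)` to use this selection.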