Use Fail2Ban to contact the IP provider of brute-force attack sources

28/01/2014 Categories: Network, Security

source: generationip.asia

Fail2ban is a very useful and powerful solution for limiting brute-force attacks on your server, but it does not provide a way to contact the provider of the IP address the attack comes from directly. I modified a fail2ban action file and wrote a script for that.

INSTALLATION

Go to the fail2ban action folder:

# cd /etc/fail2ban/action.d

Copy an existing action file:

# cp mail-whois-lines.conf mail-whois-autosend-line.conf

Edit the file and change the actionban line as follows:

# vim mail-whois-autosend-line.conf
...
actionban = /etc/fail2ban/action.d/mail-whois.sh <ip> <name> <logpath> <failures> <dest>
...

Don’t forget to customize the end of this file.

Now create the mail-whois.sh script:

# vim mail-whois.sh

#!/bin/sh
# Arguments passed by the fail2ban action: <ip> <name> <logpath> <failures> <dest>
ip="$1"; name="$2"; logpath="$3"; failures="$4"; dest="$5"

# Run whois once and keep the record for the mail body
whois_out=$(whois "$ip")

# Extract every e-mail address found in the whois record
contacts=$(printf '%s\n' "$whois_out" \
    | perl -wne 'while(/[\w\.\-]+@[\w\.\-]+\w+/g){print "$&\n"}' \
    | sort -u)

# Send the notification to each whois contact and to the local <dest>
for i in $contacts "$dest"; do
    echo "Hi,

The IP $ip has just been banned by Fail2Ban after $failures attempts against $name.
Here is more information about $ip:

$whois_out


Lines containing IP $ip in $logpath:

$(grep -F -- "$ip" "$logpath")


Regards,
Fail2Ban" | mail -s "[Fail2Ban] $name: banned $ip" "$i"
done

Make the script executable:

# chmod 750 mail-whois.sh

Now edit jail.conf in your fail2ban folder and change the mail action:

[ssh-iptables]
enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           mail-whois-autosend-line[name=SSH, dest=root, sender=root]
logpath  = /var/log/secure
maxretry = 5

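The script above mails every address that appears in the whois record, which includes NOC, peering and administrative contacts that are not meant to receive abuse reports. The following added example (not part of the original post) shows a stricter selection step that prefers the explicitly labelled abuse fields (RIPE-style abuse-mailbox and ARIN-style OrgAbuseEmail) and only falls back to "every address" when the record has none. The whois record embedded here is constructed sample data, and the function names are my own; the piece that actually sends mail is deliberately left out so the selection can be run stand-alone.

```shell
#!/bin/sh
# Added example: choose abuse contacts from a whois record instead of mailing
# every address it contains. Reads whois text on stdin, prints one address per line.

EMAIL_RE='[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}'

extract_abuse_contacts() {
    whois_text=$(cat)
    # Prefer fields that registries label as abuse contacts
    abuse=$(printf '%s\n' "$whois_text" \
        | grep -iE '^(abuse-mailbox|OrgAbuseEmail):' \
        | grep -oE "$EMAIL_RE" \
        | sort -u)
    if [ -n "$abuse" ]; then
        printf '%s\n' "$abuse"
    else
        # No labelled abuse field: fall back to every address in the record
        printf '%s\n' "$whois_text" | grep -oE "$EMAIL_RE" | sort -u
    fi
}

# Join one-address-per-line output into a single space-separated line
join_lines() {
    tr '\n' ' ' | sed 's/ $//'
}

# Constructed sample whois record (not real data) for a stand-alone run
SAMPLE_WHOIS='inetnum:        192.0.2.0 - 192.0.2.255
netname:        EXAMPLE-NET
admin-c:        EX123-RIPE
e-mail:         noc@example.net
abuse-mailbox:  abuse@example.net
abuse-mailbox:  abuse@example.net
remarks:        contact hostmaster@example.net for peering'

# Returns the recipients the notification would go to for the sample record
build_recipients() {
    printf '%s\n' "$SAMPLE_WHOIS" | extract_abuse_contacts | join_lines
}

build_recipients
```

With the sample record this prints only abuse@example.net; noc@ and hostmaster@ are skipped because a labelled abuse field exists. In the mail-whois.sh script, `$contacts` would be set from `whois "$ip" | extract_abuse_contacts` in place of the perl extraction.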