Use Fail2Ban to contact the IP provider’s of bruteforce attacks source
source: generationip.asia
Fail2ban is a very useful and powerful solution to limit the bruteforce on your server. but fail2ban doesn’t provide you a way to contact directly the IP provider’s of bruteforce attacks source. I have modify an fail2ban action file’s and create a script for that.
INSTALLATION
Go to the fail2ban action folders :
# cd /etc/fail2ban/action.d
Copy an existant file :
# cp mail-whois-lines.conf mail-whois-autosend-line.conf
Edit the file and change the actionban line like that :
# vim mail-whois-autosend-line.conf
...
actionban = /etc/fail2ban/action.d/mail-whois.sh <ip> <name> <logpath> <failures> <dest>
...
Don’t forget to customize the end of this file.
Now you have to create mail-whois.sh script :
# vim mail-whois.sh
01.for i in `whois $1 | perl -wne'while(/[\w\.\-]+@[\w\.\-]+\w+/g){print "$&\n"}' | sort | uniq` "$5"; do echo "Hi,02.03.The IP $1 has just been banned by Fail2Ban after $4 attempts against $2.04.Here are more information about $1:05.06. `whois $1`07.08.09.Lines containing IP: $1 in $310.11. `grep $1 $3`12.13.14.Regards,15.Fail2Ban"|mail -s "[Fail2Ban] $2: banned $1" $i; done;Activate execution right:
# chmod 750 mail-whois.sh
Now you have to edit jail.conf present in your fail2ban folder to change the mail action :
[ssh-iptables] enabled = true filter = sshd action = iptables[name=SSH, port=ssh, protocol=tcp] mail-whois-autosend-line[name=SSH, dest=root, sender=root] logpath = /var/log/secure maxretry = 5
Copy an existant file :
# cp mail-whois-lines.conf mail-whois-autosend-line.conf
Edit the file and change the actionban line like that :
# vim mail-whois-autosend-line.conf
...
actionban = /etc/fail2ban/action.d/mail-whois.sh <ip> <name> <logpath> <failures> <dest>
...
Don’t forget to customize the end of this file.
Now you have to create mail-whois.sh script :
# vim mail-whois.sh
01.for i in `whois $1 | perl -wne'while(/[\w\.\-]+@[\w\.\-]+\w+/g){print "$&\n"}' | sort | uniq` "$5"; do echo "Hi,02.03.The IP $1 has just been banned by Fail2Ban after $4 attempts against $2.04.Here are more information about $1:05.06. `whois $1`07.08.09.Lines containing IP: $1 in $310.11. `grep $1 $3`12.13.14.Regards,15.Fail2Ban"|mail -s "[Fail2Ban] $2: banned $1" $i; done;Activate execution right:
# chmod 750 mail-whois.sh
Now you have to edit jail.conf present in your fail2ban folder to change the mail action :
[ssh-iptables] enabled = true filter = sshd action = iptables[name=SSH, port=ssh, protocol=tcp] mail-whois-autosend-line[name=SSH, dest=root, sender=root] logpath = /var/log/secure maxretry = 5