I needed fail2ban to give the full hostname in an email and not just the short system name to reduce ambiguity.
To do this I copied the action “sendmail-whois” to “local_sendmail-whois”
```bash
cp /etc/fail2ban/actions.d/sendmail-whois.conf /etc/fail2ban/actions.d/local_sendmail-whois.conf
```
I then adjusted the copy, /etc/fail2ban/actions.d/local_sendmail-whois.conf, by editing the actionstart, actionstop and actionban sections (editing the copy rather than the packaged file means a package upgrade will not overwrite the change). These simply run the sendmail command with the given Subject, Date, From, To and body. I swapped `uname -n` for `<hostname>` and adjusted the format of each section.
```ini
[Definition]

# Option: actionstart
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
#
actionstart = printf %%b "Subject: Fail2Ban / <hostname> / <name> / Started
              Date: `LC_TIME=C date -u +"%%a, %%d %%h %%Y %%T +0000"`
              From: <sendername> <<sender>>
              To: <dest>\n
              Hi,\n
              The jail <name> has been started successfully on <hostname>.\n
              Regards,\n
              Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>

# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
actionstop = printf %%b "Subject: Fail2Ban / <hostname> / <name> / Stopped
             Date: `LC_TIME=C date -u +"%%a, %%d %%h %%Y %%T +0000"`
             From: <sendername> <<sender>>
             To: <dest>\n
             Hi,\n
             The jail <name> has been stopped on <hostname>.\n
             Regards,\n
             Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>

# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck =

# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
#         command is executed with Fail2Ban user rights.
# Tags:   See jail.conf(5) man page
# Values: CMD
#
actionban = printf %%b "Subject: Fail2Ban / <hostname> / <name> / Banned <ip>
            Date: `LC_TIME=C date -u +"%%a, %%d %%h %%Y %%T +0000"`
            From: <sendername> <<sender>>
            To: <dest>\n
            Hi,\n
            The IP <ip> has just been banned by Fail2Ban on <hostname> after
            <failures> attempts against <name>.\n\n
            Here is more information about <ip>:\n
            `/usr/bin/whois <ip> || echo missing whois program`\n
            Regards,\n
            Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
```
I then added this new action to jail.conf:

```ini
action_local_sendmail-whois = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
                              local_sendmail-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s", sendername="%(sendername)s", hostname="`hostname --fqdn`"]
```
By default I use the plain `action_` action, which doesn't send an email. In the jails where I do want an email I put:

```ini
action = %(action_local_sendmail-whois)s
```
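As an added example (not code from this post or from fail2ban itself), here is a small Python dry-run that parses a trimmed copy of the actionban definition the way fail2ban's configparser does (so `%%` collapses to `%`), fills in the tags a jail passes, and reports any `<tag>` left unresolved, so the rendered sendmail command can be checked for a missing `<hostname>` value before a real ban fires. The sample action text, the tag values and the function names are constructed for this example.

```python
import configparser
import re

# Constructed sample: a trimmed actionban from the local_sendmail-whois.conf above.
SAMPLE_ACTION = r'''
[Definition]
actionban = printf %%b "Subject: Fail2Ban / <hostname> / <name> / Banned <ip>
            Date: `LC_TIME=C date -u +"%%a, %%d %%h %%Y %%T +0000"`
            From: <sendername> <<sender>>
            To: <dest>\n
            Hi,\n
            The IP <ip> has just been banned by Fail2Ban on <hostname> after <failures> attempts against <name>.\n
            Regards,\n
            Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
'''

# Values a jail would pass to the action (constructed). In the real jail.conf line the
# hostname tag is the literal `hostname --fqdn`, which the shell expands when the
# command runs, so a resolved FQDN stands in for it here.
EXAMPLE_TAGS = {
    "name": "sshd", "ip": "203.0.113.5", "failures": "5",
    "dest": "root@localhost", "sender": "fail2ban@localhost",
    "sendername": "Fail2Ban", "hostname": "host.example.org",
}

TAG_RE = re.compile(r"<([A-Za-z_][A-Za-z0-9_]*)>")


def load_action(text):
    """Parse an action file as fail2ban does: configparser, so %% collapses to %."""
    parser = configparser.ConfigParser(interpolation=configparser.BasicInterpolation())
    parser.read_string(text)
    return dict(parser["Definition"])


def render(command, tags):
    """Substitute every <tag>; tags with no value are left in place so they can be spotted."""
    return TAG_RE.sub(lambda m: tags.get(m.group(1), m.group(0)), command)


def unresolved_tags(command):
    """Tags still present after rendering; non-empty means the jail passed too few values."""
    return sorted(set(TAG_RE.findall(command)))


def rendered_ban_command(tags, action_text=SAMPLE_ACTION):
    """The shell command fail2ban would hand to sh for a ban, with tags filled in."""
    return render(load_action(action_text)["actionban"], tags)


if __name__ == "__main__":
    print(rendered_ban_command(EXAMPLE_TAGS))
```

Run it with the full tag set and the Subject line carries the FQDN; drop `hostname` from the tags and `unresolved_tags` names it, which is exactly what a jail that forgets the `hostname=` argument would produce.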