  1. # Fail2Ban configuration file
  2. #
  3. # Author: Russell Odom <[email protected]>
  4. # Adapted for sendmail by: Mike A. Leonetti
  5. # Sends a complaint e-mail to addresses listed in the whois record for an
  6. # offending IP address.
  7. #
  8. # You should provide the <logpath> in the jail config - lines from the log
  9. # matching the given IP address will be provided in the complaint as evidence.
  10. #
  11. # Note that we will try to use e-mail addresses that are most likely to be abuse
  12. # addresses (based on various keywords). If they aren't found we fall back on
  13. # any other addresses found in the whois record, with a few exceptions.
  14. # If no addresses are found, no e-mail is sent.
  15. #
  16. # $Revision: 717 $
  17. #
  18.  
  19. [Definition]
  20.  
  21. # Option: actionstart
  22. # Notes.: command executed once at the start of Fail2Ban.
  23. # Values: CMD
  24. #
  25. actionstart =
  26.  
  27. # Option: actionstop
  28. # Notes.: command executed once at the end of Fail2Ban
  29. # Values: CMD
  30. #
  31. actionstop =
  32.  
  33. # Option: actioncheck
  34. # Notes.: command executed once before each actionban command
  35. # Values: CMD
  36. #
  37. actioncheck =
  38.  
  39. # Option: actionban
  40. # Notes.: command executed when banning an IP. Take care that the
  41. # command is executed with Fail2Ban user rights.
  42. # Tags: <ip> IP address
  43. # <failures> number of failures
  44. # <failtime> unix timestamp of the last failure
  45. # <bantime> unix timestamp of the ban time
  46. # Values: CMD
  47. #
  48. actionban = ADDRESSES=`whois <ip> | perl -e 'while (<STDIN>) { next if /^changed|@(ripe|apnic)\.net/io; $m += (/abuse|trouble:|report|spam|security/io?3:0); if (/([a-z0-9_\-\.+]+@[a-z0-9\-]+(\.[[a-z0-9\-]+)+)/io) { while (s/([a-z0-9_\-\.+]+@[a-z0-9\-]+(\.[[a-z0-9\-]+)+)//io) { if ($m) { $a{lc($1)}=$m } else { $b{lc($1)}=$m } } $m=0 } else { $m && --$m } } if (%%a) {print join(",",keys(%%a))} else {print join(",",keys(%%b))}'`
  49. IP=<ip>
  50. if [ ! -z "$ADDRESSES" ]; then
  51. printf %%b "Subject: Suspected <name> abuse attempt from <ip>
  52. From: <sendername> <<sender>>
  53. To: $ADDRESSES
  54. Cc: <dest>
  55. Reply-To: <dest>
  56.  
  57. <message>\n\n`date '+Note: Local timezone is %%z (%%Z)'`\n`grep '<ip>' <logpath>`" | /usr/sbin/sendmail -f <sender> $ADDRESSES <dest>
  58. fi
  59.  
  60. # Option: actionunban
  61. # Notes.: command executed when unbanning an IP. Take care that the
  62. # command is executed with Fail2Ban user rights.
  63. # Tags: <ip> IP address
  64. # <bantime> unix timestamp of the ban time
  65. # <unbantime> unix timestamp of the unban time
  66. # Values: CMD
  67. #
  68. actionunban =
  69.  
  70. [Init]
  71. message = Dear Sir/Madam,\n\nOur monitoring system, Fail2ban, has detected potential abuse from the IP address $IP. According to a whois lookup, this IP address belongs to your network. We would appreciate if you would investigate and take action as appropriate.\n\nLog lines are given below, but please ask if you require any further information.\n\n(If you are not the correct person to contact about this please accept our apologies - your e-mail address was extracted from the whois record by an automated process. This mail was generated by Fail2Ban and was sent from an unmonitored account.)\n
  72.  
  73. # Path to the log files which contain relevant lines for the abuser IP
  74. #
  75. #logpath = /dev/null
  76.  
  77. # Defaut name of the chain
  78. #
  79. name = default
  80.  
  81. # Option: sender
  82. # Notes.: E-mail address that the e-mail will appear to come from
  83. # Values: String (Default: root@fail2ban)
  84. sender = fail2ban
  85.  
  86. # Option: sendername
  87. # Notes.: Full name that the e-mail will appear to come from
  88. # Values: String (Default: Fail2ban)
  89. sendername = Fail2ban
  90.  
  91. # Destination/Addressee of the mail
  92. #
  93. dest = root