{"id":1082,"date":"2014-06-25T11:37:37","date_gmt":"2014-06-25T11:37:37","guid":{"rendered":"http:\/\/www.nooblet.org\/blog\/?p=1082"},"modified":"2014-06-25T11:43:02","modified_gmt":"2014-06-25T11:43:02","slug":"adding-extra-fields-to-fail2ban-mails","status":"publish","type":"post","link":"https:\/\/www.nooblet.org\/blog\/2014\/adding-extra-fields-to-fail2ban-mails\/","title":{"rendered":"Adding extra fields to Fail2Ban mails"},"content":{"rendered":"

I needed fail2ban to give the full hostname in an email and not just the short system name to reduce ambiguity.<\/p>\n

To do this I copied the action “sendmail-whois” to “local_sendmail-whois”<\/p>\n

cp \/etc\/fail2ban\/actions.d\/sendmail-whois.conf \/etc\/fail2ban\/actions.d\/sendmail-whois.conf<\/pre>\n
And then adjusted \/etc\/fail2ban\/actions.d\/sendmail-whois.conf by editing the actionstart, actionstop and actionban sections. These simply run the sendmail command with the given Subject, Date, From, To and body. I swapped `uname -n` with `<hostname>` and adjusted the format for each section.<\/p>\n
[Definition]\r\n\r\n# Option:  actionstart\r\n# Notes.:  command executed once at the start of Fail2Ban.\r\n# Values:  CMD\r\n#\r\nactionstart = printf %%b \"Subject: Fail2Ban \/ <hostname> \/ <name> \/ Started\r\n              Date: `LC_TIME=C date -u +\"%%a, %%d %%h %%Y %%T +0000\"`\r\n              From: <sendername> <<sender>>\r\n              To: <dest>\\n\r\n              Hi,\\n\r\n              The jail <name> has been started successfully on <hostname>.\\n\r\n              Regards,\\n\r\n              Fail2Ban\" | \/usr\/sbin\/sendmail -f <sender> <dest>\r\n\r\n# Option:  actionstop\r\n# Notes.:  command executed once at the end of Fail2Ban\r\n# Values:  CMD\r\n#\r\nactionstop = printf %%b \"Subject: Fail2Ban \/ <hostname> \/ <name> \/ Stopped\r\n             Date: `LC_TIME=C date -u +\"%%a, %%d %%h %%Y %%T +0000\"`\r\n             From: <sendername> <<sender>>\r\n             To: <dest>\\n\r\n             Hi,\\n\r\n             The jail <name> has been stopped on <hostname>.\\n\r\n             Regards,\\n\r\n             Fail2Ban\" | \/usr\/sbin\/sendmail -f <sender> <dest>\r\n\r\n# Option:  actioncheck\r\n# Notes.:  command executed once before each actionban command\r\n# Values:  CMD\r\n#\r\nactioncheck =\r\n\r\n# Option:  actionban\r\n# Notes.:  command executed when banning an IP. Take care that the\r\n#          command is executed with Fail2Ban user rights.\r\n# Tags:    See jail.conf(5) man page\r\n# Values:  CMD\r\n#\r\nactionban = printf %%b \"Subject: Fail2Ban \/ <hostname> \/ <name> \/  Banned <ip>\r\n            Date: `LC_TIME=C date -u +\"%%a, %%d %%h %%Y %%T +0000\"`\r\n            From: <sendername> <<sender>>\r\n            To: <dest>\\n\r\n            Hi,\\n\r\n            The IP <ip> has just been banned by Fail2Ban on <hostname> after\r\n            <failures> attempts against <name>.\\n\\n\r\n            Here is more information about <ip>:\\n\r\n            `\/usr\/bin\/whois <ip> || echo missing whois program`\\n\r\n            Regards,\\n\r\n            Fail2Ban\" | \/usr\/sbin\/sendmail -f <sender> <dest>\r\n<\/pre>\n
I then added this new action to jail.conf<\/p>\n
action_local_sendmail-whois = %(banaction)s[name=%(__name__)s, port=\"%(port)s\", protocol=\"%(protocol)s\", chain=\"%(chain)s\"]\r\n                        local_sendmail-whois[name=%(__name__)s, dest=\"%(destemail)s\", protocol=\"%(protocol)s\", chain=\"%(chain)s\", sendername=\"%(sendername)s\", hostname=\"`hostname --fqdn`\"]<\/pre>\n
By default I use the “action_” action, which doesn’t send an email. And then in the jails that I do want an email I just put<\/p>\n
action = %(local_sendmail-whois)s<\/pre>\n","protected":false},"excerpt":{"rendered":"
I needed fail2ban to give the full hostname in an email and not just the short system name to reduce ambiguity. To do this I copied the action “sendmail-whois” to “local_sendmail-whois” cp \/etc\/fail2ban\/actions.d\/sendmail-whois.conf \/etc\/fail2ban\/actions.d\/sendmail-whois.conf And then adjusted \/etc\/fail2ban\/actions.d\/sendmail-whois.conf by editing the actionstart, actionstop and actionban sections. These simply run the sendmail command with the given […]<\/p>\n","protected":false},"author":1,"featured_media":648,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5],"tags":[222,223,224],"class_list":["post-1082","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-linux","tag-fail2ban","tag-hostname","tag-sendmail"],"_links":{"self":[{"href":"https:\/\/www.nooblet.org\/blog\/wp-json\/wp\/v2\/posts\/1082","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.nooblet.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.nooblet.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.nooblet.org\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.nooblet.org\/blog\/wp-json\/wp\/v2\/comments?post=1082"}],"version-history":[{"count":4,"href":"https:\/\/www.nooblet.org\/blog\/wp-json\/wp\/v2\/posts\/1082\/revisions"}],"predecessor-version":[{"id":1086,"href":"https:\/\/www.nooblet.org\/blog\/wp-json\/wp\/v2\/posts\/1082\/revisions\/1086"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.nooblet.org\/blog\/wp-json\/wp\/v2\/media\/648"}],"wp:attachment":[{"href":"https:\/\/www.nooblet.org\/blog\/wp-json\/wp\/v2\/media?parent=1082"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.nooblet.org\/blog\/wp-json\/wp\/v2\/categories?post=1082"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.nooblet.org\/blog\/wp-json\/wp\/v2\/tags?post=1082"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}