Use bash script in Fail2Ban Configuration

dannyvdberg · 03-14-2018, 08:43 AM

I would like to call a bash script in the mailing of Fail2Ban. The bash script calls a rest api to get the username of the blocked ip-address by fail2ban.

Code:

	# Fail2Ban configuration file
	#
	# Author: *
	#
	#

	[INCLUDES]

	before = sendmail-common.conf

	[Definition]

	# Option:  actionban
	# Notes.:  command executed when banning an IP. Take care that the
	#          command is executed with Fail2Ban user rights.
	# Tags:    See jail.conf(5) man page
	# Values:  CMD
	#
	actionban = printf %%b "Subject: [Fail2Ban] <name>: banned <ip> from `uname -n`
	            Date: `LC_ALL=C date +"%%a, %%d %%h %%Y %%T %%z"`
	            From: <sendername> <<sender>>
	            To: <dest>\n
	            The following IP <ip> has just been banned by Fail2Ban after <failures> attempts against the acceptance environment of <name> on server.\n
	            One or the following users could be the victim: \n 
				`/etc/fail2ban/restapi/getHttpSessions.sh | grep <ip>` \n | /usr/sbin/sendmail -f <sender> <dest>

	[Init]

But however I got errors in the fail2ban log that no e-mail is sended

Code:

	`/bin/sh /etc/fail2ban/scripts/getHttpSessions.sh | grep` 10.100.00.00 \n |/usr/sbin/sendmail -f fail2ban test@test.com -- returned 1

Is there some way to use a bash script in a fail2ban configuration file that lookups the IP-address in the bash created overview?

Thanks!

BW-userx · 03-14-2018, 09:37 AM

in there sight
http://www.the-art-of-web.com/system/fail2ban-sendmail/
something about send mail

https://www.fail2ban.org/wiki/index.php/Main_Page

under HOWTO's

dannyvdberg · 03-14-2018, 09:48 AM

Thank you for your answer but it says nothing about using a shell scripts with grep in a configuration file.

Quote:

Originally Posted by BW-userx

in there sight
http://www.the-art-of-web.com/system/fail2ban-sendmail/
something about send mail

https://www.fail2ban.org/wiki/index.php/Main_Page

under HOWTO's

scasey · 03-14-2018, 11:40 AM

Have you read

Code:

man 5 jail.conf

??

ondoho · 03-15-2018, 02:54 AM

Quote:

Originally Posted by dannyvdberg

Code:

	`/bin/sh /etc/fail2ban/scripts/getHttpSessions.sh | grep` 10.100.00.00 \n |/usr/sbin/sendmail -f fail2ban test@test.com -- returned 1

have you dissected this and made sure it works manually?

dannyvdberg · 03-15-2018, 03:18 AM

Yes, tested the script manually couple of times. This is the script that is called:

Code:

#!/bin/bash

USERNAME==
PASSWORD==
CONFL_URL=
CONFL_URL_MONITORING=
COOKIES=cookies.txt
HEADER="X-Atlassian-Token: no-check"

echo Logging in...
curl -s -c "$COOKIES" -H "$HEADER" -d "os_username=$USERNAME" -d "os_password=$PASSWORD" -d "os_cookie=true" -k $CONFL_URL/login.jsp --output login.html

echo Authenticating as administrator...
curl -si -c "$COOKIES" -b "$COOKIES" -H "$HEADER" -d "webSudoPassword=$PASSWORD" -d "os_cookie=true" -d "webSudoIsPost=false" -d "authenticate=Confirm" -k $CONFL_URL/authenticate.action --output auth.html

echo Lookup HTTP Sessions...
curl -s -b "$COOKIES" -H "$HEADER" -d "os_cookie=true" -d "webSudoIsPost=true" -k $CONFL_URL_MONITORING | awk -F "</*td>|</*tr>" '/<\/*t[rd]>.*[A-Z][A-Z]/ {print $10, $15 }' | cut -f 4,5,6 -d ' '

echo Cleaning up...
rm $COOKIES

Quote:

Originally Posted by ondoho

have you dissected this and made sure it works manually?

dannyvdberg · 03-15-2018, 03:30 AM

I got it working! Probably some issues with syntax, but the following code works:

Thanks guys!

Quote:

# Fail2Ban configuration file
#
# Author: Danny van den Berg
#
#

[INCLUDES]

before = sendmail-common.conf

[Definition]

# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionban = printf %%b "Subject: [Fail2Ban] <name>: banned <ip> from `uname -n`
Date: `LC_ALL=C date +"%%a, %%d %%h %%Y %%T %%z"`
From: <sendername> <<sender>>
To: <dest>\n
The following IP <ip> has just been banned by Fail2Ban after <failures> attempts against the production environment of <name> on server lrv154ec.\n
Blocked users = `/usr/bin/gethttpsessions | grep <ip> `\n\n" | /usr/sbin/sendmail -f <sender> <dest>

[Init]

# Default name of the chain
#
name = default

Habitual · 03-15-2018, 12:18 PM

Quote:

Originally Posted by dannyvdberg

the following code works:

but where, oh where did you edit?
/etc/fail2ban/action.d/<mycustom.conf>
or some core file from the fail2ban package??

If the latter, on fail2ban upgrade, you lose.

AwesomeMachine · 03-15-2018, 12:52 PM

Regarding Habitual's comment, just make as back-up of the new file in case fail2ban wipes it out on an upgrade. I know Debian checks for custom config files, but maybe not every distro does.

dannyvdberg · 03-15-2018, 01:39 PM

It's just only the configuration file for sending emails in a jail that has changed. I recovered the original file and started all over again.

Habitual · 03-15-2018, 05:49 PM

Quote:

Originally Posted by dannyvdberg

It's just only the configuration file for sending emails in a jail that has changed. I recovered the original file and started all over again.

Easier to manage a copy that will not be overwritten...

Code:

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

and do your edits in /etc/fail2ban/jail.local which will NOT be overwritten if fail2ban is upgraded.

I only put enabled jails in jail.local

good luck.
#Unanswered