Fail2Ban is a robust tool. By default, Fail2Ban sends an email for each ban. There is also an action named mail-buffered, which waits for 5 bans (the default) before sending you an email. A daily summary report is probably more practical. Here are the steps to configure Fail2ban to send a daily email report. This setup needs a working mail server (the `mail` command) on the server in question; alternatively, the bash scripts can be adapted to use a transactional email service such as SendGrid through its API.
Configure Fail2ban To Send Daily Email Reports
Based on the mail-buffered action, instead of sending an email for every x bans, we can send all bans as one report every day at a specific time. We need an action definition like this, saved as mail-daily.conf in Fail2ban's action.d directory (the jail configuration below refers to it by that name):
```ini
# /etc/fail2ban/action.d/mail-daily.conf
[Definition]

# Mail when the jail starts ...
actionstart = echo -en "***** Fail2Ban *****\n\nNotification Type: RECOVERY\n\nService: <name>\nHost: <server>\nAddress: <serverip>\nState: STARTED\n\nDate/Time: `date`\n\nAdditional Info:\n\n" | mail -a "From: <from>" -s "** RECOVERY alert - <server>/<name> jail is STARTED **" <dest>

# ... and when it stops (the sender is <from>, not <dest>)
actionstop = echo -en "***** Fail2Ban *****\n\nNotification Type: ALERT\n\nService: <name>\nHost: <server>\nAddress: <serverip>\nState: STOPPED\n\nDate/Time: `date`\n\nAdditional Info:\n\n" | mail -a "From: <from>" -s "** ALERT alert - <server>/<name> jail is STOPPED **" <dest>

actioncheck =

# Each ban appends one line "HH:MM:SS - ip (N attempts against jail)" to the buffer file
actionban = echo `date | awk -F ' ' '{print $4}'`" - <ip> (<failures> attempts against <name>)" >> <tmpfile>

actionunban =

[Init]

# buffer file that the daily report script reads and removes
tmpfile = /tmp/fail2ban-mail.txt

# default dest
dest = root
```
Notice the /tmp/fail2ban-mail.txt line. You will probably need to create the file and give it write permission:
```bash
touch /tmp/fail2ban-mail.txt
# the fail2ban server and the cron job both run as root, so a tighter mode such as 600 also works
chmod 777 /tmp/fail2ban-mail.txt
```
Next, we need a configuration in jail.conf:
```ini
# These variables go in the [DEFAULT] section of jail.conf so that
# %(name)s interpolation works inside every jail
[DEFAULT]
fromt = Fail2ban
servert = host.example.com
serveript = 127.0.0.1
emailt = webmaster@example.com

[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
         mail-daily[name=SSH, dest=%(emailt)s, from=%(fromt)s, server=%(servert)s, serverip=%(serveript)s]
logpath = /var/log/sshd/current
maxretry = 3
```
Next we need a bash script to assemble the daily story :) ; the cron entry below expects it at /etc/fail2ban/action.d/report.sh:
```bash
#!/bin/bash
# /etc/fail2ban/action.d/report.sh - mail the bans buffered by the mail-daily action
# (bash rather than sh: the script relies on "echo -en")

SERVER="host.example.com"
IP="127.0.0.1"
FROM="Fail2ban"
TO="webmaster@example.com"
TMP=/tmp/fail2ban-mail.txt

# Only send a report when at least one ban was buffered since the last run
if [ -f "$TMP" ]; then
    echo -en "***** Fail2Ban *****\n\nNotification Type: INFO\n\nService: *\nHost: $SERVER\nAddress: $IP\nState: OK\n\nDate/Time: `date`\n\nAdditional Info:\n\nThese hosts have been banned on `date --date '1 days ago' +"%a %d %b"`\n`cat $TMP`" | mail -a "From: $FROM" -s "** INFO alert - $SERVER jail REPORT **" "$TO"
    # start a fresh buffer for the next day
    rm "$TMP"
fi
```
As the final step, you need to create a cron entry in root's crontab that runs the script every day at 00:10:
```
10 0 * * * /etc/fail2ban/action.d/report.sh > /dev/null
```
Alternate way
Actually, there are many ways to do the same job. We can use a bash script that builds the summary directly from fail2ban.log:
```bash
#!/bin/bash
# Yesterday's "Ban" lines from the log, counted per unique line and mailed
# (logresolve ships with Apache's utilities; leave it out if it is not installed)
grep "Ban " /var/log/fail2ban.log | grep "$(date +%Y-%m-%d -d yesterday)" | \
    /usr/bin/sort | /usr/bin/logresolve | /usr/bin/uniq -c | /usr/bin/sort -n | \
    mail -s "Fail2Ban Yesterday Summary $(date +%Y-%m-%d -d yesterday)" name@example.com
```
or this one, which counts bans per hour instead of listing each banned address:
```bash
#!/bin/bash
# Same source lines, but the banned address is stripped and the timestamp cut down
# to the hour, so uniq -c yields a count of bans per hour and jail
grep "Ban " /var/log/fail2ban.log | grep "$(date +%Y-%m-%d -d yesterday)" | \
    sed -e 's/Ban [0-9\.]*/Ban/' | sed -e 's/\( [0-2][0-9]\):[0-9]\{2\}:[0-9]\{2\},[0-9]\{3\}/\1h/' | \
    /usr/bin/sort -n | /usr/bin/uniq -c | \
    mail -s "Fail2Ban Summary $(date +%Y-%m-%d -d yesterday)" root
```
However, grepping the whole log this way uses noticeably more resources and takes longer than the buffered action above. Logwatch has its own Fail2ban plugin, but that is a different discussion.
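As an added example that is not from the original post, the summary below does in one awk pass what the grep/sed/sort/uniq chains above do, counting yesterday's bans per jail and per address while ignoring Unban and Found lines; it assumes the stock fail2ban.log line layout, the function names are my own, and the sample log (documentation addresses) is constructed for the demonstration.

```bash
#!/bin/bash
# Added example, not from the original post. Assumed fail2ban.log layout:
#   <YYYY-MM-DD> <HH:MM:SS,ms> fail2ban.actions[...]: <LEVEL> [<jail>] Ban <ip>
# Older 0.8-style lines ("fail2ban.actions: WARNING [ssh] Ban 1.2.3.4") fit the same pattern.

# Print "count jail ip" for every ban logged on DAY, most-banned first (ties: jail, then ip).
# " Ban " never matches the Unban or Found lines, so no extra grep -v is needed.
fail2ban_summary() {
    local logfile="$1" day="$2"
    awk -v day="$day" '
        $1 == day && / Ban / {
            for (i = 2; i < NF; i++) if ($i == "Ban") { jail = $(i-1); ip = $(i+1) }
            jail = substr(jail, 2, length(jail) - 2)   # "[sshd]" -> "sshd"
            count[jail " " ip]++
        }
        END { for (k in count) print count[k], k }
    ' "$logfile" | sort -k1,1nr -k2,2 -k3,3
}

# Total number of Ban events on DAY.
fail2ban_ban_total() {
    awk -v day="$2" '$1 == day && / Ban / { n++ } END { print n + 0 }' "$1"
}

# Constructed sample log so the functions can be tried offline; prints the temp file path.
make_sample_log() {
    local f
    f=$(mktemp)
    cat > "$f" <<'EOF'
2024-01-14 03:12:07,515 fail2ban.actions        [812]: NOTICE  [sshd] Ban 203.0.113.5
2024-01-14 03:12:09,102 fail2ban.filter         [812]: INFO    [sshd] Found 203.0.113.5 - 2024-01-14 03:12:08
2024-01-14 05:40:11,230 fail2ban.actions        [812]: NOTICE  [sshd] Ban 198.51.100.7
2024-01-14 06:12:07,900 fail2ban.actions        [812]: NOTICE  [sshd] Unban 203.0.113.5
2024-01-14 09:55:41,004 fail2ban.actions        [812]: NOTICE  [sshd] Ban 203.0.113.5
2024-01-14 10:01:02,777 fail2ban.actions        [812]: NOTICE  [postfix] Ban 203.0.113.5
2024-01-14 11:00:00,000 fail2ban.actions: WARNING [ssh] Ban 192.0.2.44
2024-01-15 00:03:55,110 fail2ban.actions        [812]: NOTICE  [sshd] Ban 192.0.2.9
EOF
    echo "$f"
}

# Run directly: ./fail2ban-summary.sh /var/log/fail2ban.log [YYYY-MM-DD] [recipient]
if [ -n "${1:-}" ]; then
    day="${2:-$(date -d yesterday +%F)}"
    { printf 'Fail2Ban bans on %s (total %s)\n\n' "$day" "$(fail2ban_ban_total "$1" "$day")"
      fail2ban_summary "$1" "$day"; } | mail -s "Fail2Ban summary $day" "${3:-root}"
fi
```

Run against the constructed log for 2024-01-14 it lists `2 sshd 203.0.113.5` first and reports 5 bans in total; the 2024-01-15 line and the Found/Unban lines are not counted.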