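# Fail2Ban configuration file
#
# Author: Russell Odom
# Sends a complaint e-mail to addresses listed in the whois record for an
# offending IP address.
#
# You should provide the <logpath> in the jail config - lines from the log
# matching the given IP address will be provided in the complaint as evidence.
#
# Note that we will try to use e-mail addresses that are most likely to be abuse
# addresses (based on various keywords). If they aren't found we fall back on
# any other addresses found in the whois record, with a few exceptions.
# If no addresses are found, no e-mail is sent.
#
# NOTE: this file is read by fail2ban's configparser-based loader: <tag>
#       placeholders (<ip>, <logpath>, <message>, <mailcmd>, <mailargs>) are
#       substituted at run time, a literal % must be written %%, and the
#       continuation lines of a multi-line value must be indented.
#
# WARNING
# -------
#
# Please do not use this action unless you are certain that fail2ban
# does not result in "false positives" for your deployment. False
# positive reports would be a disservice to the original cause by
# flooding corresponding contact addresses, and complicating the work
# of administration personnel responsible for handling (verified) legitimate
# complaints.
#
# Please consider using e.g. sendmail-whois-lines.conf action which
# would send the reports with relevant information to you, so the
# report could be first reviewed and then forwarded to a corresponding
# contact if legit.
#

[Definition]

# Option: actionstart
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
#
actionstart =

# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
actionstop =

# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck =

# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
#         command is executed with Fail2Ban user rights.
#         Steps:
#         1) run whois on the banned address; the embedded Perl scans the
#            record line by line, skipping "changed" lines and ripe.net /
#            apnic.net addresses. A line containing abuse/trouble:/report/
#            spam/security sets a score of 3 that decays by one per following
#            line without an address; addresses found while the score is
#            non-zero go into hash %a (preferred), all others into %b.
#            The output is the comma-joined keys of %a, or of %b when %a is
#            empty.
#         2) if at least one address was found, mail <message>, a local
#            timezone note and the <logpath> lines matching the IP to those
#            addresses via <mailcmd> <mailargs>.
#         Review notes:
#         - $ADDRESSES is derived from the remote whois record (untrusted
#           data) and is interpolated unquoted. The Perl pattern limits it to
#           [a-z0-9_.+-@,] so it carries no shell or glob metacharacters, but
#           a token beginning with "-" is not excluded and could be parsed by
#           the mail command as an option rather than a recipient.
#         - grep '<ip>' is a basic regex: "." matches any character and the
#           IP may match as a substring of a longer address, so unrelated log
#           lines can end up in the evidence mailed to a third party.
#         - the "[[" in the domain part of the Perl pattern is a character
#           class that also admits a literal "["; kept as-is to preserve
#           behaviour.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionban = ADDRESSES=`whois <ip> | perl -e 'while (<STDIN>) { next if /^changed|@(ripe|apnic)\.net/io; $m += (/abuse|trouble:|report|spam|security/io?3:0); if (/([a-z0-9_\-\.+]+@[a-z0-9\-]+(\.[[a-z0-9\-]+)+)/io) { while (s/([a-z0-9_\-\.+]+@[a-z0-9\-]+(\.[[a-z0-9\-]+)+)//io) { if ($m) { $a{lc($1)}=$m } else { $b{lc($1)}=$m } } $m=0 } else { $m && --$m } } if (%%a) {print join(",",keys(%%a))} else {print join(",",keys(%%b))}'`
            IP=<ip>
            if [ ! -z "$ADDRESSES" ]; then
                (printf %%b "<message>\n"; date '+Note: Local timezone is %%z (%%Z)'; grep '<ip>' <logpath>) | <mailcmd> <mailargs> "Abuse from <ip>" $ADDRESSES
            fi

# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
#         command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionunban =

[Init]

# Option: message
# Notes.: body of the complaint, used as the <message> tag in actionban.
#         It is printed with printf %b, so the \n sequences become newlines;
#         $IP is expanded by the shell from the IP= assignment in actionban.
# Values: STRING
#
message = Dear Sir/Madam,\n\nWe have detected abuse from the IP address $IP, which according to a whois lookup is on your network. We would appreciate if you would investigate and take action as appropriate.\n\nLog lines are given below, but please ask if you require any further information.\n\n(If you are not the correct person to contact about this please accept our apologies - your e-mail address was extracted from the whois record by an automated process. This mail was generated by Fail2Ban.)\n

# Path to the log files which contain relevant lines for the abuser IP
# (set this in the jail config; the default sends no evidence lines)
#
logpath = /dev/null

# Option: mailcmd
# Notes.: Your system mail command. Is passed 2 args: subject and recipient
# Values: CMD  Default: mail -s
#
mailcmd = mail -s

# Option: mailargs
# Notes.: Additional arguments to mail command. e.g. for standard Unix mail:
#         CC reports to another address:
#           -c me@example.com
#         Appear to come from a different address - the '--' indicates
#         arguments to be passed to Sendmail:
#           -- -f me@example.com
# Values: [ STRING ]  Default: (empty)
#
mailargs =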