Configure fail2ban to send detailed information about the banned IP
Install whois
yum -y install whois
Test it: whois 8.8.8.8
Configure the mail settings:
vim /etc/mail.rc
Append these lines at the end:
# sender address, SMTP server and login for outgoing mail
set [email protected]
set smtp=smtp.126.com:25
set [email protected]
set smtp-auth-password=xxx
set smtp-auth=login
# ssl-verify=ignore skips certificate checking of the SMTP server
set nss-config-dir=/root/.certs
set ssl-verify=ignore
Add the mail action to the fail2ban jails:
vim /etc/fail2ban/jail.d/nginx-iyunv.conf
# 20000 hits within 600 s (10 min) ban the client for 7200 s (2 h)
[iyunv-get-10m]
enabled = true
port = http,https
filter = nginx-bansniffer
# the second action line must be indented so fail2ban reads it as part of "action"
action = iptables[name=IYunV, port=https, protocol=tcp]
         mail-whois[name=IYunV-10m, [email protected], [email protected], sendername="nginx-deny"]
logpath = /home/wwwlogs/www.iyunv.com443.log
maxretry = 20000
findtime = 600
bantime = 7200

# 30000 hits within 3600 s (1 h) ban the client for 7200 s (2 h)
[iyunv-get-1hours]
enabled = true
port = http,https
filter = nginx-bansniffer
action = iptables[name=IYunV, port=https, protocol=tcp]
         mail-whois[name=IYunV-1hours, [email protected], [email protected], sendername="nginx-deny"]
logpath = /home/wwwlogs/www.iyunv.com443.log
maxretry = 30000
findtime = 3600
bantime = 7200
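To check a jail file like the one above before reloading fail2ban, here is an added Python example (it is not part of the original post and not fail2ban's own code). It reads the jail with the standard-library configparser, which treats the indented continuation line of "action =" the same way fail2ban's own reader does, splits the value into individual actions, and flags the most common mistake: a mail-whois[...] line that is not indented, which configparser silently turns into a bogus option instead of a second action. The sample jail is constructed from the configuration above; the dest= and sender= parameter names are fail2ban's mail-whois action parameters, and the example.com addresses are placeholders for the scrubbed addresses in the post.

```python
import configparser
import re

# Constructed sample, mirroring the [iyunv-get-10m] jail above.
# dest= / sender= are the mail-whois action parameters; addresses are placeholders.
JAIL_TEXT = """\
[iyunv-get-10m]
enabled = true
port = http,https
filter = nginx-bansniffer
action = iptables[name=IYunV, port=https, protocol=tcp]
         mail-whois[name=IYunV-10m, dest=admin@example.com, sender=fail2ban@example.com, sendername="nginx-deny"]
logpath = /home/wwwlogs/www.iyunv.com443.log
maxretry = 20000
findtime = 600
bantime = 7200
"""

# The same jail with the second action line flush left: the common mistake.
BROKEN_JAIL_TEXT = JAIL_TEXT.replace("\n         mail-whois", "\nmail-whois")

# One action: a name, optionally followed by [key=value, key=value, ...]
ACTION_RE = re.compile(r"^\s*(?P<name>[\w-]+)(?:\[(?P<params>.*)\])?\s*$")


def parse_action_line(line):
    """Turn 'mail-whois[name=X, dest=Y]' into ('mail-whois', {'name': 'X', 'dest': 'Y'})."""
    m = ACTION_RE.match(line)
    if not m:
        return None
    params = {}
    if m.group("params"):
        for kv in m.group("params").split(","):
            key, _, value = kv.partition("=")
            params[key.strip()] = value.strip().strip('"')
    return m.group("name"), params


def parse_jails(text):
    """Return {jail_name: {'actions': {...}, 'options': {...}}} for every jail in text."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    jails = {}
    for section in cp.sections():
        actions = {}
        # Indented continuation lines arrive joined with newlines, one action per line.
        for line in cp.get(section, "action", fallback="").splitlines():
            parsed = parse_action_line(line)
            if parsed:
                actions[parsed[0]] = parsed[1]
        jails[section] = {"actions": actions, "options": dict(cp.items(section))}
    return jails


def lint_jail_file(text):
    """Return a list of human-readable problems; an empty list means the jail looks usable."""
    problems = []
    for name, jail in parse_jails(text).items():
        for key in jail["options"]:
            # configparser parsed 'mail-whois[name=...' as an option called 'mail-whois[name'
            if "[" in key:
                problems.append(f"{name}: option '{key}' looks like an unindented action line; "
                                f"indent it under 'action ='")
        if jail["options"].get("enabled", "").lower() != "true":
            continue
        if "mail-whois" not in jail["actions"]:
            problems.append(f"{name}: no mail-whois action, bans will not be mailed")
        elif "dest" not in jail["actions"]["mail-whois"]:
            problems.append(f"{name}: mail-whois has no dest=, mail goes to the action default")
    return problems


if __name__ == "__main__":
    for label, text in (("indented", JAIL_TEXT), ("flush-left", BROKEN_JAIL_TEXT)):
        print(label, "->", lint_jail_file(text) or "ok")
```

Run it against the real file with parse_jails(open("/etc/fail2ban/jail.d/nginx-iyunv.conf").read()); a jail that reports "no mail-whois action" after you added one is almost always the indentation problem, which fail2ban itself does not warn about.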
In the fail2ban main configuration file, set the destination address, the sender and the mail transfer agent:
vim /etc/fail2ban/jail.conf
destemail = [email protected]

# Sender email address used solely for some actions
sender = [email protected]

# E-mail action. Since 0.8.1 Fail2Ban uses sendmail MTA for the
# mailing. Change mta configuration parameter to mail if you want to
# revert to conventional 'mail'.
mta = mail

Reload the configuration:
service fail2ban reload
The resulting email looks like this:
Hi,
The IP 101.206.70.136 has just been banned by Fail2Ban after
8000 attempts against iyunv-12hours.
Here is more information about 101.206.70.136 :
[Querying whois.apnic.net]
[whois.apnic.net]
% [whois.apnic.net]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html
% Information related to '101.204.0.0 - 101.207.255.255'
% Abuse contact for '101.204.0.0 - 101.207.255.255' is '[email protected]'
inetnum: 101.204.0.0 - 101.207.255.255
netname: UNICOM-SC
descr: UNICOM Sichuan province network
descr: China Unicom
descr: No.21,Jin-Rong Street
descr: Beijing 100033
country: CN
admin-c: CH1302-AP
tech-c: XX288-AP
remarks: service provider
mnt-by: APNIC-HM
mnt-lower: MAINT-CNCGROUP-SC
mnt-routes: MAINT-CNCGROUP-RR
mnt-irt: IRT-CU-CN
status: ALLOCATED PORTABLE
remarks: --------------------------------------------------------
remarks: To report network abuse, please contact mnt-irt
remarks: For troubleshooting, please contact tech-c and admin-c
remarks: Report invalid contact via www.apnic.net/invalidcontact
remarks: --------------------------------------------------------
last-modified: 2016-05-04T00:27:41Z
source: APNIC
irt: IRT-CU-CN
address: No.21,Financial Street
address: Beijing,100033
address: P.R.China
e-mail: [email protected]
abuse-mailbox: [email protected]
admin-c: CH1302-AP
tech-c: CH1302-AP
auth: # Filtered
mnt-by: MAINT-CNCGROUP
last-modified: 2017-10-23T05:59:13Z
source: APNIC
person: ChinaUnicom Hostmaster
nic-hdl: CH1302-AP
e-mail: [email protected]
address: No.21,Jin-Rong Street
address: Beijing,100033
address: P.R.China
phone: +86-10-66259764
fax-no: +86-10-66259764
country: CN
mnt-by: MAINT-CNCGROUP
last-modified: 2017-08-17T06:13:16Z
source: APNIC
person: Xifei Xie
nic-hdl: XX288-AP
e-mail: [email protected]
address: Tianfu Road High-Tec international square C,Chengdu,Sichuan 610041,China
phone: +86-28-66850327
fax-no: +86-28-66850327
country: CN
mnt-by: MAINT-CNCGROUP-SC
last-modified: 2010-12-27T03:36:01Z
source: APNIC
% Information related to '101.204.0.0/14AS4837'
route: 101.204.0.0/14
descr: China Unicom Sichuan Province Network
country: CN
origin: AS4837
mnt-by: MAINT-CNCGROUP-RR
last-modified: 2010-12-31T02:58:02Z
source: APNIC
% This query was served by the APNIC Whois Service version 1.88.15-46 (WHOIS-NODE1)
Regards,
Fail2Ban