Configuring fail2ban to email whois information about banned IPs


Configure fail2ban to send detailed information about each banned IP

Install whois:

yum -y install whois

Test it: whois 8.8.8.8

Configure the mail client:

vim /etc/mail.rc

Append these lines at the end of the file:

set from=xxx@126.com
set smtp=smtp.126.com:25
set smtp-auth-user=xxx@126.com
set smtp-auth-password=xxx
set smtp-auth=login
set nss-config-dir=/root/.certs
set ssl-verify=ignore

Add the mail-whois action to the fail2ban jails:

vim /etc/fail2ban/jail.d/nginx-iyunv.conf

[iyunv-get-10m]
enabled = true
port = http,https
filter = nginx-bansniffer
action = iptables[name=IYunV, port=https, protocol=tcp]
         mail-whois[name=IYunV-10m, dest=kefu@xx.com, sender=xxxx@126.com, sendername="nginx-deny"]
logpath = /home/wwwlogs/www.iyunv.com443.log
maxretry = 20000
findtime = 600
bantime = 7200

[iyunv-get-1hours]
enabled = true
port = http,https
filter = nginx-bansniffer
action = iptables[name=IYunV, port=https, protocol=tcp]
         mail-whois[name=IYunV-1hours, dest=kefu@xx.com, sender=xxxx@126.com, sendername="nginx-deny"]
logpath = /home/wwwlogs/www.iyunv.com443.log
maxretry = 30000
findtime = 3600
bantime = 7200

Main fail2ban configuration file (set the recipient, sender and MTA):

vim /etc/fail2ban/jail.conf

destemail = kefu@xxx.com

# Sender email address used solely for some actions
sender = xxx@126.com

# E-mail action. Since 0.8.1 Fail2Ban uses sendmail MTA for the
# mailing. Change mta configuration parameter to mail if you want to
# revert to conventional 'mail'.
mta = mail

Reload the configuration:

service fail2ban reload

The resulting notification email looks like this:

Hi,

The IP 101.206.70.136 has just been banned by Fail2Ban after
8000 attempts against iyunv-12hours.

Here is more information about 101.206.70.136 :

[Querying whois.apnic.net]
[whois.apnic.net]
% [whois.apnic.net]
% Whois data copyright terms    http://www.apnic.net/db/dbcopyright.html

% Information related to '101.204.0.0 - 101.207.255.255'

% Abuse contact for '101.204.0.0 - 101.207.255.255' is 'hqs-ipabuse@chinaunicom.cn'

inetnum:        101.204.0.0 - 101.207.255.255
netname:        UNICOM-SC
descr:          UNICOM Sichuan province network
descr:          China Unicom
descr:          No.21,Jin-Rong Street
descr:          Beijing 100033
country:        CN
admin-c:        CH1302-AP
tech-c:         XX288-AP
remarks:        service provider
mnt-by:         APNIC-HM
mnt-lower:      MAINT-CNCGROUP-SC
mnt-routes:     MAINT-CNCGROUP-RR
mnt-irt:        IRT-CU-CN
status:         ALLOCATED PORTABLE
remarks:        --------------------------------------------------------
remarks:        To report network abuse, please contact mnt-irt
remarks:        For troubleshooting, please contact tech-c and admin-c
remarks:        Report invalid contact via www.apnic.net/invalidcontact
remarks:        --------------------------------------------------------
last-modified:  2016-05-04T00:27:41Z
source:         APNIC

irt:            IRT-CU-CN
address:        No.21,Financial Street
address:        Beijing,100033
address:        P.R.China
e-mail:         hqs-ipabuse@chinaunicom.cn
abuse-mailbox:  hqs-ipabuse@chinaunicom.cn
admin-c:        CH1302-AP
tech-c:         CH1302-AP
auth:           # Filtered
mnt-by:         MAINT-CNCGROUP
last-modified:  2017-10-23T05:59:13Z
source:         APNIC

person:         ChinaUnicom Hostmaster
nic-hdl:        CH1302-AP
e-mail:         hqs-ipabuse@chinaunicom.cn
address:        No.21,Jin-Rong Street
address:        Beijing,100033
address:        P.R.China
phone:          +86-10-66259764
fax-no:         +86-10-66259764
country:        CN
mnt-by:         MAINT-CNCGROUP
last-modified:  2017-08-17T06:13:16Z
source:         APNIC

person:         Xifei Xie
nic-hdl:        XX288-AP
e-mail:         sc-sjwg@chinaunicom.cn
address:        Tianfu Road High-Tec international square C,Chengdu,Sichuan 610041,China
phone:          +86-28-66850327
fax-no:         +86-28-66850327
country:        CN
mnt-by:         MAINT-CNCGROUP-SC
last-modified:  2010-12-27T03:36:01Z
source:         APNIC

% Information related to '101.204.0.0/14AS4837'

route:          101.204.0.0/14
descr:          China Unicom Sichuan Province Network
country:        CN
origin:         AS4837
mnt-by:         MAINT-CNCGROUP-RR
last-modified:  2010-12-31T02:58:02Z
source:         APNIC

% This query was served by the APNIC Whois Service version 1.88.15-46 (WHOIS-NODE1)

Regards,

Fail2Ban
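As an added example (not part of the original post), a small Python parser that turns a mail-whois notification like the one above into a structured record: the banned IP, the jail, the attempt count, the netname and the registry's abuse contact, so notices can be triaged or forwarded automatically instead of read by hand. The sample mail is constructed, using a documentation IP range and a hypothetical jail name, and the regular expressions assume the message layout shown above.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: an abridged Fail2Ban mail-whois notification in the same
# layout as the one shown above (documentation IP range, hypothetical jail name).
SAMPLE_MAIL = """Hi,

The IP 203.0.113.45 has just been banned by Fail2Ban after
8000 attempts against iyunv-get-1hours.

Here is more information about 203.0.113.45 :

% Abuse contact for '203.0.113.0 - 203.0.113.255' is 'abuse@example.net'
inetnum:        203.0.113.0 - 203.0.113.255
netname:        EXAMPLE-NET
abuse-mailbox:  abuse@example.net
"""

@dataclass
class BanNotice:
    ip: str
    jail: str
    attempts: int
    netname: Optional[str]
    abuse_contact: Optional[str]

BAN_RE = re.compile(
    r"The IP (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) has just been banned by Fail2Ban after\s+"
    r"(?P<attempts>\d+) attempts against (?P<jail>\S+)\.")
ABUSE_RE = re.compile(r"^% Abuse contact for '.*?' is '(?P<mail>[^']+)'", re.M)

def whois_field(body: str, key: str) -> Optional[str]:
    """Return the first value of a whois attribute such as 'netname'."""
    m = re.search(rf"^{re.escape(key)}:\s+(?P<val>\S.*?)\s*$", body, re.M)
    return m.group("val") if m else None

def parse_ban_notice(mail: str) -> BanNotice:
    """Extract the ban summary and abuse contact from a mail-whois notification."""
    m = BAN_RE.search(mail)
    if not m:
        raise ValueError("not a Fail2Ban ban notification")
    # Everything after this line is the whois output appended by the action.
    whois = mail.partition("Here is more information about")[2]
    abuse = ABUSE_RE.search(whois)
    # Prefer the registry's '% Abuse contact' line, fall back to abuse-mailbox.
    contact = abuse.group("mail") if abuse else whois_field(whois, "abuse-mailbox")
    return BanNotice(m.group("ip"), m.group("jail"), int(m.group("attempts")),
                     whois_field(whois, "netname"), contact)
```

The extracted abuse contact comes from the registry record, not from the attacker, but it is still untrusted input: validate it before using it as a mail recipient in any automated reporting.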
