Reporting server break-in attempts automatically with fail2ban

From Mike A. Leonetti


Fail2Ban is a really cool program that polls your log files and uses regexes to look for patterns that indicate break-in attempts.


Originally, as a dirty way to cut down the number of unauthorized SSH login attempts my server saw each day, I used an iptables rule that limited new SSH connections to 3 per minute with a burst of 1.


For example:

iptables -A INPUT -p tcp --dport ssh -m limit --limit 3/minute --limit-burst 1 -j ACCEPT

This definitely reduced the number of connections. However, if I tried to connect to the server myself during a break-in attempt, or simply connected to my own server too many times in a row, I would get timeouts. So I soon learned that this method wasn't good.


Then I found Fail2ban, set it up, and took off my limit rule. I never had that issue again.


But although they were being banned after 5 failed SSH login attempts, people were still trying to break into my server. That made me angry. I wanted to complain to somebody about them, but I couldn't write an e-mail to the attacker's ISP for EVERY break-in attempt. Then I found an interesting action script in the fail2ban action.d directory (/etc/fail2ban/action.d/) called "complain.conf", written by Russell Odom, which sends its reports with mail.


This script searches the whois entry for the attacker's IP address for e-mail addresses to complain to and automatically e-mails them the relevant log entries.


So I adapted the script to use sendmail and set it up. My adapted version can be found here: sendmail-complain.conf.


To use it, download the file, put it in your /etc/fail2ban/action.d/ directory, and then add the following to the action line of each jail in jail.conf where you want it:

sendmail-complain[logpath=/path/to/logfile]

For example, my SSH entry is:

[ssh-iptables]

enabled  = true
filter   = sshd
action   = iptables-allports[name=SSH]
              sendmail-complain[logpath=/var/log/messages]
logpath  = /var/log/messages
maxretry = 5

And now your server will send out complaints whenever an e-mail address is available in the whois record for the attacker's IP.

Just a note: if you're going to edit the "from" e-mail address in the sendmail-complain.conf config file to your own, expect the occasional bounceback.
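As an added illustration of what the complain action described above does (this is not sendmail-complain.conf and not fail2ban's own code), here is the core of it in Python: pull abuse contacts out of whois output, keep only the log lines that mention the banned IP, and assemble the message that would be piped to sendmail. The whois text, log lines, hostnames and addresses are constructed samples.

```python
import re
from email.message import EmailMessage

# Constructed whois output, modelled on common registry field names (not real data).
SAMPLE_WHOIS = """\
inetnum:        192.0.2.0 - 192.0.2.255
netname:        EXAMPLE-NET
abuse-mailbox:  abuse@example.net
e-mail:         noc@example.net
e-mail:         abuse@example.net
"""
# Constructed sshd log lines in syslog format; one unrelated successful login is mixed in.
SAMPLE_LOG = """\
Jan 10 03:14:07 host sshd[2201]: Failed password for invalid user admin from 192.0.2.77 port 51234 ssh2
Jan 10 03:14:09 host sshd[2201]: Failed password for invalid user admin from 192.0.2.77 port 51234 ssh2
Jan 10 03:14:10 host sshd[2209]: Accepted publickey for mike from 198.51.100.5 port 40100 ssh2
Jan 10 03:14:12 host sshd[2215]: Failed password for root from 192.0.2.77 port 51250 ssh2
"""
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def abuse_contacts(whois_text):
    """Return de-duplicated addresses from whois output, abuse mailboxes first."""
    abuse, other = [], []
    for line in whois_text.splitlines():
        for addr in EMAIL_RE.findall(line):
            if "abuse" in line.lower():
                if addr in other:
                    other.remove(addr)
                if addr not in abuse:
                    abuse.append(addr)
            elif addr not in abuse and addr not in other:
                other.append(addr)
    return abuse + other

def matching_log_lines(log_text, ip):
    """Only lines naming the banned IP, so the report carries no unrelated traffic."""
    needle = re.compile(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])")  # whole-IP match
    return [line for line in log_text.splitlines() if needle.search(line)]

def build_complaint(ip, whois_text, log_text, sender="fail2ban@example.org"):
    """Assemble the message that the action would hand to sendmail (msg.as_bytes())."""
    to = abuse_contacts(whois_text)
    lines = matching_log_lines(log_text, ip)
    if not to or not lines:
        return None  # nobody to write to, or nothing to show them
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(to)
    msg["Subject"] = "Abuse report: repeated SSH login failures from %s" % ip
    msg.set_content("The following sshd log entries show repeated failed logins from %s:\n\n%s\n"
                    % (ip, "\n".join(lines)))
    return msg
```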
