Reporting server break-in attempts automatically with fail2ban
From Mike A. Leonetti
Fail2Ban is a really cool program that polls your log files and uses regular expressions to look for patterns that indicate "break-in attempts."
Originally, as a dirty method to tone down the number of unauthorized login attempts per day over SSH on my server, I used an iptables rule that limited SSH connections to 3 per minute with a burst of 1.
iptables -A INPUT -p tcp --dport ssh -m limit --limit 3/minute --limit-burst 1 -j ACCEPT
This definitely slowed down the number of connections. However, if I tried to connect to the server myself during a break-in attempt, or simply connected to my own server too many times, I got timeouts. So I soon learned that this method wasn't good.
Then I found Fail2ban, set it up, and took off my limit rule. I never had that issue again.
But, although they were being denied after 5 failed SSH login attempts, people were still trying to break into my server. That made me angry. I wanted to complain to somebody about them, but I couldn't write an e-mail to the attacker's ISP for EVERY break-in attempt ever. Then I found an interesting action script in the fail2ban action.d directory (/etc/fail2ban/action.d/) called "complain.conf", written by Russell Odom for the "mail" command.
This script searches the whois entry for the IP address for e-mail addresses to complain to and automatically e-mails them with log entries.
So I adapted the script to use sendmail and set it up. My adapted version can be found here: sendmail-complain.conf.
To use it, download the file into your /etc/fail2ban/action.d/ directory and then add it to the action line of each jail in jail.conf where applicable. For example, my SSH entry is:
[ssh-iptables]
enabled = true
filter = sshd
action = iptables-allports[name=SSH]
         sendmail-complain[logpath=/var/log/messages]
logpath = /var/log/messages
maxretry = 5
And now your server will send out complaints whenever an e-mail address is available in the whois record for the attacker's IP.
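The whois-to-complaint mechanism described above, as an added Python example (not the fail2ban complain action and not the author's sendmail-complain.conf): it pulls contact addresses out of a whois reply, preferring the dedicated abuse-contact fields, keeps only the sshd log lines that name the banned IP, and assembles the message that would be handed to sendmail. The whois text, log lines and sender address are constructed placeholders, and the field names checked are an assumption about RIPE/ARIN output.

```python
import re
from email.message import EmailMessage

# Constructed whois reply for a documentation-range IP (not a real lookup);
# "abuse-mailbox:" is the RIPE abuse contact field, the rest are generic contacts.
SAMPLE_WHOIS = """\
inetnum:        192.0.2.0 - 192.0.2.255
netname:        EXAMPLE-NET
abuse-mailbox:  abuse@example.net
person:         Example Admin
e-mail:         admin@example.net
e-mail:         abuse@example.net
"""
# Constructed sshd log lines of the kind fail2ban's sshd filter matches.
SAMPLE_LOG = [
    "Mar  3 10:01:12 host sshd[2211]: Failed password for root from 192.0.2.10 port 50122 ssh2",
    "Mar  3 10:01:15 host sshd[2211]: Failed password for root from 192.0.2.10 port 50122 ssh2",
    "Mar  3 10:02:40 host sshd[2230]: Accepted publickey for mike from 192.0.2.1 port 40010 ssh2",
]
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
ABUSE_FIELDS = ("abuse-mailbox:", "orgabuseemail:")   # RIPE / ARIN abuse fields (assumed)

def complaint_addresses(whois_text):
    """Contacts from a whois reply: abuse fields if present, else any address; de-duplicated."""
    abuse, others = [], []
    for line in whois_text.splitlines():
        bucket = abuse if line.lower().startswith(ABUSE_FIELDS) else others
        for addr in EMAIL_RE.findall(line):
            if addr not in bucket:
                bucket.append(addr)
    return abuse or others

def log_lines_for(ip, log_lines):
    """Log lines naming the offending IP; bounded so 192.0.2.1 does not match 192.0.2.10."""
    pat = re.compile(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])")
    return [line for line in log_lines if pat.search(line)]

def build_complaint(ip, whois_text, log_lines, sender="fail2ban@example.org"):
    """Assemble the message that would be piped to sendmail; None if whois gives no contact."""
    recipients = complaint_addresses(whois_text)
    if not recipients:
        return None
    msg = EmailMessage()
    msg["From"] = sender                 # placeholder sender address
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = f"Abuse report: repeated SSH login failures from {ip}"
    msg.set_content(
        f"The host {ip} made repeated failed SSH logins and was banned by fail2ban.\n"
        "Relevant log lines:\n" + "\n".join(log_lines_for(ip, log_lines)) + "\n")
    return msg
```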
Just a note: if you're going to edit the "from" e-mail address in the sendmail-complain.conf config file to your own, expect the occasional bounceback.