# Fail2Ban configuration file
#
# Author: Russell Odom <russ@gloomytrousers.co.uk>, Daniel Black
# Sends a complaint e-mail to addresses listed in the whois record for an
# offending IP address.
# This uses the Abusix contact database (https://abusix.com/contactdb.html) to look up abuse contacts.
#
# DEPENDENCIES:
# This requires the dig command from bind-utils
#
# You should provide the <logpath> in the jail config - lines from the log
# matching the given IP address will be provided in the complaint as evidence.
#
# WARNING
# -------
#
# Please do not use this action unless you are certain that fail2ban
# does not result in "false positives" for your deployment. False
# positive reports could do a disservice to the original cause by
# flooding the corresponding contact addresses and complicating the work
# of the administrators responsible for handling (verified) legitimate
# complaints.
#
# Please consider using e.g. the sendmail-whois-lines.conf action, which
# would send the reports with relevant information to you, so that each
# report can first be reviewed and then forwarded to the corresponding
# contact if it is legitimate.
#
[INCLUDES]

# Read helpers-common.conf before this file.
# NOTE(review): actionban references _grep_logs, which is not defined in this
# file - presumably it comes from helpers-common.conf; confirm.
before = helpers-common.conf
[Definition]

# Used in test cases to cover internal transformations.
# When greater than 0, actionban echoes the DNS name it is about to resolve.
debug = 0

# bypass ban/unban for restored tickets
norestored = 1
# Option:  actionstart
# Notes.:  command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
#          Empty here: this action runs no command at start.
# Values:  CMD
#
actionstart =

# Option:  actionstop
# Notes.:  command executed at the stop of jail (or at the end of Fail2Ban)
#          Empty here: this action runs no command at stop.
# Values:  CMD
#
actionstop =

# Option:  actioncheck
# Notes.:  command executed once before each actionban command
#          Empty here: no check is run before actionban.
# Values:  CMD
#
actioncheck =
# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
#          Steps: query the TXT record of the addr_resolver name with dig,
#          strip the double quotes, turn the comma-separated answer into a
#          space-separated list and, if that list is not empty, mail the
#          <message> text, a local-timezone note and the matching log lines
#          to those addresses.
#          IP=<ip> is set so that $IP inside <message> is expanded by the
#          shell. <message> is substituted inside double quotes, so a
#          customised message containing ", $ or backquotes is interpreted
#          by the shell as well.
# NOTE(review): ADDRESSES comes from a DNS TXT answer, i.e. data this host
#          does not control. It is expanded unquoted in "echo $ADDRESSES"
#          and on the mail command line, so it undergoes word splitting and
#          pathname expansion, and an entry starting with "-" may be taken
#          by the mail command as an option instead of a recipient.
#          Consider validating every entry as an e-mail address before it
#          reaches <mailcmd>, and resolving through a resolver you trust.
# NOTE(review): $RESOLVER_ADDR is also passed to dig unquoted; it is built
#          from <ip-rev> and a fixed suffix, so quoting it should be
#          harmless - confirm.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionban = oifs=${IFS};
            RESOLVER_ADDR="%(addr_resolver)s"
            if [ "<debug>" -gt 0 ]; then echo "try to resolve $RESOLVER_ADDR"; fi
            ADDRESSES=$(dig +short -t txt -q $RESOLVER_ADDR | tr -d '"')
            IFS=,; ADDRESSES=$(echo $ADDRESSES)
            IFS=${oifs}
            IP=<ip>
            if [ ! -z "$ADDRESSES" ]; then
                ( printf %%b "<message>\n"; date '+Note: Local timezone is %%z (%%Z)';
                  printf %%b "\nLines containing failures of <ip> (max <grepmax>)\n";
                  %(_grep_logs)s;
                ) | <mailcmd> "Abuse from <ip>" <mailargs> $ADDRESSES
            fi
# Option:  actionunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
#          Empty here: nothing is sent or undone on unban.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionunban =
# DNS name queried by the dig command in actionban: the <ip-rev> tag
# followed by the abuse-contacts.abusix.org zone.
# NOTE(review): the TXT answer for this name becomes the recipient list of the
# report, so whoever can answer for it decides where the mail goes.
#
addr_resolver = <ip-rev>abuse-contacts.abusix.org

# Default body text of the abuse report. The \n sequences are expanded by the
# printf call in actionban and $IP by the shell that runs it.
#
message = Dear Sir/Madam,\n\nWe have detected abuse from the IP address $IP, which according to a abusix.com is on your network. We would appreciate if you would investigate and take action as appropriate.\n\nLog lines are given below, but please ask if you require any further information.\n\n(If you are not the correct person to contact about this please accept our apologies - your e-mail address was extracted from the whois record by an automated process.)\n\n This mail was generated by Fail2Ban.\nThe recipient address of this report was provided by the Abuse Contact DB by abusix.com. abusix.com does not maintain the content of the database. All information which we pass out, derives from the RIR databases and is processed for ease of use. If you want to change or report non working abuse contacts please contact the appropriate RIR. If you have any further question, contact abusix.com directly via email (info@abusix.com). Information about the Abuse Contact Database can be found here: https://abusix.com/global-reporting/abuse-contact-db\nabusix.com is neither responsible nor liable for the content or accuracy of this message.\n

# Path to the log files which contain relevant lines for the abuser IP.
# The header of this file asks for <logpath> to be provided in the jail
# config; the /dev/null default presumably yields no evidence lines.
#
logpath = /dev/null
# Option:  mailcmd
# Notes.:  Your system mail command. Is passed 2 args: subject and recipient
#          actionban invokes it as: <mailcmd> "Abuse from <ip>" <mailargs>
#          followed by the addresses returned by the DNS lookup.
# Values:  CMD
#
mailcmd = mail -s

# Option:  mailargs
# Notes.:  Additional arguments to mail command. e.g. for standard Unix mail:
#          CC reports to another address:
#              -c me@example.com
#          Appear to come from a different address - the '--' indicates
#          arguments to be passed to Sendmail:
#              -- -f me@example.com
#          The value is placed on the command line before the recipient
#          addresses.
# Values:  [ STRING ]
#
mailargs =
# Number of log lines to include in the email
#
#grepmax = 1000
#grepopts = -m <grepmax>