From 1846056606d24abe4e7d3f2e1cf56407c65b9008 Mon Sep 17 00:00:00 2001
From: Daniel Black
Date: Tue, 3 Dec 2013 20:40:42 +1100
Subject: [PATCH] DOC: when to use xarf messages to network owner
---
 config/action.d/xarf-login-attack.conf | 13 ++++++++++++-
 config/jail.conf | 2 ++
 2 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/config/action.d/xarf-login-attack.conf b/config/action.d/xarf-login-attack.conf
index 568d9d5c..98cf47ed 100644
--- a/config/action.d/xarf-login-attack.conf
+++ b/config/action.d/xarf-login-attack.conf
@@ -1,10 +1,21 @@
 # Fail2Ban action for sending xarf Login-Attack messages to IP owner
 #
+# IMPORTANT:
+#
+# Emailing a IP owner of abuse is a serious complain. Make sure that it is
+# serious. Fail2ban developers and network owners recommend you only use this
+# action for:
+# * The recidive where the IP has been banned multiple times
+# * Where maxretry has been set quite high, beyond the normal user typing
+# password incorrectly.
+# * For filters that have a low likelyhood of receiving human errors
+#
+# DEPENDANCIES:
+#
 # This requires the dig command from bind-utils
 #
 # This uses the https://abusix.com/contactdb.html to lookup abuse contacts.
 #
-#
 # XARF is a specification for sending a formatted response
 # for non-messaging based abuse including:
 #
diff --git a/config/jail.conf b/config/jail.conf
index 8e76856f..5d98f73d 100644
--- a/config/jail.conf
+++ b/config/jail.conf
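Review bot: The new IMPORTANT block in config/action.d/xarf-login-attack.conf has several spelling slips that undercut a warning operators are meant to take seriously: `Emailing a IP owner of abuse is a serious complain` should read `Emailing an IP owner about abuse is a serious complaint`, `likelyhood` should be `likelihood`, and the heading `DEPENDANCIES:` should be `DEPENDENCIES:`. The first bullet, `The recidive where the IP has been banned multiple times`, does not say what "the recidive" is; `The recidive jail, where the IP has already been banned multiple times` would be clearer. It may also be worth one more bullet saying the action fits only filters where the logged address reliably identifies the offending host, since a report raised against a shared or proxy address reaches the wrong owner.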
@@ -151,6 +151,8 @@ action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protoc action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"] +# See the IMPORTANT note in action.d/xarf-login-attack for when to use this action +# # ban & send a xarf e-mail to abuse contact of IP address and include relevant log lines # to the destemail. action_xarf = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
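Review bot: The cross-reference added above `action_xarf` names the file as `action.d/xarf-login-attack`, dropping the `.conf` suffix the file carries in this same commit, and it is placed before the comment that explains what the action does, so the reader meets the pointer before the description. Consider moving it below `# to the destemail.` and wording it `# See the IMPORTANT note in action.d/xarf-login-attack.conf before enabling this action`. The `action_xarf` definition appears to continue past the end of the hunk, so only its first line is visible here.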