From 5cc7173fd4ad7c1e468e4cd71a9880946df64df0 Mon Sep 17 00:00:00 2001
From: Daniel Black <grooverdan@users.sourceforge.net>
Date: Sat, 30 Nov 2013 14:16:26 +1100
Subject: [PATCH] ENH: add xarf email sender for login-attack type

---
 config/action.d/xarf-login-attack.conf | 88 ++++++++++++++++++++++++++
 1 file changed, 88 insertions(+)
 create mode 100644 config/action.d/xarf-login-attack.conf

diff --git a/config/action.d/xarf-login-attack.conf b/config/action.d/xarf-login-attack.conf
new file mode 100644
index 00000000..bbc97ea8
--- /dev/null
+++ b/config/action.d/xarf-login-attack.conf
@@ -0,0 +1,88 @@
+# Fail2Ban action for sending xarf Login-Attack messages to IP owner
+#
+# This requires querycontact ( http://pypi.python.org/pypi/querycontacts/ )
+# sudo pip install querycontacts
+#
+# This uses the https://abusix.com/contactdb.html to lookup abuse contacts.
+#
+#
+# XARF is a specification for sending a formatted response
+# for non-messaging based abuse including:
+#
+# Login-Attack, Malware-Attack, Fraud (Phishing, etc.), Info DNSBL
+#
+# For details see:
+# https://github.com/abusix/xarf-specification
+# http://www.x-arf.org/schemata.html
+#
+#
+# Based on complain written by Russell Odom <russ@gloomytrousers.co.uk>
+#
+#
+
+[Definition]
+
+actionstart =
+
+actionstop =
+
+actioncheck =
+
+actionban = ADDRESSES=`querycontacts <ip>`
+	          IP=<ip>
+            FROM=<sender>
+            SERVICE=<name>
+            FAILURES=<failures>
+            MATCHES=<matches>
+            DATE=`LC_TIME=C date -u --date=@<time> +"%%a, %%d %%h %%Y %%T +0000"`
+            if [ ! -z "$ADDRESSES" ]; then
+                (printf %%b -- "<header>\n<message>\n<report>\n${MATCHES}\n"; date '+Note: Local timezone is %%z (%%Z)'; tail -n 9000 <logpath> | grep '[^0-9]<ip>[^0-9]'; printf %%b -- "<footer>") | <mailcmd> "abuse report about <ip> - $DATE" <mailargs> $ADDRESSES
+            fi
+
+actionunban =
+
+[Init]
+
+# Option: header
+# Notes:  This is really a fixed value
+header  = Auto-Submitted: auto-generated\nX-XARF: PLAIN\nContent-Transfer-Encoding: 7bit\nContent-Type: multipart/mixed; charset=utf8;\n  boundary=Abuse-bfbb0f920793ac03cb8634bde14d8a1e;\n\n--Abuse-bfbb0f920793ac03cb8634bde14d8a1e\nMIME-Version: 1.0\nContent-Transfer-Encoding: 7bit\nContent-Type: text/plain; charset=utf-8;\n
+
+# Option: footer
+# Notes:  This is really a fixed value and needs to match the report and header
+#         mime delimiters
+footer = --Abuse-bfbb0f920793ac03cb8634bde14d8a1e--
+
+# Option: report
+# Notes:  Intended to be fixed
+report =  --Abuse-bfbb0f920793ac03cb8634bde14d8a1e\nMIME-Version: 1.0\nContent-Transfer-Encoding: 7bit\nContent-Type: text/plain; charset=utf-8; name="report.txt";\n\n---\nReported-From: $FROM\nCategory: abuse\nReport-Type: login-attack\nService: $SERVICE\nVersion: 0.1.2\nUser-Agent: Fail2ban v0.8\nDate: $DATE\nSource-Type: ip-address\nSource: $IP\nSchema-URL: http://www.x-arf.org/schema/abuse_login-attack_0.1.2.json\nAttachment: text/plain\nOccurances: $FAILURES\n\n\n--Abuse-bfbb0f920793ac03cb8634bde14d8a1e\nMIME-Version: 1.0\nContent-Transfer-Encoding: 7bit\nContent-Type: text/plain; charset=utf8; name="logfile.log";
+
+# Option: Message
+# Notes:  This cane be modified by the users 
+message = Dear Sir/Madam,\n\nWe have detected abuse from the IP address $IP, which according to https://abusix.com/contactdb.html is on your network. We would appreciate if you would investigate and take action as appropriate.\n\nLog lines are given below, but please ask if you require any further information.\n\n(If you are not the correct person to contact about this please accept our apologies - your e-mail address was extracted from the whois record by an automated process. This mail was generated by Fail2Ban in a X-ARF format! You can find more information about x-arf at http://www.x-arf.org/specification.html.)\n
+
+# Option:  logpath
+# Notes:   Path to the log files which contain relevant lines for the abuser IP
+# Values:  Filename(s) space separated and can contain wildcards (these are
+#          greped for the IP so make sure these aren't too long
+logpath = /dev/null
+
+# Option:  mailcmd
+# Notes.:  Your system mail command. Is passed 2 args: subject and recipient
+# Values:  CMD
+#
+mailcmd = mail -s
+
+# Option:  mailargs
+# Notes.:  Additional arguments to mail command. e.g. for standard Unix mail:
+#          CC reports to another address:
+#              -c me@example.com
+#          Appear to come from a different address - the '--' indicates
+#          arguments to be passed to Sendmail:
+#              -- -f me@example.com
+# Values:  [ STRING ]
+#
+mailargs =
+
+# Option:  sender
+# Notes.:  This is the sender that is included in the XARF report
+sender =