mirror of https://github.com/fail2ban/fail2ban
ENH: add xarf email sender for login-attack type
Daniel Black
parent
f7504d5b64
commit
5cc7173fd4
|
|
@ -0,0 +1,88 @@
|
|||
# Fail2Ban action for sending xarf Login-Attack messages to IP owner
|
||||
#
|
||||
# This requires querycontact ( http://pypi.python.org/pypi/querycontacts/ )
|
||||
# sudo pip install querycontacts
|
||||
#
|
||||
# This uses the https://abusix.com/contactdb.html to lookup abuse contacts.
|
||||
#
|
||||
#
|
||||
# XARF is a specification for sending a formatted response
|
||||
# for non-messaging based abuse including:
|
||||
#
|
||||
# Login-Attack, Malware-Attack, Fraud (Phishing, etc.), Info DNSBL
|
||||
#
|
||||
# For details see:
|
||||
# https://github.com/abusix/xarf-specification
|
||||
# http://www.x-arf.org/schemata.html
|
||||
#
|
||||
#
|
||||
# Based on complain written by Russell Odom <russ@gloomytrousers.co.uk>
|
||||
#
|
||||
#
|
||||
|
||||
[Definition]
|
||||
|
||||
actionstart =
|
||||
|
||||
actionstop =
|
||||
|
||||
actioncheck =
|
||||
|
||||
actionban = ADDRESSES=`querycontacts <ip>`
|
||||
IP=<ip>
|
||||
FROM=<sender>
|
||||
SERVICE=<name>
|
||||
FAILURES=<failures>
|
||||
MATCHES=<matches>
|
||||
DATE=`LC_TIME=C date -u --date=@<time> +"%%a, %%d %%h %%Y %%T +0000"`
|
||||
if [ ! -z "$ADDRESSES" ]; then
|
||||
(printf %%b -- "<header>\n<message>\n<report>\n${MATCHES}\n"; date '+Note: Local timezone is %%z (%%Z)'; tail -n 9000 <logpath> | grep '[^0-9]<ip>[^0-9]'; printf %%b -- "<footer>") | <mailcmd> "abuse report about <ip> - $DATE" <mailargs> $ADDRESSES
|
||||
fi
|
||||
|
||||
actionunban =
|
||||
|
||||
[Init]
|
||||
|
||||
# Option: header
|
||||
# Notes: This is really a fixed value
|
||||
header = Auto-Submitted: auto-generated\nX-XARF: PLAIN\nContent-Transfer-Encoding: 7bit\nContent-Type: multipart/mixed; charset=utf8;\n boundary=Abuse-bfbb0f920793ac03cb8634bde14d8a1e;\n\n--Abuse-bfbb0f920793ac03cb8634bde14d8a1e\nMIME-Version: 1.0\nContent-Transfer-Encoding: 7bit\nContent-Type: text/plain; charset=utf-8;\n
|
||||
|
||||
# Option: footer
|
||||
# Notes: This is really a fixed value and needs to match the report and header
|
||||
# mime delimiters
|
||||
footer = --Abuse-bfbb0f920793ac03cb8634bde14d8a1e--
|
||||
|
||||
# Option: report
|
||||
# Notes: Intended to be fixed
|
||||
report = --Abuse-bfbb0f920793ac03cb8634bde14d8a1e\nMIME-Version: 1.0\nContent-Transfer-Encoding: 7bit\nContent-Type: text/plain; charset=utf-8; name="report.txt";\n\n---\nReported-From: $FROM\nCategory: abuse\nReport-Type: login-attack\nService: $SERVICE\nVersion: 0.1.2\nUser-Agent: Fail2ban v0.8\nDate: $DATE\nSource-Type: ip-address\nSource: $IP\nSchema-URL: http://www.x-arf.org/schema/abuse_login-attack_0.1.2.json\nAttachment: text/plain\nOccurances: $FAILURES\n\n\n--Abuse-bfbb0f920793ac03cb8634bde14d8a1e\nMIME-Version: 1.0\nContent-Transfer-Encoding: 7bit\nContent-Type: text/plain; charset=utf8; name="logfile.log";
|
||||
|
||||
# Option: Message
|
||||
# Notes: This cane be modified by the users
|
||||
message = Dear Sir/Madam,\n\nWe have detected abuse from the IP address $IP, which according to https://abusix.com/contactdb.html is on your network. We would appreciate if you would investigate and take action as appropriate.\n\nLog lines are given below, but please ask if you require any further information.\n\n(If you are not the correct person to contact about this please accept our apologies - your e-mail address was extracted from the whois record by an automated process. This mail was generated by Fail2Ban in a X-ARF format! You can find more information about x-arf at http://www.x-arf.org/specification.html.)\n
|
||||
|
||||
# Option: logpath
|
||||
# Notes: Path to the log files which contain relevant lines for the abuser IP
|
||||
# Values: Filename(s) space separated and can contain wildcards (these are
|
||||
# greped for the IP so make sure these aren't too long
|
||||
logpath = /dev/null
|
||||
|
||||
# Option: mailcmd
|
||||
# Notes.: Your system mail command. Is passed 2 args: subject and recipient
|
||||
# Values: CMD
|
||||
#
|
||||
mailcmd = mail -s
|
||||
|
||||
# Option: mailargs
|
||||
# Notes.: Additional arguments to mail command. e.g. for standard Unix mail:
|
||||
# CC reports to another address:
|
||||
# -c me@example.com
|
||||
# Appear to come from a different address - the '--' indicates
|
||||
# arguments to be passed to Sendmail:
|
||||
# -- -f me@example.com
|
||||
# Values: [ STRING ]
|
||||
#
|
||||
mailargs =
|
||||
|
||||
# Option: sender
|
||||
# Notes.: This is the sender that is included in the XARF report
|
||||
sender =
|
||||
Loading…
Reference in New Issue