fail2ban: email notification (Closes #232)

nextcloud · Oct 6, 2017 · dcbafb2 · dcbafb2
1 parent a4e5df7
commit dcbafb2
Show file tree

Hide file tree

Showing 3 changed files with 30 additions and 8 deletions.
diff --git a/changelog.md b/changelog.md
@@ -1,5 +1,7 @@
 
-[v0.31.11](https://github.com/nextcloud/nextcloudpi/commit/f4586a0) (2017-10-04) nc-backup: fix excludes
+[v0.31.12](https://github.com/nextcloud/nextcloudpi/commit/487e06e) (2017-10-05) fail2ban: email notification
+
+[v0.31.11](https://github.com/nextcloud/nextcloudpi/commit/3fc4d3c) (2017-10-04) nc-backup: fix excludes
 
 [v0.31.10](https://github.com/nextcloud/nextcloudpi/commit/c0c6b1b) (2017-10-04) nc-forward-ports: exit status on failure
 

diff --git a/etc/nextcloudpi-config.d/fail2ban.sh b/etc/nextcloudpi-config.d/fail2ban.sh
@@ -24,12 +24,17 @@ FINDTIME_=600
 # bad attempts before banning an IP
 MAXRETRY_=6                                      
 
+# email to send notifications to
+[email protected]
+
+MAILALERTS_=no
+
 DESCRIPTION="Brute force protection for SSH and NextCloud"
 
 install()
 {
   apt-get update
-  apt-get install --no-install-recommends -y fail2ban 
+  apt-get install --no-install-recommends -y fail2ban whois
   update-rc.d fail2ban disable
   rm -f /etc/fail2ban/jail.d/defaults-debian.conf
 
@@ -54,6 +59,12 @@ exit 0
 EOF
     chmod +x /etc/cont-init.d/100-fail2ban-run.sh
   }
+
+  # tweak fail2ban email 
+  local F=/etc/fail2ban/action.d/sendmail-common.conf
+  sed -i 's|Fail2Ban|NextCloudPi|' /etc/fail2ban/action.d/sendmail-whois-lines.conf
+  grep -q actionstart_ "$F" || sed -i 's|actionstart|actionstart_|' "$F"
+  grep -q actionstop_  "$F" || sed -i 's|actionstop|actionstop_|'   "$F"
 }
 
 configure()
@@ -89,6 +100,7 @@ failregex = Login failed.*Remote IP.*'<HOST>'
 ignoreregex =
 EOF
 
+  [[ "$MAILALERTS_" == "yes" ]] && local ACTION=action_mwl || local ACTION=action_
 
   cat > /etc/fail2ban/jail.conf <<EOF
 # The DEFAULT allows a global definition of the options. They can be overridden
@@ -111,13 +123,13 @@ maxretry = $MAXRETRY_
 #
 # ACTIONS
 #
-banaction = iptables-multiport
-protocol = tcp
-chain = INPUT
-action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
-action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
+banaction  = iptables-multiport
+protocol   = tcp
+chain      = INPUT
+action_    = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
 action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
-action = %(action_)s
+           sendmail-whois-lines[name=%(__name__)s, dest=$EMAIL_, [email protected]]
+action = %($ACTION)s
 
 #
 # SSH

diff --git a/update.sh b/update.sh
@@ -252,6 +252,14 @@ EOF
     cat >> /etc/pip.conf <<<"extra-index-url=https://www.piwheels.hostedpi.com/simple/zope.components"
     /etc/letsencrypt/letsencrypt-auto --help
   }
+
+  # tweak fail2ban email 
+  F=/etc/fail2ban/action.d/sendmail-common.conf
+  sed -i 's|Fail2Ban|NextCloudPi|' /etc/fail2ban/action.d/sendmail-whois-lines.conf
+  grep -q actionstart_ "$F" || sed -i 's|actionstart|actionstart_|' "$F"
+  grep -q actionstop_  "$F" || sed -i 's|actionstop|actionstop_|'   "$F"
+  type whois &>/dev/null || { apt-get update; apt-get install --no-install-recommends -y whois; }
+
 }
 
 # License