@bistoco
Forked from Dman46/jail.local
Last active April 23, 2019 10:27
Fail2ban - send Slack notifications
...
# /etc/fail2ban/jail.local: define the combined action (ban + Slack message), e.g. in [DEFAULT],
# then select it in the jails you want notified. The second line is a continuation and must stay indented.
action_with_slack_notification = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
                                 slack[name=%(__name__)s]
action = %(action_with_slack_notification)s
...
# ADD THIS FILE INTO /etc/fail2ban/actions.d/slack.conf
[Definition]
actioncheck =
actionstart = /bin/bash /etc/fail2ban/slack_notify.sh "The jail <name> has been started successfully." > /dev/null 2>&1
actionstop = /bin/bash /etc/fail2ban/slack_notify.sh "The jail <name> has been stopped." > /dev/null 2>&1
actionban = /bin/bash /etc/fail2ban/slack_notify.sh "Banned _country_ <ip> in the jail <name> after <failures> attempts" "<ip>" > /dev/null 2>&1
actionunban = /bin/bash /etc/fail2ban/slack_notify.sh "Unbanned _country_ <ip> in the jail <name>" "<ip>" > /dev/null 2>&1
# Default value for <name>; jail.local overrides it with name=%(__name__)s
# so that every message carries the jail name
name = default
#!/bin/bash
# message: first command argument
MESSAGE=$1
HOOK_URL=https://hooks.slack.com/services/<your hook url>
HOST=$(hostname)
CHANNEL="#alerts"
USERNAME="fail2ban"
ICON=":cop:"
# ip: second command argument (empty for actionstart/actionstop)
IP=$2
# look up which country the offending address belongs to
# (-s: no progress output; --max-time: a slow lookup must not block fail2ban;
# note that this sends every banned IP to a third-party service)
COUNTRY=""
if [ -n "$IP" ]; then
    COUNTRY=$(curl -s --max-time 5 "https://ipinfo.io/${IP}/country")
fi
# convert the country code to lower case
# (plain tr, not tr -s: squeezing repeated letters would turn "BB" into "b")
COUNTRY=$(echo "$COUNTRY" | tr '[:upper:]' '[:lower:]')
# slack emoji; fall back to a neutral one when the lookup returned nothing
if [ -n "$COUNTRY" ]; then
    COUNTRY=":flag-$COUNTRY:"
else
    COUNTRY=":question:"
fi
# replace the _country_ template with the country emoji
MESSAGE="${MESSAGE/_country_/$COUNTRY}"
curl -s -X POST --data-urlencode "payload={\"channel\": \"${CHANNEL}\", \"username\": \"${USERNAME}\", \"text\": \"[${HOST}] ${MESSAGE}\", \"icon_emoji\": \"${ICON}\"}" "${HOOK_URL}"
exit 0
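The same notifier split into functions so that each step (IP sanity check, country lookup, emoji mapping, JSON escaping, payload assembly) can be exercised offline, as an added example that is not the gist's own script. It assumes the Slack incoming-webhook JSON keys channel, username, text and icon_emoji, that ipinfo.io/<ip>/country returns a bare ISO 3166 alpha-2 code, and Slack's :flag-xx: emoji names; the hook URL is a placeholder and the two-entry offline lookup table is constructed sample data.

```shell
#!/bin/sh
# Added example, not the original gist's code. Assumptions: Slack webhook JSON
# keys (channel, username, text, icon_emoji), ipinfo.io/<ip>/country giving a
# bare alpha-2 code, Slack :flag-xx: emoji names. HOOK_URL is a placeholder;
# the offline lookup table is constructed sample data.
set -u

HOOK_URL="https://hooks.slack.com/services/<your hook url>"
CHANNEL="#alerts"
USERNAME="fail2ban"
ICON=":cop:"

# Only characters that can occur in an IPv4/IPv6 literal, so an odd value
# never reaches the shell-built lookup URL or the JSON body. Loose on purpose
# (character set only); fail2ban already validated the address.
valid_ip() {
    case "$1" in
        '' | *[!0-9a-fA-F:.]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Real lookup: unauthenticated ipinfo.io (rate limited, and it tells a third
# party which addresses you ban). -sS: no progress bar, keep errors;
# --max-time keeps a slow lookup from stalling fail2ban's action thread.
lookup_country_ipinfo() {
    curl -sS --max-time 5 "https://ipinfo.io/$1/country"
}

# Constructed offline table (documentation addresses) for tests and dry runs.
lookup_country_offline() {
    case "$1" in
        203.0.113.7) printf 'BB\n' ;;   # pretend Barbados
        2001:db8::1) printf 'DE\n' ;;   # pretend Germany
        *) printf '\n' ;;
    esac
}

# Two-letter code -> :flag-xx:. Plain tr, not tr -s: squeezing repeats turns
# "BB" (Barbados) into "b". Anything else gets a neutral emoji instead of
# the broken ":flag-:" token.
country_emoji() {
    code=$(printf '%s' "$1" | tr -d '[:space:]' | tr '[:upper:]' '[:lower:]')
    case "$code" in
        [a-z][a-z]) printf ':flag-%s:' "$code" ;;
        *) printf ':question:' ;;
    esac
}

# Escape for a JSON string literal: backslash first, then double quote;
# newlines/tabs folded to spaces (fail2ban messages are single-line).
json_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g' | tr '\n\t' '  '
}

# $1 message template, $2 ip (empty for start/stop), $3 lookup function name.
render_message() {
    tpl=$1; ip=$2; lookup=${3:-lookup_country_ipinfo}
    if valid_ip "$ip"; then
        flag=$(country_emoji "$("$lookup" "$ip")")
    else
        flag=$(country_emoji '')
    fi
    printf '%s' "$tpl" | sed "s/_country_/$flag/g"
}

# $1 host, $2 rendered message -> webhook JSON body.
build_payload() {
    printf '{"channel":"%s","username":"%s","text":"[%s] %s","icon_emoji":"%s"}' \
        "$(json_escape "$CHANNEL")" "$(json_escape "$USERNAME")" \
        "$(json_escape "$1")" "$(json_escape "$2")" "$(json_escape "$ICON")"
}

# Invoked from slack.conf as: slack_notify.sh "<message>" ["<ip>"]
# With no arguments nothing is sent, so the file can be sourced for testing.
if [ "$#" -gt 0 ]; then
    msg=$(render_message "$1" "${2:-}")
    curl -sS --max-time 10 -X POST -H 'Content-type: application/json' \
        --data "$(build_payload "$(hostname)" "$msg")" "$HOOK_URL"
fi
```

Wire it into slack.conf exactly like the original script. To exercise the ban path without waiting for a real attack, `fail2ban-client set sshd banip 203.0.113.7` fires actionban for the sshd jail (assuming that jail is enabled), and `fail2ban-client reload` picks up edits to jail.local and action.d. The webhook URL is a bearer credential (anyone holding it can post to the channel), so keep the script readable by root only. The lookup sends every banned address to ipinfo.io; if that is unwanted, swap lookup_country_ipinfo for a local GeoIP database query with the same one-line output.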
@salvadeaquiyalla

Hi, I can't get your integration to work.
I edit jail.local and add the line
action_with_slack_notification = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] slack[name=%(__name__)s]

In the same file, I go to the service that I control (SSH) and add the line
action = %(action_with_slack_notification)s

Now I create the file slack.conf in action.d and add the lines you indicate above.
[Definition]

actioncheck =
actionstart = /bin/bash /etc/fail2ban/slack_notify.sh "The jail <name> has been started successfully." > /dev/null 2>&1
actionstop = /bin/bash /etc/fail2ban/slack_notify.sh "The jail <name> has been stopped." > /dev/null 2>&1
actionban = /bin/bash /etc/fail2ban/slack_notify.sh "Banned _country_ <ip> in the jail <name> after <failures> attempts" "<ip>" > /dev/null 2>&1
actionunban = /bin/bash /etc/fail2ban/slack_notify.sh "Unbanned _country_ <ip> in the jail <name>" "<ip>" > /dev/null 2>&1
# Default name of the chain
name = default

Finally, inside /etc/fail2ban, I create the file slack_notify.sh and copy the code you indicate.
I only modify
HOOK_URL=https://hooks.slack.com/services/XXXXXXXXX/YYYYYYYYY/ZZZZZZZZZZZZZZZZZZZZZZZZ
CHANNEL="#forexample"

I try to perform a blocking test, but I do not receive the message in the Slack channel.

Can you help me with the problem?
Thank you
