#52 sending abuse email to IP owner of Banned IP

Status: open
Owner: nobody
Priority: 5
Updated: 2009-12-10
Created: 2009-12-10
Creator: Anonymous
Private: No

Hi,
I have been using fail2ban for some months and got many mails about ssh attacks.
Therefore I wrote a script to send an abuse mail to the IP owner, grepping it from the RIPE email fail2ban provides on ban.

In the first step the script greps for an abuse email address;
if none is found, it greps for other provider emails.

I use one mailbox for receiving emails and another one for reply-to.
The email also sends an excerpt of /var/log/messages concerning the blocked IP.

Could you please check whether you could add this feature in one of the next fail2ban releases?

I am running the script by an hourly cronjob.

The script is attached.

I am using fail2ban
rpm -q fail2ban
fail2ban-0.8.4-0.pm.1.1
installed by rpm on openSUSE 11.0

Best Regards

Andrej Semen

Discussion


  • Anonymous
    2009-12-10

    script for sending abuse email to IP owner of banned IP


  • Anonymous
    2009-12-10

    • milestone: --> Next Release (example)

  • Anonymous
    2009-12-10

    Did some bug fixes and improvements.
    Here is the latest script, running on my server by cron every hour.

    #!/bin/bash
    ## Andrej Semen
    ## mail@semen.de
    ## send email to provider of IP
    ## which customer attacks server
    ##
    ## Reads the fail2ban notifications delivered to a Maildir, sends an
    ## abuse report for every "banned" mail and moves the mail to cur/.

    DIR=/var/spool/mail/mail2/new
    DCUR=/var/spool/mail/mail2/cur
    LOG1=/var/log/messages
    FMAIL=mail2@example.de

    cd "$DIR" || exit 1

    for f in "$DIR"/*
    do
    [ -f "$f" ] || continue        # empty Maildir: the glob stays literal
    i=$(basename "$f")
    echo " i is = $i ----------------"
    ## check if mail is stop/start email from fail2ban ##
    ## subject is "[Fail2Ban] <jail>: banned <ip>": $4 is the action, $5 the IP
    BAN=$(grep -m1 '^Subject:' "$f" | awk '{print $4}')
    echo "$BAN"
    if [ "$BAN" = "banned" ]
    then

    ## first choice: an abuse address from the whois output in the mail
    ## (any number of domain labels; the old pattern only matched exactly three)
    ab1=$(grep -i 'abuse' "$f" | grep -E -o '[[:alnum:]._-]+@[[:alnum:].-]+\.[[:alpha:]]+' | head -n1)
    echo "ab1 is = $ab1"
    if [ -z "$ab1" ]
    then ab1=$(grep -i '^e-mail:' "$f" | awk '{print $2}' | head -n1)
    echo "run2 ab1 is = $ab1"
    else
    echo "found abuse mail"
    fi

    ## IP of attacker
    IPa=$(grep -m1 '^Subject:' "$f" | awk '{print $5}')
    DAT=$(/bin/date)
    echo "IP $IPa Datum $DAT"
    ## -F -w: match the IP literally and as a whole word, so 1.2.3.4 does not
    ## also match 1.2.3.40 or 1x2x3x4 (a bare "." matches any character)
    grep_log=$(/usr/bin/grep -F -w "$IPa" "$LOG1")
    TEXT="Looks like your customer with IP $IPa is doing ssh attacks to my server. \n Please take care about \n Best Regards \n \n here some logfile output Date \n $DAT \n $grep_log"
    if [ -z "$ab1" ]
    then echo " no email "
    else
    echo " mail will be sent to $ab1"
    echo -e "$TEXT" | /usr/bin/mail -s "ssh attacks from your customer with IP $IPa" -r "$FMAIL" "$ab1"
    fi

    else
    echo -e "Not a banned email, it is a $BAN email \n"
    fi
    ### move mails to cur dir ##
    echo "mv $f $DCUR/"
    mv "$f" "$DCUR/"

    echo "+++++++++++++++++++++++++++"

    done

    Last edit: Anonymous 2014-05-27
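The procedure described in the request and implemented by the posted bash script (take a fail2ban ban mail, pull the abuse contact out of the whois text it carries, collect the log lines for the banned IP, send a report) as an added example in Python. This is not the poster's script and not fail2ban code; it assumes the subject format of the 0.8 sendmail-whois action ("[Fail2Ban] <jail>: banned <ip>"), and the ban mail, whois fields, log lines and addresses it uses are constructed for the example. Beyond what the script does, it adds the checks worth having before a cron job mails a third party on its own: start/stop notifications are skipped by parsing the subject rather than counting words, the banned IP must parse and must not be a private, loopback, link-local, CGNAT or multicast address (no reports about internal hosts), the registry's abuse fields (abuse-mailbox:, OrgAbuseEmail:) win over a generic "e-mail:" line that may belong to an unrelated person, and the log excerpt matches the whole IP instead of a regex in which "." matches any character.

```python
"""Abuse report from a fail2ban ban notification (added example, see lead-in).

Subject format assumed: "[Fail2Ban] <jail>: banned <ip>" (0.8 sendmail-whois
action). Nothing is sent; the report is returned as an EmailMessage.
"""
import ipaddress
import re
from email import message_from_string
from email.message import EmailMessage

SUBJECT_RE = re.compile(r"^\[Fail2Ban\]\s+(?P<jail>\S+):\s+banned\s+(?P<ip>\S+)\s*$")
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# A banned address in one of these ranges is a host on our own side, not a provider's customer.
NEVER_REPORT = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::1/128", "fc00::/7", "fe80::/10", "ff00::/8")]

def parse_ban_subject(subject):
    """Return (jail, ip) for a ban notification, None for start/stop mails."""
    m = SUBJECT_RE.match(subject or "")
    return (m.group("jail"), m.group("ip")) if m else None

def reportable_ip(text):
    """Parsed address if it is worth reporting, else None."""
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:
        return None
    return None if any(ip in net for net in NEVER_REPORT) else ip

def abuse_contact(whois_text):
    """Pick the abuse address from whois output given as key: value lines."""
    fields = {}
    for line in whois_text.splitlines():
        key, sep, value = line.partition(":")
        m = ADDR_RE.search(value) if sep else None
        if m:
            fields.setdefault(key.strip().lower(), m.group(0))  # first occurrence wins
    for key in ("abuse-mailbox", "orgabuseemail"):  # RIPE/APNIC, then ARIN
        if key in fields:
            return fields[key]
    for addr in fields.values():  # any mailbox that is at least named "abuse"
        if "abuse" in addr.lower():
            return addr
    return fields.get("e-mail")  # same last resort as the posted script

def log_lines_for(ip, log_text, limit=20):
    # Escaped IP, not preceded/followed by digits or dots: 1.2.3.4 does not match 1.2.3.40.
    pat = re.compile(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])")
    return [ln for ln in log_text.splitlines() if pat.search(ln)][:limit]

def build_abuse_report(raw_ban_mail, log_text, from_addr):
    """Return an EmailMessage addressed to the provider, or None if nothing to send."""
    msg = message_from_string(raw_ban_mail)
    parsed = parse_ban_subject(msg["Subject"])
    if parsed is None:
        return None
    jail, ip_text = parsed
    ip = reportable_ip(ip_text)
    if ip is None:
        return None
    parts = msg.walk() if msg.is_multipart() else [msg]
    body = "".join(p.get_payload(decode=True).decode("utf-8", "replace")
                   for p in parts if p.get_content_type() == "text/plain")
    contact = abuse_contact(body)
    if contact is None:
        return None
    evidence = log_lines_for(str(ip), log_text)
    report = EmailMessage()
    report["From"] = from_addr
    report["To"] = contact
    report["Subject"] = f"Abuse report: {jail} attacks from {ip}"
    report.set_content(f"Hello,\n\nthe host {ip} in your network has been banned by fail2ban "
                       f"after repeated {jail} login failures against our server.\n"
                       "Please take care of it.\n\nLog excerpt:\n" + "\n".join(evidence) + "\n")
    return report

# Constructed sample ban mail: the first e-mail: line is the hostmaster, not the abuse desk.
SAMPLE_BAN_MAIL = """\
From: fail2ban@example.net
To: mail2@example.net
Subject: [Fail2Ban] ssh: banned 192.0.2.10

The IP 192.0.2.10 has just been banned by Fail2Ban after 5 attempts against ssh.

Here are more information about 192.0.2.10:
inetnum:        192.0.2.0 - 192.0.2.255
netname:        EXAMPLE-NET
e-mail:         hostmaster@example.org
abuse-mailbox:  abuse@example.org
"""
# Constructed log lines; the 192.0.2.100 line must not end up in the report.
SAMPLE_LOG = """\
Dec 10 10:01:02 host sshd[1234]: Failed password for invalid user admin from 192.0.2.10 port 51234 ssh2
Dec 10 10:01:05 host sshd[1234]: Failed password for root from 192.0.2.10 port 51240 ssh2
Dec 10 10:01:06 host sshd[1240]: Accepted publickey for andrej from 192.0.2.100 port 40000 ssh2
Dec 10 10:01:07 host fail2ban.actions: WARNING [ssh] Ban 192.0.2.10
"""
```

Usage: build_abuse_report(SAMPLE_BAN_MAIL, SAMPLE_LOG, "mail2@example.net") returns a report addressed to abuse@example.org with the three 192.0.2.10 lines as evidence; hand it to smtplib.SMTP.send_message to send it. The "e-mail:" fallback is kept only because the posted script relies on it; in practice the address in that field is often a person at the registry object, so consider dropping the fallback and skipping the mail when no abuse-mailbox is published.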