[Fail2ban-users] SOLUTION: Making an http post from a fail2ban action

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Thanks everyone who responded with advice.    Redirecting the wget stderr to a file showed me this error:

*   Trying 192.168.0.116... Failed to connect to 192.168.0.116: Permission denied

Searching on that error pointed me to SELinux.  I found this in /var/log/audit/audit.log:

type=AVC msg=audit(1386961382.694:3611): avc:  denied  { name_connect } for  pid=9545 comm="wget" dest=80 scontext=unconfined_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket

Based on advice at http://wiki.centos.org/HowTos/SELinux, I was able to adjust the policy to allow curl to make network connections from fail2ban.

From: Tom Faber
Sent: Thursday, December 12, 2013 1:06 PM
To: 'fai...@li...'
Cc: Tom Faber
Subject: Making an http post from a fail2ban action

Hi -

I'm running fail2ban on CentOS.  I want to have an action that posts to a web service on banning.   I've tried both wget and curl, neither one is working.   In the fail2ban logs it just says
                fail2ban.actions.action: ERROR  curl -X POST -d "true" http://myserver/path --header "Content-Type:application/json" returned 700
For the same action using wget, it says "returned 400".   I already have the fail2ban logging up to debug level, and I don't see any other information on what's happening.    When I try passing in -d to wget to trigger wget debug logging, I get an error message that it couldn't write to the log.

Both curl and wget, the exact same command line that fails in the action succeeds when I run it from the bash prompt.

The destination server (windows with IIS - so I've checked both IIS logs and Network Monitor) isn't receiving the post, so at first I thought perhaps it just wasn't resolving the host name - but using FQDN or IP Address gives the same results.

My questions are:

-          Is there any fail2ban documentation of these error codes?  I searched the http://www.fail2ban.org/ site and found nothing.

-          Are there specific restrictions of what can be done from a custom action?   Is there something about the context that changes how network operations work?

-          Any trick to getting wget debug logging working from inside an action?

-          Anything obvious you see that I'm doing wrong?

Thanks
-Tom