#52 sending abuse email to IP owner of Banned IP

Status: open
Owner: nobody
Priority: 5
Created: 2009-12-10
Updated: 2009-12-10
Creator: Anonymous
Private: No

Hi,
I have been using fail2ban for some months and got many mails about ssh attacks.
Therefore I wrote a script to send an abuse mail to the IP owner, grepping it from the RIPE e-mail fail2ban provides on ban.

In the first step the script greps for an abuse email address;
if none is found, it greps for other provider emails.

I use one mailbox for receiving emails and another one for reply-to.
The email also sends an excerpt of /var/log/messages concerning the blocked IP.

Could you please check if you could add this feature in one of the next fail2ban releases?

I am running the script by an hourly cronjob.

The script is attached.

I am using fail2ban
rpm -q fail2ban
fail2ban-0.8.4-0.pm.1.1
installed by rpm on openSUSE 11.0

Best Regards

Andrej Semen

Discussion

  • Anonymous - 2009-12-10

    scipt for sending abuse email to IP owner of Banned IP


  • Anonymous - 2009-12-10
    • milestone: --> Next Release (example)
     
  • Anonymous - 2009-12-10

    Did some bug fixes and improvements.
    Here is the latest script, running on my server by cron every hour.

    #!/bin/bash
    ## Andrej Semen
    ## mail@semen.de
    ## send email to provider of IP
    ## which customer attacks server
    ##

    DIR=/var/spool/mail/mail2/new     # Maildir "new" folder that receives the fail2ban mails
    DCUR=/var/spool/mail/mail2/cur    # processed mails are moved here
    LOG1=/var/log/messages            # log that is searched for the banned IP
    FMAIL=mail2@example.de            # sender / reply-to address of the abuse mail

    cd "$DIR" || exit 1

    for i in *
    do
    [ -f "$i" ] || continue          # skip when the folder is empty (glob stays literal)
    echo " i is = $i ----------------"
    ## check if mail is stop/start email from fail2ban ##
    ## fail2ban subject is "[Fail2Ban] <jail>: banned <IP>", so $4 is the action and $5 the IP
    BAN=$(grep 'Subject:' "$DIR/$i" | awk '{print $4}')
    echo "$BAN"
    if [ "$BAN" = "banned" ]
    then

    ## abuse contact taken from the whois output fail2ban puts into the mail
    ## (one address only; the original pattern required two dots after the @)
    ab1=$(grep 'abuse@' "$DIR/$i" | grep -E -o '[[:alnum:]._-]+@[[:alnum:].-]+\.[[:alpha:]]+' | head -n 1)
    echo "ab1 is = $ab1"
    if [ -z "$ab1" ]
    then ab1=$(grep -i 'e-mail:' "$DIR/$i" | awk '{print $2}' | head -n 1)
    echo "run2 ab1 is = $ab1"
    else
    echo "found abuse mail"
    fi

    ## IP of attacker
    IPa=$(grep 'Subject:' "$DIR/$i" | awk '{print $5}')
    DAT=$(/bin/date)
    echo "IP $IPa Datum $DAT"
    ## -F -w: literal, whole-word match, so 10.0.0.1 does not also match 10.0.0.10
    grep_log=$(/usr/bin/grep -F -w "$IPa" "$LOG1")
    TEXT="Looks like your customer with IP $IPa is doing ssh attacks to my server. \n Please take care about \n Best Regards \n \n here some logfile output Date \n $DAT \n $grep_log"
    if [ -z "$ab1" ]
    then echo " no email "
    else
    echo " mail will be sent to $ab1"
    echo -e "$TEXT" | /usr/bin/mail -s "ssh attacks from your customer with IP $IPa" -r "$FMAIL" "$ab1"
    fi

    else
    echo -e "Not a banned email it is a $BAN email \n"
    fi
    ### move mails to cur dir ##
    echo "mv $DIR/$i $DCUR/"
    mv "$DIR/$i" "$DCUR/"

    echo "+++++++++++++++++++++++++++"

    done

     
    Last edit: Anonymous 2014-05-27
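The same workflow as an added example in Python (not the script from this ticket and not part of fail2ban): it parses the fail2ban 0.8 ban notification with the email module, prefers RIPE's abuse-mailbox: attribute over a generic abuse@ or e-mail: line, validates both the contact address and the banned IP, and keeps only log lines in which the IP appears as a whole token, so 192.0.2.4 does not also pull in 192.0.2.45. The sample mail, addresses and log lines are constructed.

```python
import re
import ipaddress
from email import message_from_string
from email.message import EmailMessage

# Constructed sample of a fail2ban 0.8 "sendmail-whois" ban notification (not a real mail).
SAMPLE_MAIL = """\
From: fail2ban@example.org
To: mail2@example.de
Subject: [Fail2Ban] ssh: banned 192.0.2.45

inetnum:        192.0.2.0 - 192.0.2.255
netname:        EXAMPLE-NET
e-mail:         noc@example.net
abuse-mailbox:  abuse@example.net
"""

SUBJECT_RE = re.compile(r"\[Fail2Ban\]\s+(\S+):\s+banned\s+(\S+)")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

def parse_ban_mail(raw):
    """Return (jail, ip) for a ban notification, None for fail2ban start/stop mails."""
    m = SUBJECT_RE.search(message_from_string(raw).get("Subject", ""))
    if not m:
        return None
    jail, ip = m.group(1), m.group(2)
    ipaddress.ip_address(ip)  # raises ValueError if the subject carries a malformed address
    return jail, ip

def find_abuse_contact(body):
    """Prefer RIPE's 'abuse-mailbox:', then any abuse@ address, then the first 'e-mail:' line."""
    for pattern in (r"^abuse-mailbox:\s*(\S+)", r"(abuse@\S+)", r"^e-?mail:\s*(\S+)"):
        m = re.search(pattern, body, re.IGNORECASE | re.MULTILINE)
        if m and EMAIL_RE.fullmatch(m.group(1)):
            return m.group(1).lower()
    return None

def build_report(raw, log_lines, sender):
    """Assemble the abuse report as an EmailMessage; None means nothing should be sent."""
    parsed = parse_ban_mail(raw)
    contact = find_abuse_contact(message_from_string(raw).get_payload()) if parsed else None
    if contact is None:
        return None
    jail, ip = parsed
    evidence = [line for line in log_lines if ip in line.split()]  # whole-token match, not prefix
    report = EmailMessage()
    report["From"], report["To"] = sender, contact
    report["Subject"] = f"{jail} attacks from your customer with IP {ip}"
    report.set_content("Log excerpt for this address:\n" + "\n".join(evidence))
    return report
```

Hand the returned EmailMessage to smtplib.SMTP.send_message (or write it to a file for review) instead of piping through mail(1); a None result means the mail was a start/stop notice or no usable contact was found.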
