Submitted by ckwsp101 on Mon, 02/13/2017 - 17:30
The fail2ban mail-whois-lines supports multiple email addresses in the dest parameter. The webmin module edit jail other parameters strips the needed double quotes associated with the dest string.
For example
dest="root,admin@example.com"
Will send mail to both root@localhost and admin@example.com.
[sshd-ddos]
# This jail corresponds to the standard configuration in Fail2ban.
# The mail-whois action send a notification e-mail with a whois request
# in the body.
port = ssh
logpath = %(sshd_log)s
enabled = true
filter = sshd-ddos
action = mail-whois-lines[name=SSHDOS, dest=root,logpath=%(sshd_log)s]
Status:
Active
Comments
Submitted by JamieCameron on Mon, 02/13/2017 - 21:32 Comment #1
Are you sure the parameter is called dest and not destemail?
Submitted by ckwsp101 on Tue, 02/14/2017 - 08:46 Comment #2
dest used in distribution available on Centos 7 from epel. Maybe other versions different?
fail2ban-all.noarch 0.9.5-3.el7 @epel
-sh-4.2$ cat mail-whois-lines.conf
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Modified-By: Yaroslav Halchenko to include grepping on IP over log files
#
[INCLUDES]
before = mail-whois-common.conf
[Definition]
# Option:  actionstart
# Notes.:  command executed once at the start of Fail2Ban.
# Values:  CMD
#
actionstart = printf %%b "Hi,\n
              The jail has been started successfully.\n
              Regards,\n
              Fail2Ban"|mail -s "[Fail2Ban] : started on `uname -n`"
# Option:  actionstop
# Notes.:  command executed once at the end of Fail2Ban
# Values:  CMD
#
actionstop = printf %%b "Hi,\n
             The jail has been stopped.\n
             Regards,\n
             Fail2Ban"|mail -s "[Fail2Ban] : stopped on `uname -n`"
# Option:  actioncheck
# Notes.:  command executed once before each actionban command
# Values:  CMD
#
actioncheck =
# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionban = printf %%b "Hi,\n
            The IP has just been banned by Fail2Ban after attempts against .\n\n
            Here is more information about :\n
            `%(_whois_command)s`\n\n
            Lines containing IP: in \n
            `grep -E <grepopts> '(^|[^0-9])<ip>([^0-9]|$)' <logpath>`\n\n
            Regards,\n
            Fail2Ban"|mail -s "[Fail2Ban] : banned from `uname -n`"
# Option:  actionunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionunban =
[Init]
# Default name of the chain
#
name = default
# Destinataire of the mail
#
dest = root
# Path to the log files which contain relevant lines for the abuser IP
#
logpath = /dev/null
# Number of log lines to include in the email
#
grepopts = -m 1000
-sh-4.2$
Submitted by ckwsp101 on Tue, 02/14/2017 - 08:53 Comment #3
Hope this applies to other actions
https://github.com/fail2ban/fail2ban/issues/632
Submitted by andreychek on Tue, 02/14/2017 - 09:52 Comment #4
Jamie, I did a little looking into this -- it looks like "destemail" is a standalone parameter used in the jail.conf/jail.local files.
The "dest" parameter is used by various actions, such as sendmail-whois.
So you can have this line using dest email in the jail.conf:
destemail=me@myemail.com
But you'd use "dest" like this (note the "dest" param in the "action" section):
[ssh-iptables]
#enabled = false
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
         mail-whois[name=SSH, dest=yourmail@mail.com]
logpath = /var/log/auth.log
maxretry = 5
Submitted by andreychek on Tue, 02/14/2017 - 09:56 Comment #5
ckwsp101, what you could always do in the meantime is to set up an email alias on your server that goes to the multiple email addresses you need, and configure fail2ban to send the email to the email alias rather than directly to the two addresses.
Jamie will have to decide whether it's feasible to support the two email addresses you mentioned -- even if he does though that feature may take a little time to be released.
Submitted by ckwsp101 on Tue, 02/14/2017 - 10:07 Comment #6
I'm ok with the email alias workaround.
Maybe add a note about the edit jail action other parameters input field strips out double quotes.
Online fail2ban postings contain examples with action dest="user1@example.com,user2@foo.com"
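A lint for the failure mode discussed in this thread, as an added example that is not part of the original posts and is not fail2ban's or Webmin's code: it splits an action spec on commas outside double quotes and reports tokens that end up with no key, which is what happens to the second address once the quotes around dest are stripped. The option grammar is a simplified assumption, and the names lint_action and split_options and the sample strings are constructed for illustration.

```python
import re

# Simplified model of an action spec such as
#   mail-whois-lines[name=SSHDOS, dest="root,admin@example.com"]
# Assumption: options are comma-separated key=value pairs, and a
# double-quoted value may contain commas. This is not fail2ban's parser.
ACTION_RE = re.compile(r'^\s*([\w\-.]+)\s*(?:\[(.*)\])?\s*$', re.S)

def split_options(body):
    """Split the text between [ and ] on commas outside double quotes."""
    tokens, current, quoted = [], [], False
    for ch in body:
        if ch == '"':
            quoted = not quoted
            current.append(ch)
        elif ch == ',' and not quoted:
            tokens.append(''.join(current).strip())
            current = []
        else:
            current.append(ch)
    tokens.append(''.join(current).strip())
    return [t for t in tokens if t]

def lint_action(spec):
    """Return (options, orphans): key/value pairs and tokens without a key."""
    m = ACTION_RE.match(spec)
    if not m:
        raise ValueError("not an action spec: %r" % spec)
    options, orphans = {}, []
    for token in split_options(m.group(2) or ''):
        key, sep, value = token.partition('=')
        if sep and key.strip():
            options[key.strip()] = value.strip().strip('"')
        else:
            orphans.append(token)  # e.g. an address cut loose by a stripped quote
    return options, orphans

# Constructed samples built from the values quoted in the thread.
QUOTED = 'mail-whois-lines[name=SSHDOS, dest="root,admin@example.com", logpath=%(sshd_log)s]'
STRIPPED = 'mail-whois-lines[name=SSHDOS, dest=root,admin@example.com, logpath=%(sshd_log)s]'

if __name__ == "__main__":
    for spec in (QUOTED, STRIPPED):
        opts, orphans = lint_action(spec)
        print("dest=%r orphans=%r" % (opts.get("dest"), orphans))
```

Running it over the action lines of a jail file after each edit through a GUI shows whether the notification recipients still parse as one dest value.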