1 |
# Fail2Ban action for sending xarf Login-Attack messages to IP owner
|
1 |
# Fail2Ban action for sending xarf Login-Attack messages to IP owner
|
2 |
#
|
2 |
#
|
3 |
# IMPORTANT:
|
3 |
# IMPORTANT:
|
4 |
#
|
4 |
#
|
5 |
# Emailing a IP owner of abuse is a serious complain. Make sure that it is
|
5 |
# Emailing a IP owner of abuse is a serious complain. Make sure that it is
|
6 |
# serious. Fail2ban developers and network owners recommend you only use this
|
6 |
# serious. Fail2ban developers and network owners recommend you only use this
|
7 |
# action for:
|
7 |
# action for:
|
8 |
# * The recidive where the IP has been banned multiple times
|
8 |
# * The recidive where the IP has been banned multiple times
|
9 |
# * Where maxretry has been set quite high, beyond the normal user typing
|
9 |
# * Where maxretry has been set quite high, beyond the normal user typing
|
44 |
SERVICE=<service>
|
44 |
SERVICE=<service>
|
45 |
FAILURES=<failures>
|
45 |
FAILURES=<failures>
|
46 |
REPORTID=<time>@`uname -n`
|
46 |
REPORTID=<time>@`uname -n`
|
47 |
TLP=<tlp>
|
47 |
TLP=<tlp>
|
48 |
PORT=<port>
|
48 |
PORT=<port>
|
49 |
DATE=`LC_TIME=C date --date=@<time> +"%%a, %%d %%h %%Y %%T %%z"`
|
49 |
DATE=`LC_ALL=C date --date=@<time> +"%%a, %%d %%h %%Y %%T %%z"`
|
50 |
if [ ! -z "$ADDRESSES" ]; then
|
50 |
if [ ! -z "$ADDRESSES" ]; then
|
51 |
(printf -- %%b "<header>\n<message>\n<report>\n";
|
51 |
(printf -- %%b "<header>\n<message>\n<report>\n";
|
52 |
date '+Note: Local timezone is %%z (%%Z)';
|
52 |
date '+Note: Local timezone is %%z (%%Z)';
|
53 |
printf -- %%b "<ipmatches>\n\n<footer>") | <mailcmd> <mailargs> ${ADDRESSES//,/\" \"}
|
53 |
printf -- %%b "<ipmatches>\n\n<footer>") | <mailcmd> <mailargs> ${ADDRESSES//,/\" \"}
|
54 |
fi
|
54 |
fi
|
68 |
# Option: report
|
68 |
# Option: report
|
69 |
# Notes: Intended to be fixed
|
69 |
# Notes: Intended to be fixed
|
70 |
report = --Abuse-bfbb0f920793ac03cb8634bde14d8a1e\nMIME-Version: 1.0\nContent-Transfer-Encoding: 7bit\nContent-Type: text/plain; charset=utf-8; name=\"report.txt\";\n\n---\nReported-From: $FROM\nCategory: abuse\nReport-ID: $REPORTID\nReport-Type: login-attack\nService: $SERVICE\nVersion: 0.2\nUser-Agent: Fail2ban v0.9\nDate: $DATE\nSource-Type: ip-address\nSource: $IP\nPort: $PORT\nSchema-URL: http://www.x-arf.org/schema/abuse_login-attack_0.1.2.json\nAttachment: text/plain\nOccurances: $FAILURES\nTLP: $TLP\n\n\n--Abuse-bfbb0f920793ac03cb8634bde14d8a1e\nMIME-Version: 1.0\nContent-Transfer-Encoding: 7bit\nContent-Type: text/plain; charset=utf8; name=\"logfile.log\";
|
70 |
report = --Abuse-bfbb0f920793ac03cb8634bde14d8a1e\nMIME-Version: 1.0\nContent-Transfer-Encoding: 7bit\nContent-Type: text/plain; charset=utf-8; name=\"report.txt\";\n\n---\nReported-From: $FROM\nCategory: abuse\nReport-ID: $REPORTID\nReport-Type: login-attack\nService: $SERVICE\nVersion: 0.2\nUser-Agent: Fail2ban v0.9\nDate: $DATE\nSource-Type: ip-address\nSource: $IP\nPort: $PORT\nSchema-URL: http://www.x-arf.org/schema/abuse_login-attack_0.1.2.json\nAttachment: text/plain\nOccurances: $FAILURES\nTLP: $TLP\n\n\n--Abuse-bfbb0f920793ac03cb8634bde14d8a1e\nMIME-Version: 1.0\nContent-Transfer-Encoding: 7bit\nContent-Type: text/plain; charset=utf8; name=\"logfile.log\";
|
71 |
|
71 |
|
72 |
# Option: Message
|
72 |
# Option: Message
|
73 |
# Notes: This can be modified by the users
|
73 |
# Notes: This can be modified by the users
|
74 |
message = Dear Sir/Madam,\n\nWe have detected abuse from the IP address $IP, which according to abusix.com is on your network. We would appreciate if you would investigate and take action as appropriate.\n\nLog lines are given below, but please ask if you require any further information.\n\n(If you are not the correct person to contact about this please accept our apologies - your e-mail address was extracted from the whois record by an automated process.)\n\n This mail was generated by Fail2Ban in a X-ARF format! You can find more information about x-arf at http://www.x-arf.org/specification.html.\n\nThe recipient address of this report was provided by the Abuse Contact DB by abusix.com. abusix.com does not maintain the content of the database. All information which we pass out, derives from the RIR databases and is processed for ease of use. If you want to change or report non working abuse contacts please contact the appropriate RIR. If you have any further question, contact abusix.com directly via email (info@abusix.com). Information about the Abuse Contact Database can be found here: https://abusix.com/global-reporting/abuse-contact-db\nabusix.com is neither responsible nor liable for the content or accuracy of this message.\n
|
74 |
message = Dear Sir/Madam,\n\nWe have detected abuse from the IP address $IP, which according to abusix.com is on your network. We would appreciate if you would investigate and take action as appropriate.\n\nLog lines are given below, but please ask if you require any further information.\n\n(If you are not the correct person to contact about this please accept our apologies - your e-mail address was extracted from the whois record by an automated process.)\n\n This mail was generated by Fail2Ban in a X-ARF format! You can find more information about x-arf at http://www.x-arf.org/specification.html.\n\nThe recipient address of this report was provided by the Abuse Contact DB by abusix.com. abusix.com does not maintain the content of the database. All information which we pass out, derives from the RIR databases and is processed for ease of use. If you want to change or report non working abuse contacts please contact the appropriate RIR. If you have any further question, contact abusix.com directly via email (info@abusix.com). Information about the Abuse Contact Database can be found here: https://abusix.com/global-reporting/abuse-contact-db\nabusix.com is neither responsible nor liable for the content or accuracy of this message.\n
|
75 |
|
75 |
|
76 |
# Option: loglines
|
76 |
# Option: loglines
|
77 |
# Notes.: The number of log lines to search for the IP for the report
|
77 |
# Notes.: The number of log lines to search for the IP for the report
|
78 |
loglines = 9000
|
78 |
loglines = 9000
|
95 |
mailargs = -f <sender>
|
95 |
mailargs = -f <sender>
|
96 |
|
96 |
|
97 |
# Option: tlp
|
97 |
# Option: tlp
|
98 |
# Notes.: Traffic light protocol defining the sharing of this information.
|
98 |
# Notes.: Traffic light protocol defining the sharing of this information.
|
99 |
# http://www.trusted-introducer.org/ISTLPv11.pdf
|
99 |
# http://www.trusted-introducer.org/ISTLPv11.pdf
|
100 |
# green is share to those involved in network security but it is not
|
100 |
# green is share to those involved in network security but it is not
|
101 |
# to be released to the public.
|
101 |
# to be released to the public.
|
102 |
tlp = green
|
102 |
tlp = green
|
103 |
|
103 |
|
104 |
# ALL of the following parameters should be set so the report contains
|
104 |
# ALL of the following parameters should be set so the report contains
|
105 |
# meaningful information
|
105 |
# meaningful information
|