sendmail-complain.conf
# Fail2Ban configuration file
#
# Author: Russell Odom <russ@gloomytrousers.co.uk>
# Adapted for sendmail by: Mike A. Leonetti
# Sends a complaint e-mail to addresses listed in the whois record for an
# offending IP address.
#
# You should provide the <logpath> in the jail config - lines from the log
# matching the given IP address will be provided in the complaint as evidence.
#
# Note that we will try to use e-mail addresses that are most likely to be abuse
# addresses (based on various keywords). If they aren't found we fall back on
# any other addresses found in the whois record, with a few exceptions.
# If no addresses are found, no e-mail is sent.
#
# $Revision: 717 $
#
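[Definition]

# Option: actionstart
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
#
actionstart =

# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
actionstop =

# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck =

# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
#         command is executed with Fail2Ban user rights.
#         The command looks up <ip> with whois, extracts e-mail addresses
#         with the perl one-liner (lines mentioning abuse/trouble/report/
#         spam/security are preferred, other addresses are the fallback)
#         and, if any address was found, pipes a complaint to sendmail.
# Tags:   <ip>        IP address
#         <failures>  number of failures
#         <failtime>  unix timestamp of the last failure
#         <bantime>   unix timestamp of the ban time
# Values: CMD
#
# Layout: every line of the command after the first must stay indented.
#         An unindented "IP=..." or "From: ..." line would be read as a
#         separate option instead of as part of this command.
#
# Security notes:
#  - The whois record and the matched log lines are data the banned party
#    can influence; both are treated as untrusted below.
#  - The domain part of the address pattern uses the class [a-z0-9\-]. A
#    stray "[" inside that class previously let "[" through into
#    $ADDRESSES, which is expanded unquoted on the sendmail command line.
#  - "--" ends sendmail option parsing, so an extracted address that
#    begins with "-" is handled as a recipient and not as a switch.
#  - Log lines are written by grep directly, not through printf's b
#    conversion, so backslash sequences inside a log line (for example in
#    a request path) are not interpreted while the mail is built.
#  - grep -F -w matches <ip> as a literal whole word: the dots are not
#    regex wildcards and 1.2.3.4 does not also select 11.2.3.45, which
#    would send another client's log lines to a third party.
#  - The evidence lines go to addresses taken from a whois record. Point
#    <logpath> only at logs whose lines you are willing to disclose.
#
actionban = ADDRESSES=`whois <ip> | perl -e 'while (<STDIN>) { next if /^changed|@(ripe|apnic)\.net/io; $m += (/abuse|trouble:|report|spam|security/io?3:0); if (/([a-z0-9_\-\.+]+@[a-z0-9\-]+(\.[a-z0-9\-]+)+)/io) { while (s/([a-z0-9_\-\.+]+@[a-z0-9\-]+(\.[a-z0-9\-]+)+)//io) { if ($m) { $a{lc($1)}=$m } else { $b{lc($1)}=$m } } $m=0 } else { $m && --$m } } if (%%a) {print join(",",keys(%%a))} else {print join(",",keys(%%b))}'`
            IP=<ip>
            if [ -n "$ADDRESSES" ]; then
                { printf %%b "Subject: Abuse from <ip>
            From: <sendername> <<sender>>
            To: $ADDRESSES\n
            <message>\nAddresses to send to\n$ADDRESSES\n\n`date '+Note: Local timezone is %%z (%%Z)'`\n"; grep -F -w '<ip>' <logpath>; } | /usr/sbin/sendmail -f <sender> -- $ADDRESSES
            fi

# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
#         command is executed with Fail2Ban user rights.
# Tags:   <ip>         IP address
#         <bantime>    unix timestamp of the ban time
#         <unbantime>  unix timestamp of the unban time
# Values: CMD
#
actionunban =
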
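[Init]

# Option: message
# Notes.: Body text of the complaint. It is placed inside a double-quoted
#         shell string by actionban, so \n becomes a line break and $IP is
#         replaced with the banned address. Keep double quotes, backticks
#         and further $ references out of this text.
# Values: String
message = Dear Sir/Madam,\n\nWe have detected abuse from the IP address $IP, which according to a whois lookup is on your network. We would appreciate if you would investigate and take action as appropriate.\n\nLog lines are given below, but please ask if you require any further information.\n\n(If you are not the correct person to contact about this please accept our apologies - your e-mail address was extracted from the whois record by an automated process. This mail was generated by Fail2Ban.)\n

# Option: logpath
# Notes.: Path to the log files which contain relevant lines for the abuser
#         IP. Separate several files with spaces. The previous form,
#         /var/log/{auth.log,mail.info,nginx/access.log}, relies on brace
#         expansion, which a plain /bin/sh such as dash does not perform;
#         grep would then be given one file name that does not exist.
#         Matching lines from these files are mailed to addresses taken
#         from a whois record, so list only logs that are safe to disclose.
# Values: FILE [FILE ...]
#
logpath = /var/log/auth.log /var/log/mail.info /var/log/nginx/access.log

# Option: sender
# Notes.: E-mail address that the e-mail will appear to come from. It is
#         used both in the From header and as the envelope sender
#         (sendmail -f). The value below is a placeholder: replace it with
#         an address you control before enabling this action.
# Values: String (Default: root@fail2ban)
sender = yourmail@adress.com

# Option: sendername
# Notes.: Full name that the e-mail will appear to come from
# Values: String (Default: Fail2ban)
sendername = Fail2ban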