Fail2ban - send Slack notifications

jail.local

...

action_with_slack_notification = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
                                 slack[name=%(__name__)s]
                                 
action = %(action_with_slack_notification)s

...

slack.conf

[Definition]

actioncheck =
actionstart = /bin/bash /etc/fail2ban/slack_notify.sh "The jail <name> has been started successfully." > /dev/null 2>&1
actionstop = /bin/bash /etc/fail2ban/slack_notify.sh "The jail <name> has been stopped." > /dev/null 2>&1
actionban = /bin/bash /etc/fail2ban/slack_notify.sh "Banned _country_ <ip> in the jail <name> after <failures> attempts" "<ip>" > /dev/null 2>&1
actionunban = /bin/bash /etc/fail2ban/slack_notify.sh "Unbanned _country_ <ip> in the jail <name>" "<ip>" > /dev/null 2>&1

# Default name of the chain
#
name = default

slack_notify.sh

#!/bin/bash

# message first command argument
MESSAGE=$1
HOOK_URL=https://hooks.slack.com/services/<your hook url>
HOST=$(hostname)

CHANNEL="#alerts"
USERNAME="fail2ban"
ICON=":cop:"

# ip second command argument
IP=$2
# lets find out from what country we have our hacker
COUNTRY=$(curl ipinfo.io/${IP}/country)
# converting country to lover case. I love you bash script =\
COUNTRY=$(echo "$COUNTRY" | tr -s  '[:upper:]'  '[:lower:]')
# slack emoji
COUNTRY=":flag-$COUNTRY:"

# replace _country_ template to the country emoji
MESSAGE="${MESSAGE/_country_/$COUNTRY}"

curl -X POST --data-urlencode "payload={\"channel\": \"${CHANNEL}\", \"username\": \"${USERNAME}\", \"text\": \"[${HOST}] ${MESSAGE}\", \"icon_emoji\": \"${ICON}\"}" ${HOOK_URL}

exit 0

Unfortunately, I have not gotten this to work :(
Fail2ban starts, but it's not sending anything to my Slack channel. Running the script manually works as expected.
Here's my jail.local

[sshd]
bantimer = 3600
findtime = 86400
enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 3
action_with_slack_notification = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
                                 slack[name=%(__name__)s]
action = %(action_with_slack_notification)s
banaction = iptables-multiport

Here's my slack.conf located in the action.d folder:

[Definition]

actioncheck =
actionstart = /bin/bash /etc/fail2ban/slack_notify.sh ":computer: The jail <name> has been started successfully. :computer:" > /dev/null 2>&1
actionstop = /bin/bash /etc/fail2ban/slack_notify.sh ":loudspeaker: The jail <name> has been stopped. :loudspeaker:" > /dev/null 2>&1
actionban = /bin/bash /etc/fail2ban/slack_notify.sh ":rotating_light: Banned _country_ <ip> in the jail <name> after <failures> attempts :rotating_light:" "<ip>" > /dev/null 2>&1
actionunban = /bin/bash /etc/fail2ban/slack_notify.sh ":heavy_check_mark: Unbanned _country_ <ip> in the jail <name> :heavy_check_mark:" "<ip>" > /dev/null 2>&1

# Default name of the chain
#
name = default

@I12crash

I ran into errors with this configuration also. I did find a working solution though:

Follow the steps (mostly) from this post instead: https://github.com/coleturner/fail2ban-slack-action
However, they seemed to be using a old/outdated method of webhooks.

• Create an app, and use the Incoming Webhooks feature within that app.
• Then convert all the curl calls in the slack-notify.conf to match the newer syntax (e.g. curl -X POST -H 'Content-type: application/json' --data '{"text":"Fail2Ban (<name>) jail has started"}' <slack_webhook_url>)
• You can remove the variables (slack_api_token and slack_channel) at the bottom of the slack-notify.conf file and add/initialize the <slack_webhook_url> variable that I used in the above curl statement (e.g. slack_webhook_url = https://hooks.slack.com/services/<yourwebhookpathgoeshere>

Thanks @mikey32230, I looked at this one as well. I may have to use that for now, but I was really hoping to get the Country Flag added to the messages just for the cool factor.

Thanks @mikey32230, I looked at this one as well. I may have to use that for now, but I was really hoping to get the Country Flag added to the messages just for the cool factor.

I originally got so frustrated with just trying to get any slack notifications to work at all I implemented the solution above and called it a day.

However, I then also noticed that it didn't get any location info, so I was thinking about adding that as well. Unless i'm missing something it should be pretty simple/straightforward to add that to what I posted above. Basically just add some of the code that is handling the Country/location lookup from the slack_notify.sh into the slack-notify.conf and add the info to the cURL request.

I may try to work on that in the next few days if I remember/have time.

Thanks @mikey32230, I looked at this one as well. I may have to use that for now, but I was really hoping to get the Country Flag added to the messages just for the cool factor.

I originally got so frustrated with just trying to get any slack notifications to work at all I implemented the solution above and called it a day.

However, I then also noticed that it didn't get any location info, so I was thinking about adding that as well. Unless i'm missing something it should be pretty simple/straightforward to add that to what I posted above. Basically just add some of the code that is handling the Country/location lookup from the slack_notify.sh into the slack-notify.conf and add the info to the cURL request.

I may try to work on that in the next few days if I remember/have time.

If I happen to figure it out I'll be sure to post it. Again, thanks for the reply.

@I12crash

All done, forked it and made the changes:
https://github.com/mikey32230/fail2ban-slack-action

@mickey32230 Thank you for this! I'm still having some issues when I start fail2ban with systemd, but progress is being made. Thanks for your insights and your fork with updates!

Hi @l12crash

Have you found the solution?