Блог

Я пытаюсь настроить fail2ban для получения электронной почты, когда IP-адрес запрещен.

Я изменил файл конфигурации jail.local. Я изменил параметр action на action_mwl. Я установил sendmail.

Я получаю электронные письма, когда fail2ban остановлен или запущен, но не когда IP-адрес запрещен, поэтому электронные письма можно отправлять с сервера.

Что я упускаю?

Спасибо

 mike@test:~$ sudo cat /etc/fail2ban/jail.local
# Fail2Ban configuration file.
#
# This file was composed for Debian systems from the original one
# provided now under /usr/share/doc/fail2ban/examples/jail.conf
# for additional examples.
#
# Comments: use '#' for comment lines and ';' for inline comments
#
# To avoid merges during upgrades DO NOT MODIFY THIS FILE
# and rather provide your changes in /etc/fail2ban/jail.local
#

# The DEFAULT allows a global definition of the options. They can be overridden
# in each jail afterwards.

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1/8

# "bantime" is the number of seconds that a host is banned.
bantime  = 120

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 600
maxretry = 3

# "backend" specifies the backend used to get files modification.
# Available options are "pyinotify", "gamin", "polling" and "auto".
# This option can be overridden in each jail as well.
#
# pyinotify: requires pyinotify (a file alteration monitor) to be installed.
#            If pyinotify is not installed, Fail2ban will use auto.
# gamin:     requires Gamin (a file alteration monitor) to be installed.
#            If Gamin is not installed, Fail2ban will use auto.
# polling:   uses a polling algorithm which does not require external libraries.
# auto:      will try to use the following backends, in order:
#            pyinotify, gamin, polling.
backend = auto

# "usedns" specifies if jails should trust hostnames in logs,
#   warn when reverse DNS lookups are performed, or ignore all hostnames in logs
#
# yes:   if a hostname is encountered, a reverse DNS lookup will be performed.
# warn:  if a hostname is encountered, a reverse DNS lookup will be performed,
#        but it will be logged as a warning.
# no:    if a hostname is encountered, will not be used for banning,
#        but it will be logged as info.
usedns = warn

#
# Destination email address used solely for the interpolations in
# jail.{conf,local} configuration files.
destemail = mike@test.com

#
# Name of the sender for mta actions
sendername = Fail2Ban

#
# ACTIONS
#

# Default banning action (e.g. iptables, iptables-new,
# iptables-multiport, shorewall, etc) It is used to define
# action_* variables. Can be overridden globally or per
# section within jail.local file
banaction = iptables-multiport

# email action. Since 0.8.1 upstream fail2ban uses sendmail
# MTA for the mailing. Change mta configuration parameter to mail
# if you want to revert to conventional 'mail'.
mta = sendmail

# Default protocol
protocol = tcp

# Specify chain where jumps would need to be added in iptables-* actions
chain = INPUT

#
# Action shortcuts. To be used to define action parameter

# The simplest action to take: ban only
action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]

# ban amp; send an e-mail with whois report to the destemail.
action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
              %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s", sendername="%(sendername)s"]

# ban amp; send an e-mail with whois report and relevant log lines
# to the destemail.
action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
               %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s", sendername="%(sendername)s"]

# Choose default action.  To change, just override value of 'action' with the
# interpolation to the chosen action shortcut (e.g.  action_mw, action_mwl, etc) in jail.local
# globally (section [DEFAULT]) or per specific section
action = %(action_mwl)s

#
# JAILS
#

# Next jails corresponds to the standard configuration in Fail2ban 0.6 which
# was shipped in Debian. Enable any defined here jail by including
#
# [SECTION_NAME]
# enabled = true

#
# in /etc/fail2ban/jail.local.
#
# Optionally you may override any other parameter (e.g. banaction,
# action, port, logpath, etc) in that section within jail.local

[ssh]

enabled  = true
port     = 23222
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 4
  

Вот выдержка из моего журнала fail2ban, мы видим, что IP-адрес запрещен, но я не получил электронное письмо.

 2014-07-03 05:14:01,418 fail2ban.server : INFO   Stopping all jails
2014-07-03 05:15:02,140 fail2ban.jail   : INFO   Jail 'ssh' stopped
2014-07-03 05:15:02,144 fail2ban.server : INFO   Exiting Fail2ban
2014-07-03 05:15:13,245 fail2ban.server : INFO   Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.11
2014-07-03 05:15:13,246 fail2ban.jail   : INFO   Creating new jail 'ssh'
2014-07-03 05:15:13,270 fail2ban.jail   : INFO   Jail 'ssh' uses pyinotify
2014-07-03 05:15:13,294 fail2ban.jail   : INFO   Initiated 'pyinotify' backend
2014-07-03 05:15:13,295 fail2ban.filter : INFO   Added logfile = /var/log/auth.log
2014-07-03 05:15:13,297 fail2ban.filter : INFO   Set maxRetry = 4
2014-07-03 05:15:13,297 fail2ban.filter : INFO   Set findtime = 600
2014-07-03 05:15:13,298 fail2ban.actions: INFO   Set banTime = 120
2014-07-03 05:15:13,344 fail2ban.jail   : INFO   Jail 'ssh' started
2014-07-03 05:16:13,533 fail2ban.actions: WARNING [ssh] Ban x.x.x.x
2014-07-03 05:17:13,669 fail2ban.actions: INFO   [ssh] x.x.x.x already banned
2014-07-03 05:18:13,734 fail2ban.actions: WARNING [ssh] Unban x.x.x.x