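#!/bin/sh
#
# <azet@azet.org>
# MIT License (http://www.opensource.org/licenses/mit-license.php)
#
# checks fail2ban logs and mails admin/abuse@
# hacked this in 30 mins, not a nice code, i know.. but it works.
#
# Flow: print the fail2ban log, collect the address that follows "Ban" /
# "Unban" on each log line, look up abuse contacts for each via whois, and
# send one notice per contact listing every collected IP. Must run as root.
# Written for POSIX sh: no "echo -e" or other bashisms under #!/bin/sh.
#
#################################################################
#debug:
#set -vx
#config:
fail2ban_serve_notice_addr="fail2ban_serve_notice@tartaros.azet.org"
replyto_addr="abuse@azet.org"
fail2ban_log="/var/log/fail2ban.log"
# Work file holding "IP: ..." lines followed by the harvested contact
# addresses; created by mktemp below, empty until then.
tmp_log=""

#######################################
# Remove the work file and exit.
# Globals:   tmp_log (read)
# Arguments: $1 - exit status (default 0)
# Returns:   does not return
#######################################
cleanup() {
  rc=${1:-0}
  echo ">> cleaning up TMP logfile"
  if [ -n "$tmp_log" ] && [ -f "$tmp_log" ]; then
    rm -f -- "$tmp_log"
  fi
  exit "$rc"
}
# A trapped signal is an abnormal end, so exit non-zero rather than 0.
# SIGKILL (9) cannot be trapped and is therefore not listed.
trap 'cleanup 1' 1 2 11 15

if [ "$(id -u)" != "0" ]; then echo 'no superuser privileges.' ; exit 1; fi

# mktemp instead of a fixed /tmp name: root writing to a predictable path
# could follow a pre-planted symlink, and a leftover file from an earlier
# run would be appended to, mailing its stale IPs and contacts again.
tmp_log=$(mktemp /tmp/fail2ban_serve_notice.XXXXXX) || {
  echo 'cannot create TMP logfile' >&2
  exit 1
}

printf '\n>> current fail2ban log (uniq & sorted output):\n\n\n'
sort -n -- "$fail2ban_log" | uniq

printf '\n>> proceeding with whois of banned IPs: \n'
# The IP is the word after "Ban"/"Unban"; locating it by keyword instead of
# a fixed awk field number survives the extra "[pid]:" column that newer
# fail2ban log formats insert before the level.
banned_ips=$(
  awk '{ for (i = 1; i < NF; i++) if ($i == "Ban" || $i == "Unban") { print $(i + 1); break } }' "$fail2ban_log" \
    | sort -n -u
)
# Word-splitting on $banned_ips is intended: one token per line, no spaces.
for banned_ip in $banned_ips; do
  # Only hand IP-looking tokens to whois: the log is derived from attacker
  # traffic, and a stray word (or a token starting with "-") must not become
  # a whois argument.
  case "$banned_ip" in
    '' | *[!0-9A-Fa-f.:]*) continue ;;
  esac
  echo "IP: $banned_ip" >> "$tmp_log"
  whois "$banned_ip" | grep abuse@
  whois -raA "$banned_ip" | grep e-mail
  printf '.' >&2
done | grep -Eio '[[:alnum:]_.-]+@[[:alnum:]_.-]+\.[[:alpha:].]{2,6}' | sort | uniq >> "$tmp_log"
# No "grep -r" above: GNU grep given -r and no file operand searches the
# current directory instead of stdin. The match also no longer keeps an
# optional "mailto:" prefix, which would otherwise land in the To: header.

bannedips=$(grep 'IP:' "$tmp_log" | uniq)

printf '\n\n\n'
# Contact values are limited by the regex above to address characters, so
# none can carry a newline (or a second header) into the header block.
# The blank line after Subject: ends the header section for sendmail -t.
for mail in $(grep '@' "$tmp_log" | uniq); do
  echo ">> sending mail to $mail"
  cat << EOM | /usr/sbin/sendmail -t || echo ">> sendmail failed for $mail" >&2
To: ${mail}
From: ${fail2ban_serve_notice_addr}
Reply-To: ${replyto_addr}
Subject: [ABUSE] Network Attack from your IP-Range detected!

Body:
Hi fellow Engineer/Admin/SysOp!
Please be aware that fail2ban banned one or more of your IPs due to Denial of Service or Break-In attempts!
You are obliged to fix this issue immediately (http://en.wikipedia.org/wiki/Denial-of-service_attack#Legality)
- http://tools.ietf.org/html/rfc4732
- http://www.technicallylegal.org/the-legality-of-denial-of-service-attacks/
- http://nakedsecurity.sophos.com/2010/12/09/are-ddos-distributed-denial-of-service-attacks-against-the-law/
This might be an distributed attack, all currently banned IPs:
${bannedips}
Thank You!
.
EOM
done

cleanup 0
#EOF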