fail2ban with Jabber notifications

Configure sendxmpp

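sendxmpp is a small Python script that sends Jabber messages. Save it somewhere the fail2ban user can access (the action below expects /usr/local/bin/scripts/send_xmpp_fail2ban.py) and edit the tojid and jidparams variables. The script holds the Jabber password in clear text, so make sure other users cannot read it.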

#!/usr/bin/python
# Sends all command-line arguments as one Jabber message (needs the xmpppy "xmpp" module).
import sys, time
import xmpp

tojid = "user@example.org"        # recipient of the notifications
text = ' '.join(sys.argv[1:])     # message body: all arguments joined by spaces

jidparams = {}

jidparams['jid'] = "fail2ban@example.org/home"   # sending account, including resource
jidparams['password'] = "changeme"
jid = xmpp.protocol.JID(jidparams['jid'])
cl = xmpp.Client(jid.getDomain(), debug=[])

con = cl.connect()
if not con:
    sys.exit("could not connect to the Jabber server")   # exits with status 1

auth = cl.auth(jid.getNode(), jidparams['password'], resource=jid.getResource())
if not auth:
    sys.exit("authentication failed")

#cl.SendInitPresence(requestRoster=0)   # you may need to uncomment this for old server
msg_id = cl.send(xmpp.protocol.Message(tojid, text))

time.sleep(1)   # some older servers will not send the message if you disconnect immediately after sending

#cl.disconnect()
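
The script above keeps the Jabber password in the script file itself. As an added example (not part of the original page), this variant reads the credentials from a separate file and refuses to use it unless it is private to the invoking user. CRED_FILE, its [xmpp] section layout, MAX_LEN and the function names are assumptions, as is Python 3 with xmpppy.

```python
#!/usr/bin/python3
import configparser, os, stat, sys, time

CRED_FILE = "/etc/fail2ban/xmpp.secret"  # hypothetical path; INI file with an
                                         # [xmpp] section: jid, password, tojid
MAX_LEN = 1500                           # assumed cap, whois output can be long


def load_credentials(path):
    """Return (jid, password, tojid); refuse a file other users can access."""
    with open(path) as fh:
        st = os.fstat(fh.fileno())       # check the file that was actually opened
        if st.st_uid != os.geteuid():
            raise PermissionError("%s: not owned by the invoking user" % path)
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise PermissionError("%s: group/other access set, chmod 600" % path)
        cfg = configparser.ConfigParser(interpolation=None)  # keep '%' literal
        cfg.read_file(fh)
    sec = cfg["xmpp"]
    return sec["jid"], sec["password"], sec["tojid"]


def build_text(args):
    """Join the arguments, drop control characters (keeps newline and tab), cap the length."""
    text = " ".join(args)
    text = "".join(c for c in text if c in "\n\t" or ord(c) >= 32)
    return text[:MAX_LEN]


def send(jid_str, password, tojid, text):
    import xmpp  # xmpppy; imported here so the helpers above work without it
    jid = xmpp.protocol.JID(jid_str)
    cl = xmpp.Client(jid.getDomain(), debug=[])
    if not cl.connect():
        raise RuntimeError("connection failed")
    if not cl.auth(jid.getNode(), password, resource=jid.getResource()):
        raise RuntimeError("authentication failed")
    cl.send(xmpp.protocol.Message(tojid, text))
    time.sleep(1)  # same grace period as the script above


if __name__ == "__main__":
    try:
        creds = load_credentials(CRED_FILE)
        send(*creds, build_text(sys.argv[1:]))
    except Exception as exc:
        sys.exit("send_xmpp: %s" % exc)  # message on stderr, exit status 1
```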

Define the "XMPP" action

In /etc/fail2ban/action.d/xmpp.conf, configure the action when a ban occurs:

[Definition]

actionstart = 
actionstop = 
actionban = /usr/local/bin/scripts/send_xmpp_fail2ban.py "[Fail2Ban]<time> Banned <ip> in Jail <name> after <failures> \
            attempts `whois <ip>`" > /dev/null 2>&1
actionunban =

Set this action as default in /etc/fail2ban/jail.conf:

# ban & send jabber message
action_xmpp = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s"]
                xmpp[name=%(__name__)s]

# Choose default action.  To change, just override value of 'action' with the
# interpolation to the chosen action shortcut (e.g.  action_mw, action_mwl, etc) in jail.local
# globally (section [DEFAULT]) or per specific section

action = %(action_xmpp)s

Testing fail2ban regexes

fail2ban-regex /var/log/logname.log /etc/fail2ban/filter.d/filtername.conf