fail2ban

production/fail2ban/fail2ban_abuse_mail.sh

@@ -0,0 +1,43 @@
+#!/bin/bash
+
+PATH="$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+LANG="C"
+REMOTE_IP="$1"
+SENDER_MAIL="$2"
+DEST_MAIL="$3"
+LOGFILE="$4"
+DATE=$(date)
+WHOIS_OUTPUT=$(whois $REMOTE_IP)
+REVERSE_IP=$(echo $REMOTE_IP | awk 'BEGIN{FS=".";ORS="."} {for (i = NF; i > 0; i--){print $i}}')
+LOG_LINES=$(grep $REMOTE_IP $LOGFILE)
+BANNED_IP_PATH="/var/tmp/fail2ban_banned_ips"
+
+# Skip sending email when an email was already sent out for that IP the last 24hours
+if ! [ -d $BANNED_IP_PATH ]; then mkdir $BANNED_IP_PATH; else find ${BANNED_IP_PATH}/ -mtime +30 -type f -delete; fi
+if [ -n "$(find ${BANNED_IP_PATH}/$REMOTE_IP -mtime -1 2>/dev/null)" ]; then exit 0; else touch ${BANNED_IP_PATH}/$REMOTE_IP; fi
+
+# Get the Abuse email address from Abusix
+if DNS_REPLY=$(host -t TXT ${REVERSE_IP}abuse-contacts.abusix.org); then
+  ABUSE_ADDR=$(echo $DNS_REPLY | grep -Eio '\b[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}\b' | paste -sd ",")
+fi
+
+# Send email
+if [ $ABUSE_ADDR ]; then
+swaks -f $SENDER_MAIL -t "$ABUSE_ADDR" --tlsc -au fail2ban -ap pass -s mail.hatthieves.es -p 465 \
+--h-Subject "[Urgent]: Automatic abuse report for IP address $REMOTE_IP from hatthieves.es, please read" --h-From "Fail2Ban hatthieves.es <$SENDER_MAIL>" \
+--h-Bcc "webmail@hatthieves.es" --h-To $ABUSE_ADDR --body \
+"This is an automatic email abuse report about the IP address $REMOTE_IP generated at $DATE, please do not reply.
+You get this email because you are listed as the official and popular abuse email contact for this concrete IP address.
+
+The following intrusion attempts were detected by our systems:
+$LOG_LINES
+
+WHOIS report FYI:
+$WHOIS_OUTPUT
+
+Thanks for your time and curiosity... take care with botnets...
+- ANTIBOTNET SYSTEM -
+together will do a better and free world :-)
+from postmaster@hatthieves.es
+by www.HatThieves.es"
+fi