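#!/bin/bash
#
# fail2ban action helper: looks up the abuse contact for a banned IPv4 address
# through the Abusix DNS service and mails an abuse report with swaks.
#
# Usage:   <script> REMOTE_IP SENDER_MAIL DEST_MAIL LOGFILE
# Returns: 0 when the report is skipped or sent, 1 on an unsafe state
#          directory, 2 on missing arguments; otherwise the status of swaks.
#
# REMOTE_IP is attacker-influenced, and so are the log lines that get quoted
# in the mail. REMOTE_IP is therefore validated before it is used as a file
# name, a DNS label or a command argument, and every expansion is quoted.

set -u
umask 077

PATH="$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
export LANG="C"

readonly BANNED_IP_PATH="/var/tmp/fail2ban_banned_ips"
# Upper bound on quoted log lines: the body is handed to swaks as a single
# argument, and an unbounded match list can exceed the kernel's argument size.
readonly MAX_LOG_LINES=100

die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Succeeds only for a dotted-quad IPv4 address with every octet in 0..255.
is_ipv4() {
  local ip=$1 octet
  [[ $ip =~ ^([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$ ]] || return 1
  for octet in "${BASH_REMATCH[@]:1}"; do
    (( 10#$octet <= 255 )) || return 1
  done
}

if (( $# < 4 )); then
  printf 'Usage: %s REMOTE_IP SENDER_MAIL DEST_MAIL LOGFILE\n' "${0##*/}" >&2
  exit 2
fi

REMOTE_IP="$1"
SENDER_MAIL="$2"
# shellcheck disable=SC2034 # accepted for interface compatibility, never read
DEST_MAIL="$3"
LOGFILE="$4"

# The reverse lookup below only understands IPv4. Anything else (IPv6, or a
# value carrying '/', '-', whitespace or glob characters) is skipped before it
# can reach a file path or a command line. Exit 0 so the ban itself is not
# reported as a failed action.
if ! is_ipv4 "$REMOTE_IP"; then
  printf 'abuse report skipped: %q is not an IPv4 address\n' "$REMOTE_IP" >&2
  exit 0
fi

# State directory lives under world-writable /var/tmp, so refuse to use it
# unless it is a real directory (not a symlink) owned by the current user;
# otherwise another local account could steer touch/find -delete elsewhere.
if [[ -d "$BANNED_IP_PATH" && ! -L "$BANNED_IP_PATH" ]]; then
  [[ -O "$BANNED_IP_PATH" ]] || die "refusing to use $BANNED_IP_PATH: not owned by this user"
  find "${BANNED_IP_PATH}/" -mtime +30 -type f -delete
else
  mkdir -m 0700 -- "$BANNED_IP_PATH" || die "cannot create $BANNED_IP_PATH"
fi

# Skip sending email when an email was already sent out for that IP the last 24hours
STAMP_FILE="${BANNED_IP_PATH}/${REMOTE_IP}"
if [[ -n "$(find "$STAMP_FILE" -mtime -1 2>/dev/null)" ]]; then
  exit 0
else
  touch -- "$STAMP_FILE"
fi

# Get the Abuse email address from Abusix (query name is the reversed octets).
IFS=. read -r OCTET1 OCTET2 OCTET3 OCTET4 <<<"$REMOTE_IP"
REVERSE_IP="${OCTET4}.${OCTET3}.${OCTET2}.${OCTET1}."

ABUSE_ADDR=""
if DNS_REPLY=$(host -t TXT "${REVERSE_IP}abuse-contacts.abusix.org"); then
  ABUSE_ADDR=$(printf '%s\n' "$DNS_REPLY" \
    | grep -Eio '\b[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}\b' \
    | paste -sd ",")
fi

# Send email
if [[ -n "$ABUSE_ADDR" ]]; then
  # Collected only when a report is actually sent, so a suppressed or
  # unroutable report costs no whois query and no log scan.
  DATE=$(date)
  WHOIS_OUTPUT=$(whois "$REMOTE_IP")
  # -F: the dots in the address are literal, not regex wildcards.
  # -w: 1.2.3.4 must not also match 11.2.3.4 or 1.2.3.40.
  # LOGFILE stays unquoted on purpose: the caller may pass several paths or a
  # glob in one argument. It comes from the fail2ban configuration, not from
  # the remote host.
  # shellcheck disable=SC2086
  LOG_LINES=$(grep -wF -- "$REMOTE_IP" $LOGFILE | tail -n "$MAX_LOG_LINES")

  MAIL_BODY="This is an automatic email abuse report about the IP address $REMOTE_IP generated at $DATE, please do not reply.

You get this email because you are listed as the official and popular abuse email contact for this concrete IP address.

The following intrusion attempts were detected by our systems:

$LOG_LINES

WHOIS report FYI:

$WHOIS_OUTPUT

Thanks for your time and curiosity... take care with botnets...

- ANTIBOTNET SYSTEM - together will do a better and free world :-)

from postmaster@hatthieves.es by www.HatThieves.es"

  # NOTE(review): the SMTP password is a literal in this file and is passed on
  # the command line, so it is readable by anyone who can read the script or
  # list processes while swaks runs. Move it to a root-only file that swaks
  # loads itself (see its --config option) and rotate the credential.
  # NOTE(review): --h-Bcc only sets a header in the message; confirm that the
  # Bcc address really receives a copy and that the header is not disclosed
  # to the abuse contact.
  SWAKS_ARGS=(
    -f "$SENDER_MAIL"
    -t "$ABUSE_ADDR"
    --tlsc
    -au fail2ban
    -ap pass
    -s mail.hatthieves.es
    -p 465
    --h-Subject "[Urgent]: Automatic abuse report for IP address $REMOTE_IP from hatthieves.es"
    --h-From "Fail2Ban hatthieves.es <$SENDER_MAIL>"
    --h-Bcc "webmail@hatthieves.es"
    --h-To "$ABUSE_ADDR"
    --body "$MAIL_BODY"
  )
  swaks "${SWAKS_ARGS[@]}"
fi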