fail2ban/fail2ban_abuse_mail.sh

#!/bin/bash

PATH="$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
LANG="C"
REMOTE_IP="$1"
SENDER_MAIL="$2"
DEST_MAIL="$3"
LOGFILE="$4"
DATE=$(date)
WHOIS_OUTPUT=$(whois $REMOTE_IP)
REVERSE_IP=$(echo $REMOTE_IP | awk 'BEGIN{FS=".";ORS="."} {for (i = NF; i > 0; i--){print $i}}')
LOG_LINES=$(grep $REMOTE_IP $LOGFILE)
BANNED_IP_PATH="/var/tmp/fail2ban_banned_ips"

# Skip sending email when an email was already sent out for that IP the last 24hours
if ! [ -d $BANNED_IP_PATH ]; then mkdir $BANNED_IP_PATH; else find ${BANNED_IP_PATH}/ -mtime +30 -type f -delete; fi
if [ -n "$(find ${BANNED_IP_PATH}/$REMOTE_IP -mtime -1 2>/dev/null)" ]; then exit 0; else touch ${BANNED_IP_PATH}/$REMOTE_IP; fi

# Get the Abuse email address from Abusix
if DNS_REPLY=$(host -t TXT ${REVERSE_IP}abuse-contacts.abusix.org); then
  ABUSE_ADDR=$(echo $DNS_REPLY | grep -Eio '\b[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}\b' | paste -sd ",")
fi

# Send email
if [ $ABUSE_ADDR ]; then
#sendmail -t -i -f $SENDER_MAIL $ABUSE_ADDR << EOF
swaks -f $SENDER_MAIL -t "$ABUSE_ADDR" --tlsc -au fail2ban -ap pass -s mail.hatthieves.es -p 465 \
--h-Subject "[Urgent]: Automatic abuse report for IP address $REMOTE_IP from hatthieves.es, please read" --h-From "Fail2Ban hatthieves.es <$SENDER_MAIL>" \
--h-Bcc "webmail@hatthieves.es" --h-To $ABUSE_ADDR --body \
"This is an automatic email abuse report about the IP address $REMOTE_IP generated at $DATE, please do not reply.
You get this email because you are listed as the official and popular abuse email contact for this concrete IP address.

The following intrusion attempts were detected by our systems:
$LOG_LINES

WHOIS report FYI:
$WHOIS_OUTPUT

Thanks for your time and curiosity... take care with botnets...
- ANTIBOTNET SYSTEM -
together will do a better and free world :-)
from postmaster@hatthieves.es
by www.HatThieves.es"
fi