OpenMediaVault-Plugin-Developers / openmediavault-fail2ban


Send daily summary of actions taken by Fail2Ban #5

Open HotBlack77 opened 9 years ago

HotBlack77 commented 9 years ago

The default logging mechanism of Fail2Ban is quite noisy. It would be great if the plugin supported sending a daily summary of actions taken instead of an individual email for each action.

The script below does what I describe. I have never gotten round to understanding how to make an OMV plugin, but I imagine it should be pretty easy to have the plugin add this as a cron job and then set Fail2Ban not to send mails itself.

#!/bin/bash
# Send Summary of last 24H Fail2Ban Actions taken

grep "Ban " /var/log/fail2ban.log | grep "$(date +%Y-%m-%d -d yesterday)" | /usr/bin/sort | /usr/bin/logresolve | /usr/bin/uniq -c | /usr/bin/sort -n | mail -s "Fail2Ban Yesterday Summary $(date +%Y-%m-%d -d yesterday)" name@example.com

LeeNX commented 9 years ago

Another option would be to just use logwatch, which is in a cron
/etc/cron.d/fail2ban-reports

# Security reports for Server
#MAILTO=root

# Weekly fail2ban reports - 01h01 Monday
1 01 * * 1 root /usr/sbin/logwatch  --service fail2ban --detail low --range 'between -1 week and today'

# Monthly fail2ban reports - 01h05 1st of the Month
5 01 1 * * root /usr/sbin/logwatch --service fail2ban --detail low --range 'between -1 month and today'

# Yearly fail2ban reports - 01h10 1st day of the Year
10 01 1 01 * root /usr/sbin/logwatch --service fail2ban --detail low --range 'between -1 year and today'

HotBlack77 commented 9 years ago

Yes, but don't you feel that logwatch would be worthy of being a whole plugin of its own?

LeeNX commented 9 years ago

Logwatch's own plugin, that is a different discussion.

I like the idea of only getting fail2ban reports that are useful. Using logwatch just makes that easier for this use case.

prbond commented 9 years ago

You can change Action = actionmw to Action = action if you don't want email report. You can add your cron job now.

You don't need the logwatch OMV plugin to use it, just use it. ;)

HotBlack77 commented 9 years ago

@prbond that's exactly what I do. I just thought others might like a simple way to do the same.

lorrin commented 7 years ago

Here's a slightly adapted version. It:

  1. omits the IP addresses (and thus also the impetus to call logresolve)
  2. groups by hour of the day and indicates how many were banned that hour

grep "Ban " /var/log/fail2ban.log | grep $(date +%Y-%m-%d -d yesterday) | \
sed -e 's/Ban [0-9\.]*/Ban/' | sed -e 's/\( [0-2][0-9]\):[0-9]\{2\}:[0-9]\{2\},[0-9]\{3\}/\1h/' | \
/usr/bin/sort -n | /usr/bin/uniq -c | \
mail -s "Fail2Ban Summary $(date +%Y-%m-%d -d yesterday)" root
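
The two pipelines in this thread (the per-day summary in the opening post and the per-hour grouping just above) both count "Ban " lines for one date; note that `grep "Ban "` is case sensitive and so already skips the `Unban` lines. The script below is an added example, not code from the issue or from the openmediavault-fail2ban plugin: it reads constructed sample lines in the default fail2ban.log format (the real file is /var/log/fail2ban.log by default), then reports bans for one day by jail, by hour, and lists addresses that were banned more than once that day. The function names, the sample addresses (taken from the documentation ranges) and the fixed date 2016-03-02 are assumptions for the demo.

```shell
#!/bin/sh
# Added example: daily Fail2Ban ban summary by jail, hour and repeat offender.
# Not from the issue thread or the plugin. Sample log lines are constructed;
# in production point the functions at /var/log/fail2ban.log instead.

# Constructed sample input in the default fail2ban.log line format.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
2016-03-01 23:58:01,117 fail2ban.actions [1234]: NOTICE [sshd] Ban 198.51.100.7
2016-03-02 00:05:12,201 fail2ban.actions [1234]: NOTICE [sshd] Ban 203.0.113.9
2016-03-02 00:41:55,004 fail2ban.actions [1234]: NOTICE [sshd] Ban 203.0.113.10
2016-03-02 03:17:30,551 fail2ban.actions [1234]: NOTICE [nginx-http-auth] Ban 192.0.2.44
2016-03-02 03:18:02,902 fail2ban.actions [1234]: NOTICE [sshd] Unban 198.51.100.7
2016-03-02 03:59:10,330 fail2ban.actions [1234]: NOTICE [sshd] Ban 203.0.113.9
2016-03-02 14:00:00,001 fail2ban.actions [1234]: NOTICE [sshd] Ban 198.51.100.8
2016-03-03 00:00:09,010 fail2ban.actions [1234]: NOTICE [sshd] Ban 203.0.113.11
EOF

# Select the "Ban" lines for one day. The date prefix anchors on the start of
# the line so a timestamp inside a message cannot match; " Ban " (capital B,
# surrounded by spaces) excludes the "Unban" lines.
# Usage: day_bans LOGFILE YYYY-MM-DD
day_bans() {
    grep "^$2 " "$1" | grep ' Ban '
}

# Bans per jail, most active jail first: lines of "<count> <jail>".
# The jail name is the last bracketed token before " Ban ".
bans_by_jail() {
    day_bans "$1" "$2" \
        | sed -e 's/.*\[\([^]]*\)\] Ban .*/\1/' \
        | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Bans per hour of the day: lines of "<count> <HH>h", like the sed trick above.
bans_by_hour() {
    day_bans "$1" "$2" \
        | sed -e 's/^[0-9-]* \([0-2][0-9]\):.*/\1h/' \
        | sort | uniq -c | awk '{print $1, $2}'
}

# Addresses banned more than once that day: lines of "<count> <ip>".
# A repeat means the address came back after the ban expired (bantime).
repeat_offenders() {
    day_bans "$1" "$2" \
        | awk '{print $NF}' | sort | uniq -c | awk '$1 > 1 {print $1, $2}'
}

# Full text report for one day; pipe this to mail(1) from cron.
daily_report() {
    printf 'Fail2Ban summary for %s\n\nBans by jail:\n' "$2"
    bans_by_jail "$1" "$2"
    printf '\nBans by hour:\n'
    bans_by_hour "$1" "$2"
    printf '\nAddresses banned more than once:\n'
    repeat_offenders "$1" "$2"
}

# Stand-alone demo on the constructed log; a cron job would use
#   daily_report /var/log/fail2ban.log "$(date +%Y-%m-%d -d yesterday)" | mail -s "Fail2Ban summary" root
daily_report "$SAMPLE_LOG" 2016-03-02
```

The `Unban` line and the events on the neighbouring days are deliberately in the sample so you can see both filters working: only the five bans dated 2016-03-02 are counted, and 203.0.113.9 shows up as a repeat offender. `date -d yesterday` is the GNU form used elsewhere in this thread, so the cron line is Debian/OMV specific.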