search

cjmling / findings

Notes on stuff i finds worth keeping for quick reference later on.
2 stars 0 forks source link

Nginx Fail2ban slack notification #120

Open cjmling opened 5 years ago

cjmling commented 5 years ago

We want to send notification to slack about IP address which seems sending too much request to our server.

1. Install Fail2ban

apt install fail2ban -y

2. Create a jail.local file in /etc/fail2ban/ folder

jail.local

[nginx-req-limit]

enabled = true
port = http,https
filter = nginx-req-limit
logpath = /var/log/nginx/access.log
maxretry = 6
findtime = 600
bantime = 7200
banaction = slack-notify

3. create nginx-req-limit.conf file in /etc/fail2ban/filter.d/ folder

nginx-req-limit.conf

# Fail2Ban configuration file

[Definition]

failregex = ^<HOST> -.*"(GET|POST).*HTTP.*"$

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =

Regex Credit: https://gist.github.com/Swop/6049297

4. Create slack-notify.conf in /etc/fail2ban/action.d/ folder

slack-notify.conf

#
# Author: Cole Turner
# coleturner.me
# turner.cole@gmail.com
#

[Definition]

# Option:  actionstart
# Notes.:  command executed once at the start of Fail2Ban.
# Values:  CMD
#
actionstart = curl -s -o /dev/null 'https://slack.com/api/chat.postMessage' -d 'token=<slack_api_token>' -d 'channel=#<slack_channel>' -d 'text=Fail2Ban (<name>) jail has started'

# Option:  actionstop
# Notes.:  command executed once at the end of Fail2Ban
# Values:  CMD
#
actionstop = curl -s -o /dev/null 'https://slack.com/api/chat.postMessage' -d 'token=<slack_api_token>' -d 'channel=#<slack_channel>' -d 'text=Fail2Ban (<name>) jail has stopped'

# Option:  actioncheck
# Notes.:  command executed once before each actionban command
# Values:  CMD
#
actioncheck =

# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    <ip>  IP address
#          <failures>  number of failures
#          <time>  unix timestamp of the ban time
# Values:  CMD
#

actionban = curl -s -o /dev/null 'https://slack.com/api/chat.postMessage' -d 'token=<slack_api_token>' -d 'channel=#<slack_channel>' -d 'text=Fail2Ban (<name>) banned IP *<ip>* for <failures> failure(s)'

# Option:  actionunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    <ip>  IP address
#          <failures>  number of failures
#          <time>  unix timestamp of the ban time
# Values:  CMD
#
actionunban = curl -s -o /dev/null 'https://slack.com/api/chat.postMessage' -d 'token=<slack_api_token>' -d 'channel=#<slack_channel>' -d 'text=Fail2Ban (<name>) unbanned IP *<ip>*'

[Init]

init = 'Sending notification to Slack'

slack_api_token = YOUR_SLACK_API_TOKEN_GOES_HERE
slack_channel = general

credit : https://github.com/coleturner/fail2ban-slack-action

Screenshot_192

5. run service fail2ban restart to start the service and should get notification to slack that it get started

If you doesn't get notification then service fail2ban status to see if there was any error

6. use fail2ban-client status or fail2ban-client status nginx-req-limit to view its status

cjmling commented 5 years ago

You might want to put extra config about ssh in jail.local and set enabled to false because its enabled by default in jail.conf and putting that config in jail.local with enabled false will disabled it as we don't need.

So it become

jail.local

[nginx-req-limit]

enabled = true
port = http,https
filter = nginx-req-limit
logpath = /var/log/nginx/access.log
maxretry = 6
findtime = 600
bantime = 7200
banaction = slack-notify

[ssh]
enabled = false
cjmling commented 5 years ago

We can use fail2ban-regex <logfile> <filter> to test the filter regex if its matching any existing log or not.

fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf

cjmling commented 5 years ago

We can pass param from jail to banaction

example

banaction = slack-notify[findtime=60, another_param=whatever]