alerta-contrib/integrations/fail2ban/README.md
2018-12-02 20:26:57 +01:00

Fail2Ban

Sends an Alerta event (alarm) when fail2ban bans a source IP (for example, a valid user repeatedly supplying an invalid password via SSHD or SFTP).

Configuration

The Alerta webhook module and its documentation can be found here

Clone the git repo on the server where fail2ban is installed and run the following commands as root:

Copy action script

cp -a fail2ban-alerta.sh /usr/local/bin/
chown root:root /usr/local/bin/fail2ban-alerta.sh
chmod +x /usr/local/bin/fail2ban-alerta.sh

Copy fail2ban action configuration file

cp -a alerta.conf /etc/fail2ban/action.d/
chown root:root /etc/fail2ban/action.d/alerta.conf

Modify the configuration of the sshd jail in the existing /etc/fail2ban/jail.local file by adding the additional alerta action, and be sure to set the action's input parameters (alertaurl and alertaapikey) accordingly.

Note: An example jail.local file is also provided.

[sshd]

enabled  = true
port     = ssh
logpath  = %(sshd_log)s
action   = %(action_mwl)s
           alerta[alertaurl=https://alerta.example.com/api/webhooks/fail2ban, alertaapikey=EXdp3haf4Xkk7Dpk5MFrqfafn6nYGgtz4JL4XzBY]
maxretry = 4

Restart fail2ban service

systemctl restart fail2ban
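To show what the action script wired in above has to do, here is an added example (my own code, not the repository's fail2ban-alerta.sh) of a minimal POSIX sh action that fail2ban could call with the banned IP, jail name, failure count, alertaurl and alertaapikey; the JSON field names, the `Fail2BanBan` event name and the `Authorization: Key` header are assumptions, so check them against the webhook module's documentation.

```shell
#!/bin/sh
# Added example action script for a fail2ban action.d entry such as
#   actionban = /usr/local/bin/fail2ban-alerta.sh <ip> <name> <failures> <alertaurl> <alertaapikey>
# Payload field names and the auth header are assumed, not taken from the project.
set -eu

# Build the JSON body for one ban event. Arguments: ip jail failures.
build_ban_payload() {
    ip=$1; jail=$2; failures=$3
    # Only accept plain IPv4/IPv6 literals and simple jail names, so a
    # crafted log line can never inject characters into the JSON we send.
    case "$ip" in
        *[!0-9a-fA-F:.]*|"") echo "refusing bad ip: $ip" >&2; return 1 ;;
    esac
    case "$jail" in
        *[!0-9a-zA-Z_-]*|"") echo "refusing bad jail name: $jail" >&2; return 1 ;;
    esac
    case "$failures" in
        *[!0-9]*|"") failures=0 ;;
    esac
    printf '{"resource":"%s","event":"Fail2BanBan","environment":"Production","severity":"warning","service":["%s"],"group":"fail2ban","value":"%s","text":"banned by fail2ban jail %s after %s failures"}' \
        "$ip" "$jail" "$failures" "$jail" "$failures"
}

# POST the payload to the Alerta fail2ban webhook.
# Arguments: ip jail failures alertaurl alertaapikey.
send_ban() {
    url=$4; apikey=$5
    payload=$(build_ban_payload "$1" "$2" "$3") || return 1
    # The key travels in a header rather than the URL so it does not end
    # up in proxy or web-server access logs. CURL can be overridden for a dry run.
    ${CURL:-curl} -sS -f -X POST "$url" \
        -H "Content-Type: application/json" \
        -H "Authorization: Key $apikey" \
        --data "$payload"
}

# Act only when fail2ban invokes the script with all five arguments.
if [ "$#" -eq 5 ]; then
    send_ban "$@"
fi
```

Setting `CURL=echo` in the environment prints the request instead of sending it, which is a quick way to check the wiring before restarting fail2ban.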