Sending FAIL2BAN notifications using a Telegram Bot

To install fail2ban just execute the following command:

apt-get install fail2ban

After installing fail2ban there is nothing else you need to do to get it working; it simply works out of the box. For the SSH daemon the default configuration bans an IP address for 10 minutes after 5 failed logins.

Every time an IP address gets banned we can send a notification using a Telegram bot. To do this we need to configure the file /etc/fail2ban/jail.conf; in this case I will do it for the SSH daemon, so find the [sshd] section and add the last two lines (the action definition) of the following block:

[sshd]
# To use more aggressive sshd modes set filter parameter "mode" in jail.local:
# normal (default), ddos, extra or aggressive (combines all).
# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
#mode   = normal
port    = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
action  = iptables[name=SSH, port=22, protocol=tcp]
			telegram

Make sure the word “telegram” is indented with a tab, so that fail2ban reads it as a second action belonging to the same action line.

Now create the file /etc/fail2ban/action.d/telegram.conf with the following content:

[Definition]
actionstart = /etc/fail2ban/scripts/send_telegram_notif.sh -a start 
actionstop = /etc/fail2ban/scripts/send_telegram_notif.sh -a stop
actioncheck = 
actionban = /etc/fail2ban/scripts/send_telegram_notif.sh -b <ip>
actionunban = /etc/fail2ban/scripts/send_telegram_notif.sh -u <ip>
[Init]
init = 123

This file is read every time the SSH jail triggers an action. You will find the latest version of the script send_telegram_notif.sh on my GitHub.

#!/bin/bash
# Version 1.0
# Send Fail2ban notifications using a Telegram Bot
# Add to the /etc/fail2ban/jail.conf:
# [sshd]
# ***
# action  = iptables[name=SSH, port=22, protocol=tcp]
#			telegram
# Create a new file in /etc/fail2ban/action.d with the following information:
# [Definition]
# actionstart = /etc/fail2ban/scripts/send_telegram_notif.sh -a start 
# actionstop = /etc/fail2ban/scripts/send_telegram_notif.sh -a stop
# actioncheck = 
# actionban = /etc/fail2ban/scripts/send_telegram_notif.sh -b <ip>
# actionunban = /etc/fail2ban/scripts/send_telegram_notif.sh -u <ip>
# 
# [Init]
# init = 123

# Telegram BOT Token
telegramBotToken='YOUR_BOT_TOKEN'
# Telegram Chat ID (for group chats this includes the leading dash, e.g. -23232323)
telegramChatID='YOUR_CHAT_ID'

# Print usage and exit with an error
function usage() {
	echo "Usage: $0 -a ( start | stop ) | -b <IP> | -u <IP>"
	exit 1
}

# Send a message to the configured chat through the Bot API.
# --data-urlencode keeps spaces and special characters in the message intact.
function talkToBot() {
	message=$1
	curl -s -X POST "https://api.telegram.org/bot${telegramBotToken}/sendMessage" \
		--data-urlencode "chat_id=${telegramChatID}" \
		--data-urlencode "text=${message}" > /dev/null 2>&1
}

# No arguments given: show usage
if [ $# -eq 0 ]; then
	usage
fi

while getopts "a:b:u:" opt; do
	case "$opt" in
		a)
			action=$OPTARG
		;;
		b)
			ban=y
			ip_add_ban=$OPTARG
		;;
		u)
			unban=y
			ip_add_unban=$OPTARG
		;;
		?)
			echo "Invalid option. -$OPTARG"
			exit 1
		;;
	esac
done

if [[ -n ${action} ]]; then
	case "${action}" in
		start)
			talkToBot "Fail2ban has been started"
		;;
		stop)
			talkToBot "Fail2ban has been stopped"
		;;
		*)
			echo "Incorrect option"
			exit 1
		;;
	esac
elif [[ ${ban} == "y" ]]; then
	talkToBot "The IP: ${ip_add_ban} has been banned"
	exit 0
elif [[ ${unban} == "y" ]]; then
	talkToBot "The IP: ${ip_add_unban} has been unbanned"
	exit 0
else
	# Reached when getopts consumed nothing usable (e.g. only non-option arguments)
	usage
fi

Take into account that the script needs execution permissions:

chmod +x /etc/fail2ban/scripts/send_telegram_notif.sh
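
As an added example (not the author's script), the notifier below reworks the same action flow with the defensive changes a practitioner would want: the bot token and chat id live in a root-only file instead of the script itself (which, after chmod +x, is normally readable by every local user), the IP handed over by fail2ban is validated before it reaches the curl command line, the jail name and failure count are included through fail2ban's <name> and <failures> tags, the message is URL-encoded, and a rejected API call makes the action exit non-zero so fail2ban logs the failure. The script name f2b_telegram.sh, the credentials file path and the argument layout are assumptions.

```shell
#!/bin/sh
# Added example, not the original script. Assumed action.d lines (the tags are real fail2ban tags):
#   actionban   = /etc/fail2ban/scripts/f2b_telegram.sh ban <ip> <name> <failures>
#   actionunban = /etc/fail2ban/scripts/f2b_telegram.sh unban <ip> <name>
CREDS_FILE="${F2B_TELEGRAM_CREDS:-/etc/fail2ban/telegram.creds}"  # assumed path; holds TOKEN='...' and CHAT_ID='...'

# Accept only an IPv4/IPv6 literal, so nothing else ever reaches the curl command line.
valid_ip() {
    case "$1" in
        ''|*[!0-9a-fA-F:.]*) return 1 ;;  # empty, or a character that cannot occur in an IP
        *:*) return 0 ;;                  # IPv6 (including IPv4-mapped ::ffff:a.b.c.d)
        *) printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' ;;
    esac
}
# Build the notification text from the fail2ban tags passed as arguments.
build_message() {  # build_message <start|stop|ban|unban> [ip] [jail] [failures]
    case "$1" in
        start) printf 'fail2ban has been started' ;;
        stop)  printf 'fail2ban has been stopped' ;;
        ban)   printf 'fail2ban [%s]: banned %s after %s failed logins' "${3:-?}" "$2" "${4:-?}" ;;
        unban) printf 'fail2ban [%s]: unbanned %s' "${3:-?}" "$2" ;;
        *)     return 1 ;;
    esac
}
# Read the token and chat id from a root-only file instead of the world-readable script.
load_creds() {
    [ "$(stat -c '%u:%a' "$CREDS_FILE" 2>/dev/null)" = "0:600" ] ||
        { echo "$CREDS_FILE must be owned by root with mode 600" >&2; return 1; }
    . "$CREDS_FILE"
    [ -n "${TOKEN:-}" ] && [ -n "${CHAT_ID:-}" ]
}

# URL-encode the message and check Telegram's answer; a non-zero exit makes fail2ban
# record the failed action in /var/log/fail2ban.log instead of losing it silently.
send_telegram() {
    resp=$(curl -sS --max-time 10 -X POST "https://api.telegram.org/bot${TOKEN}/sendMessage" \
        --data-urlencode "chat_id=${CHAT_ID}" --data-urlencode "text=$1") || return 1
    case "$resp" in
        '{"ok":true'*) return 0 ;;
        *) echo "Telegram API error: $resp" >&2; return 1 ;;
    esac
}

main() {
    case "$1" in
        ban|unban) valid_ip "${2:-}" || { echo "refusing to notify: invalid ip '${2:-}'" >&2; exit 2; } ;;
    esac
    msg=$(build_message "$@") || { echo "usage: $0 start|stop|ban <ip> [jail] [failures]|unban <ip> [jail]" >&2; exit 2; }
    load_creds && send_telegram "$msg"
}
if [ $# -gt 0 ]; then main "$@"; fi
```

A rejected IP or a failed API call shows up in /var/log/fail2ban.log as a failed action, which is the place the POC below already uses to confirm bans.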

Now just restart the service:

systemctl restart fail2ban

POC

I did some failed logins from a Kali VM:

These failed logins and the exact time at which the IP got banned can be checked in the fail2ban log file, /var/log/fail2ban.log:

And these are the messages I received in Telegram:

That’s all, stay tuned!

