fail2ban module should support multiple email addresses in mail-whois-line action

The fail2ban mail-whois-lines supports multiple email addresses in the dest parameter. The webmin module edit jail other parameters strips the needed double quotes associated with the dest string.

For example

dest="root,admin@example.com"

Will send mail to both root@localhost and admin@example.com.

[sshd-ddos]

This jail corresponds to the standard configuration in Fail2ban. The mail-whois action send a notification e-mail with a whois request in the body.

port = ssh logpath = %(sshd_log)s enabled = true filter = sshd-ddos action = mail-whois-lines[name=SSHDOS, dest=root,logpath=%(sshd_log)s]

Status: 
Active

Comments

Are you sure the parameter is called dest and not destemail ?

dest used in distribution available on Centos 7 from epel. Maybe other versions different?

fail2ban-all.noarch 0.9.5-3.el7 @epel

-sh-4.2$ cat mail-whois-lines.conf

Fail2Ban configuration file

#

Author: Cyril Jaquier Modified-By: Yaroslav Halchenko to include grepping on IP over log files

#

[INCLUDES]

before = mail-whois-common.conf

[Definition]

Option: actionstart Notes.: command executed once at the start of Fail2Ban. Values: CMD

# actionstart = printf %%b "Hi,\n The jail has been started successfully.\n Regards,\n Fail2Ban"|mail -s "[Fail2Ban] : started on uname -n"

Option: actionstop Notes.: command executed once at the end of Fail2Ban Values: CMD

# actionstop = printf %%b "Hi,\n The jail has been stopped.\n Regards,\n Fail2Ban"|mail -s "[Fail2Ban] : stopped on uname -n"

Option: actioncheck Notes.: command executed once before each actionban command Values: CMD

# actioncheck =

Option: actionban Notes.: command executed when banning an IP. Take care that the command is executed with Fail2Ban user rights. Tags: See jail.conf(5) man page Values: CMD

# actionban = printf %%b "Hi,\n The IP has just been banned by Fail2Ban after attempts against .\n\n Here is more information about :\n %(_whois_command)s\n\n Lines containing IP: in \n grep -E <grepopts> '(^|[^0-9])<ip>([^0-9]|$)' <logpath>\n\n Regards,\n Fail2Ban"|mail -s "[Fail2Ban] : banned from uname -n"

Option: actionunban Notes.: command executed when unbanning an IP. Take care that the command is executed with Fail2Ban user rights. Tags: See jail.conf(5) man page Values: CMD

# actionunban =

[Init]

Default name of the chain

# name = default

Destinataire of the mail

# dest = root

Path to the log files which contain relevant lines for the abuser IP

# logpath = /dev/null

Number of log lines to include in the email

# grepopts = -m 1000 -sh-4.2$

Jamie, I did a little looking into this -- it looks like "destemail" is a standalone parameter used in the jail.conf/jail.local files.

The "dest" parameter is used by various actions, such as sendmail-whois.

So you can have this line using dest email in the jail.conf:

destemail=me@myemail.com

But you'd use "dest" like this (note the "dest" param in the "action" section:

[ssh-iptables]
#enabled  = false
enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
          mail-whois[name=SSH, dest=yourmail@mail.com]
logpath  = /var/log/auth.log
maxretry = 5

ckwsp101, what you could always do in the meantime is to setup an email alias on your server that goes to the multiple email addresses you need, and configure fail2ban to email to send the email to the email alias rather than directly to the two addresses.

Jamie will have to decide whether it's feasible to support the two email addresses you mentioned -- even if he does though that feature may take a little time to be released.

I'm ok with the email alias work around.

Maybe add a note about the edit jail action other parameters input field strips out double quotes.

Online fail2ban postings contain examples with action dest="user1@example.com,user2@foo.com"