@Dman46
Last active July 15, 2020 20:20
Fail2ban - send Slack notifications
...
# jail.local: run the normal firewall ban action plus the Slack action (action.d/slack.conf)
# for every jail that uses %(action)s. The continuation line of the two-line value must be
# indented, otherwise fail2ban's ini parser reads it as a new key.
action_with_slack_notification = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
                                 slack[name=%(__name__)s]
action = %(action_with_slack_notification)s
...
# /etc/fail2ban/action.d/slack.conf: referenced from jail.local as slack[name=...]
[Definition]
actioncheck =
# <name>, <ip> and <failures> are substituted by fail2ban. The second script argument (the IP)
# is only passed for ban/unban, so slack_notify.sh must cope with it being absent.
actionstart = /bin/bash /etc/fail2ban/slack_notify.sh "The jail <name> has been started successfully." > /dev/null 2>&1
actionstop = /bin/bash /etc/fail2ban/slack_notify.sh "The jail <name> has been stopped." > /dev/null 2>&1
actionban = /bin/bash /etc/fail2ban/slack_notify.sh "Banned _country_ <ip> in the jail <name> after <failures> attempts" "<ip>" > /dev/null 2>&1
actionunban = /bin/bash /etc/fail2ban/slack_notify.sh "Unbanned _country_ <ip> in the jail <name>" "<ip>" > /dev/null 2>&1

[Init]
# Default jail name used in the messages (<name>); overridden by name=%(__name__)s from jail.local
name = default
#!/bin/bash
# /etc/fail2ban/slack_notify.sh
# Called by action.d/slack.conf as: slack_notify.sh "<message>" ["<ip>"]
# The webhook URL is a write credential for the Slack channel: keep this file root-owned
# and not world-readable (chmod 700), and do not commit the real URL.
# message first command argument
MESSAGE=$1
HOOK_URL=https://hooks.slack.com/services/<your hook url>
HOST=$(hostname)
CHANNEL="#alerts"
USERNAME="fail2ban"
ICON=":cop:"
# ip second command argument (empty for the start/stop notifications)
IP=$2
# Fallback emoji when there is no IP or the country lookup fails
COUNTRY=":globe_with_meridians:"
if [ -n "$IP" ]; then
    # Look up the source country; time out instead of blocking fail2ban's action thread
    CC=$(curl -s --max-time 5 "https://ipinfo.io/${IP}/country" 2>/dev/null | tr -d '[:space:]')
    # ipinfo returns a 2-letter ISO code; anything else (rate-limit page, private address,
    # error text) would produce a broken ":flag-...:" token, so it is ignored
    if [[ "$CC" =~ ^[A-Za-z]{2}$ ]]; then
        # Slack flag emoji use the lower-case country code, e.g. :flag-de:
        COUNTRY=":flag-$(echo "$CC" | tr '[:upper:]' '[:lower:]'):"
    fi
fi
# replace the _country_ template with the country emoji
MESSAGE="${MESSAGE/_country_/$COUNTRY}"
# Escape backslashes and double quotes so the substituted text cannot break out of the JSON string
TEXT=$(printf '%s' "[${HOST}] ${MESSAGE}" | sed 's/\\/\\\\/g; s/"/\\"/g')
curl -s --max-time 10 -X POST --data-urlencode "payload={\"channel\": \"${CHANNEL}\", \"username\": \"${USERNAME}\", \"text\": \"${TEXT}\", \"icon_emoji\": \"${ICON}\"}" "${HOOK_URL}" > /dev/null
# Always exit 0: a failed notification must not make fail2ban report the ban action itself as failed
exit 0
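The script above can only be checked end to end by banning a real address and watching Slack. The following is an added dry-run example (not part of the gist, and not the author's code) that reproduces the formatting steps offline so the edge cases can be exercised deterministically: the body that https://ipinfo.io/<ip>/country would return is passed in as a string, the IP argument is shape-checked before it is used, a lookup that returns anything other than a two-letter code falls back to a neutral emoji, and the text is escaped before it is spliced into the JSON payload. Host name, channel and addresses are constructed; the substitution uses sed rather than bash's `${var/pat/rep}` so the example runs under plain POSIX sh.

```shell
#!/bin/sh
# Dry run of the formatting slack_notify.sh performs, with no network access: the body that
# https://ipinfo.io/<ip>/country would return is passed in as a string. Added example, not
# part of the gist; the host name, channel and addresses below are constructed.

FALLBACK_FLAG=":globe_with_meridians:"   # used when there is no IP or the lookup returned junk

# Loose shape check for a bare IPv4 or IPv6 literal. fail2ban's <ip> is already a bare
# address, but the script is callable by anything on the host, so reject metacharacter junk
# before it is spliced into a URL or a message. Returns 0 when the shape is acceptable.
is_valid_ip() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$|^[0-9A-Fa-f:]{2,39}$'
}

# Map the raw lookup body to a Slack flag emoji. Only a two-letter code is trusted; an empty
# body, a rate-limit HTML page or an error string all yield the neutral fallback instead of
# a broken ":flag-<html>...:" token.
country_flag() {
    cc=$(printf '%s' "$1" | tr -d '[:space:]')
    case "$cc" in
        [A-Za-z][A-Za-z]) printf ':flag-%s:' "$(printf '%s' "$cc" | tr '[:upper:]' '[:lower:]')" ;;
        *) printf '%s' "$FALLBACK_FLAG" ;;
    esac
}

# Escape the two characters that let text break out of a JSON string literal when the
# payload is assembled by plain interpolation: backslash first, then the double quote.
json_escape() {
    printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'
}

# Build the payload string the script would POST to the webhook.
# Arguments: host, channel, username, icon, message template (may contain _country_),
# ip (empty for start/stop notifications), raw body of the country lookup.
slack_payload() {
    host=$1; channel=$2; username=$3; icon=$4; template=$5; ip=$6; lookup=$7
    flag=$FALLBACK_FLAG
    # Only trust the lookup result when there was a well-formed address to look up
    if [ -n "$ip" ] && is_valid_ip "$ip"; then
        flag=$(country_flag "$lookup")
    fi
    msg=$(printf '%s' "$template" | sed "s/_country_/$flag/")
    text=$(json_escape "[$host] $msg")
    printf '{"channel": "%s", "username": "%s", "text": "%s", "icon_emoji": "%s"}' \
        "$channel" "$username" "$text" "$icon"
}

# Constructed sample runs: a normal ban, a ban whose lookup hit a rate-limit page, and a
# start message containing double quotes. Each prints the JSON that would be posted.
slack_payload fw01 '#alerts' fail2ban ':cop:' \
    'Banned _country_ 203.0.113.7 in the jail sshd after 5 attempts' 203.0.113.7 'DE'
echo
slack_payload fw01 '#alerts' fail2ban ':cop:' \
    'Banned _country_ 198.51.100.9 in the jail sshd after 5 attempts' 198.51.100.9 '<html>429 Too Many Requests</html>'
echo
slack_payload fw01 '#alerts' fail2ban ':cop:' \
    'The jail "sshd" has been started successfully.' '' ''
echo
```

Once the payloads look right, the live path can be exercised without waiting for a real attacker: `fail2ban-client set sshd banip 203.0.113.7` triggers actionban for the sshd jail and `fail2ban-client set sshd unbanip 203.0.113.7` triggers actionunban; the `> /dev/null 2>&1` in slack.conf hides script errors, so run slack_notify.sh by hand first if nothing arrives.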
@I12crash

Thanks @mikey32230, I looked at this one as well. I may have to use that for now, but I was really hoping to get the Country Flag added to the messages just for the cool factor.

I originally got so frustrated with just trying to get any Slack notifications to work at all that I implemented the solution above and called it a day.

However, I then also noticed that it didn't get any location info, so I was thinking about adding that as well. Unless I'm missing something, it should be pretty simple/straightforward to add that to what I posted above. Basically just add some of the code that is handling the country/location lookup from the slack_notify.sh into the slack-notify.conf and add the info to the cURL request.

I may try to work on that in the next few days if I remember/have time.

If I happen to figure it out I'll be sure to post it. Again, thanks for the reply.

@mikey32230

@I12crash

All done, forked it and made the changes:
https://github.com/mikey32230/fail2ban-slack-action

@I12crash

@mikey32230 Thank you for this! I'm still having some issues when I start fail2ban with systemd, but progress is being made. Thanks for your insights and your fork with updates!

@a-ml commented Jul 15, 2020

Hi @I12crash

Have you found the solution?
