How to send notifications from Linux fail2ban, ssh auth and other actions to Slack

For this approach I will use my slackpost.sh script to send messages to Slack. More about it can be found here – https://mindau.de/blog/en/en-post-messages-slack-linux/

fail2ban

How to install and configure fail2ban is described, for example, here – https://www.digitalocean.com/community/tutorials/how-to-protect-ssh-with-fail2ban-on-ubuntu-14-04

Now edit the fail2ban jail.local file:

sudo nano /etc/fail2ban/jail.local

and add the “slack” action to every jail where you want to use it. For example:

...
[ssh]

enabled = true
port = ssh,sftp,22
filter = sshd
logpath = /var/log/auth.log
bantime = 900
banaction = iptables-allports
findtime = 900
maxretry = 2
action   = iptables[name=SSH, port=12345, protocol=tcp]
           slack
...

Now create a new config file for the slack action:

sudo nano /etc/fail2ban/action.d/slack.conf

and paste this into it:

...

# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    <ip>  IP address
#          <failures>  number of failures
#          <time>  unix timestamp of the ban time
# Values:  CMD
#
actionban = /path/to/slack-report.sh fail2ban ban <ip>

...

Put slack-report.sh in a bin folder (the path you used in actionban) and restart the fail2ban service:

sudo service fail2ban restart

SSH AUTH REPORT

sudo nano /etc/pam.d/sshd

and add this line to the file:

session optional pam_exec.so seteuid /path/to/slack-report.sh sshauth

and finally the slack-report.sh script itself:
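The author's slack-report.sh is not reproduced on this page. What follows is an added example (my own, not the author's script) that accepts both call forms used above: "fail2ban ban <ip>" from the action file and "sshauth" from pam_exec. It reads the PAM_USER, PAM_RHOST and PAM_TYPE variables that pam_exec exports, escapes the text before embedding it in JSON so a crafted username or reverse-DNS name cannot break the payload, and posts through a Slack incoming webhook whose URL it takes from the SLACK_WEBHOOK_URL environment variable. That webhook URL, the REPORT_HOST override and the curl call are my assumptions; the original post sends through the author's slackpost.sh instead. When no webhook URL is set the script prints the payload rather than sending it, which is also how it can be tested on the command line.

```shell
#!/bin/sh
# slack-report.sh (added example, not the author's script).
# Called by fail2ban as:   slack-report.sh fail2ban ban <ip>
# Called by pam_exec as:   slack-report.sh sshauth
#   (pam_exec exports PAM_USER, PAM_RHOST, PAM_TYPE to the child)
# Assumption: SLACK_WEBHOOK_URL holds a Slack incoming-webhook URL.

# Make a string safe inside a JSON string literal: drop control characters
# (raw newlines are invalid in JSON) and escape backslashes and quotes.
json_escape() {
    printf '%s' "$1" | tr -d '\000-\037' | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Compose the human-readable message for each caller.
# REPORT_HOST is an assumed override for the host name (handy for testing).
build_message() {
    host="${REPORT_HOST:-$(uname -n)}"
    case "$1" in
        fail2ban)
            # $2 is the action (ban/unban), $3 the offending IP passed via <ip>
            printf '[%s] fail2ban %s: %s' "$host" "$2" "$3"
            ;;
        sshauth)
            # Only report session open/close; ignore other PAM phases.
            case "${PAM_TYPE:-}" in
                open_session)  what="SSH login" ;;
                close_session) what="SSH logout" ;;
                *)             return 0 ;;
            esac
            printf '[%s] %s: user %s from %s' \
                "$host" "$what" "${PAM_USER:-?}" "${PAM_RHOST:-?}"
            ;;
        *)
            printf 'unknown reporter: %s' "$1"
            return 1
            ;;
    esac
}

# Post the text as an incoming-webhook payload. Without a webhook URL
# the payload is written to stdout instead of being sent.
post_to_slack() {
    payload=$(printf '{"text":"%s"}' "$(json_escape "$1")")
    if [ -z "${SLACK_WEBHOOK_URL:-}" ]; then
        printf '%s\n' "$payload"
        return 0
    fi
    curl -sS -m 10 -X POST -H 'Content-type: application/json' \
        --data "$payload" "$SLACK_WEBHOOK_URL" >/dev/null
}

# Dispatch only when invoked with arguments (by fail2ban or pam_exec);
# running the file bare just defines the functions.
if [ "$#" -gt 0 ]; then
    msg=$(build_message "$@") || exit 1
    if [ -n "$msg" ]; then
        post_to_slack "$msg"
    fi
fi
```

As the comment in action.d/slack.conf warns, the script runs with the rights of the fail2ban user, and under pam_exec with those of sshd, so keep the webhook URL out of world-readable files (for example by exporting it from a root-only file that the script sources) rather than hard-coding it in a script placed in a shared bin folder.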

And the results:

[image: Slack post message example]
