How to trigger a fail2ban action to t6?
Mathieu Lory
Posted on July 17, 2022
This recipe introduces t6-iot and a custom fail2ban script that collects t6 datapoints from a fail2ban jail.
Assuming t6 and fail2ban are already installed and running, all you need to do is create the Flow container on t6 and then customize the fail2ban jail and action.
Create a specific Flow on t6
Edit the following file:
vi /home/user/fail2ban2t6.sh
And add the content from the template.
Please note you might need to edit line 13 of this file according to the directory containing the file.
Then, you’d need to create the config file from the template.
And finally, edit this secret file according to your own settings:
vi /home/user/fail2ban2t6.secret.conf
Set the fail2ban jail
Edit the file so that action contains fail2ban2t6 e.g.:
vi /etc/fail2ban/jail.local
[apache-404]
enabled = true
filter = apache-404
logpath = /var/log/t6-error.log
          /var/log/t6-access.log
maxretry = 4
findtime = 300
bantime = 86400
banaction = iptables-allports
action = iptables-allports
         fail2ban2t6
port = smtp,465,submission,imap,imaps,pop3,pop3s,http,https
Create the action script
Create the file on your server from the template
/etc/fail2ban/action.d/fail2ban2t6.conf
Check all and restart fail2ban
Usually, this can be done using the following root command:
sudo systemctl restart fail2ban
From then on, each time an IP address is caught by the apache-404 jail, it will be sent as a datapoint into the t6 Flow.
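The checks below can be run before and after that restart. This is an added example, not part of the original recipe or of the t6 project: the paths and jail name are the ones used above, while the permission policy (secret file readable by its owner only, script not writable by group or others) is an assumption.

```shell
#!/bin/sh
# Added example: pre-flight checks for the fail2ban2t6 setup on this page.
# Paths and jail name are the page's; the permission policy is an assumption.
SECRET=/home/user/fail2ban2t6.secret.conf
SCRIPT=/home/user/fail2ban2t6.sh
JAIL=apache-404

# True if file $1 exists and grants no access to group or others (e.g. 600).
secret_is_private() {
    [ -f "$1" ] || return 1
    mode=$(stat -c '%a' "$1") || return 1      # GNU stat, octal mode
    case "$mode" in *00) return 0 ;; *) return 1 ;; esac
}

# True if $1 is not writable by group or others. fail2ban normally runs
# as root, so a script another account can edit runs with root rights.
no_foreign_write() {
    mode=$(stat -c '%a' "$1") || return 1
    case "$mode" in *[2367]|*[2367]?) return 1 ;; esac
    return 0
}

# True if the action list in $1 contains exactly the name fail2ban2t6.
jail_has_action() {
    printf '%s\n' "$1" | tr ' ,' '\n\n' | grep -qx 'fail2ban2t6'
}

preflight() {
    secret_is_private "$SECRET" || { echo "run: chmod 600 $SECRET" >&2; return 1; }
    [ -x "$SCRIPT" ] || { echo "not executable: $SCRIPT" >&2; return 1; }
    no_foreign_write "$SCRIPT" || { echo "run: chmod go-w $SCRIPT" >&2; return 1; }
    fail2ban-client -t || return 1             # parse the config, do not start
    systemctl restart fail2ban || return 1
    sleep 2                                    # let the server load its jails
    actions=$(fail2ban-client get "$JAIL" actions) || return 1
    jail_has_action "$actions" || { echo "fail2ban2t6 not on $JAIL" >&2; return 1; }
    echo "fail2ban2t6 is attached to jail $JAIL"
}

# Run the full sequence only when asked: sh thisfile.sh run (as root)
if [ "${1:-}" = run ]; then preflight; fi
```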