How to trigger a fail2ban action to t6?

mathcoll

Mathieu Lory

Posted on July 17, 2022


This recipe introduces you to t6-iot and a custom fail2ban script that collects t6 datapoints from a fail2ban jail.

Assuming t6 and fail2ban are already installed and running, all you need to do is create the Flow container on t6 and then customize the fail2ban jail and action.

Create a specific Flow on t6

Edit the following file:

vi /home/user/fail2ban2t6.sh
And add the content from the template.

Please note you might need to edit line 13 of this file according to the directory containing the file.

Then create the config file from the template.
Finally, edit this secret file according to your own settings:

vi /home/user/fail2ban2t6.secret.conf

Set the fail2ban jail

Edit the jail file so that action contains fail2ban2t6, e.g.:

vi /etc/fail2ban/jail.local

[apache-404]
enabled = true
filter = apache-404
# Continuation lines of a multi-line value must be indented.
logpath = /var/log/t6-error.log
          /var/log/t6-access.log
maxretry = 4
findtime = 300
bantime = 86400
banaction = iptables-allports
# Two actions: ban with iptables, then report the IP to t6.
action = iptables-allports
         fail2ban2t6
port = smtp,465,submission,imap,imaps,pop3,pop3s,http,https

Create the action script

Create the file on your server from the template:

/etc/fail2ban/action.d/fail2ban2t6.conf

Check all and restart fail2ban

Usually, this can be done using the following root command:

sudo systemctl restart fail2ban

From then on, each time an IP address is caught by the apache-404 jail, it is sent as a datapoint to the t6 Flow.
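fail2ban normally runs as root, so the action script is executed, and the files it reads are parsed, with root privileges. The audit below is an added example, not part of the original recipe or of the t6 project: it reports any of the recipe's paths (and the directories of the script and action file) that are not owned by the expected account or are writable by group or others, and checks that the secret file is owner-only. The function names are hypothetical, and it assumes GNU stat on Linux.

```shell
#!/bin/sh
# Added example (not from the original recipe): permission audit for the
# files the recipe creates. Assumes GNU stat (Linux) and that fail2ban runs
# as root, so the action script executes with root privileges.

# check_path PATH FORBIDDEN_OCTAL_MASK OWNER
# Returns 1 if PATH is missing, is a symlink, is not owned by OWNER, or has
# any permission bit from the mask set.
check_path() {
    cp_path=$1; cp_mask=$2; cp_owner=$3
    if [ ! -e "$cp_path" ] || [ -L "$cp_path" ]; then
        echo "FAIL $cp_path: missing or a symlink"; return 1
    fi
    cp_user=$(stat -c '%U' "$cp_path")
    cp_mode=$(stat -c '%a' "$cp_path")
    if [ "$cp_user" != "$cp_owner" ]; then
        echo "FAIL $cp_path: owned by $cp_user, expected $cp_owner"; return 1
    fi
    # The leading 0 makes the shell read both numbers as octal.
    if [ $(( 0$cp_mode & 0$cp_mask )) -ne 0 ]; then
        echo "FAIL $cp_path: mode $cp_mode is too permissive"; return 1
    fi
    echo "OK   $cp_path ($cp_user, $cp_mode)"
}

# audit_fail2ban2t6 [OWNER] [SCRIPT] [SECRET] [ACTION]
# Defaults are the paths used in the recipe.
audit_fail2ban2t6() {
    a_owner=${1:-root}
    a_script=${2:-/home/user/fail2ban2t6.sh}
    a_secret=${3:-/home/user/fail2ban2t6.secret.conf}
    a_action=${4:-/etc/fail2ban/action.d/fail2ban2t6.conf}
    a_rc=0
    # Run or parsed by fail2ban: neither the file nor its directory may be
    # writable by group/others (mask 022) or owned by another account.
    for a_p in "$a_script" "$a_action"; do
        check_path "$(dirname "$a_p")" 022 "$a_owner" || a_rc=1
        check_path "$a_p" 022 "$a_owner" || a_rc=1
    done
    # Holds the t6 credentials: no access for group/others (mask 077).
    check_path "$a_secret" 077 "$a_owner" || a_rc=1
    return $a_rc
}
```

Source the file and run `audit_fail2ban2t6` as root before restarting fail2ban; a non-zero exit status means at least one path failed a check.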
