How to trigger a fail2ban action that sends to t6?
This recipe introduces t6 together with a custom fail2ban action script that turns ban events from a fail2ban jail into t6 datapoints.
Tagged on #recipe, #rules, #fail2ban
Assuming t6 and fail2ban are already installed and running, all you need to do is create the Flow container on t6 and then customize the fail2ban jail and action.
Create a specific Flow on t6
The Flow on t6 needs to be of the string data type; you can create it through the API with the following payload (note that a trailing comma after the last field is not valid JSON and will be rejected):
{
  "name": "fail2ban 404 errors",
  "unit": "f7b31254-3bb6-468f-be90-57ae90a6be39",
  "data_type": "a394e18f-12bd-4c22-b9c3-74c387d1a8db",
  "require_signed": false,
  "require_encrypted": false,
  "retention": "retention1y"
}
Create the action script
vi /home/user/fail2ban2t6.sh
and add the content from the template. Please note that you might need to edit line 13 of this file according to the directory containing the file.
Then create the config file from the template:
vi /home/user/fail2ban2t6.secret.conf
And finally, edit this secret file according to your own settings. Since it holds the credentials used to reach t6, restrict its permissions (for example chmod 600, owned by root, which is the user fail2ban runs its actions as).
Set the fail2ban jail
Edit the jail so that its action setting also lists fail2ban2t6, e.g.:
vi /etc/fail2ban/jail.local
[apache-404]
enabled = true
filter = apache-404
logpath = /var/log/t6-error.log
          /var/log/t6-access.log
maxretry = 4
findtime = 300
bantime = 86400
banaction = iptables-allports
action = iptables-allports
         fail2ban2t6
port = smtp,465,submission,imap,imaps,pop3,pop3s,http,https
The second logpath and the second action entries must be indented: fail2ban parses the file with an INI parser, and an unindented line would be read as a new key instead of a continuation. With this explicit action line both actions run on every ban: iptables-allports blocks the address and fail2ban2t6 reports it to t6.
Set the fail2ban action
Create the file on your server from the template
/etc/fail2ban/action.d/fail2ban2t6.conf
Check the configuration and restart fail2ban
Test the configuration first, then restart the service; usually this is done with the following root commands:
sudo fail2ban-client -t
sudo systemctl restart fail2ban
From then on, each time an IP address is banned by the apache-404 jail, it is sent as a datapoint into the t6 Flow. You can confirm the jail is loaded and see its current bans with sudo fail2ban-client status apache-404.
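The following is an added example of what an action script like fail2ban2t6.sh can look like; it is not the template the recipe refers to, and the t6 HTTP API details in it (base URL, the /data path, the payload keys, bearer-token authentication) are assumptions for illustration, as are the placeholder Flow id and the T6_* variable names. It covers the two things the template cannot show here: the values fail2ban passes in (the <ip>, <name> and <failures> tags substituted by the action) and why the address must be validated before it is put into a request, since it is copied out of a log line controlled by whoever triggered the ban.

```shell
#!/bin/sh
# Added example, not the page's fail2ban2t6.sh template: a minimal fail2ban
# action script that turns one ban into one t6 datapoint. The action.d file
# calls it as:  actionban = /home/user/fail2ban2t6.sh <ip> <name> <failures>
# Everything about the t6 HTTP API below (base URL, /data path, payload keys,
# bearer auth) is an ASSUMPTION; check the API documentation of your t6
# instance and adjust. The settings would normally be sourced from
# fail2ban2t6.secret.conf; defaults are given so the script runs offline.
set -eu

T6_BASE_URL="${T6_BASE_URL:-https://t6.example.invalid/v2.0.1}"  # assumed
T6_FLOW_ID="${T6_FLOW_ID:-00000000-0000-0000-0000-000000000000}" # placeholder
T6_TOKEN="${T6_TOKEN:-}"          # bearer token, assumed auth scheme
T6_DRY_RUN="${T6_DRY_RUN:-1}"     # 1 = print the request instead of sending

# fail2ban substitutes <ip> from the log line it matched; treat it as untrusted.
# Only a plain IPv4/IPv6 literal is accepted, so nothing can smuggle quotes,
# shell metacharacters or JSON into the request.
valid_ip() {
  case "$1" in
    "" | *[!0-9a-fA-F:.]*) return 1 ;;
  esac
  return 0
}

is_uint() {
  case "$1" in
    "" | *[!0-9]*) return 1 ;;
  esac
  return 0
}

# Escape backslash and double quote so the jail name is safe in a JSON string.
json_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Datapoint body: the Flow is a string type, so the value is "<jail>:<ip>";
# the failure count is carried as extra context. Key names are assumed.
build_payload() {
  ip="$1"; jail="$2"; failures="$3"
  valid_ip "$ip" || { echo "fail2ban2t6: refusing invalid ip '$ip'" >&2; return 1; }
  is_uint "$failures" || failures=0
  printf '{"flow_id":"%s","value":"%s:%s","meta":{"failures":%s}}' \
    "$(json_escape "$T6_FLOW_ID")" "$(json_escape "$jail")" "$ip" "$failures"
}

# Send (or, in dry-run mode, print) the datapoint. Returns 1 on invalid input.
send_datapoint() {
  body="$(build_payload "$@")" || return 1
  if [ "$T6_DRY_RUN" = "1" ]; then
    printf 'POST %s/data\n%s\n' "$T6_BASE_URL" "$body"
    return 0
  fi
  curl -fsS -X POST "$T6_BASE_URL/data" \
    -H "Authorization: Bearer $T6_TOKEN" \
    -H "Content-Type: application/json" \
    --data "$body" >/dev/null
}

# Usage: fail2ban2t6.sh <ip> <jail-name> <failures>
if [ $# -ge 1 ]; then
  send_datapoint "$1" "${2:-unknown}" "${3:-0}"
fi
```

In the matching /etc/fail2ban/action.d/fail2ban2t6.conf, the [Definition] section only needs actionban pointing at this script with the tags shown in the header comment; actionstart, actionstop, actioncheck and actionunban can stay empty, since the firewall ban itself is handled by the iptables-allports action listed alongside it in the jail. Keep the script executable by root only, as fail2ban runs it with root privileges.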