forked from alerta/alerta-contrib
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathfail2ban-alerta.sh
executable file
·41 lines (36 loc) · 1.25 KB
/
fail2ban-alerta.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
#!/bin/bash
# Author: Milos Buncic <[email protected]>
# Date: 2018/12/01
# Description: Send Alerta event if user exist but invalid password is used
# Example: https://alerta.example.com/api/webhooks/fail2ban
ALERTA_URL=${1}
# API key has to be generated on the Alerta side
# Example: EXdp3haf4Xkk7Dpk5MFrqfafn6nYGgtz4JL4XzBY
ALERTA_API_KEY=${2}
# Will be passed to by fail2ban as action tags (see alerta.conf): <ip> <failures> <logpath>
BANNED_IP=${3}
FAILURES=${4}
LOGPATH=${5}
if [[ ${#} -ne 5 ]]; then
echo "Usage: $(basename ${0}) alerta_url alerta_api_key banned_ip failures logpath"
exit 1
fi
MSG=$(egrep "\[[0-9]*?\]: Failed password for [a-z][-a-z0-9_]* from ${BANNED_IP}" ${LOGPATH} | tail -1)
BANNED_USER=$(echo ${MSG} | awk '{print $9}')
FQDN=$(hostname -f)
curl -sSL -X POST -H "X-API-Key: ${ALERTA_API_KEY}" -H "Content-Type: application/json" -d \
'
{
"hostname": "'${FQDN}'",
"attributes": {
"bannedIp": "'${BANNED_IP}'",
"bannedUser": "'${BANNED_USER}'"
},
"severity": "warning",
"environment": "Development",
"resource": "sshd",
"event": "The IP '${BANNED_IP}' has just been banned by Fail2Ban after '${FAILURES}' attempts!",
"message": "'"${MSG}"'"
}
' \
${ALERTA_URL}