Thursday, February 16, 2017

Fail2Ban notifications via Pushbullet (using ntfy)

The following was built on a CentOS 7 VPS, configured to protect the ssh login from brute force authentication attempts.  This assumes that you already have a Pushbullet account and have your Pushbullet clients set up properly.

Installation

Unless otherwise noted, the following is performed as root.

1) Install ntfy (better instructions at http://ntfy.readthedocs.io/en/latest/)

   pip install ntfy

2) Create the config file for ntfy

   cd
   mkdir .config
   cd .config
   mkdir ntfy
   cd ntfy
   echo -e 'backends: ["pushbullet"]\npushbullet: {"access_token": "t0k3n"}' > ntfy.yml
   chmod 600 ntfy.yml

3) Acquire your access token. On the Pushbullet site, click on "Settings" in the gray menu.  If "Account" isn't already selected, click on that.  Under "Access Tokens" click on "Create Access Token" and copy & paste the resulting token to somewhere safe.  Also edit the above ntfy.yml file and change "t0k3n" to whatever actually is your access token.

4) Install fail2ban

   yum -y update
   yum -y install epel-release
   yum -y update
   yum clean all
   yum -y install fail2ban
   systemctl start fail2ban
   systemctl enable fail2ban
   systemctl status fail2ban

In the above, "systemctl enable fail2ban" configures systemd to automatically start fail2ban at boot time.  "systemctl status fail2ban" will tell you whether or not fail2ban is running.

5) Create a new jail configuration. (Note: this adds "jail.local" which will override the existing "jail.conf".)

  cd /etc/fail2ban
  cp jail.conf jail.local

6) Using your favorite text editor, edit jail.local and add "enabled = true" in the (un-commented) sshd section.  It should look something like:

   [sshd]
   enabled = true

You may also want to change the entry for bantime (in the "DEFAULT" section) to something longer than 600 (which is only 10 minutes).  It's also recommended that you edit the entries for the following controls: ignoreip, findtime, and maxretry.  The "ignoreip" entry will exclude the given IP address from being banned by fail2ban (i.e., keeps you from banning yourself).  The "findtime" entry is the timespan in the logs where fail2ban will search for failures.  The "maxretry" entry is the number of failures in the timespan that will trigger a ban.

7) Restart fail2ban using:

   systemctl restart fail2ban

8) Check the status of fail2ban by running one, some, or all of the following:

   systemctl status fail2ban
   fail2ban-client status
   fail2ban-client status sshd
   iptables -L -n

9) Make a copy of fail2ban's iptables-multiport.conf file by running:

   cd /etc/fail2ban/action.d
   cp iptables-multiport.conf iptables-multiport-letmeknow.conf

10) Using your favorite text editor, find the action ban line and edit it so that it looks like:

   actionban = <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>
         /usr/local/etc/pb-f2b-notify <name> <ip>

11) Edit /etc/fail2ban/jail.local and change the following line:

   banaction = iptables-multiport

so that it looks like:

   banaction = iptables-multiport-letmeknow

12) Create the notify script "pb-f2b-notify" in the /usr/local/etc folder, so that it contains the following (the "ten minutes" in the message matches the default bantime of 600 seconds; adjust the text if you changed bantime in step 6):

   #!/bin/bash
   ntfy -b pushbullet -t "fail2ban alert!" send "fail2ban for $1: blocked $2 for ten minutes"

13) Restart fail2ban via:

   systemctl restart fail2ban

14) It's up to you to figure out how to test it.  I used a separate machine (at another IP) and attempted multiple logins with incorrect passwords.
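A hardened variant of the step 12 notify script, added here as an example and not the post's own script: it rejects a jail name or IP that fails a simple character check before anything is passed to ntfy, records each alert with logger, and derives the ban length from an optional third argument instead of hardcoding "ten minutes".  It assumes the actionban line is changed to pass fail2ban's <bantime> tag as a third parameter ("/usr/local/etc/pb-f2b-notify <name> <ip> <bantime>"); if it is not, the script falls back to the 600-second default.

```shell
#!/bin/bash
# Hardened pb-f2b-notify (added example). Called by fail2ban as:
#   pb-f2b-notify <name> <ip> [<bantime>]
# The third argument is an assumption; the actionban line must pass <bantime>.

# IPv4/IPv6 addresses only contain hex digits, dots and colons.
valid_ip() {
  case "$1" in
    *[!0-9a-fA-F:.]*|'') return 1 ;;
  esac
  return 0
}

# Jail names are plain identifiers; anything else is rejected.
valid_name() {
  case "$1" in
    *[!A-Za-z0-9_-]*|'') return 1 ;;
  esac
  return 0
}

# Turn a bantime in seconds into readable text (600 -> "10 minutes").
human_duration() {
  s="$1"
  if [ "$s" -ge 3600 ] && [ $((s % 3600)) -eq 0 ]; then echo "$((s / 3600)) hours"
  elif [ "$s" -ge 60 ] && [ $((s % 60)) -eq 0 ]; then echo "$((s / 60)) minutes"
  else echo "$s seconds"; fi
}

# Build the alert text; returns 1 (no message) if any argument is malformed.
build_message() {
  name="$1"; ip="$2"; bantime="${3:-600}"
  valid_name "$name" || return 1
  valid_ip "$ip" || return 1
  case "$bantime" in *[!0-9]*|'') return 1 ;; esac
  printf 'fail2ban for %s: blocked %s for %s' "$name" "$ip" "$(human_duration "$bantime")"
}

# Log locally, then push; a rejected argument is logged instead of sent.
notify() {
  msg=$(build_message "$@") || { logger -t pb-f2b-notify "rejected arguments: $*"; return 1; }
  logger -t pb-f2b-notify "$msg"
  ntfy -b pushbullet -t "fail2ban alert!" send "$msg"
}

# Only send when invoked with at least <name> and <ip>.
if [ "$#" -ge 2 ]; then notify "$@"; fi
```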

Above was adapted from the following sources: