Installation
Unless otherwise noted, following is performed as root.
1) Install ntfy (better instructions at http://ntfy.readthedocs.io/en/latest/)
pip install ntfy
2) Create the config file for ntfy
cd
mkdir .config
cd .config
mkdir ntfy
cd ntfy
echo -e 'backends: ["pushbullet"]\npushbullet: {"access_token": "t0k3n"}' > ntfy.yml
chmod 600 ntfy.yml
3) Acquire your access token. On the Pushbullet site, click on "Settings in the gray menu". If "Account" isn't already selected, click on that. Under "Access Tokens" click on "Create Access Token" and copy & paste the resulting token to somewhere safe. Also edit the above ntfy.yml file and change "t0k3n" to whatever actually is your access token.
4) Install fail2ban
yum -y update
yum -y install epel-release
yum -y update
yum clean all
yum -y install fail2ban
systemctl start fail2ban
systemctl enable fail2ban
systemctl status fail2ban
In the above, "systemctl enable fail2ban" configures systemd to automatically start fail2ban at boot time. "systemctl status fail2ban" will tell you whether or not fail2ban is running.
5) Create a new jail configuration. (Note: this adds "jail.local" which will override the existing "jail.conf".)
cd /etc/fail2ban
cp jail.conf jail.local
6) Using your favorite text editor, edit jail.local and add "enabled = true" in the (un-commented) sshd section. It should look something like:
[sshd]
enabled = true
You may also want to change the entry for bantime (in the "DEFAULT" section) to something longer than 600 (which is only 10 minutes). It's also recommended that you edit the entries for the following controls: ignoreip, findtime, and maxretry. The "ignoreip" entry will exclude the given IP address from being banned by fail2ban (i.e., keeps you from banning yourself). The "findtime" entry is the timespan in the logs where fail2ban will search for failures. The "maxretry" entry is the number of failures in the timespan that will trigger a ban.
7) Restart fail2ban using:
sytemctl restart fail2ban
8) Check the status of fail2ban by running one, some, or all of the following:
systemctl status fail2ban
fail2ban-client status
fail2ban-client status sshd
iptables -L -n
9) Make a copy of fail2ban's iptables-multiport.conf file by running:
cd /etc/fail2ban/action.d
cp iptables-multiport.conf iptables-multiport-letmeknow.conf
10) Using your favorite text editor, find the action ban line and edit it so that it looks like:
actionban = <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>
/usr/local/etc/pb-f2b-notify <name> <ip>
11) Edit /etc/fail2ban/jail.local and change the following line:
banaction = iptables-multiport
so that it looks like:
banaction = iptables-multiport-letmeknow
12) Create the notify script "pb-f2b-notify" in the /usr/local/etc folder, so that it contains the following:
#!/bin/bash
ntfy -b pushbullet -t "fail2ban alert!" send "fail2ban for $1: blocked $2 for ten minutes"
13) Restart fail2ban via:
systemctl restart fail2ban
14) It's up to you to figure out how to test it. I used a separate machine (at another IP) and attempted multiple logins with incorrect passwords.
Above was adapted from the following sources:
- https://github.com/dschep/ntfy
- http://ntfy.readthedocs.io/en/latest/
- https://blog.meinside.pe.kr/How-to-get-Pushbullet-notification-on-Fail2ban-ban-actions/
No comments:
Post a Comment