Fail2ban – send email with msmtp

fail2ban

How do I set up fail2ban to send emails using msmtp?

I tried changing the mta = sendmail line to mta = msmtp and the action = %(action_)s line to action = %(action_mwl)s.

I think /etc/fail2ban/action.d/msmtp-whois-lines.conf file, but I'm not sure what to put in it.

I can normally send mail from the command line with echo -e "Subject: subject\nMessage contents" | msmtp recipient@hotmail.com without a password.

Best Answer

What I would do is the following:

First thing is to copy all action.d/sendmail-*.conf files to action.d/msmtp-*.conf files:

for file in /etc/fail2ban/action.d/sendmail*.conf; do cp "$file" "${file/sendmail/msmtp}"; done

Next step is to change the occurrences of before = sendmail to before = msmtp in the action.d/msmtp-*.conf files:

sed -i 's/before = sendmail/before = msmtp/' /etc/fail2ban/action.d/msmtp-*.conf

This will correct the references to other sendmail configuration files like before = sendmail-common.conf.

Followed by changing all occurrences of sendmail -f <sender> to msmtp in action.d/msmtp-*.conf:

sed -i 's/sendmail -f <sender>/msmtp/p' /etc/fail2ban/action.d/msmtp-*.conf

This will correct the lines where sendmail is called like Fail2Ban | /usr/sbin/sendmail -f <sender> <dest>.

The final step is changing the mta = msmtp in the action.d/jail.conf file. Then reload fail2ban to test whether these modifications work.

Another thing to keep in mind is the user context of fail2ban with respect to the msmtp configuration. If you have a local msmtprc file configured, it might not be applied when fail2ban tries to run msmtp due to other user context. In that case, configure msmtp with a global configuration, or create a separate configuration for the user that runs fail2ban.

Related Solutions

How to configure fail2ban with systemd journal

For systemd systems:

You have to specify the backend in /etc/fail2ban/jail.conf to use systemd as follows:

backend = systemd

Then restart fail2ban:

systemctl restart fail2ban

Edit:

I'm a heavy CentOS/RHEL/Fedora guy so you may have to adapt what I say a bit. As far as this answer, you may have to update the fail2ban package to a version that supports systemd as a backend or you'll have to install rsyslog and add the following to your /etc/rsyslog.conf:

authpriv.*      /var/log/auth.log

This will make sure sshd auth logs are logging to /var/log/auth.log which will be read by the default pyinotify backend in fail2ban:

fail2ban – Is a Large fail2ban Database Normal?

I just discovered this issue on my own servers. My dbpurgeage is also set to the default 24 hours, yet my fail2ban.sqlite3 grew to 400MB and has 800,000 bans from the last 2 years.

It turns out fail2ban didn't actually have code to purge the DB until v0.11. It was added in this commit. dbpurgeage does nothing before then.

To see how many bans are in the DB:

sqlite3 /var/lib/fail2ban/fail2ban.sqlite3 "select count(*) from bans"

To see how old your oldest DB entry is:

sqlite3 /var/lib/fail2ban/fail2ban.sqlite3 "select datetime(min(timeofban), 'unixepoch') from bans"

To cleanup the DB, for example keep only the last week of data:

sqlite3 /var/lib/fail2ban/fail2ban.sqlite3 "delete from bans where timeofban < strftime('%s', 'now', '-7 days')"
sqlite3 /var/lib/fail2ban/fail2ban.sqlite3 "vacuum"

The deletion might take several minutes, during which fail2ban will get blocked if it tries to access the database. Perhaps you may want to delete in smaller batches (first everything older than 2 years, then 1 year, etc), to give fail2ban a chance to run in between, and vacuum at the end.

Best Answer

Related Solutions

How to configure fail2ban with systemd journal

fail2ban – Is a Large fail2ban Database Normal?

Related Question