How to trigger a fail2ban action to t6 ?

This recipe introduces t6 together with a custom fail2ban action script that collects datapoints from a fail2ban jail and sends them to a t6 Flow.

Assuming t6 and fail2ban are already installed and running, all you need to do is create a Flow container on t6 and then customize the fail2ban jail and action.

Create a specific Flow on t6

The Flow on t6 needs to be a string datatype (each datapoint will hold a banned IP address as a string); you can create it with the API using the following body:

{
    "name": "fail2ban 404 errors",
    "unit": "f7b31254-3bb6-468f-be90-57ae90a6be39",
    "data_type": "a394e18f-12bd-4c22-b9c3-74c387d1a8db",
    "require_signed": false,
    "require_encrypted": false,
    "retention": "retention1y"
}

Create the action script

vi /home/user/fail2ban2t6.sh

and add the content from the template. Note that you might need to edit line 13 of this file according to the directory containing the file. fail2ban runs the action as root and invokes the script by its absolute path, so make sure it is executable (chmod +x /home/user/fail2ban2t6.sh).

Then you’d need to create the config file from the template

vi /home/user/fail2ban2t6.secret.conf

And finally, edit this secret file according to your own settings. It holds your t6 credentials, so keep it readable only by the user fail2ban runs as (normally root), e.g. chmod 600 /home/user/fail2ban2t6.secret.conf.

Set the fail2ban jail

Edit the jail file so that the action list of the jail contains fail2ban2t6, e.g.:

vi /etc/fail2ban/jail.local

[apache-404]
enabled = true
filter = apache-404
logpath = /var/log/t6-error.log
          /var/log/t6-access.log
maxretry = 4
findtime = 300
bantime = 86400
banaction = iptables-allports
action = iptables-allports
         fail2ban2t6
port = smtp,465,submission,imap,imaps,pop3,pop3s,http,https

Set the fail2ban action

Create the action definition on your server from the template:

/etc/fail2ban/action.d/fail2ban2t6.conf

Check the configuration and restart fail2ban

First validate the configuration, then restart the service. Usually this is done with the following root commands:

sudo fail2ban-client -t
sudo systemctl restart fail2ban
sudo fail2ban-client status apache-404

The last command confirms the jail is active. From then on, each time the apache-404 jail bans an IP address, the action fires and the address is sent as a datapoint into the t6 Flow.
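The steps above (secret file, action script, action.d definition) tie together as follows. This is an added example written for this page, not the recipe's template nor t6's own code: the secret file is assumed to be a KEY=VALUE file defining T6_API, T6_FLOW and T6_TOKEN, and the endpoint path, Bearer authentication and datapoint field names are assumptions to adjust to the t6 API version you run. fail2ban only ever passes an IP address, but because the script runs as root and the value lands on a command line, the input is validated before anything else happens.

```shell
#!/bin/sh
# fail2ban2t6.sh: added example of an action script that turns a fail2ban ban into
# a t6 datapoint. Not the recipe's template. Hypothetical settings come from a
# KEY=VALUE secret file (T6_API, T6_FLOW, T6_TOKEN); endpoint path, auth header
# and payload field names are assumptions to adjust to the t6 API you run.

SECRET_CONF="${SECRET_CONF:-/home/user/fail2ban2t6.secret.conf}"

# Minimal JSON string escaping (backslash and double quote).
json_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Accept only IPv4/IPv6 literal characters: fail2ban should never pass anything
# else, but this script runs as root and the value ends up on a command line.
valid_ip() {
    case "$1" in
        ''|*[!0-9a-fA-F.:]*) return 1 ;;
        *) return 0 ;;
    esac
}

valid_number() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Build the datapoint body: $1 ip, $2 jail, $3 failures, $4 flow id,
# $5 optional epoch timestamp (so output is reproducible). The Flow is a string
# datatype, so the banned IP is the value; the other fields are assumed names.
build_datapoint() {
    printf '{"flow_id":"%s","value":"%s","jail":"%s","failures":%s,"timestamp":%s}' \
        "$(json_escape "$4")" "$(json_escape "$1")" "$(json_escape "$2")" \
        "$3" "${5:-$(date +%s)}"
}

# Source the secret file and make sure the three settings we need are present.
load_secret() {
    if [ ! -r "$SECRET_CONF" ]; then
        echo "fail2ban2t6: cannot read $SECRET_CONF" >&2
        return 1
    fi
    # shellcheck disable=SC1090
    . "$SECRET_CONF"
    [ -n "${T6_API:-}" ] && [ -n "${T6_FLOW:-}" ] && [ -n "${T6_TOKEN:-}" ]
}

# POST the body to t6. -f makes curl fail on HTTP errors so fail2ban logs them.
send_datapoint() {
    curl -sS -f -X POST "$T6_API/data/$T6_FLOW" \
        -H "Authorization: Bearer $T6_TOKEN" \
        -H 'Content-Type: application/json' \
        --data "$1"
}

# The matching /etc/fail2ban/action.d/fail2ban2t6.conf (example, not the
# template); <ip>, <name> and <failures> are standard fail2ban action tags.
print_action_conf() {
    cat <<'EOF'
[Definition]
actionstart =
actionstop =
actioncheck =
actionban = /home/user/fail2ban2t6.sh <ip> <name> <failures>
actionunban =
EOF
}

# fail2ban runs: /home/user/fail2ban2t6.sh <ip> <name> <failures>
main() {
    valid_ip "$1" || { echo "fail2ban2t6: refusing ip '$1'" >&2; exit 2; }
    failures="${3:-0}"
    valid_number "$failures" || failures=0
    load_secret || exit 3
    send_datapoint "$(build_datapoint "$1" "${2:-unknown}" "$failures" "$T6_FLOW")"
}

# Only act when fail2ban passes arguments; running the file bare just defines
# the functions without sending anything.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Install the script at the path the action definition names, make it executable, and keep the secret file at mode 600 since it contains the API token. Only actionban is wired up; actionunban is left empty on purpose, because the Flow records bans, not lifts. If you later want unbans as well, write them to a separate Flow or add a field rather than overloading the string value.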

Tagged: #recipe, #fail2ban