From dcbafb292fe3d29add2efdfb44cca1212a926813 Mon Sep 17 00:00:00 2001 From: nachoparker Date: Thu, 5 Oct 2017 12:19:33 +0200 Subject: fail2ban: email notification (Closes #232) --- changelog.md | 4 +++- etc/nextcloudpi-config.d/fail2ban.sh | 26 +++++++++++++++++++------- update.sh | 8 ++++++++ 3 files changed, 30 insertions(+), 8 deletions(-) diff --git a/changelog.md b/changelog.md index 821539d7..5ce54310 100644 --- a/changelog.md +++ b/changelog.md @@ -1,5 +1,7 @@ -[v0.31.11](https://github.com/nextcloud/nextcloudpi/commit/f4586a0) (2017-10-04) nc-backup: fix excludes +[v0.31.12](https://github.com/nextcloud/nextcloudpi/commit/487e06e) (2017-10-05) fail2ban: email notification + +[v0.31.11](https://github.com/nextcloud/nextcloudpi/commit/3fc4d3c) (2017-10-04) nc-backup: fix excludes [v0.31.10](https://github.com/nextcloud/nextcloudpi/commit/c0c6b1b) (2017-10-04) nc-forward-ports: exit status on failure diff --git a/etc/nextcloudpi-config.d/fail2ban.sh b/etc/nextcloudpi-config.d/fail2ban.sh index e055761f..cef07fd2 100644 --- a/etc/nextcloudpi-config.d/fail2ban.sh +++ b/etc/nextcloudpi-config.d/fail2ban.sh @@ -24,12 +24,17 @@ FINDTIME_=600 # bad attempts before banning an IP MAXRETRY_=6 +# email to send notifications to +EMAIL_=optional@email.com + +MAILALERTS_=no + DESCRIPTION="Brute force protection for SSH and NextCloud" install() { apt-get update - apt-get install --no-install-recommends -y fail2ban + apt-get install --no-install-recommends -y fail2ban whois update-rc.d fail2ban disable rm -f /etc/fail2ban/jail.d/defaults-debian.conf @@ -54,6 +59,12 @@ exit 0 EOF chmod +x /etc/cont-init.d/100-fail2ban-run.sh } + + # tweak fail2ban email + local F=/etc/fail2ban/action.d/sendmail-common.conf + sed -i 's|Fail2Ban|NextCloudPi|' /etc/fail2ban/action.d/sendmail-whois-lines.conf + grep -q actionstart_ "$F" || sed -i 's|actionstart|actionstart_|' "$F" + grep -q actionstop_ "$F" || sed -i 's|actionstop|actionstop_|' "$F" } configure() 
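Review bot: The default `EMAIL_=optional@email.com` is a deliverable-looking address on a public mail domain rather than an empty or reserved value, so switching `MAILALERTS_` to `yes` without editing it would send ban notifications off the box to an unrelated recipient. With `action_mwl`, which the configure() hunk selects when alerts are on, fail2ban mails carry whois output and the matching log lines, so the exposure is more than a bare "IP banned" message; how `EMAIL_` reaches the jail configuration is not visible in this view. I would default to `EMAIL_=` (or an `example.com` address) and have configure() refuse mail alerts while the address is empty, e.g. `[[ "$MAILALERTS_" == "yes" && -z "$EMAIL_" ]] && { echo "set EMAIL_ first"; return 1; }`. `MAILALERTS_` also has no describing comment, unlike `MAXRETRY_` and `EMAIL_` next to it; `# send an email for each ban (yes/no)` would match them. install() starts in this hunk and continues beyond it.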
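Review bot: The two `sed` rewrites of `$F` in install() are unanchored: `s|actionstart|actionstart_|` changes the first `actionstart` substring on every line of sendmail-common.conf, comments included, and the `grep -q` guard skips the whole edit as soon as the suffixed name appears anywhere in the file. Anchoring on the key makes the edit precise and idempotent without the guard, e.g. `sed -i 's|^actionstart[[:space:]]*=|actionstart_ =|' "$F"`, and the same for `actionstop`. These are package-shipped files, so a fail2ban upgrade can restore them and bring the start/stop mails back; a `sendmail-common.local` override would survive that, assuming the installed fail2ban version reads `.local` files for actions. A comment saying why the keys are renamed would help, presumably `# disable notification mails on fail2ban start/stop`. The same block is repeated in the update.sh hunk with `F` assigned without `local`; that hunk's start is not visible here, and install() begins before this hunk.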
@@ -89,6 +100,7 @@ failregex = Login failed.*Remote IP.*'' ignoreregex = EOF + [[ "$MAILALERTS_" == "yes" ]] && local ACTION=action_mwl || local ACTION=action_ cat > /etc/fail2ban/jail.conf <> /etc/pip.conf <<<"extra-index-url=https://www.piwheels.hostedpi.com/simple/zope.components" /etc/letsencrypt/letsencrypt-auto --help } + + # tweak fail2ban email + F=/etc/fail2ban/action.d/sendmail-common.conf + sed -i 's|Fail2Ban|NextCloudPi|' /etc/fail2ban/action.d/sendmail-whois-lines.conf + grep -q actionstart_ "$F" || sed -i 's|actionstart|actionstart_|' "$F" + grep -q actionstop_ "$F" || sed -i 's|actionstop|actionstop_|' "$F" + type whois &>/dev/null || { apt-get update; apt-get install --no-install-recommends -y whois; } + } # License -- cgit v1.2.3