How to Configure Fail2Ban to Send Email Notifications When Banning IP Addresses

Fail2Ban is a powerful tool for protecting your server against brute-force attacks by banning IP addresses that repeatedly fail authentication attempts. While it can efficiently ban these IPs, you might also want to receive email notifications when such bans occur. This guide will walk you through configuring Fail2Ban to send email notifications when it bans an IP address.

Prerequisites

Before you begin, ensure you have the following:

  • A server running Fail2Ban (you can install it using your package manager).
  • A working email setup on your server (you can use a local MTA like Postfix or an external SMTP server).
  • Basic knowledge of editing configuration files.

Configuration Steps

1. Open the Jail Configuration File

First, open the Fail2Ban jail configuration file. This is usually located at /etc/fail2ban/jail.local or /etc/fail2ban/jail.conf.

[jail.local]
...

2. Configure the Jail

Find the jail configuration section for the service you want to protect. In this example, it’s [auth-login].

[auth-login]
enabled = true
filter = auth-login
logpath = /var/log/apache2/access.log
action = iptables-multiport[name=NoAuthFailures, port="http,https"]
bantime = 3600
findtime = 60
maxretry = 3

3. Configure the Email Action

Add an email action to the jail configuration using the mail-whois action. Make sure to set the dest parameter to your desired email address, where you want to receive notifications.

[auth-login]
enabled = true
filter = auth-login
logpath = /var/log/apache2/access.log
action = iptables-multiport[name=NoAuthFailures, port="http,https"]
         mail-whois[name=NoAuthFailures, dest=you@example.com]
bantime = 3600
findtime = 60
maxretry = 3

4. Configure Email Settings

You also need to configure the email settings in Fail2Ban: the recipient address, the sender name, and the mail transfer agent (MTA) used to send the message. This can usually be done in the jail.local file or in the jail.d/defaults-debian.conf (or equivalent) file. Here’s an example:

[DEFAULT]
# Email settings
destemail = you@example.com
sendername = Fail2Ban
mta = sendmail

  • destemail: The email address where you want to receive notifications.
  • sendername: The name that will appear as the sender of the email.
  • mta: The mail transfer agent to use. Set it to your server’s mail system (e.g., sendmail for a local Postfix setup).

5. Restart Fail2Ban

After making these changes, restart Fail2Ban to apply the new configuration:

sudo systemctl restart fail2ban

6. Test the Configuration

You can test whether the email notifications are working by triggering a ban. Deliberately fail authentication a few times (e.g., with incorrect login attempts) to exceed the maxretry value specified in the jail configuration. Fail2Ban should then ban the IP address and send you an email notification.
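
A manual ban exercises the same actions without locking out your own address. The script below is an added example, not part of the original guide; it assumes the auth-login jail from above, a constructed documentation address (192.0.2.10) as the test IP, and a Fail2Ban version whose client supports -t (configuration test).

```shell
#!/bin/sh
# Added example, not from the original guide: exercise the notification path
# with a manual ban instead of real failed logins.
# Assumptions: the jail is auth-login (from the guide); TEST_IP is a constructed
# RFC 5737 documentation address; run as root or set F2B="sudo fail2ban-client".
JAIL="${JAIL:-auth-login}"
TEST_IP="${TEST_IP:-192.0.2.10}"
F2B="${F2B:-fail2ban-client}"

# Succeeds if the running jail lists a mail action (mail-whois, sendmail-whois, ...).
jail_has_mail_action() {
    $F2B get "$JAIL" actions | grep -Eq '(^|[ ,])(send)?mail'
}

# Ban and unban TEST_IP by hand. Return codes:
#   0 ban registered, 2 configuration invalid, 3 no mail action on the jail,
#   4 ban refused, 5 ban not listed in the jail status.
test_ban_notification() {
    $F2B -t >/dev/null 2>&1 || { echo "configuration test failed" >&2; return 2; }
    jail_has_mail_action || { echo "jail $JAIL has no mail action" >&2; return 3; }
    $F2B set "$JAIL" banip "$TEST_IP" >/dev/null || return 4
    listed=0
    $F2B status "$JAIL" | grep -qwF "$TEST_IP" || listed=1
    # Always lift the test ban, whatever the outcome.
    $F2B set "$JAIL" unbanip "$TEST_IP" >/dev/null
    [ "$listed" -eq 0 ] || return 5
    echo "ban of $TEST_IP registered on $JAIL; check the inbox and fail2ban.log"
}

# Run only when asked, so the file can also be sourced.
# Example call (the file name is an assumption): sh notify-test.sh --run
if [ "${1:-}" = "--run" ]; then
    test_ban_notification
fi
```

A non-zero exit code identifies the stage that failed; if the ban registers but no mail arrives, look for errors from the mail action in the Fail2Ban log.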

That’s it! You’ve successfully configured Fail2Ban to send email notifications when it bans IP addresses. This can be a valuable addition to your server’s security monitoring setup.
