Send notifications to the Slack
Using Fail2Ban, we can receive Slack notifications when a jail executes a ban or unban action. When the action is trigger, a notification will be sent to the slack channel of your choice with the corresponding jail name and offending IP.
Slack Fail2Ban CURL
The first thing you will need is an API token that will allow us to issue commands to the Slack API.
Create a new ban action for Fail2Ban
With root, copy or use your favorite editor to create the following file:
vim /etc/fail2ban/action.d/slack-notify.conf
Replace YOUR_SLACK_API_TOKEN_GOES_HERE with the API token you created. And where it says “notifications,” that’s the channel name (without the pound sign). Also you may want to change slack_username and slack_icon
Save the file. Now it’s time to add this action to one of our jails.
Apply the action to your jail(s)
For this demonstration we are going to be using the SSH and Asterisk jails. If you haven’t already, create a jail.local file for Fail2Ban in case a package update overwrite the default configuration:
vim /etc/fail2ban/jail.local
Now let’s add the Slack notification action.
[asterisk]
enabled = true
filter = asterisk
action = iptables-asterisk[name=asterisk]
slack-notify[name=SIP]
logpath = /var/log/asterisk/security_log
maxretry = 3
bantime = 1800
[ssh]
enabled = true
port = ssh
filter = sshd
action = iptables-multiport[name=SSH]
slack-notify[name=SSH]
logpath = /var/log/auth.log
maxretry = 5
bantime = 1800
Save and close the file.
Now restart the Fail2Ban service and you should see your jails starting up:
service fail2ban restart
Fail2Ban SSH jail has started Fail2Ban Asterisk jail has started
Generate an Incoming WebHook for Slack:
Create a new ban action for Fail2Ban
With root, copy or use your favorite editor to create the following files:
vim /etc/fail2ban/action.d/slack.conf
vim /etc/fail2ban/action.d/slack.ssh
In slack.sh replace with the your WebHook URL. And where it says “notifications,” that’s the channel name.
Save the file and run chmod.
chmod 755 /etc/fail2ban/action.d/slack.sh
Apply the action to your jail(s)
For this demonstration we are going to be using the SSH and Asterisk jail. If you haven’t already, create a jail.local file for Fail2Ban in case a package update overwrite the default configuration:
vim /etc/fail2ban/jail.local
Now let’s add the Slack notification action.
[asterisk]
enabled = true
filter = asterisk
action = iptables-asterisk[name=asterisk]
slack[name=SIP]
logpath = /var/log/asterisk/security_log
maxretry = 3
bantime = 1800
[ssh]
enabled = true
port = ssh
filter = sshd
action = iptables-multiport[name=SSH]
slack[name=SSH]
logpath = /var/log/auth.log
maxretry = 5
bantime = 1800
Save and close the file.
Optional: You may want to upload custom icon for notification. Type a name: fail2ban and select picture with maximum size of 128x128.
Now restart the Fail2Ban service and you should see your jails starting up:
service fail2ban restart
Fail2Ban SSH jail has started Fail2Ban Asterisk jail has started
Both methods has tested on RasPBX – Asterisk for Raspberry Pi which is based on Debian Jessie (Raspbian).