# Fail2Ban action for sending xarf Login-Attack messages to IP owner
#
# IMPORTANT:
#
# Emailing a IP owner of abuse is a serious complain. Make sure that it is
# serious. Fail2ban developers and network owners recommend you only use this
# action for:
#   * The recidive where the IP has been banned multiple times
#   * Where maxretry has been set quite high, beyond the normal user typing
#     password incorrectly.
#   * For filters that have a low likelihood of receiving human errors
#
# DEPENDENCIES:
#
# This requires the dig command from bind-utils
#
# This uses the https://abusix.com/contactdb.html to lookup abuse contacts.
#
# XARF is a specification for sending a formatted response
# for non-messaging based abuse including:
#
# Login-Attack, Malware-Attack, Fraud (Phishing, etc.), Info DNSBL
#
# For details see:
# https://github.com/xarf/xarf-specification
# http://www.x-arf.org/schemata.html
#
# Author: Daniel Black
# Based on complain written by Russell Odom <russ@gloomytrousers.co.uk>
#
#

[Definition]

# bypass ban/unban for restored tickets
norestored = 1

actionstart =

actionstop =

actioncheck =

actionban = oifs=${IFS};
            RESOLVER_ADDR="%(addr_resolver)s"
            if [ "<debug>" -gt 0 ]; then echo "try to resolve $RESOLVER_ADDR"; fi
            ADDRESSES=$(dig +short -t txt -q $RESOLVER_ADDR | tr -d '"')
            IFS=,; ADDRESSES=$(echo $ADDRESSES)
            IFS=${oifs}
            IP=<ip>
            FROM=<sender>
            SERVICE=<service>
            FAILURES=<failures>
            REPORTID=<time>@<fq-hostname>
            TLP=<tlp>
            PORT=<port>
            DATE=`LC_ALL=C date --date=@<time> +"%%a, %%d %%h %%Y %%T %%z"`
            if [ ! -z "$ADDRESSES" ]; then
                oifs=${IFS}; IFS=,; ADDRESSES=$(echo $ADDRESSES)
                IFS=${oifs}
                (printf -- %%b "<header>\n<message>\n<report>\n\n";
                 date '+Note: Local timezone is %%z (%%Z)';
                 printf -- %%b "\n<ipmatches>\n\n<footer>") | <mailcmd> <mailargs> $ADDRESSES
            fi

actionunban =

# Server as resolver used in dig command
#
addr_resolver = <ip-rev>abuse-contacts.abusix.org

# Option: boundary
# Notes:  This can be overwritten to be safe for possible predictions
boundary = bfbb0f920793ac03cb8634bde14d8a1e

_boundary = Abuse<time>-<boundary>

# Option: header
# Notes:  This is really a fixed value
header  = Subject: abuse report about $IP - $DATE\nAuto-Submitted: auto-generated\nX-XARF: PLAIN\nContent-Transfer-Encoding: 7bit\nContent-Type: multipart/mixed; charset=utf8;\n  boundary=%(_boundary)s;\n\n--%(_boundary)s\nMIME-Version: 1.0\nContent-Transfer-Encoding: 7bit\nContent-Type: text/plain; charset=utf-8;\n

# Option: footer
# Notes:  This is really a fixed value and needs to match the report and header
#         mime delimiters
footer = \n\n--%(_boundary)s--

# Option: report
# Notes:  Intended to be fixed
report =  --%(_boundary)s\nMIME-Version: 1.0\nContent-Transfer-Encoding: 7bit\nContent-Type: text/plain; charset=utf-8; name=\"report.txt\";\n\n---\nReported-From: $FROM\nCategory: abuse\nReport-ID: $REPORTID\nReport-Type: login-attack\nService: $SERVICE\nVersion: 0.2\nUser-Agent: Fail2ban v0.9\nDate: $DATE\nSource-Type: ip-address\nSource: $IP\nPort: $PORT\nSchema-URL: http://www.x-arf.org/schema/abuse_login-attack_0.1.2.json\nAttachment: text/plain\nOccurances: $FAILURES\nTLP: $TLP\n\n\n--%(_boundary)s\nMIME-Version: 1.0\nContent-Transfer-Encoding: 7bit\nContent-Type: text/plain; charset=utf8; name=\"logfile.log\";

# Option: Message
# Notes:  This can be modified by the users
message = Dear Sir/Madam,\n\nWe have detected abuse from the IP address $IP, which according to abusix.com is on your network. We would appreciate if you would investigate and take action as appropriate.\n\nLog lines are given below, but please ask if you require any further information.\n\n(If you are not the correct person to contact about this please accept our apologies - your e-mail address was extracted from the whois record by an automated process.)\n\n This mail was generated by Fail2Ban in a X-ARF format! You can find more information about x-arf at http://www.x-arf.org/specification.html.\n\nThe recipient address of this report was provided by the Abuse Contact DB by abusix.com. abusix.com does not maintain the content of the database. All information which we pass out, derives from the RIR databases and is processed for ease of use. If you want to change or report non working abuse contacts please contact the appropriate RIR. If you have any further question, contact abusix.com directly via email (info@abusix.com). Information about the Abuse Contact Database can be found here: https://abusix.com/global-reporting/abuse-contact-db\nabusix.com is neither responsible nor liable for the content or accuracy of this message.\n

# Option:  loglines
# Notes.:  The number of log lines to search for the IP for the report
loglines = 9000

# Option:  mailcmd
# Notes.:  Your system mail command. It is passed the recipient
# Values:  CMD
#
mailcmd =  /usr/sbin/sendmail

# Option:  mailargs
# Notes.:  Additional arguments to mail command. e.g. for standard Unix mail:
#          CC reports to another address:
#              -c me@example.com
#          Appear to come from a different address - the '--' indicates
#          arguments to be passed to Sendmail:
#              -- -f me@example.com
# Values:  [ STRING ]
#
mailargs = -f <sender>

# Option:  tlp
# Notes.:  Traffic light protocol defining the sharing of this information.
#          http://www.trusted-introducer.org/ISTLPv11.pdf
#          green is share to those involved in network security but it is not
#          to be released to the public.
tlp = green

# ALL of the following parameters should be set so the report contains
# meaningful information

# Option: service
# Notes.: This is the service type that was attacked. e.g. ssh, pop3
service = unspecified

# Option:  logpath
# Notes:   Path to the log files which contain relevant lines for the abuser IP
# Values:  Filename(s) space separated and can contain wildcards (these are
#          greped for the IP so make sure these aren't too long
logpath = /dev/null

# Option:  sender
# Notes.:  This is the sender that is included in the XARF report
sender = fail2ban@<fq-hostname>

# Option:  port
# Notes.:  This is the port number that received the login-attack
port = 0