System admins can have fail2ban alerts sent to a Rocket.Chat channel fairly easily.
First, create a channel called #alerts.
Second, create the integration. I gave mine the name Fail2Ban, posting to channel #alerts, Post as rocket.chat, alias Fail2Ban. Copy the curl command shown under Example:, then save.
Third, on the server on which fail2ban is running, create a script, ‘/usr/local/bin/rocket.sh’, pasting the copied curl command into it with a few edits to capture variables and to remove unnecessary details:
#!/bin/bash
# $1 is the banned IP passed by fail2ban; $HOSTNAME is the local machine name.
curl -X POST -H 'Content-Type: application/json' \
  --data '{"username":"Fail2Ban","text":"The IP '"$1"' has been banned","attachments":[{"title":"Fail2Ban Alert for '"$HOSTNAME"' ","color":"#764FA5"}]}' \
  https://rocket.mydomnain.com/hooks/WETKBGFDRTKJHFDEWQADFBMLLJHGGFFVBNJMKKK
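The quote marks around the two variables $1 (passed by F2B) and $HOSTNAME (local machine) must be correct: each '"..."' sequence closes the single-quoted JSON string, expands the variable inside double quotes, and then reopens the single-quoted string.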
Fourth, create rocket.conf under ‘/etc/fail2ban/action.d’ as follows:
[Definition]
actionstart =
actionflush =
actionstop =
actioncheck =
actionban = /usr/local/bin/rocket.sh <ip>
actionunban =
[Init]
You can obviously do more, but this is to get started.
Fifth, add the action to your jail. For example:
[sshd]
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
action = %(action_)s
         rocket
Lastly, reload fail2ban, test, and you should generate a result as follows:
The IP 192.168.1.9 has been banned
Fail2Ban Alert for Sever01
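A hardened variant of the rocket.sh script from the third step, as an added example that is not part of the original write-up: it reads the webhook URL (anyone who has it can post to the channel) from a separate root-only file, checks the argument before it reaches the JSON body, and gives curl a timeout. The path /etc/fail2ban/rocket.url, the ROCKET_URL_FILE override and the function names are assumptions.

```shell
#!/bin/bash
# Added example: hardened variant of rocket.sh, not the original author's script.
# Assumption: the webhook URL is stored alone in this file (owner root, mode 0600).
URL_FILE="${ROCKET_URL_FILE:-/etc/fail2ban/rocket.url}"

# Accept only characters that can occur in an IPv4 or IPv6 address.
valid_ip() {
    case "$1" in
        ''|*[!0-9A-Fa-f.:]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Escape backslashes and double quotes for use inside a JSON string.
json_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Build the same payload as the original script: build_payload <ip> <hostname>
build_payload() {
    ip=$1
    host=$2
    valid_ip "$ip" || return 1
    printf '{"username":"Fail2Ban","text":"The IP %s has been banned","attachments":[{"title":"Fail2Ban Alert for %s","color":"#764FA5"}]}' \
        "$ip" "$(json_escape "$host")"
}

# Post the alert; fail loudly instead of hanging or sending a malformed body.
send_alert() {
    payload=$(build_payload "$1" "${HOSTNAME:-$(hostname)}") || {
        echo "rocket.sh: refusing non-IP argument" >&2
        return 2
    }
    url=$(cat "$URL_FILE") || return 3
    curl --silent --show-error --fail --max-time 10 \
        -X POST -H 'Content-Type: application/json' \
        --data "$payload" "$url"
}

# fail2ban calls the script as: rocket.sh <ip>
if [ "$#" -gt 0 ]; then
    send_alert "$1"
fi
```

The actionban line in rocket.conf stays as it is; only the script and the new URL file (chmod 600, owned by root) change.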