Fail2ban and Rocket.Chat integration


#1

System admins can have fail2ban alerts sent to a Rocket.Chat channel fairly easily.

First, create a channel called #alerts

Second, create the integration. I gave mine the name Fail2Ban, posting to channel #alerts, Post as rocket.chat, alias Fail2Ban, copy the curl command under Example: and save.

Third, on the server on which fail2ban is running, create a script, ‘/usr/local/bin/rocket.sh’, pasting the copied curl command into it with a few edits to capture variables and to remove unnecessary details:

#!/bin/bash

curl -X POST -H 'Content-Type: application/json' --data '{"username":"Fail2Ban","text":"The IP '"$1"' has 
been banned","attachments":[{"title":"Fail2Ban Alert for '"$HOSTNAME"' ","color":"#764FA5"}]}' 
https://rocket.mydomnain.com/hooks/WETKBGFDRTKJHFDEWQADFBMLLJHGGFFVBNJMKKK

The quote marks around the two variables $1 (passed by F2B) and $HOSTNAME (local machine) must be correct.

Fourth, create rocket.conf under ‘/etc/fail2ban/action.d’ as follows:

[Definition]

actionstart = 
actionflush = 
actionstop = 
actioncheck = 
actionban = /usr/local/bin/rocket.sh <ip>
actionunban =

[Init]

You can obviously do more, but this is to get started.

Fifth, add the action to your jail. For example:

port    = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
action = %(action_)s
         rocket

Lastly, reload fail2ban, test, and you should generate a result as follows:

The IP 192.168.1.9 has been banned
Fail2Ban Alert for Sever01


#2

Wazuh/OSSEC alerts may also be sent to Rocket.Chat using the existing Slack script, FYI. If anyone is interested in how to do that, leave a message.