Fail2ban and Rocket.Chat integration


System admins can have fail2ban alerts sent to a Rocket.Chat channel fairly easily.

First, create a channel called #alerts.

Second, create the integration. I gave mine the name Fail2Ban, posting to channel #alerts, Post as, alias Fail2Ban. Copy the curl command under Example: and save.

Third, on the server on which fail2ban is running, create a script, ‘/usr/local/bin/’, pasting the copied curl command into it with a few edits to capture variables and to remove unnecessary details:


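#!/bin/bash
# Replace <your-webhook-URL> with the URL from the integration's Example curl command.
curl -X POST -H 'Content-Type: application/json' --data '{"username":"Fail2Ban","text":"The IP '"$1"' has been banned","attachments":[{"title":"Fail2Ban Alert for '"$HOSTNAME"' ","color":"#764FA5"}]}' "<your-webhook-URL>"

The quote marks around the two variables $1 (passed by F2B) and $HOSTNAME (local machine) must be correct: each variable is written as '"$1"' or '"$HOSTNAME"', which closes the single-quoted JSON string, expands the variable inside double quotes, and reopens the single quotes. The whole --data argument must also stay on one line, because a line break inside the "text" string produces invalid JSON.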

Fourth, create rocket.conf under ‘/etc/fail2ban/action.d’ as follows:


[Definition]
actionstart =
actionflush = 
actionstop = 
actioncheck = 
actionban = /usr/local/bin/ <ip>
actionunban =


You can obviously do more, but this is to get started.

Fifth, add the action to your jail. For example:

[sshd]
port    = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
action  = %(action_)s
          rocket

Lastly, reload fail2ban, test, and you should generate a result as follows:

The IP has been banned
Fail2Ban Alert for Sever01
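
A more defensive variant of the notification script from the third step, as an added example that is not part of the original post: it builds the JSON with printf instead of quote splicing, rejects any argument containing characters that cannot occur in an IP address, and reads the webhook URL from a root-only file. The path /etc/fail2ban/rocket-webhook.url and the function names build_payload and notify are assumptions made for this example.

```shell
#!/bin/sh
# Added example: hardened Fail2Ban -> Rocket.Chat notifier.
# WEBHOOK_FILE is a hypothetical path; store the integration URL there,
# owned by root with mode 0600, because the URL itself is the credential.
WEBHOOK_FILE=${WEBHOOK_FILE:-/etc/fail2ban/rocket-webhook.url}

# build_payload IP HOST: print the JSON body, or return 1 for a bad IP.
build_payload() {
    ip=$1
    # Character allowlist (digits, hex letters, '.' and ':'), not a full
    # address parser: enough to stop anything escaping the JSON string.
    case $ip in
        ''|*[!0-9A-Fa-f.:]*) return 1 ;;
    esac
    # Keep only hostname-safe characters so quotes or backslashes in the
    # host name cannot alter the JSON structure.
    host=$(printf '%s' "$2" | LC_ALL=C tr -cd 'A-Za-z0-9._-')
    printf '{"username":"Fail2Ban","text":"The IP %s has been banned","attachments":[{"title":"Fail2Ban Alert for %s","color":"#764FA5"}]}' "$ip" "$host"
}

notify() {
    payload=$(build_payload "$1" "${HOSTNAME:-$(hostname)}") || {
        echo "rocket-notify: refusing argument that is not an IP" >&2
        return 1
    }
    url=$(cat "$WEBHOOK_FILE") || return 1
    # --fail turns HTTP errors into a non-zero exit; --max-time keeps a
    # slow chat server from stalling the ban action.
    curl --silent --show-error --fail --max-time 10 \
         -X POST -H 'Content-Type: application/json' \
         --data "$payload" "$url"
}

# Run only when called with an argument, as in: actionban = <script> <ip>
if [ "$#" -gt 0 ]; then
    notify "$1"
fi
```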


Wazuh/OSSEC alerts may also be sent to Rocket.Chat using the existing Slack script, FYI. If anyone is interested in how to do that, leave a message.