Permalink
Switch branches/tags
Nothing to show
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
executable file 95 lines (83 sloc) 2.8 KB
#!/usr/bin/env bash
#
# Hello, lovely FastNetMon customer! I'm really happy to see you here!
# Pavel Odintsov, author
#
#
# Instructions:
#
# Copy this script to /usr/local/bin/
# Edit /etc/fastnetmon.conf and set:
# notify_script_path = /usr/local/bin/notify_with_slack.sh
#
# Add your email address to email_notify.
#
# Add your Slack incoming webhook to slack_url.
# slack_url="https://hooks.slack.com/services/TXXXXXXXX/BXXXXXXXXX/LXXXXXXXXX"
#
# Notes:
# hostname lookup requires the dig command.
# Debian: apt-get install dnsutils
# Redhat: yum install bind-utils
#
# For ban and attack_details actions we will receive attack details to stdin
# if option notify_script_pass_details enabled in FastNetMon's configuration file
#
# If you do not need this details, please set option notify_script_pass_details to "no".
#
# Please do not remove the following command if you have notify_script_pass_details enabled, because
# FastNetMon will crash in this case (it expect read of data from script side).
#
if [ "$4" = "ban" ] || [ "$4" = "attack_details" ]; then
fastnetmon_output=$(</dev/stdin)
fi
# This script will get following params:
# $1 client_ip_as_string
# $2 data_direction
# $3 pps_as_string
# $4 action (ban or unban)
# Target hostname
hostname=`dig -x ${1} +short`
# Email:
email_notify="root,please_fix_this_email@domain.ru"
# Slack:
slack_url=""
slack_title="FastNetMon Alert!"
slack_text="IP: ${1}\nHostname: ${hostname}\nAttack: ${2}\nPPS: ${3}\nAction: ${4}\n\n${fastnetmon_output}"
slack_action=${4}
function slackalert () {
if [ ! -z $slack_url ] && [ "$slack_action" = "ban" ]; then
local slack_color="danger"
elif [ ! -z $slack_url ] && [ "$slack_action" = "attack_details" ]; then
local slack_color="warning"
elif [ ! -z $slack_url ] && [ "$slack_action" = "unban" ]; then
local slack_color="good"
else
return 0
fi
local slack_payload="{\"attachments\": [ { \"title\": \"${slack_title}\", \"text\": \"${slack_text}\", \"color\": \"${slack_color}\" } ] }"
curl --connect-timeout 30 --max-time 60 -s -S -X POST -H 'Content-type: application/json' --data "${slack_payload}" "${slack_url}"
}
if [ "$4" = "unban" ]; then
# Slack Alert:
slackalert
# Unban actions if used
exit 0
fi
if [ "$4" = "ban" ]; then
# Email Alert:
echo "${fastnetmon_output}" | mail -s "FastNetMon Alert: IP $1 blocked because of $2 attack with power $3 pps" $email_notify;
# Slack Alert:
slackalert
# You can add ban code here!
# iptables -A INPUT -s $1 -j DROP
# iptables -A INPUT -d $1 -j DROP
exit 0
fi
if [ "$4" = "attack_details" ]; then
# Email Alert:
echo "${fastnetmon_output}" | mail -s "FastNetMon Analysis: IP $1 blocked because of $2 attack with power $3 pps" $email_notify;
# Slack Alert:
slackalert
exit 0
fi