FastNetMon e-mail notifications

FastNetMon can send emails about hosts blocked using the blackhole approach, and it can send emails about each partial block rule (BGP Flow spec mode) deployed to block malicious traffic.

We recommend using an SMTP server inside your network: during a DDoS attack, external connectivity may be affected, and email notifications will not be sent.

We strongly advise against using standard Gmail accounts for email alerts, as Google frequently blocks them, and recently, password authentication was disabled completely. You can use Google Suite services, but please add the IP address of your server to the allow list to avoid blocks.

We recommend using the internal SMTP server to avoid potential connectivity disruption due to an attack, which will lead to an inability to send alert emails.

Example configuration which includes all available options:

sudo fcli set main email_notifications_enabled enable
sudo fcli set main email_notifications_tls enable
sudo fcli set main email_notifications_auth enable
sudo fcli set main email_notifications_port 587
sudo fcli set main email_notifications_host smtp.email-service.com
sudo fcli set main email_notifications_from mynotificationemail@email-service.com
sudo fcli set main email_notifications_username mynotificationemail@email-service.com
sudo fcli set main email_notifications_password please_keep_it_secure
sudo fcli set main email_notifications_recipients noc@yourcompany.com
sudo fcli set main email_notifications_recipients tech@yourcompany.com

Then you can use this command to send a test email to the configured notification recipients:

sudo fcli set email_test

In case of any issues with email delivery, please check that your server has the application “msmtp” installed. You can also check the /var/log/fastnetmon/email.log file for error messages.

You can also change the default email subjects:

sudo fcli set main email_subject_blackhole_block "Our defense system blocked host {{ ip }}"
sudo fcli set main email_subject_blackhole_unblock "Our defense system unblocked host {{ ip }}"
sudo fcli set main email_subject_partial_block "FastNetMon partially blocked traffic for host {{ ip }}"
sudo fcli commit

If your server uses a custom auth method, then you can specify it explicitly, but in almost all cases, you do not need to do so; the best auth method will be selected automatically:

sudo fcli set main email_notifications_auth_method XXX

Where XXX may be one of the following options:

  • login
  • plain
  • scram-sha-1
  • cram-md5
  • gssapi
  • external
  • digest-md5
  • ntlm

If you use self-signed certificates for your SMTP server, you will need to set this option to ignore certificate validation issues:

sudo fcli set main email_notifications_disable_certificate_checks true
sudo fcli commit

By default, FastNetMon adds a dump of the attack’s traffic, but this behavior can be disabled this way:

sudo fcli set main email_notifications_add_simple_packet_dump false
sudo fcli commit

In case of any issues with msmtp, you can try running it directly using the same syntax that FastNetMon uses internally:

cat message.txt | sudo msmtp -t -a default --file=/etc/fastnetmon/msmtp.conf

As an example message.txt, you can use:

To: noc@domain.net
From: noc@domain.net
Subject: Test

.

Test body

After running this command, please share the error message with our support team, and we will be able to advise further.
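One way to review the msmtp configuration file referenced above for the TLS, certificate-check and auth settings this page configures, as an added example that is not FastNetMon's own code. It assumes the file uses standard msmtp directives (tls, tls_certcheck, auth) and a single account; the sample input is constructed.

```shell
#!/bin/sh
# Added example: audit an msmtp config for settings that weaken SMTP security.
# tls, tls_certcheck and auth are msmtp directives; that FastNetMon writes them
# into /etc/fastnetmon/msmtp.conf is an assumption. Single-account file assumed.

audit_msmtp_conf() {
    conf="$1"
    if [ ! -r "$conf" ]; then
        echo "ERROR cannot read $conf"
        return 2
    fi
    # The file holds the SMTP password, so other users should not be able to read it.
    if [ -n "$(find "$conf" -prune -perm -004)" ]; then
        echo "WARN $conf is world-readable"
    fi
    awk '
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        { key = tolower($1); val = tolower($2) }
        key == "tls"           { tls = val }
        key == "tls_certcheck" { certcheck = val }
        key == "auth"          { auth = val }
        END {
            # msmtp defaults: tls off, tls_certcheck on
            if (tls != "on")
                print "WARN tls is off: the SMTP session is unencrypted"
            if (tls == "on" && certcheck == "off")
                print "WARN tls_certcheck is off: server identity is not verified"
            if (tls != "on" && (auth == "plain" || auth == "login"))
                print "WARN auth " auth " without tls exposes the password"
            if (auth == "cram-md5" || auth == "digest-md5" || auth == "ntlm")
                print "INFO auth " auth " is a legacy mechanism"
        }
    ' "$conf"
}

# Constructed sample (not a real FastNetMon file): TLS on, certificate checks off.
sample=$(mktemp)
cat > "$sample" <<'EOF'
account default
host smtp.example.net
port 587
tls on
tls_certcheck off
auth on
user alerts@example.net
password constructed-placeholder
EOF
audit_msmtp_conf "$sample"
rm -f "$sample"
```

To check a live installation, call `audit_msmtp_conf /etc/fastnetmon/msmtp.conf` from a root shell after sourcing the function.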

On old installations running Ubuntu or Debian, you may face issues related to AppArmor, which does not like the fact that msmtp uses a non-standard configuration path and blocks execution. To address this issue, you need to do the following:

sudo apt-get install -y apparmor-utils
sudo /usr/sbin/aa-disable msmtp

After that, please try sending a test email:

sudo fcli set email_test