14.12.2017

FastNetMon Advanced Notify Script in Bash

FastNetMon can call a notify script when a DDoS attack arrives. You can use it for integration with third-party applications or monitoring systems.

We use the mail tool; please install it first:

sudo apt-get install -y bsd-mailx

The example script below sends an email to the address specified inside the script:

#!/usr/bin/env bash

# This script receives the following parameters:
#  $1 client_ip_as_string
#  $2 data_direction
#  $3 pps_as_string
#  $4 action (ban, unban or attack_details)

email_notify="root,please_fix_this_email@domain.com"

#
# Please be careful! You should not remove cat > 
#

if [ "$4" = "unban" ]; then
    # No details arrived to stdin here

    # Unban actions if used
    exit 0
fi

#
# For ban and attack_details actions we receive attack details on stdin
# if the option notify_script_pass_details is enabled in FastNetMon's configuration file
#
# If you do not need these details, please set the option notify_script_pass_details to "no".
#
# Please do not remove the "cat" command if you have notify_script_pass_details enabled, because
# FastNetMon will crash in this case (it expects the script to read the data).
#

if [ "$4" = "ban" ]; then
    # Quote the recipient so the value is always passed to mail as one argument
    cat | mail -s "FastNetMon Guard: IP $1 blocked because $2 attack with power $3 pps" "$email_notify"
    # You can add ban code here!
    exit 0
fi

if [ "$4" = "attack_details" ]; then
    cat | mail -s "FastNetMon Guard: IP $1 blocked because $2 attack with power $3 pps" "$email_notify"

    exit 0
fi

Please save it to the file /usr/local/bin/notify_script.bash

And set the executable bit for it:

sudo chmod +x /usr/local/bin/notify_script.bash

Then open the example notify script in your favourite editor and set your email address in the “email_notify” field.

Then try to run it manually for the ban action:

echo ban_details | /usr/local/bin/notify_script.bash 11.22.33.44 incoming 100500 ban

And try to run it manually for unban (there are no details in this case):

/usr/local/bin/notify_script.bash 11.22.33.44 incoming 100500 unban

You should receive example emails in both cases.

On the FastNetMon side, apply the following configuration:

sudo fcli set main notify_script_enabled enable
sudo fcli set main notify_script_path /usr/local/bin/notify_script.bash
sudo fcli set main notify_script_format text
sudo fcli commit

Also, if you do not need the attack details that FastNetMon provides on stdin, please disable this option and remove all lines where we use “cat”:

sudo fcli set main notify_script_pass_details disable
sudo fcli commit
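
Once ban code is added at the "You can add ban code here!" line, the four arguments reach whatever command performs the block, so it is worth checking their shape first. The following is an added example, not part of the original page or FastNetMon's own code: it validates the arguments before use and still drains stdin when it rejects them. Assumptions: IPv4 addresses only, "outgoing" as the second direction value, and the function names valid_ipv4, valid_args and handle are illustrative.

```shell
#!/usr/bin/env bash
# Added example, not FastNetMon's own script.
email_notify="root"   # placeholder recipient, set it as in the script above

# Succeeds only for a dotted-quad IPv4 address with each octet in 0..255.
valid_ipv4() (
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    IFS=.
    set -- $1
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
)

# Succeeds when all four arguments have the shape the script header documents.
valid_args() {
    [ "$#" -eq 4 ] || return 1
    valid_ipv4 "$1" || return 1
    case "$2" in incoming|outgoing) ;; *) return 1 ;; esac  # "outgoing" is assumed
    case "$3" in ""|*[!0-9]*) return 1 ;; esac
    case "$4" in ban|unban|attack_details) ;; *) return 1 ;; esac
}

handle() {
    if ! valid_args "$@"; then
        # Still consume the details so the writing side is not left waiting.
        case "$4" in ban|attack_details) cat >/dev/null ;; esac
        echo "notify_script: rejected arguments" >&2
        return 2
    fi
    case "$4" in
        unban) return 0 ;;   # no details arrive on stdin
        *)  cat | mail -s "FastNetMon Guard: IP $1 blocked because $2 attack with power $3 pps" "$email_notify"
            # Ban code goes here; $1..$3 are known to be well formed.
            ;;
    esac
}

# Run only when invoked with arguments, as FastNetMon does.
[ "$#" -eq 0 ] || handle "$@"
```

It can be exercised with the same manual ban and unban commands shown above.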