FastNetMon could call notify script which calls when DDoS arrives. You could use it for integration with third-part applications or monitoring systems.
We use mail tool, please install it before:
sudo apt-get install -y bsd-mailx
Example script provided below will send email to address specified inside script:
#!/usr/bin/env bash
# This script will get following params:
# $1 client_ip_as_string
# $2 data_direction
# $3 pps_as_string
# $4 action (ban or unban)
email_notify="root,please_fix_this_email@domain.com"
#
# Please be carefult! You should not remove cat >
#
if [ "$4" = "unban" ]; then
# No details arrived to stdin here
# Unban actions if used
exit 0
fi
#
# For ban and attack_details actions we will receive attack details to stdin
# if option notify_script_pass_details enabled in FastNetMon's configuration file
#
# If you do not need this details, please set option notify_script_pass_details to "no".
#
# Please do not remove "cat" command if you have notify_script_pass_details enabled, because
# FastNetMon will crash in this case (it expect read of data from script side).
#
if [ "$4" = "ban" ]; then
cat | mail -s "FastNetMon Guard: IP $1 blocked because $2 attack with power $3 pps" $email_notify;
# You can add ban code here!
exit 0
fi
if [ "$4" == "attack_details" ]; then
cat | mail -s "FastNetMon Guard: IP $1 blocked because $2 attack with power $3 pps" $email_notify;
exit 0
fi
Please put it to file /usr/local/bin/notify_script.bash
And set executable bit for it:
sudo chmod +x /usr/local/bin/notify_script.bash
Then open example notify script with favourite editor and specify your email in field: “email_notify”.
Then try to run it manually for ban action:
echo ban_details | /usr/local/bin/notify_script.bash 11.22.33.44 incoming 100500 ban
And try to run it manually for unban (we do not have details in this case):
/usr/local/bin/notify_script.bash 11.22.33.44 incoming 100500 unban
You should receive example emails in both cases.
From FastNetMon side you need to apply following configuration:
sudo fcli set main notify_script_enabled enable sudo fcli set main notify_script_path /usr/local/bin/notify_script.bash sudo fcli set main notify_script_format text sudo fcli commit
Also, if you do not need any details about attack which FastNetMon provides to stdin, please disable this option and remove all lines where we use “cat”:
sudo fcli set main notify_script_pass_details disable sudo fcli commit