FastNetMon can send emails about hosts blocked using blackhole approach and it can send emails about each partial block rule (BGP Flow spec mode) deployed to block malicious traffic.
We recommend using SMTP server in your network to avoid issues during DDoS attacks because external connectivity may be affected by attack and email notification will not be send.
We strongly advice against using standard Gmail accounts for email alerts as Google frequently blocks them and recently password authentication was disabled completely. You can use Google Suite services but please add IP of server into allow list to avoid blocks.
We recommend using internal SMTP server to avoid potential connectivity disruption due to attack which will lead to inability to send alert email.
Example configuration which includes all available options:
sudo fcli set main email_notifications_enabled enable sudo fcli set main email_notifications_tls enable sudo fcli set main email_notifications_auth enable sudo fcli set main email_notifications_port 587 sudo fcli set main email_notifications_host smtp.email-service.com sudo fcli set main email_notifications_from mynotificationemail@email-service.com sudo fcli set main email_notifications_username mynotificationemail@email-service.com sudo fcli set main email_notifications_password please_keep_it_secure sudo fcli set main email_notifications_recipients noc@yourcompany.com sudo fcli set main email_notifications_recipients tech@yourcompany.com
Then you could use this command and send test email to configured notification emails
sudo fcli set email_test
In case of any issues with email delivery, please check that your server has application “msmtp” installed. Also, you may check /var/log/fastnetmon/email.log file about any error messages.
You also may change default email subjects easily:
sudo fcli set main email_subject_blackhole_block "Our defense system blocked host {{ ip }}"
sudo fcli set main email_subject_blackhole_unblock "Our defense system unblocked host {{ ip }}"
sudo fcli set main email_subject_partial_block "FastNetMon partially blocked traffic for host {{ ip }}"
sudo fcli commit
If your server uses custom auth method then you can specify it explicitly but in almost all cases you do not need to do so, best auth method will be selected automatically:
sudo fcli set main email_notifications_auth_method XXX
Where XXX may be one of the following options:
- login
- plain
- scram-sha-1
- cram-md5
- gssapi
- external
- digest-md5
- ntlm
If you use self signed certificates for your SMTP server you will need to set this option to ignore certificate validation issues:
sudo fcli set main email_notifications_disable_certificate_checks true sudo fcli commit
By default, FastNetMon adds dump of attack’s traffic but this behavior can be disabled this way:
sudo fcli set main email_notifications_add_simple_packet_dump false sudo fcli commit
In case of any issues with msmpt you can try running it directly using same syntax as FastNetMon uses internally:
cat message.txt | sudo msmtp -t -a default --file=/etc/fastnetmon/msmtp.conf
As example message.txt you can use:
To: noc@domain.net From: noc@domain.net Subject: Test . Test body
After running this command please share error message with our support team and we will be able to advice on this matter.
On old installations which use Ubuntu or Debian you may face issues related with AppArmor which did not like fact that msmtp uses non standard configuration path and block execution. To address this issue you need to do following:
sudo apt-get install -y apparmor-utils sudo /usr/sbin/aa-disable msmtp
After that please try sending test email::
sudo fcli set email_test