FastNetMon can call a notify script when a DDoS attack arrives. You can use it for integration with third-party applications or monitoring systems.

We use the mail tool; please install it first:

```bash
sudo apt-get install -y bsd-mailx
```
The example script below sends an email to the address specified inside the script:

```bash
#!/usr/bin/env bash

# This script will get following params:
#  $1 client_ip_as_string
#  $2 data_direction
#  $3 pps_as_string
#  $4 action (ban or unban)

# Placeholder address: replace it with your own email
email_notify="please_fix_this_email@example.com"

#
# Please be careful! You should not remove the "cat" command
#

if [ "$4" = "unban" ]; then
    # No details arrived to stdin here

    # Unban actions if used
    exit 0
fi

#
# For ban and attack_details actions we will receive attack details to stdin
# if option notify_script_pass_details enabled in FastNetMon's configuration file
#
# If you do not need these details, please set option notify_script_pass_details to "no".
#
# Please do not remove "cat" command if you have notify_script_pass_details enabled, because
# FastNetMon will crash in this case (it expects to read data from the script side).
#

if [ "$4" = "ban" ]; then
    cat | mail -s "FastNetMon Guard: IP $1 blocked because $2 attack with power $3 pps" $email_notify;
    # You can add ban code here!
    exit 0
fi

if [ "$4" = "attack_details" ]; then
    cat | mail -s "FastNetMon Guard: IP $1 blocked because $2 attack with power $3 pps" $email_notify;
    exit 0
fi
```
Please save it to the file /usr/local/bin/notify_script.bash

Then set the executable bit on it:

```bash
sudo chmod +x /usr/local/bin/notify_script.bash
```
Then open the example notify script with your favourite editor and specify your email in the field “email_notify”.

Then try to run it manually for the ban action:

```bash
echo ban_details | /usr/local/bin/notify_script.bash 11.22.33.44 incoming 100500 ban
```

And try to run it manually for unban (we do not have details in this case):

```bash
/usr/local/bin/notify_script.bash 11.22.33.44 incoming 100500 unban
```
You should receive example emails in both cases.
On the FastNetMon side you need to apply the following configuration:

```bash
sudo fcli set main notify_script_path /usr/local/bin/notify_script.bash
sudo fcli set main notify_script_format text
sudo fcli commit
```
Also, if you do not need the attack details which FastNetMon provides on stdin, please disable this option and remove all lines where we use “cat”:

```bash
sudo fcli set main notify_script_pass_details disable
sudo fcli commit
```
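
A variant of the notify script that drains stdin first and validates its four arguments before using them, shown as an added example (not FastNetMon's own code). It appends to a log file instead of sending mail; `NOTIFY_LOG`, its default path and the function name `handle_notify` are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example, not FastNetMon's own code. Same argument contract as the
# script above: $1 IP, $2 direction, $3 pps, $4 action; details on stdin.
# NOTIFY_LOG is a hypothetical variable; the default path is an assumption.
NOTIFY_LOG="${NOTIFY_LOG:-/var/log/fastnetmon_notify.log}"

handle_notify() {
    ip="$1"; direction="$2"; pps="$3"; action="$4"; details=""

    case "$action" in
        ban|attack_details)
            # Drain stdin first, even if the other fields turn out to be
            # invalid: FastNetMon expects the script to read the details.
            details="$(cat)" ;;
        unban) ;;                       # no details arrive on stdin
        *) echo "unknown action" >&2; return 2 ;;
    esac

    # Character whitelists (not full parsers): reject anything that is not
    # plausible for each field before it reaches a log line or a command.
    case "$ip" in ''|*[!0-9a-fA-F.:]*) echo "bad ip" >&2; return 3 ;; esac
    case "$direction" in ''|*[!a-z_]*) echo "bad direction" >&2; return 3 ;; esac
    case "$pps" in ''|*[!0-9]*) echo "bad pps" >&2; return 3 ;; esac

    # One line per event; only the length of the details is recorded here.
    printf '%s action=%s ip=%s direction=%s pps=%s details_chars=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$action" "$ip" "$direction" \
        "$pps" "${#details}" >> "$NOTIFY_LOG"
}

# Run only when invoked with the four arguments FastNetMon passes.
if [ "$#" -eq 4 ]; then
    handle_notify "$@"
fi
```

It can be exercised with the same manual ban and unban commands shown earlier, with `NOTIFY_LOG` pointed at a writable file.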