Hi Tom, Thanks for replying:
Could you give us a bit more information? - version of fail2ban 0.10.2-2 - which mail action are you using? How does it set the subject? I use Sendmail, in my local jail the default action is: # Choose default action. To change, just override value of 'action' with the # interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local # globally (section [DEFAULT]) or per specific section action = %(action_mwl)s - output of the shell commands 'uname -n' and 'uname -a: uname -n: trumpfsmurica.com uname -a: Linux trumpfsmurica.com 4.15.0-45-generic #48-Ubuntu SMP Tue Jan 29 16:28:13 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux - output of the shell command 'hostname -f' hostname -f: trumpfsmurica.com - the actual hostname you expect to see trumpfsmurica.com - the actual hostname you are seeing in the email subjects srv461.smurfs.today (but only in the sshd ban emails, apache ban actions emails have the correct hostname) Thanks! > On April 13, 2019 at 8:14 AM [email protected] > wrote: > > > Send Fail2ban-users mailing list submissions to > [email protected] > > To subscribe or unsubscribe via the World Wide Web, visit > https://lists.sourceforge.net/lists/listinfo/fail2ban-users > or, via email, send a message with subject or body 'help' to > [email protected] > > You can reach the person managing the list at > [email protected] > > When replying, please edit your Subject line so it is more specific > than "Re: Contents of Fail2ban-users digest..." > > > Today's Topics: > > 1. Odd Fail2ban email alert issue (David Shuman) > 2. Re: Odd Fail2ban email alert issue (Tom Hendrikx) > > > ---------------------------------------------------------------------- > > Message: 1 > Date: Fri, 12 Apr 2019 09:33:27 -0400 (EDT) > From: David Shuman <[email protected]> > To: [email protected] > Subject: [Fail2ban-users] Odd Fail2ban email alert issue > Message-ID: <[email protected]> > Content-Type: text/plain; charset="utf-8" > > Good morning, > > > I'm an amateur with linux and toy around with a VPS for a few years now. > I've used Fail2ban to help protect it and have for many years. I've never > had this issue before, but now all my emails sent about blocks have the wrong > hostname in the subject line. Right now running the latest ubuntu. > > > The issue my domain name is abc.com so before around early March I would see > an email subject line similar to the below: > > > [Fail2Ban] sshd: banned xxx.xxx.xx.xxx from abc.com > > > *NOW* > > > [Fail2Ban] sshd: banned xxx.xxx.xx.xxx from xyz.com > > > This coincided when I did an apt-get update/upgrade around early March, which > I believe updated my Fail2Ban as well. I dont believe this changed my > personalized settings and I checked and dont recall anything out place. > Ironically enough, this only happens on my SSHD alerts, I just noticed that i > have recent apache alerts that have the correct domain in the subject line. > I've searched the entire filesystem for xyz.com and cant find any trace of it > in anything. I've run linux security scanners to check no malware/hack. > Just odd. > > > The next strange thing is I opened a ticket with my VPS host and they > indicated they didn't see anything wrong as my headers were showing the > correct hostname, and their info showed the correct hostname, but this new > hostname that started showing up was the *HOSTNAME FROM THE CUSTOMER THAT WAS > ON THE VPS BEFORE ME* > > > Strange right? > > > Any ideas? > -------------- next part -------------- > An HTML attachment was scrubbed... > > ------------------------------ > > Message: 2 > Date: Sat, 13 Apr 2019 11:09:34 +0200 > From: Tom Hendrikx <[email protected]> > To: [email protected] > Subject: Re: [Fail2ban-users] Odd Fail2ban email alert issue > Message-ID: <[email protected]> > Content-Type: text/plain; charset=utf-8; format=flowed > > On 12-04-19 15:33, David Shuman wrote: > > Good morning, > > > > > > I'm an amateur with linux and toy around with a VPS for a few years > > now.? I've used Fail2ban to help protect it and have for many years. > > I've never had this issue before, but now all my emails sent about > > blocks have the wrong hostname in the subject line.? Right now running > > the latest ubuntu. > > > > > > The issue my domain name is abc.com so before around early March I would > > see an email subject line similar to the below: > > > > > > [Fail2Ban] sshd: banned xxx.xxx.xx.xxx from abc.com > > > > > > *NOW* > > > > > > [Fail2Ban] sshd: banned xxx.xxx.xx.xxx from *xyz.com* > > > > > > This coincided when I did an apt-get update/upgrade around early March, > > which I believe updated my Fail2Ban as well.? I dont believe this > > changed my personalized settings and I checked and dont recall anything > > out place.? Ironically enough, this only happens on my SSHD alerts, I > > just noticed that i have recent apache alerts that have the correct > > domain in the subject line.? I've searched the entire filesystem for > > xyz.com and cant find any trace of it in anything.? I've run linux > > security scanners to check no malware/hack.? Just odd. > > > > > > The next strange thing is I opened a ticket with my VPS host and they > > indicated they didn't see anything wrong as my headers were showing the > > correct hostname, and their info showed the correct hostname, but this > > new hostname that started showing up was the *HOSTNAME FROM THE CUSTOMER > > THAT WAS ON THE VPS BEFORE ME* > > > > On my ubuntu 16.04 using fail2ban 0.9.3 from default packages, both the > "mail-*" and "sendmail-*" actions use the value of 'uname -n' in the > subject. It's hard to debug this without some more details. > > Could you give us a bit more information? > > - version of fail2ban > - which mail action are you using? How does it set the subject? > - output of the shell commands 'uname -n' and 'uname -a' > - output of the shell command 'hostname -f' > - the actual hostname you expect to see > - the actual hostname you are seeing in the email subjects > > Kind regards, > Tom > > > > > ------------------------------ > > > > ------------------------------ > > Subject: Digest Footer > > _______________________________________________ > Fail2ban-users mailing list > [email protected] > https://lists.sourceforge.net/lists/listinfo/fail2ban-users > > > ------------------------------ > > End of Fail2ban-users Digest, Vol 149, Issue 5 > ********************************************** _______________________________________________ Fail2ban-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/fail2ban-users
