Fail2ban notifications in Notifly

Fail2ban automatically bans IPs that attempt to break into SSH, the web panel, or the mail server. By default it only writes to the log. Connect Notifly to it — you’ll get a live picture of the attacks.

Create the file /etc/fail2ban/action.d/notifly.conf:

[Definition]
actionstart = curl -s --max-time 10 "%(notifly_url)s/message?token=%(notifly_token)s" \
              -H "Content-Type: application/json" \
              -d '{"title":"🟢 Fail2ban запущен","message":"Jail <name> on <fq-hostname>","priority":3}'
actionstop = curl -s --max-time 10 "%(notifly_url)s/message?token=%(notifly_token)s" \
             -H "Content-Type: application/json" \
             -d '{"title":"🔴 Fail2ban остановлен","message":"Jail <name> on <fq-hostname>","priority":4}'
actionban = curl -s --max-time 10 "%(notifly_url)s/message?token=%(notifly_token)s" \
            -H "Content-Type: application/json" \
            -d '{"title":"🚫 Бан в jail <name>","message":"IP <ip> заблокирован на <fq-hostname>. Попыток: <failures>.","priority":5}'
actionunban = curl -s --max-time 10 "%(notifly_url)s/message?token=%(notifly_token)s" \
              -H "Content-Type: application/json" \
              -d '{"title":"✅ Разбан в jail <name>","message":"IP <ip> разблокирован на <fq-hostname>","priority":3}'

[Init]
notifly_url = https://your-notifly.example.com
notifly_token = AGdjfk_L.dKe8q

In /etc/fail2ban/jail.local add the action to the desired jail:

[sshd]
enabled = true
maxretry = 5
bantime = 1h
action = %(action_)s
         notifly

Restart Fail2ban:

sudo systemctl restart fail2ban
sudo fail2ban-client status sshd

Trigger a ban — for example, from another machine enter a wrong password 5 times:

for i in 1 2 3 4 5; do ssh -o PreferredAuthentications=password wronguser@server; done

Notifly will receive the “🚫 Бан в jail sshd” notification (the actionban title configured above).

If you want a loud notification to arrive only during a “mass attack”, raise the priority to 9 in actionban and filter by <failures>:

actionban = curl -s --max-time 10 "%(notifly_url)s/message?token=%(notifly_token)s" \
            -H "Content-Type: application/json" \
            -d '{"title":"🚨 Атака на <name>","message":"IP <ip>: <failures> попыток за <bantime>s","priority":9}'

Or create a separate jail with a very short findtime/maxretry — it will trigger only for large-scale brute-force attacks.

  • Real-time view of attacks. You can immediately see which services are being targeted and from which networks.
  • Confirmation that Fail2ban is running. Start/stop notifications also arrive — if fail2ban crashes on the server, you’ll know.
  • Useful for audits. The notification history in Notifly is a history of bans with search and filters.
  • Add geolocation: look up <ip> with geoiplookup in a wrapper script.
  • Create a separate jail for “repeat offenders” (recidive) — set priority=10 for them.
  • Combine with the SSH login notification, so the whole perimeter is visible at a glance.
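
The geolocation idea from the list above, as an added example that is not part of the original page or of Notifly itself: a wrapper script for actionban that validates the IP, looks up its country with geoiplookup, and escapes every value before placing it in the JSON body. The script path, the /etc/fail2ban/notifly.env file and the NOTIFLY_URL / NOTIFLY_TOKEN variable names are assumptions; the English title text is chosen for this example.

```shell
#!/bin/sh
# Added example (hypothetical path /usr/local/bin/notifly-ban.sh). Wire it in with:
#   actionban = /usr/local/bin/notifly-ban.sh <ip> <name> <failures>

# Accept only strings made of characters that can occur in an IPv4/IPv6 address.
valid_ip() {
    case "$1" in
        ''|*[!0-9A-Fa-f.:]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Country for an IP; "unknown" if geoiplookup is missing or has no record.
geo_country() {
    command -v geoiplookup >/dev/null 2>&1 || { echo unknown; return 0; }
    out=$(geoiplookup "$1" 2>/dev/null | head -n 1 | sed 's/^[^:]*: *//')
    case "$out" in ''|*"not found"*) echo unknown ;; *) echo "$out" ;; esac
}

# Escape backslashes and double quotes so a value is safe inside a JSON string.
json_escape() {
    printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'
}

# Build a payload with the same fields the action file sends (title, message, priority).
build_payload() {  # args: ip jail failures country
    printf '{"title":"🚫 Ban in jail %s","message":"IP %s (%s). Failures: %s","priority":5}' \
        "$(json_escape "$2")" "$(json_escape "$1")" "$(json_escape "$4")" "$(json_escape "$3")"
}

send_ban() {  # args: ip jail failures
    valid_ip "$1" || { echo "refusing non-IP value: $1" >&2; return 1; }
    # Assumed file, owned by root with mode 0600, setting NOTIFLY_URL and NOTIFLY_TOKEN.
    . /etc/fail2ban/notifly.env
    build_payload "$1" "$2" "$3" "$(geo_country "$1")" |
        curl -s --max-time 10 "$NOTIFLY_URL/message?token=$NOTIFLY_TOKEN" \
             -H "Content-Type: application/json" -d @-
}

# Send only when called with arguments, as Fail2ban would call it.
if [ "$#" -ge 3 ]; then
    send_ban "$1" "$2" "$3"
fi
```

Keeping the token in a root-only file instead of the action file lets notifly.conf stay world-readable without exposing the credential.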