Notifications sent to API, instead of mail

Post Reply
dandju20
Junior Member
Posts: 1
Joined: 20 Jul 2020, 17:29

Notifications sent to API, instead of mail

Post by dandju20 »

Hello,

I was wondering if it would be possible to send lfd notifications like: login notification, suspicious process,... to an REST API endpoint/server, instead of sending them by email? In case of an email system failure, emails are not sent, but sending them to another (monitoring) system over eg. Https (to an API) would be a good alternative.

There seems to be an option to execute a script, but only when an IP got blocked?

If there is a way please let me know.

Thanks
Daniel
pluggi
Junior Member
Posts: 3
Joined: 20 Sep 2016, 13:27

Re: Notifications sent to API, instead of mail

Post by pluggi »

I would also be interested in this option too. :)
idratis3
Junior Member
Posts: 27
Joined: 07 May 2017, 11:36

Re: Notifications sent to API, instead of mail

Post by idratis3 »

And this could make further customisation of the notifications possible, or use other channels as mail (opens the way for integration in a custum dashboard, or IFTTT, Zapier, SLACK, etc....
danfbach
Junior Member
Posts: 8
Joined: 10 Feb 2021, 14:53

Re: Notifications sent to API, instead of mail

Post by danfbach »

This would be an excellent addition - perhaps you could allow csf to assume the current cpanel slack configuration? (if that's even possible?) That'd be pretty cool.
marcele
Junior Member
Posts: 215
Joined: 17 Sep 2007, 17:02

Re: Notifications sent to API, instead of mail

Post by marcele »

Just a note that CSF already supports this. Take a look at the BLOCK_REPORT option in /etc/csf/csf.conf. It's pretty easy to write a custom report script to log everything to an API.
idratis3
Junior Member
Posts: 27
Joined: 07 May 2017, 11:36

Re: Notifications sent to API, instead of mail

Post by idratis3 »

An example of use is here :
Perl : https://gist.github.com/Bsebring/f3dd52 ... b681961a2d
Python : https://gist.github.com/Bsebring/afcd0a ... 7ded2e9368
"# This file was written as an executable to be used in the auto report function
# of csf and lfd. By replacing $YOUR_API_KEY below with your abuseipdb api key,
# allows you to use this code to integrate your csf system with abuseipdb.com"
idratis3
Junior Member
Posts: 27
Joined: 07 May 2017, 11:36

Re: Notifications sent to API, instead of mail

Post by idratis3 »

From the readme.txt about "Block Reporting" on 2022-01-14
1/ Security : "It runs under the root account, so great care should be exercised with regard to security of the BLOCK_REPORT script"
2/ The arguments :
-----)
lfd can run an external script when it performs and IP address block following
for example a login failure. This is done by setting the configuration variable
BLOCK_REPORT to a script that must be executable. The following parameters are
passed the the script as arguments:

ARG 1 = IP Address # The IP address or CIDR being blocked
ARG 2 = ports # Port, comma separated list or * for all ports
ARG 3 = permanent # 0=temporary block, 1=permanent block
ARG 4 = inout # Direction of block: in, out or inout
ARG 5 = timeout # If a temporary block, TTL in seconds, otherwise 0
ARG 6 = message # Message containing reason for block
ARG 7 = logs # The logs lines that triggered the block (will contain
# line feeds between each log line)
ARG 8 = trigger # The configuration settings triggered

lfd launches the BLOCK_REPORT in a forked process which terminates after 10
seconds if not completed by then. It runs under the root account, so great care
should be exercised with regard to security of the BLOCK_REPORT script.

To also run an external script when a temporary block is unblocked by lfd.
UNBLOCK_REPORT can be the full path of the external script which must be
executable. The following parameters are passed the the script as arguments:

ARG 1 = IP Address # The IP address or CIDR being blocked
ARG 2 = port* # Port, there could be multiple unblocks for each IP

[*] If a port was specified in the initial block.
(-----
Post Reply