howto: tweet banned IPs from fail2ban

since i banged my head on this for a couple of days, i thought i’d share my solution.

if you’re running a server, you really should do something to keep brute-force SSH attacks from slowing it down, and potentially compromising your server. for this, i use fail2ban

fail2ban allows one to trigger certain actions when an IP is banned. i wanted to tweet those IPs, so their ISPs could be publicly shamed. i do this at

it’s well known how to tweet from the command line:

curl -u username:mypassword -d status="Status Message"

so, i put this into a file “tweet.conf” in /etc/fail2ban/actions.d:

actionstart =
actionstop =
actioncheck =
actionban = echo "status=<ip>" | curl -u USERNAME:PASSWORD -d @-
actionunban =

and the following in /etc/fail2ban/jail.conf:

enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
logpath = /var/log/secure
maxretry = 3
bantime = 86400

(note the “action” is just “tweet” without the trailing “.conf”)

Comments are closed.