Updated 23 Mar 2016 with corrections.
(These instructions are based on a CentOS machine I’m responsible for.)
You may find yourself getting multiple emails per day from a server running Fail2Ban, each and every time it blocks an IP address after several failed SSH logins, e.g.
Subject: [Fail2Ban] SSH: banned 220.127.116.11 from myserver
It’s not terribly obvious how to disable these. You’ll find plenty of threads from people asking how to turn Fail2Ban notifications on, not so many asking how to turn them off, and the concepts and syntax take a bit of getting used to…
In /etc/fail2ban/jail.conf there’s a section that describes various actions – look for action_, action_mw and action_mwl. You’ll see they vary in scope, from just writing to the logfile to emailing the sysadmin (or even administrators identified in whois lookups) or automatically banning IPs from 3rd-party services like CloudFlare.
Further down is this:
# Choose default action. To change, just override value of 'action' with the
# interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local
# globally (section [DEFAULT]) or per specific section
action = %(action_)s
In other words, you can have a single definition in /etc/fail2ban/jail.conf and reuse it in jail.local without writing it out again in full. It will need to go in the correct [section] (or “jail”) or under [DEFAULT].
I’d recommend changing one thing at a time – many of the checks (FTP etc.) will be disabled by default anyway.
Note: your jail.local file may have the actions written out in full as well (mine did), in which case you can just manually remove the sendmail line. Adding a duplicate action won’t produce a warning anywhere; fail2ban will just use the last one.
But there’s no [ssh] section? Which of these “jails” do I use?
Check fail2ban’s status to get a list of which jails it’s using, e.g.
sudo service fail2ban status
fail2ban-server (pid 9427) is running...
|- Number of jail: 1
`- Jail list: ssh-iptables
Your default jail.local will likely already have enabled=true or false lines for each jail too.
Remember to restart the service.
sudo service fail2ban restart
Checking what Fail2Ban is doing now you no longer have email alerts
See the entries in /var/log/messages, such as:
Mar 21 13:41:54 myserver fail2ban.filter: INFO [ssh-iptables] Found 18.104.22.168
Mar 21 13:41:55 myserver fail2ban.filter: INFO [ssh-iptables] Found
Mar 21 13:41:56 myserver fail2ban.filter: INFO [ssh-iptables] Found 22.214.171.124
Mar 21 13:41:57 myserver fail2ban.filter: INFO [ssh-iptables] Found 126.96.36.199
Mar 21 13:41:58 myserver fail2ban.filter: INFO [ssh-iptables] Found 188.8.131.52
Mar 21 13:41:59 myserver fail2ban.actions: NOTICE [ssh-iptables] Ban 184.108.40.206
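With the emails gone, a short script can give the same overview from the log. This is an added example, not part of the original post: it summarises Found/Ban lines per jail in the format shown above. The sample lines are constructed, the function names are hypothetical, and the Unban line is assumed to follow the same layout as the Ban line.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the log format shown above (documentation-range addresses).
SAMPLE_LOG = """\
Mar 21 13:41:54 myserver fail2ban.filter: INFO [ssh-iptables] Found 192.0.2.10
Mar 21 13:41:55 myserver fail2ban.filter: INFO [ssh-iptables] Found
Mar 21 13:41:56 myserver fail2ban.filter: INFO [ssh-iptables] Found 192.0.2.10
Mar 21 13:41:57 myserver fail2ban.filter: INFO [ssh-iptables] Found 192.0.2.10
Mar 21 13:41:58 myserver fail2ban.filter: INFO [ssh-iptables] Found 203.0.113.7
Mar 21 13:41:59 myserver fail2ban.actions: NOTICE [ssh-iptables] Ban 192.0.2.10
Mar 21 13:42:03 myserver sshd[9511]: Connection closed by 203.0.113.7
Mar 21 13:52:00 myserver fail2ban.actions: NOTICE [ssh-iptables] Unban 192.0.2.10
"""

# Matches: fail2ban.<component>: <LEVEL> [<jail>] <event> [<address>]
LINE_RE = re.compile(
    r"fail2ban\.(?:filter|actions):\s+\w+\s+\[(?P<jail>[^\]]+)\]\s+"
    r"(?P<event>Found|Ban|Unban)\b\s*(?P<ip>\S+)?"
)

def summarise(lines):
    """Return {jail: {"found": Counter, "banned": set, "malformed": int}}."""
    jails = defaultdict(lambda: {"found": Counter(), "banned": set(), "malformed": 0})
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # not a fail2ban Found/Ban/Unban line
        jail = jails[m["jail"]]
        if m["ip"] is None:
            jail["malformed"] += 1  # e.g. "Found" with no address after it
        elif m["event"] == "Found":
            jail["found"][m["ip"]] += 1
        elif m["event"] == "Ban":
            jail["banned"].add(m["ip"])
        else:  # Unban: the address is no longer blocked
            jail["banned"].discard(m["ip"])
    return jails

def report(jails):
    out = []
    for name, j in sorted(jails.items()):
        banned = ", ".join(sorted(j["banned"])) or "none"
        out.append(f"[{name}] banned: {banned}; lines without an address: {j['malformed']}")
        for ip, n in j["found"].most_common():
            out.append(f"  {ip}: {n} failed attempt(s)")
    return "\n".join(out)

if __name__ == "__main__":
    print(report(summarise(SAMPLE_LOG.splitlines())))
```

To run it against the real log, pass the lines of /var/log/messages to summarise() instead of the sample.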