Revision history for ReportingToAbuseIPDBWithFail2Ban


Revision [83]

Last edited on 2016-06-22 17:57:11 by ShaunC
Additions:
action = %(action_mwl)s # <--- This was already set as an action
Deletions:
action = %(action_mwl)s # <--- This was already set as an action


Revision [82]

Edited on 2016-06-22 17:52:58 by ShaunC
Additions:
[[http://www.fail2ban.org|Fail2ban]] is a utility that parses various system and software log files looking for signs of network abuse, and then firewalls out the offending IP addresses. It's becoming more common to crowdsource these incidents to centralized databases, so administrators can watch for patterns of abuse or pre-emptively block known malicious IPs. One of these efforts is [[http://abuseipdb.com|AbuseIPDB]], where attack information is compiled into reports [[https://www.abuseipdb.com/check/100.36.236.72|like this one]].
First, you'll need an API key from [[http://abuseipdb.com|AbuseIPDB.com]] to make any reports there. Go to their website, register for an account, and obtain an API key. If you have a large footprint (multiple servers, well-known servers, etc.) and see >1000 ""Fail2ban"" incidents per day, you probably want to register for a webmaster account, as the daily API usage limit is higher. It's free to register either way.
Deletions:
[[http://www.fail2ban.org|Fail2ban]] is a utility that parses various system and software log files looking for signs of abuse, and then firewalls out the offending IP addresses. It's becoming more common to crowdsource these incidents to centralized databases, so administrators can watch for patterns of abuse or pre-emptively block known malicious IPs. One of these efforts is [[http://abuseipdb.com|AbuseIPDB]], where attack information is compiled into reports [[https://www.abuseipdb.com/check/100.36.236.72|like this one]].
First, you'll need an API key from [[http://abuseipdb.com|AbuseIPDB.com]] to make any reports there. Go to their website, register for an account, and obtain an API key. If you have a large footprint and receive >1000 ""Fail2ban"" incidents per day, you probably want to register for a webmaster account, as the daily API usage limit is higher. It's free to register either way.


Revision [81]

Edited on 2016-06-22 17:50:47 by ShaunC
Additions:
This is a guide to integrating [[http://www.fail2ban.org|Fail2ban]] and [[http://abuseipdb.com|AbuseIPDB.com]] so that each time your system blocks an attacker, it also reports the incident to ""AbuseIPDB."" //This document is a work in progress.// In lieu of registering on this wiki, please send comments and corrections to wiki@shaunc.com.
[[http://www.fail2ban.org|Fail2ban]] is a utility that parses various system and software log files looking for signs of abuse, and then firewalls out the offending IP addresses. It's becoming more common to crowdsource these incidents to centralized databases, so administrators can watch for patterns of abuse or pre-emptively block known malicious IPs. One of these efforts is [[http://abuseipdb.com|AbuseIPDB]], where attack information is compiled into reports [[https://www.abuseipdb.com/check/100.36.236.72|like this one]].
Deletions:
This is a guide to integrating [[http://wwwfail2ban.org|Fail2ban]] and [[http://abuseipdb.com|AbuseIPDB.com]] so that each time your system blocks an attacker, it also reports the incident to ""AbuseIPDB."" //This document is a work in progress.// In lieu of registering on this wiki, please send comments and corrections to wiki@shaunc.com.
[[http://wwwfail2ban.org|Fail2ban]] is a utility that parses various system and software log files looking for signs of abuse, and then firewalls out the offending IP addresses. It's becoming more common to crowdsource these incidents to centralized databases, so administrators can watch for patterns of abuse or pre-emptively block known malicious IPs. One of these efforts is [[http://abuseipdb.com|AbuseIPDB]], where attack information is compiled into reports [[https://www.abuseipdb.com/check/100.36.236.72|like this one]].


Revision [80]

Edited on 2016-06-22 17:48:59 by ShaunC
Additions:
-----
[[CategoryLinux]]


Revision [79]

Edited on 2016-06-22 17:16:41 by ShaunC
Additions:
{{{toc}}}


Revision [78]

Edited on 2016-06-22 17:15:20 by ShaunC
Additions:
====== Reporting to ""AbuseIPDB.com"" with ""Fail2ban"" ======
This is a guide to integrating [[http://wwwfail2ban.org|Fail2ban]] and [[http://abuseipdb.com|AbuseIPDB.com]] so that each time your system blocks an attacker, it also reports the incident to ""AbuseIPDB."" //This document is a work in progress.// In lieu of registering on this wiki, please send comments and corrections to wiki@shaunc.com.
===Background - ""Fail2ban"" and ""AbuseIPDB""===
-----
[[http://wwwfail2ban.org|Fail2ban]] is a utility that parses various system and software log files looking for signs of abuse, and then firewalls out the offending IP addresses. It's becoming more common to crowdsource these incidents to centralized databases, so administrators can watch for patterns of abuse or pre-emptively block known malicious IPs. One of these efforts is [[http://abuseipdb.com|AbuseIPDB]], where attack information is compiled into reports [[https://www.abuseipdb.com/check/100.36.236.72|like this one]].
In this guide you'll learn how to configure ""Fail2ban"" so that it automatically reports attacks to the ""AbuseIPDB"" database. It's assumed that your system is already running ""Fail2ban.""
===Step 1: Register for ""AbuseIPDB""===
-----
First, you'll need an API key from [[http://abuseipdb.com|AbuseIPDB.com]] to make any reports there. Go to their website, register for an account, and obtain an API key. If you have a large footprint and receive >1000 ""Fail2ban"" incidents per day, you probably want to register for a webmaster account, as the daily API usage limit is higher. It's free to register either way.
===Step 2: Create ""AbuseIPDB"" action configuration ===
-----
# reports. If you have your own web server with PHP available, you can
# wherever you install the helper script. For the PHP helper script, see
=== Step 3: Edit jail.local ===
-----
Edit your ##fail2ban/jail.local## file to define several new actions as below. These should go below the default action definitions (action_mw, etc.) that are already defined in the file.
Now add these new actions to each jail wherever appropriate; a jail can have multiple actions, so just add the new ones to complement any existing actions. For example, to report SSH brute force attempts to ""AbuseIPDB"", add ##action_abuseipdb_sshbrute## as an action for sshd:
action = %(action_mwl)s # <--- This was already set as an action
%(action_abuseipdb_sshbrute)s # <--- Here is the new additional action%%
Restart ""Fail2ban"" (##service fail2ban restart## or perhaps ##fail2ban-client reload##). It will take a few minutes to re-parse all the bans; check its log files to see whether or not it's working properly. Login to your ""AbuseIPDB.com"" account and see if any reports are being submitted.
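The page quotes only two comment lines of the action file from Step 2. The following is an added example, not the page's own configuration and not the action file Fail2ban ships: a complete ##action.d/abuseipdb.conf## in Fail2ban's action format, followed by the ##jail.local## additions Step 3 describes. Assumptions: the endpoint and the ##key##/##category##/##comment##/##ip## form fields are the ones the PHP helper in Step 4 forwards; the category numbers (18 Brute-Force, 22 SSH, 21 Web App Attack, 11 Email Spam) are AbuseIPDB's published category IDs; ##REPLACE_WITH_YOUR_API_KEY## is a placeholder; ##<ip>##, ##<name>## and ##<matches>## are standard Fail2ban action tags.

```ini
# /etc/fail2ban/action.d/abuseipdb.conf -- added example, not the page's file nor the one Fail2ban ships
[Definition]
actionstart =
actionstop =
actioncheck =
# Fail2ban substitutes <ip>, <name> and <matches> (the escaped log lines) before
# the shell runs this. --data-urlencode form-encodes each field; --fail makes
# HTTP errors exit non-zero so they show up in fail2ban.log.
actionban = curl --fail --silent --show-error \
                --data-urlencode "key=<abuseipdb_key>" \
                --data-urlencode "category=<abuseipdb_category>" \
                --data-urlencode "ip=<ip>" \
                --data-urlencode "comment=Fail2ban jail <name>: <matches>" \
                "<abuseipdb_url>"
actionunban =

[Init]
# Point this at the PHP helper from Step 4 instead if you install it.
abuseipdb_url = https://www.abuseipdb.com/report/json
# Placeholder: paste the key from Step 1 (assumed form field name: key).
abuseipdb_key = REPLACE_WITH_YOUR_API_KEY
# Default category. AbuseIPDB IDs: 18 Brute-Force, 22 SSH, 21 Web App Attack, 11 Email Spam.
abuseipdb_category = 18

# /etc/fail2ban/jail.local -- add below the existing action_mw / action_mwl definitions
[DEFAULT]
action_abuseipdb_sshbrute  = abuseipdb[abuseipdb_category="18,22"]
action_abuseipdb_webattack = abuseipdb[abuseipdb_category="21"]
action_abuseipdb_spam      = abuseipdb[abuseipdb_category="11"]

[sshd]
enabled = true
action  = %(action_mwl)s
          %(action_abuseipdb_sshbrute)s
```

Each ban runs ##actionban## once, so one report is posted per ban; after a restart Fail2ban re-reads its logs and re-bans, which is the burst of reports Step 3 mentions and what counts against the daily API limit from Step 1. Parameters in the square brackets override the ##[Init]## defaults, so one action file serves every jail.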
===Step 4: Optionally, install the PHP Helper Script===
-----
Reports posted directly from ""Fail2ban"" to ""AbuseIPDB.com"" will, as of this writing, contain a lot of backslash/escape characters. That's because, for security purposes, ""Fail2ban"" [[https://github.com/fail2ban/fail2ban/commit/83109bc|escapes the contents]] of the "matches" variable before passing it on to any action mechanism. In order to clean up my reports, as well as gain some control over filtering their contents, I created a helper script in PHP. ""Fail2ban"" posts to the PHP script instead of to ""AbuseIPDB"". The helper script does some cleaning and then posts to the ""AbuseIPDB"" API.
If you have a web server (Apache, nginx, ...) capable of running PHP, you can place this helper script somewhere on your server, and then point ""Fail2ban's"" ##action.d/abuseipdb.conf## (from Step 2) to it. I recommend restricting it via .htaccess or some other method so that only your server(s) can post to it. You should also edit the munging lines in the script to cover your server's own IP address, domain, your username, or anything else you don't want showing up in your reports.
%%<?php
/*
 * Bail if nothing was posted to us. Access to this script should additionally be
 * restricted (e.g. via .htaccess) to the servers running Fail2ban, as noted above.
 */
if (!isset($_POST['ip'])) {
    exit;
}
/* Default the other fields we touch so the cleanup below cannot fail on a sparse post */
if (!isset($_POST['comment'])) {
    $_POST['comment'] = '';
}
if (!isset($_POST['category'])) {
    $_POST['category'] = '';
}
/* Remove backslashes and sensitive information from the report */
$_POST['comment'] = str_replace('\\', '', $_POST['comment']);
$_POST['comment'] = str_replace('1.2.3.4', '[munged]', $_POST['comment']);           // your server's IP
$_POST['comment'] = preg_replace('|example\.com|mi', '[munged]', $_POST['comment']);  // your domain
// If we're reporting spam (AbuseIPDB category 11), further munge any email addresses in the report
if ($_POST['category'] == 11) {
    $_POST['comment'] = str_replace('@', '[at]', $_POST['comment']);
}
/* Post report data to abuseipdb.com */
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, 'https://www.abuseipdb.com/report/json');
curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 30);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($_POST));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
// Required for connecting to a Cloudflare-hosted system... Note this is the NSS spelling of
// the cipher; a curl built against OpenSSL expects the OpenSSL name (ECDHE-ECDSA-AES128-SHA).
curl_setopt($ch, CURLOPT_SSL_CIPHER_LIST, 'ecdhe_ecdsa_aes_128_sha');
$reply = curl_exec($ch);
$err = curl_error($ch);
curl_close($ch);
/* Send a notification email; keep the API key out of it (assumes Fail2ban posts it as 'key') */
$mail_post = $_POST;
if (isset($mail_post['key'])) {
    $mail_post['key'] = '[redacted]';
}
mail('you@example.com',
    '[abuseipdb] ' . $_POST['ip'],
    "Err: {$err}\n\nServer reply: {$reply}\n\nIncoming _POST:\n\n" . var_export($mail_post, true) . "\n\nOutgoing post data: " . http_build_query($mail_post)
);%%
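The cleanup the PHP helper performs can also be done without a web server. As an added example (it is neither the page's helper nor code from Fail2ban or AbuseIPDB), here is the same cleaning and reporting logic in Python, Fail2ban's own language, written so that an ##actionban## line can call it directly and no HTTP endpoint has to be exposed. Assumptions not taken from the page: the ##key##/##category##/##comment##/##ip## form field names (those the PHP helper forwards), reading the API key from a file given on the command line, the placeholder ##OWN_IPS## and ##OWN_DOMAINS## values, and the constructed sample log line.

```python
"""Clean a Fail2ban <matches> blob and build an AbuseIPDB report payload.

Added example, not the page's PHP helper nor code from Fail2ban or AbuseIPDB.
Assumptions: v1 form fields key/category/comment/ip, a key file passed on the
command line, and the placeholder OWN_IPS / OWN_DOMAINS values below.
"""
import re
import sys
import urllib.parse
import urllib.request

REPORT_URL = "https://www.abuseipdb.com/report/json"   # endpoint used on the page
EMAIL_SPAM_CATEGORY = "11"                              # AbuseIPDB "Email Spam", as in the page's helper

# Placeholders: your own addresses/domains to strip from reports (the page's helper uses the same values).
OWN_IPS = ("1.2.3.4",)
OWN_DOMAINS = ("example.com",)

# Constructed sample of what Fail2ban hands over after escaping <matches>; not a real log line.
SAMPLE_MATCHES = (
    r"Jun 22 17:15:20 mail postfix/smtpd\[2201\]: NOQUEUE: reject: RCPT from unknown\[203.0.113.5\]: "
    r"554 5.7.1 \<spam@203.0.113.5\>: Relay access denied; to=\<bob@example.com\> proto=ESMTP"
)

_IPV4 = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")


def clean_comment(matches, category, own_ips=OWN_IPS, own_domains=OWN_DOMAINS):
    """Undo Fail2ban's escaping of <matches> and munge details about our own side.

    Fail2ban escapes the <matches> tag before substituting it into the action
    command, which is why direct reports carry literal backslashes (Step 4);
    those are removed first. The attacker's address is deliberately left
    alone: the report is about it.
    """
    text = matches.replace("\\", "")
    for ip in own_ips:
        text = text.replace(ip, "[munged]")
    for domain in own_domains:
        text = re.sub(re.escape(domain), "[munged]", text, flags=re.IGNORECASE)
    # A jail may pass several categories ("18,22"); only spam reports hide mailboxes.
    categories = {c.strip() for c in str(category).split(",")}
    if EMAIL_SPAM_CATEGORY in categories:
        text = text.replace("@", "[at]")
    return text


def build_report(ip, category, matches, api_key, own_ips=OWN_IPS, own_domains=OWN_DOMAINS):
    """Validate the inputs and return the form fields for one report."""
    if not _IPV4.fullmatch(ip):
        raise ValueError("refusing to report a non-IPv4 address: %r" % ip)
    if ip in own_ips:
        raise ValueError("refusing to report our own address %s" % ip)
    return {
        "key": api_key,
        "category": str(category),
        "ip": ip,
        "comment": clean_comment(matches, category, own_ips, own_domains),
    }


def send_report(payload, url=REPORT_URL, timeout=30):
    """POST the payload and return the server's reply body (network call)."""
    data = urllib.parse.urlencode(payload).encode("utf-8")
    request = urllib.request.Request(url, data=data)
    with urllib.request.urlopen(request, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


def main(argv):
    # Assumed actionban line; the key file keeps the key out of the process list:
    #   actionban = python3 /usr/local/sbin/abuseipdb_report.py <ip> <abuseipdb_category> /etc/fail2ban/abuseipdb.key "<matches>"
    if len(argv) < 5:
        sys.exit("usage: %s IP CATEGORY KEYFILE MATCHES..." % argv[0])
    ip, category, keyfile = argv[1:4]
    with open(keyfile) as fh:
        api_key = fh.read().strip()
    payload = build_report(ip, category, " ".join(argv[4:]), api_key)
    print(send_report(payload))


if __name__ == "__main__":
    main(sys.argv)
```

Running the script from ##actionban## means each ban is one local process that posts straight to the API, so the access-control problem of a publicly reachable PHP endpoint does not arise; the key file should be readable only by the user Fail2ban runs as.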
Deletions:
====== Reporting to ""AbuseIPDB.com"" with ""Fail2ban"" ======
===Step 1: Register for ""AbuseIPDB""===
You'll need an API key from [[http://abuseipdb.com|AbuseIPDB.com]] to make reports there. Go to their website, register, and obtain an API key.
===Step 2: Create ""AbuseIPDB"" action configuration ===
# reports. If you have your own Apache with PHP available, you can
# wherever you installed the helper script. For the PHP helper script, see
=== Step 3: Edit jail.local ===
Edit the ##/etc/fail2ban/jail.local## file to define several new actions as below. These should go below the default action definitions (action_mw, etc.) that are already in the file.
Now add these new actions to each jail wherever appropriate; for example, to report SSH brute force attempts, add ##action_abuseipd_sshbrute## as an action for sshd:
action = %(action_mwlb)s
%(action_abuseipdb_sshbrute)s # <--- Here%%
Restart ""Fail2ban"" (##service fail2ban restart## or perhaps ##fail2ban-client reload##). It will take a few minutes to re-parse all the bans, check its log files to see whether or not it's working properly. Login to your ""AbuseIPDB.com"" account and see if any reports are being submitted.
===Step 4: Optionally, install the PHP Helper Script===
Reports posted directly to ""AbuseIPDB.com"" will, as of this writing, contain a lot of backslash/escape characters. For security purposes, ""Fail2ban"" escapes the contents of the "matches" variable before passing it on to any ##action## mechanism.
todo: link the commit that does this, explain the PHP helper, include the PHP helper


Revision [77]

The oldest known version of this page was created on 2016-06-22 15:27:49 by ShaunC