====== Reporting to ""AbuseIPDB.com"" with ""Fail2ban"" ======

This is a guide to integrating [[http://www.fail2ban.org|Fail2ban]] and [[http://abuseipdb.com|AbuseIPDB.com]] so that each time your system blocks an attacker, it also reports the incident to ""AbuseIPDB."" //This document is a work in progress.// In lieu of registering on this wiki, please send comments and corrections to wiki@shaunc.com.

{{{toc}}}

===Background - ""Fail2ban"" and ""AbuseIPDB""=== -----
[[http://www.fail2ban.org|Fail2ban]] is a utility that parses various system and software log files looking for signs of network abuse, and then firewalls out the offending IP addresses. It's becoming more common to crowdsource these incidents to centralized databases, so administrators can watch for patterns of abuse or pre-emptively block known malicious IPs. One of these efforts is [[http://abuseipdb.com|AbuseIPDB]], where attack information is compiled into reports [[https://www.abuseipdb.com/check/100.36.236.72|like this one]].

In this guide you'll learn how to configure ""Fail2ban"" so that it automatically reports attacks to the ""AbuseIPDB"" database. It's assumed that your system is already running ""Fail2ban.""

===Step 1: Register for ""AbuseIPDB""===-----
First, you'll need an API key from [[http://abuseipdb.com|AbuseIPDB.com]] to make any reports there. Go to their website, register for an account, and obtain an API key. If you have a large footprint (multiple servers, well-known servers, etc.) and see >1000 ""Fail2ban"" incidents per day, you probably want to register for a webmaster account, as the daily API usage limit is higher. It's free to register either way.

===Step 2: Create ""AbuseIPDB"" action configuration ===-----
Create a new file in your ""Fail2ban"" action.d directory, for example ##/etc/fail2ban/action.d/##, and name it ##abuseipdb.conf##. You **MUST** set your API key at the end of this configuration file.

%%# Fail2ban configuration file
#
# Action to report IP address to abuseipdb.com
# You must sign up to obtain an API key from abuseipdb.com.
#
# IMPORTANT:
#
# Reporting an IP of abuse is a serious complaint. Make sure that it is
# serious. Fail2ban developers and network owners recommend you only use this
# action for:
# * The recidive jail, where the IP has been banned multiple times
# * Where maxretry has been set quite high, beyond the normal user typing a
#   password incorrectly
# * For filters that have a low likelihood of receiving human errors
#

[Definition]

# Option: actionstart
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
#
actionstart =

# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
actionstop =

# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck =

# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
#
# ** IMPORTANT! **
#
# By default, this posts directly to AbuseIPDB's API, unfortunately
# this results in a lot of backslashes/escapes appearing in the
# reports. If you have your own web server with PHP available, you can
# use my helper PHP script by commenting out the first #actionban
# line below, uncommenting the second one, and pointing the URL at
# wherever you install the helper script. For the PHP helper script, see
# <https://wiki.shaunc.com/wikka.php?wakka=ReportingToAbuseIPDBWithFail2Ban>
#
# --ciphers ecdhe_ecdsa_aes_256_sha is used to workaround a
# "NSS error -12286" from curl as it attempts to connect using
# SSLv3. See https://www.centos.org/forums/viewtopic.php?t=52732
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionban = curl --fail --ciphers ecdhe_ecdsa_aes_256_sha --data 'key=<abuseipdb_apikey>' --data-urlencode 'comment=<matches>' --data 'ip=<ip>' --data 'category=<abuseipdb_category>' "https://www.abuseipdb.com/report/json"
#actionban = curl --fail --data 'key=<abuseipdb_apikey>' --data 'comment=<matches>' --data 'ip=<ip>' --data 'category=<abuseipdb_category>' "http://yoursite.example.com/abuseipdb/report-api.php"

# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionunban =

[Init]

# Option: abuseipdb_apikey
# Notes.: Your API key from abuseipdb.com
# Values: STRING Default: None

abuseipdb_apikey = PUT_YOUR_API_KEY_HERE_VISIT_ABUSEIPDB_DOT_COM_TO_GET_ONE%%

=== Step 3: Edit jail.local ===-----
Edit your ##jail.local## file (for example ##/etc/fail2ban/jail.local##) to define several new actions as below. These should go below the default action definitions (##action_mw##, ##action_mwl##, etc.) that are already defined in the file.

%%# Actions to report to abuseipdb.com via API.
# See action.d/abuseipdb.conf
action_abuseipdb_fraud = abuseipdb[abuseipdb_category="3"]
action_abuseipdb_ddos = abuseipdb[abuseipdb_category="4"]
action_abuseipdb_proxy = abuseipdb[abuseipdb_category="9"]
action_abuseipdb_forumspam = abuseipdb[abuseipdb_category="10"]
action_abuseipdb_emailspam = abuseipdb[abuseipdb_category="11"]
action_abuseipdb_blogspam = abuseipdb[abuseipdb_category="12"]
action_abuseipdb_portscan = abuseipdb[abuseipdb_category="14"]
action_abuseipdb_hack = abuseipdb[abuseipdb_category="15"]
action_abuseipdb_sqlinject = abuseipdb[abuseipdb_category="16"]
action_abuseipdb_spoofing = abuseipdb[abuseipdb_category="17"]
action_abuseipdb_sshbrute = abuseipdb[abuseipdb_category="18"]%%

Now add these new actions to each jail wherever appropriate; a jail can have multiple actions, so just add the new ones to complement any existing actions. For example, to report SSH brute force attempts to ""AbuseIPDB"", add ##action_abuseipdb_sshbrute## as an action for sshd:

%%[sshd]
enabled = true
port = ssh
logpath = %(sshd_log)s
# action_mwl was already set as an action; action_abuseipdb_sshbrute is the new,
# additional action. The continuation line must be indented.
action = %(action_mwl)s
         %(action_abuseipdb_sshbrute)s%%

Restart ""Fail2ban"" (##service fail2ban restart## or perhaps ##fail2ban-client reload##). It will take a few minutes to re-parse all the bans; check its log files to see whether or not it's working properly. Login to your ""AbuseIPDB.com"" account and see if any reports are being submitted.

===Step 4: Optionally, install the PHP Helper Script===-----
Reports posted directly from ""Fail2ban"" to ""AbuseIPDB.com"" will, as of this writing, contain a lot of backslash/escape characters. That's because, for security purposes, ""Fail2ban"" [[https://github.com/fail2ban/fail2ban/commit/83109bc|escapes the contents]] of the "matches" variable before passing it on to any action mechanism. In order to clean up my reports, as well as gain some control over filtering their contents, I created a helper script in PHP. ""Fail2ban"" posts to the PHP script instead of to ""AbuseIPDB"". The helper script does some cleaning and then posts to the ""AbuseIPDB"" API.

If you have a web server (Apache, nginx, ...) capable of running PHP, you can place this helper script somewhere on your server, and then point ""Fail2ban's"" ##action.d/abuseipdb.conf## (from Step 2) to it. I recommend restricting it via .htaccess or some other method so that only your server(s) can post to it. You should also edit in your server's own IP address, domain, your username, or anything else you don't want showing up in your reports.

%%<?php

/* Bail if nothing (or an incomplete report) was posted to us */
if (!isset($_POST['ip']) || !isset($_POST['comment'])) {
    exit;
}

/* Remove backslashes and sensitive information from the report */
$_POST['comment'] = str_replace('\\', '', $_POST['comment']);
$_POST['comment'] = str_replace('1.2.3.4', '[munged]', $_POST['comment']);
$_POST['comment'] = preg_replace('|example.com|mi', '[munged]', $_POST['comment']);

/* If we're reporting email spam (category 11), further munge any email addresses */
if ($_POST['category'] == 11) {
    $_POST['comment'] = str_replace('@', '[at]', $_POST['comment']);
}

/* Post report data to abuseipdb.com */
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, 'https://www.abuseipdb.com/report/json');
curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 30);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($_POST));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
/* Required for connecting to a Cloudflare-hosted system... */
curl_setopt($ch, CURLOPT_SSL_CIPHER_LIST, 'ecdhe_ecdsa_aes_128_sha');

$reply = curl_exec($ch);
$err = curl_error($ch);
curl_close($ch);

/* Send a notification email. Note that both the var_export() dump and the
   outgoing post data include your API key, so keep this mailbox private. */
mail('you@example.com',
    '[abuseipdb] ' . $_POST['ip'],
    "Err: {$err}\n\nServer reply: {$reply}\n\nIncoming _POST:\n\n" . var_export($_POST, true) . "\n\nOutgoing post data: " . http_build_query($_POST)
);%%
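As an added example (not part of this wiki page's helper script), the same cleaning and payload-building logic in Python, so the munging rules can be checked offline before pointing ""Fail2ban"" at the helper; it goes one step beyond the PHP script by forwarding only the four fields the report call uses instead of the whole POST. The sample post body, IP, hostname and PID are constructed.

```python
import re
from urllib.parse import urlencode

# Fields the AbuseIPDB report call uses (see abuseipdb.conf above); anything
# else that arrives in the POST is dropped instead of forwarded.
REPORT_FIELDS = ("key", "ip", "category", "comment")

# Constructed sample of what the helper receives after fail2ban has
# backslash-escaped <matches>; the IP, hostname and PID are made up.
SAMPLE_POST = {
    "key": "PUT_YOUR_API_KEY_HERE",   # placeholder, as in abuseipdb.conf
    "ip": "198.51.100.7",
    "category": "18",                 # 18 = SSH brute force (see jail.local above)
    "comment": r"Dec 10 06:55:46 mail.example.com sshd\[1234\]: Failed password "
               r"for invalid user admin from 198.51.100.7 port 54321 ssh2",
}


def clean_comment(comment, category, server_ip="1.2.3.4", domain="example.com"):
    """Apply the helper script's munging rules to one report comment.

    server_ip and domain are the values you do not want in public reports;
    the defaults are the page's placeholders."""
    out = comment.replace("\\", "")                      # drop fail2ban's escapes
    out = out.replace(server_ip, "[munged]")             # hide our own address
    out = re.sub(re.escape(domain), "[munged]", out, flags=re.IGNORECASE)
    if str(category) == "11":                            # email spam: hide addresses
        out = out.replace("@", "[at]")
    return out


def build_report(post, **munge):
    """Return the urlencoded body that would be sent to /report/json,
    containing only the expected fields and a cleaned comment."""
    fields = {k: post[k] for k in REPORT_FIELDS if k in post}
    if "comment" in fields:
        fields["comment"] = clean_comment(fields["comment"], fields.get("category"), **munge)
    return urlencode(fields)


if __name__ == "__main__":
    print(build_report(SAMPLE_POST))
```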

-----
[[CategoryLinux]]