Tuesday, October 25, 2016

fail2ban: auto-reporting attacks to www.abuseipdb.com

Create the file /etc/fail2ban/action.d/abuseipdb.conf with the content below. It will contain your API key, so make it readable by root only (owner root:root, mode 0600):
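# Fail2Ban configuration file
#
# Author: IGAM Muliarsa
#
#

# Action to report IP address to abuseipdb.com
# you must sign up in https://www.abuseipdb.com
# This action requires an API key. The key, category, ip and a log
# excerpt are POSTed to https://www.abuseipdb.com/report/json
#
# IMPORTANT:
#
# Reporting an IP of abuse is a serious complaint. Make sure that it is
# serious. Fail2ban developers and network owners recommend you only use this
# action for:
#   * The recidive jail, where the IP has been banned multiple times
#   * Where maxretry has been set quite high, beyond a normal user typing a
#     password incorrectly.
#   * For filters that have a low likelihood of receiving human errors
#
# SECURITY NOTES:
#   * This file holds your API key: keep it root-only (chmod 0600). The key
#     is also placed on the curl command line, so it is visible in process
#     listings and in fail2ban's debug log while a report is being sent.
#   * <matches> is raw log text, partly attacker-chosen (usernames, client
#     banners), substituted into a shell command. fail2ban backslash-escapes
#     shell metacharacters in this tag, which only protects a double-quoted
#     or unquoted argument; a single-quoted 'comment=<matches>' is ended by
#     any ' in the log line. Keep the tag in double quotes (verify the
#     escaping against the action.py of your fail2ban version).
#   * The log excerpt is sent to a third party; make sure your filter's
#     matches contain nothing you consider private.
#

[Definition]

# Option:  actionstart
# Notes.:  command executed once at the start of Fail2Ban.
# Values:  CMD
#
actionstart =

# Option:  actionstop
# Notes.:  command executed once at the end of Fail2Ban
# Values:  CMD
#
actionstop =

# Option:  actioncheck
# Notes.:  command executed once before each actionban command
# Values:  CMD
#
actioncheck =

# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
#          --fail makes an HTTP error a non-zero exit so fail2ban logs the
#          failed report; --max-time stops a hung request from stalling the
#          jail's action queue.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionban = curl --fail --silent --show-error --max-time 30 --data 'key=<apikey>' --data 'category=<category>' --data 'ip=<ip>' --data-urlencode "comment=<matches>" --user-agent 'fail2ban v0.8.12' 'https://www.abuseipdb.com/report/json'

# Option:  actionunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionunban =

[Init]

# Option:  apikey
# Notes    your user apikey from abuseipdb.com user account
# Values:  STRING  Default: None
#
apikey = REPLACE_WITH_YOUR_API_KEY

# Option:  category
# Notes    abuseipdb category ID(s) for the report; set per jail, e.g.
#          abuseipdb[category="18,22"]. Quote a multi-valued list: fail2ban
#          splits unquoted action parameters on commas, so an unquoted
#          category=4,18,22 only passes 4.
# Values:  STRING  Default: None (the API rejects reports without one)
#
category =

# Option:  service
# Notes    service name you are reporting on, typically aligns with filter name
# Values:  STRING  Default: None
#
#service =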
Edit /etc/fail2ban/jail.local (preferred over jail.conf, which package upgrades overwrite) and add the action to the jails that should report:
...
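[sshd]

port    = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
enabled = true
filter  = sshd
# Raise maxretry well above a few mistyped passwords (or report from the
# recidive jail instead) so that ordinary users are not sent to a public
# abuse database; 10 is a starting point, tune it for your users.
maxretry = 10
# mlocaldb is a site-specific action not shown in this post; drop that line
# if you do not have it. Quote the category list: fail2ban splits unquoted
# action parameters on commas, so category=4,18,22 would only pass 4.
action = iptables-ipset-proto4[]
        mlocaldb[category=10]
        abuseipdb[category="4,18,22"]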
...
To find the available category IDs, consult the category list in abuseipdb's reporting documentation; pass several as a quoted, comma-separated list (category="18,22").
Restart fail2ban (or run fail2ban-client reload) and check /var/log/fail2ban.log for curl errors after the first ban to confirm reports are accepted.
Tested on Fail2ban 0.9.x

References:
