fail2ban/config/action.d/ipthreat.conf

# IPThreat configuration file
#
# Added to fail2ban by Jeff Johnson (jjxtra)
#
# Action to report IP address to ipthreat.net
#
# You must sign up to obtain an API key from ipthreat.net and request bulk report permissions
# https://ipthreat.net/integrations
#
# IPThreat is a 100% free site and service, all data is licensed under a creative commons by attribution license
# Please do not integrate if you do not agree to the license
#
# IMPORTANT:
#
# Reporting an IP is a serious action. Make sure that it is legit.
# Consider using this action only for:
#   * IP that has been banned more than once
#   * High max retry to avoid user mistyping password
#   * Filters that are unlikely to be human error
#
# Example:
# ```
#   action = %(known/action)s
#            ipthreat[]
# ```
#
# The action accepts the following arguments: ipthreat[ipthreat_flags="8",ipthreat_system="SSH", ipthreat_apikey=...]
# In most cases your action could be as simple as: ipthreat[], since the default flags and system are set to the most correct default values.
# You can optionally override ipthreat_system and ipthreat_flags if desired.
# The ipthreat_apikey must be set at the bottom of this configuration file.
#
# `ipthreat_system` is a short name of the system attacked, i.e. SSH, SMTP, MYSQL, PHP, etc.
#
# For `ipthreat_flags`, most cases will use 8 (BruteForce) which is the default, but you could use others.
# You can use the name or the ordinal.
# Multiple values are comma separated.
# ```
# Name           Ordinal Description
# Dns            1       Abuse/attack of dns (domain name server)
# Fraud          2       General fraud, whether orders, misuse of payment info, etc
# DDos           4       Distributed denial of service attack, whether through http requests, large ping attack, etc
# BruteForce     8       Brute force login attack
# Proxy          16      IP is a proxy like TOR or other proxy server
# Spam           32      Email, comment or other type of spam
# Vpn            64      IP is part of a VPN
# Hacking        128     General hacking outside of brute force attack (includes vulnerability scans, sql injection, etc.). Use port scan flag instead if it's just probe on ports.
# BadBot         256     Bad bot that is not honoring robots.txt or just flooding with too many requests, etc
# Compromised    512     The ip has been taken over by malware or botnet
# Phishing       1024    The ip is involved in phishing or spoofing
# Iot            2048    The ip has targeted an iot (Internet of Things) device
# PortScan       4096    Port scan
# See https://ipthreat.net/bulkreportformat for more information
# ```

[Definition]

# bypass action for restored tickets
norestored = 1

# Option:  actionstart
# Notes.:  command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
# Values:  CMD
#
actionstart =

# Option:  actionstop
# Notes.:  command executed at the stop of jail (or at the end of Fail2Ban)
# Values:  CMD
#
actionstop =

# Option:  actioncheck
# Notes.:  command executed once before each actionban command
# Values:  CMD
#
actioncheck =

# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
#
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionban = curl -sSf "https://api.ipthreat.net/api/report" -X POST -H "Content-Type: application/json" -H "X-API-KEY: <ipthreat_apikey>" -d "{\"ip\":\"<ip>\",\"flags\":\"<ipthreat_flags>\",\"system\":\"<ipthreat_system>\",\"notes\":\"fail2ban\"}"

# Option:  actionunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionunban =

[Init]
# Option:  ipthreat_apikey
# Notes    Your API key from ipthreat.net
# Values:  STRING Default: None
# Register for ipthreat [https://ipthreat.net], get api key and set below.
# You will need to set the flags and system in the action call in jail.conf
ipthreat_apikey =

# By default, the ipthreat system is the name of the fail2ban jail
ipthreat_system = <name>

# By default the ip threat flags is 8 (brute force), but you can override this per jail if desired
ipthreat_flags = 8
IPThreat integration (#3349) new IPThreat action 2022-09-13 09:01:46 +00:00			`# IPThreat configuration file`
			`#`
			`# Added to fail2ban by Jeff Johnson (jjxtra)`
			`#`
			`# Action to report IP address to ipthreat.net`
			`#`
			`# You must sign up to obtain an API key from ipthreat.net and request bulk report permissions`
			`# https://ipthreat.net/integrations`
			`#`
			`# IPThreat is a 100% free site and service, all data is licensed under a creative commons by attribution license`
			`# Please do not integrate if you do not agree to the license`
			`#`
			`# IMPORTANT:`
			`#`
			`# Reporting an IP is a serious action. Make sure that it is legit.`
			`# Consider using this action only for:`
			`# * IP that has been banned more than once`
Fix more typos 2023-11-22 16:32:05 +00:00			`# * High max retry to avoid user mistyping password`
IPThreat integration (#3349) new IPThreat action 2022-09-13 09:01:46 +00:00			`# * Filters that are unlikely to be human error`
			`#`
			`# Example:`
			# ```
			`# action = %(known/action)s`
			`# ipthreat[]`
			# ```
			`#`
			`# The action accepts the following arguments: ipthreat[ipthreat_flags="8",ipthreat_system="SSH", ipthreat_apikey=...]`
			`# In most cases your action could be as simple as: ipthreat[], since the default flags and system are set to the most correct default values.`
			`# You can optionally override ipthreat_system and ipthreat_flags if desired.`
			`# The ipthreat_apikey must be set at the bottom of this configuration file.`
			`#`
			# `ipthreat_system` is a short name of the system attacked, i.e. SSH, SMTP, MYSQL, PHP, etc.
			`#`
			# For `ipthreat_flags`, most cases will use 8 (BruteForce) which is the default, but you could use others.
			`# You can use the name or the ordinal.`
			`# Multiple values are comma separated.`
			# ```
			`# Name Ordinal Description`
			`# Dns 1 Abuse/attack of dns (domain name server)`
			`# Fraud 2 General fraud, whether orders, misuse of payment info, etc`
			`# DDos 4 Distributed denial of service attack, whether through http requests, large ping attack, etc`
			`# BruteForce 8 Brute force login attack`
			`# Proxy 16 IP is a proxy like TOR or other proxy server`
			`# Spam 32 Email, comment or other type of spam`
			`# Vpn 64 IP is part of a VPN`
			`# Hacking 128 General hacking outside of brute force attack (includes vulnerability scans, sql injection, etc.). Use port scan flag instead if it's just probe on ports.`
			`# BadBot 256 Bad bot that is not honoring robots.txt or just flooding with too many requests, etc`
			`# Compromised 512 The ip has been taken over by malware or botnet`
			`# Phishing 1024 The ip is involved in phishing or spoofing`
[DATALAD RUNCMD] run codespell throughout fixing typo automagically === Do not change lines below === { "chain": [], "cmd": "codespell -w", "exit": 0, "extra_inputs": [], "inputs": [], "outputs": [], "pwd": "." } ^^^ Do not change lines above ^^^ 2023-11-18 15:04:04 +00:00			`# Iot 2048 The ip has targeted an iot (Internet of Things) device`
IPThreat integration (#3349) new IPThreat action 2022-09-13 09:01:46 +00:00			`# PortScan 4096 Port scan`
			`# See https://ipthreat.net/bulkreportformat for more information`
			# ```

			`[Definition]`

			`# bypass action for restored tickets`
			`norestored = 1`

			`# Option: actionstart`
			`# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).`
			`# Values: CMD`
			`#`
			`actionstart =`

			`# Option: actionstop`
			`# Notes.: command executed at the stop of jail (or at the end of Fail2Ban)`
			`# Values: CMD`
			`#`
			`actionstop =`

			`# Option: actioncheck`
			`# Notes.: command executed once before each actionban command`
			`# Values: CMD`
			`#`
			`actioncheck =`

			`# Option: actionban`
			`# Notes.: command executed when banning an IP. Take care that the`
			`# command is executed with Fail2Ban user rights.`
			`#`
			`# Tags: See jail.conf(5) man page`
			`# Values: CMD`
			`#`
			`actionban = curl -sSf "https://api.ipthreat.net/api/report" -X POST -H "Content-Type: application/json" -H "X-API-KEY: <ipthreat_apikey>" -d "{\"ip\":\"<ip>\",\"flags\":\"<ipthreat_flags>\",\"system\":\"<ipthreat_system>\",\"notes\":\"fail2ban\"}"`

			`# Option: actionunban`
			`# Notes.: command executed when unbanning an IP. Take care that the`
			`# command is executed with Fail2Ban user rights.`
			`# Tags: See jail.conf(5) man page`
			`# Values: CMD`
			`#`
			`actionunban =`

			`[Init]`
			`# Option: ipthreat_apikey`
			`# Notes Your API key from ipthreat.net`
			`# Values: STRING Default: None`
			`# Register for ipthreat [https://ipthreat.net], get api key and set below.`
			`# You will need to set the flags and system in the action call in jail.conf`
			`ipthreat_apikey =`

			`# By default, the ipthreat system is the name of the fail2ban jail`
			`ipthreat_system = <name>`

			`# By default the ip threat flags is 8 (brute force), but you can override this per jail if desired`
			`ipthreat_flags = 8`