Restructured the way the catagories work.

Jail.conf is cleaner and abuseipdb.conf is more flexible.
2017-01-08 09:26:11 +02:00 · 2017-01-08 09:26:11 +02:00 · 1c41390f7c
parent 55e107310f
commit 1c41390f7c
2 changed files with 31 additions and 16 deletions
--- a/config/action.d/abuseipdb.conf
+++ b/config/action.d/abuseipdb.conf
@ -16,6 +16,23 @@
 # Original Ref: https://wiki.shaunc.com/wikka.php?wakka=ReportingToAbuseIPDBWithFail2Ban
 # Added to fail2ban by Andrew James Collett (ajcollett)

+## abuseIPDB Catagories, `the abuseipdb_category` MUST be set in the jail.conf action call.
+# Example, for ssh bruteforce: action = %(action_abuseipdb)s[abuseipdb_category="18,22"]
+# ID	Title	Description
+# 3	  Fraud Orders
+# 4	  DDoS Attack
+# 9	  Open Proxy
+# 10	Web Spam
+# 11	Email Spam
+# 14	Port Scan
+# 18	Brute-Force
+# 19	Bad Web Bot
+# 20	Exploited Host
+# 21	Web App Attack
+# 22	SSH	Secure Shell (SSH) abuse. Use this category in combination with more specific categories.
+# 23	IoT Targeted
+# See https://abuseipdb.com/categories for more descriptions
+
 [Definition]

 # Option:  actionstart
@ -71,4 +88,6 @@ actionunban =
 # Option:  abuseipdb_apikey
 # Notes    Your API key from abuseipdb.com
 # Values:  STRING  Default: None
+# Register for abuseipdb [https://www.abuseipdb.com], get api key and set below.
+# You will need to set the catagory in the action call.
 abuseipdb_apikey =
--- a/config/jail.conf
+++ b/config/jail.conf
@ -206,23 +206,19 @@ action_badips = badips.py[category="%(__name__)s", banaction="%(banaction)s", ag
 # Report ban via badips.com (uses action.d/badips.conf for reporting only)
 #
 action_badips_report = badips[category="%(__name__)s", agent="%(fail2ban_agent)s"]
-# Actions to report to abuseipdb.com via API.
-# See action.d/abuseipdb.conf and https://wiki.shaunc.com/wikka.php?wakka=ReportingToAbuseIPDBWithFail2Ban
-# If you want cleaner reports that ensure no user data see the helper script at the above IP
+# Report ban via abuseipdb.com.
+#
+# See action.d/abuseipdb.conf and
+# https://wiki.shaunc.com/wikka.php?wakka=ReportingToAbuseIPDBWithFail2Ban
+#
 # NOTE: These reports may include sensitive Info.
-
-# IMPORTANT: Register for abuseipdb [https://www.abuseipdb.com], get, and set the api key at the bottom of action.d/abuseipdb.conf
-action_abuseipdb_fraud     = abuseipdb[abuseipdb_category="3"]
-action_abuseipdb_ddos      = abuseipdb[abuseipdb_category="4"]
-action_abuseipdb_proxy     = abuseipdb[abuseipdb_category="9"]
-action_abuseipdb_forumspam = abuseipdb[abuseipdb_category="10"]
-action_abuseipdb_emailspam = abuseipdb[abuseipdb_category="11"]
-action_abuseipdb_blogspam  = abuseipdb[abuseipdb_category="12"]
-action_abuseipdb_portscan  = abuseipdb[abuseipdb_category="14"]
-action_abuseipdb_hack      = abuseipdb[abuseipdb_category="15"]
-action_abuseipdb_sqlinject = abuseipdb[abuseipdb_category="16"]
-action_abuseipdb_spoofing  = abuseipdb[abuseipdb_category="17"]
-action_abuseipdb_sshbrute  = abuseipdb[abuseipdb_category="18"]
+# If you want cleaner reports that ensure no user data see the helper script at the above website.
+#
+# IMPORTANT: This action relies on a api_key being added to the above action conf,
+# and the appropriate catagories set.
+# Example, for ssh bruteforce: action = %(action_abuseipdb)s[abuseipdb_category="18,22"]
+# See action.d/abuseipdb.conf for catagories
+action_abuseipdb = abuseipdb

 # Choose default action.  To change, just override value of 'action' with the
 # interpolation to the chosen action shortcut (e.g.  action_mw, action_mwl, etc) in jail.local