From 1c41390f7caed9a9e6712c83d80774bf7bf1c14f Mon Sep 17 00:00:00 2001
From: Andrew James Collett
Date: Sun, 8 Jan 2017 09:26:11 +0200
Subject: [PATCH] Restructured the way the catagories work. Jail.conf is cleaner and abuseipdb.conf is more flexible.
---
 config/action.d/abuseipdb.conf | 19 +++++++++++++++++++
 config/jail.conf | 28 ++++++++++++----------------
 2 files changed, 31 insertions(+), 16 deletions(-)
diff --git a/config/action.d/abuseipdb.conf b/config/action.d/abuseipdb.conf
index 7bd3f68a..3bcfb065 100644
--- a/config/action.d/abuseipdb.conf
+++ b/config/action.d/abuseipdb.conf
@@ -16,6 +16,23 @@
 # Original Ref: https://wiki.shaunc.com/wikka.php?wakka=ReportingToAbuseIPDBWithFail2Ban
 # Added to fail2ban by Andrew James Collett (ajcollett)
+## abuseIPDB Catagories, `the abuseipdb_category` MUST be set in the jail.conf action call.
+# Example, for ssh bruteforce: action = %(action_abuseipdb)s[abuseipdb_category="18,22"]
+# ID Title Description
+# 3 Fraud Orders
+# 4 DDoS Attack
+# 9 Open Proxy
+# 10 Web Spam
+# 11 Email Spam
+# 14 Port Scan
+# 18 Brute-Force
+# 19 Bad Web Bot
+# 20 Exploited Host
+# 21 Web App Attack
+# 22 SSH Secure Shell (SSH) abuse. Use this category in combination with more specific categories.
+# 23 IoT Targeted
+# See https://abuseipdb.com/categories for more descriptions
+
 [Definition]
 # Option: actionstart
@@ -71,4 +88,6 @@ actionunban =
 # Option: abuseipdb_apikey
 # Notes Your API key from abuseipdb.com
 # Values: STRING Default: None
+# Register for abuseipdb [https://www.abuseipdb.com], get api key and set below.
+# You will need to set the catagory in the action call.
 abuseipdb_apikey =
diff --git a/config/jail.conf b/config/jail.conf
index f5d24621..7ba343fb 100644
--- a/config/jail.conf
+++ b/config/jail.conf
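Review bot: The new header in the first hunk states that `abuseipdb_category` MUST be set in the jail action call, but nothing in this hunk gives the option a default or rejects an empty value, and the `[Definition]` section that would do so lies outside the hunk; a jail that interpolates `%(action_abuseipdb)s` without the bracketed parameter would presumably submit a report with an empty category and no error. The category table also drops IDs 12, 15, 16 and 17, which the shortcuts removed from jail.conf in this same commit used (blogspam, hack, sqlinject, spoofing); if those IDs are no longer accepted the comment should say so, otherwise the table is incomplete. The backticks are misplaced and the heading is misspelled: `## abuseIPDB Categories: the `abuseipdb_category` option MUST be set in the jail.conf action call.` would read correctly.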
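Review bot: The second hunk of abuseipdb.conf tells the user to paste the API key directly into this shipped file, which is the file a package upgrade overwrites and the one most likely to be committed or diffed by accident; the key authorizes reports under the account that owns it, so it belongs in a `.local` override with restrictive permissions, the same convention jail.conf already documents for jail.local. A comment such as `# Set the key in action.d/abuseipdb.local rather than here so upgrades keep it, and restrict that file's permissions: the key submits reports under your account.` would steer users the right way. "catagory" on the following line should be "category".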
@@ -206,23 +206,19 @@ action_badips = badips.py[category="%(__name__)s", banaction="%(banaction)s", ag
 # Report ban via badips.com (uses action.d/badips.conf for reporting only)
 # action_badips_report = badips[category="%(__name__)s", agent="%(fail2ban_agent)s"]
-# Actions to report to abuseipdb.com via API.
-# See action.d/abuseipdb.conf and https://wiki.shaunc.com/wikka.php?wakka=ReportingToAbuseIPDBWithFail2Ban
-# If you want cleaner reports that ensure no user data see the helper script at the above IP
+# Report ban via abuseipdb.com.
+#
+# See action.d/abuseipdb.conf and
+# https://wiki.shaunc.com/wikka.php?wakka=ReportingToAbuseIPDBWithFail2Ban
+#
 # NOTE: These reports may include sensitive Info.
-
-# IMPORTANT: Register for abuseipdb [https://www.abuseipdb.com], get, and set the api key at the bottom of action.d/abuseipdb.conf
-action_abuseipdb_fraud = abuseipdb[abuseipdb_category="3"]
-action_abuseipdb_ddos = abuseipdb[abuseipdb_category="4"]
-action_abuseipdb_proxy = abuseipdb[abuseipdb_category="9"]
-action_abuseipdb_forumspam = abuseipdb[abuseipdb_category="10"]
-action_abuseipdb_emailspam = abuseipdb[abuseipdb_category="11"]
-action_abuseipdb_blogspam = abuseipdb[abuseipdb_category="12"]
-action_abuseipdb_portscan = abuseipdb[abuseipdb_category="14"]
-action_abuseipdb_hack = abuseipdb[abuseipdb_category="15"]
-action_abuseipdb_sqlinject = abuseipdb[abuseipdb_category="16"]
-action_abuseipdb_spoofing = abuseipdb[abuseipdb_category="17"]
-action_abuseipdb_sshbrute = abuseipdb[abuseipdb_category="18"]
+# If you want cleaner reports that ensure no user data see the helper script at the above website.
+#
+# IMPORTANT: This action relies on a api_key being added to the above action conf,
+# and the appropriate catagories set.
+# Example, for ssh bruteforce: action = %(action_abuseipdb)s[abuseipdb_category="18,22"]
+# See action.d/abuseipdb.conf for catagories
+action_abuseipdb = abuseipdb
 # Choose default action. 
To change, just override value of 'action' with the
 # interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local
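Review bot: The new IMPORTANT comment names the option `api_key`, but the option the action actually reads, visible in the abuseipdb.conf hunk of this same commit, is `abuseipdb_apikey`; a reader grepping for the name in the comment will not find it. The replacement `action_abuseipdb = abuseipdb` also carries no category, unlike the eleven per-category shortcuts it removes, so the bare shortcut is presumably usable without the parameter the other file says is mandatory; the comment should make the bracketed parameter part of the contract rather than an example. I would change the two lines to `# IMPORTANT: This action relies on abuseipdb_apikey being set in action.d/abuseipdb.conf (or a .local override),` and `# and on abuseipdb_category being passed in the action call, e.g. action = %(action_abuseipdb)s[abuseipdb_category="18,22"]`. "a api_key" should read "an API key" and "catagories" should read "categories" in both added comment lines.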