From 2962bb0e56253ca7097b0b9ef7545b5b6ba5fa6b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Hasan=20=C3=87ALI=C5=9EIR?= Date: Wed, 26 Feb 2025 12:47:31 +0300 Subject: [PATCH] Fail2Ban AbuseIPDB: Override main config with enhancements MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Added an override configuration to enhance Fail2Ban’s AbuseIPDB integration. - Introduced a local banned IP list for better isolation from Fail2Ban. - Optimized API calls (`/v2/check` → `/v2/report`) to reduce redundant reports. - Ensured `norestored=1` handling to prevent re-reporting after restarts. - Improved logging and added custom comments to avoid sensitive data exposure. This override provides more control, efficiency, and security while maintaining compatibility with the main configuration. --- files/abuseipdb.local | 63 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 63 insertions(+) create mode 100644 files/abuseipdb.local diff --git a/files/abuseipdb.local b/files/abuseipdb.local new file mode 100644 index 00000000..b698afdc --- /dev/null +++ b/files/abuseipdb.local @@ -0,0 +1,63 @@ +# Fail2Ban AbuseIPDB Integration (Enhanced) +# +# Author: Hasan CALISIR +# GitHub: https://github.com/hsntgm +# +# Description: +# This configuration enhances Fail2Ban's integration with AbuseIPDB, +# providing users with improved control, flexibility, and security when reporting abusive IPs. +# +# Key Enhancements: +# - Implements a **local banned IP list** to ensure **complete isolation** from Fail2Ban, +# enabling the script to manage and track IP bans without relying solely on Fail2Ban's internal ban management. +# - Performs **two API calls**: +# 1. `/v2/check`: Verifies if the IP is already reported to AbuseIPDB. +# 2. `/v2/report`: Reports the IP to AbuseIPDB if necessary, ensuring efficient use of API calls. +# - Supports **Fail2Ban's `norestored=1` feature** to prevent redundant reports on Fail2Ban restart. +# This feature ensures that once an IP is reported, it is not reported again upon Fail2Ban restart. +# - **Prevents redundant reporting** by checking the local list before making a report to AbuseIPDB. +# - Provides **custom comments** for IP reports, helping to avoid the leakage of sensitive information. +# + +[Definition] +# Option: norestored +###################### +# Notes.: Ensure norestored is set to 0 +# We control this at the script level to provide users with more control over how restored tickets are handled. +# We will also be able to log all triggered events by norestored +# Do not modify this value directly. Instead, adjust 'BYPASS_FAIL2BAN' below as needed. +# norestored = 0 + + +# Option: User defined settings +###################### +# Notes.: * Path to the main local banned IP list used by the action script. Not logrotate your main IP list log. +# * Path to the log file where actions and events are recorded by the action script +# * Rely on Fail2Ban for restarts (0) or completely isolate it by bypassing Fail2Ban (1) +# ! Bypassing Fail2Ban on restarts (BYPASS_FAIL2BAN = 1) can overhelm your server and AbuseIPDB API on restarts +# ! Use this option if you want to completely isolate from Fail2Ban and rely solely on the local banned IP list for reporting. + +# BANNED_IP_LIST = "/var/log/abuseipdb/abuseipdb-banned.log" +# LOG_FILE = "/var/log/abuseipdb/abuseipdb.log" +# BYPASS_FAIL2BAN = 0 + + +# Option: actionstart +###################### +# Notes.: DO NOT MODIFY, JUST UNCOMMENT +# actionstart = nohup /etc/fail2ban/action.d/fail2ban_abuseipdb.sh \ +# "--actionstart" "" "" & + + +# Option: actionban +###################### +# Notes.: DO NOT MODIFY, JUST UNCOMMENT +# actionban = /etc/fail2ban/action.d/fail2ban_abuseipdb.sh \ +# "" "" "" "" "" "" "" "" "" + + +[Init] +# Option: abuseipdb_apikey +###################### +# Notes Set your API key and COMMENT OUT +# abuseipdb_apikey =