diff --git a/MANIFEST b/MANIFEST index bf46406c..565f5f75 100644 --- a/MANIFEST +++ b/MANIFEST @@ -23,6 +23,7 @@ config/action.d/helpers-common.conf config/action.d/hostsdeny.conf config/action.d/ipfilter.conf config/action.d/ipfw.conf +config/action.d/ipthreat.conf config/action.d/iptables-allports.conf config/action.d/iptables.conf config/action.d/iptables-ipset-proto4.conf diff --git a/config/action.d/ipthreat.conf b/config/action.d/ipthreat.conf new file mode 100644 index 00000000..193a60f2 --- /dev/null +++ b/config/action.d/ipthreat.conf @@ -0,0 +1,107 @@ +# IPThreat configuration file +# +# Added to fail2ban by Jeff Johnson (jjxtra) +# +# Action to report IP address to ipthreat.net +# +# You must sign up to obtain an API key from ipthreat.net and request bulk report permissions +# https://ipthreat.net/integrations +# +# IPThreat is a 100% free site and service, all data is licensed under a creative commons by attribution license +# Please do not integrate if you do not agree to the license +# +# IMPORTANT: +# +# Reporting an IP is a serious action. Make sure that it is legit. +# Consider using this action only for: +# * IP that has been banned more than once +# * High max retry to avoid user mis-typing password +# * Filters that are unlikely to be human error +# +# Example: +# ``` +# action = %(known/action)s +# ipthreat[] +# ``` +# +# The action accepts the following arguments: ipthreat[ipthreat_flags="8",ipthreat_system="SSH", ipthreat_apikey=...] +# In most cases your action could be as simple as: ipthreat[], since the default flags and system are set to the most correct default values. +# You can optionally override ipthreat_system and ipthreat_flags if desired. +# The ipthreat_apikey must be set at the bottom of this configuration file. +# +# `ipthreat_system` is a short name of the system attacked, i.e. SSH, SMTP, MYSQL, PHP, etc. +# +# For `ipthreat_flags`, most cases will use 8 (BruteForce) which is the default, but you could use others. +# You can use the name or the ordinal. +# Multiple values are comma separated. +# ``` +# Name Ordinal Description +# Dns 1 Abuse/attack of dns (domain name server) +# Fraud 2 General fraud, whether orders, misuse of payment info, etc +# DDos 4 Distributed denial of service attack, whether through http requests, large ping attack, etc +# BruteForce 8 Brute force login attack +# Proxy 16 IP is a proxy like TOR or other proxy server +# Spam 32 Email, comment or other type of spam +# Vpn 64 IP is part of a VPN +# Hacking 128 General hacking outside of brute force attack (includes vulnerability scans, sql injection, etc.). Use port scan flag instead if it's just probe on ports. +# BadBot 256 Bad bot that is not honoring robots.txt or just flooding with too many requests, etc +# Compromised 512 The ip has been taken over by malware or botnet +# Phishing 1024 The ip is involved in phishing or spoofing +# Iot 2048 The ip has targetted an iot (Internet of Things) device +# PortScan 4096 Port scan +# See https://ipthreat.net/bulkreportformat for more information +# ``` + +[Definition] + +# bypass action for restored tickets +norestored = 1 + +# Option: actionstart +# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false). +# Values: CMD +# +actionstart = + +# Option: actionstop +# Notes.: command executed at the stop of jail (or at the end of Fail2Ban) +# Values: CMD +# +actionstop = + +# Option: actioncheck +# Notes.: command executed once before each actionban command +# Values: CMD +# +actioncheck = + +# Option: actionban +# Notes.: command executed when banning an IP. Take care that the +# command is executed with Fail2Ban user rights. +# +# Tags: See jail.conf(5) man page +# Values: CMD +# +actionban = curl -sSf "https://api.ipthreat.net/api/report" -X POST -H "Content-Type: application/json" -H "X-API-KEY: " -d "{\"ip\":\"\",\"flags\":\"\",\"system\":\"\",\"notes\":\"fail2ban\"}" + +# Option: actionunban +# Notes.: command executed when unbanning an IP. Take care that the +# command is executed with Fail2Ban user rights. +# Tags: See jail.conf(5) man page +# Values: CMD +# +actionunban = + +[Init] +# Option: ipthreat_apikey +# Notes Your API key from ipthreat.net +# Values: STRING Default: None +# Register for ipthreat [https://ipthreat.net], get api key and set below. +# You will need to set the flags and system in the action call in jail.conf +ipthreat_apikey = + +# By default, the ipthreat system is the name of the fail2ban jail +ipthreat_system = + +# By default the ip threat flags is 8 (brute force), but you can override this per jail if desired +ipthreat_flags = 8 \ No newline at end of file