BF: Use abusix Abuse Contact DB to get more accurate abuse addresses
Taken from xarf-login-attack action from 0.9 branch by Daniel Black
pull/614/head
parent
9bfc77c320
commit
31f4ea59cb
|
@ -1,17 +1,16 @@
|
||||||
# Fail2Ban configuration file
|
# Fail2Ban configuration file
|
||||||
#
|
#
|
||||||
# Author: Russell Odom <russ@gloomytrousers.co.uk>
|
# Author: Russell Odom <russ@gloomytrousers.co.uk>, Daniel Black
|
||||||
# Sends a complaint e-mail to addresses listed in the whois record for an
|
# Sends a complaint e-mail to addresses listed in the whois record for an
|
||||||
# offending IP address.
|
# offending IP address.
|
||||||
|
# This uses the https://abusix.com/contactdb.html to lookup abuse contacts.
|
||||||
|
#
|
||||||
|
# DEPENDANCIES:
|
||||||
|
# This requires the dig command from bind-utils
|
||||||
#
|
#
|
||||||
# You should provide the <logpath> in the jail config - lines from the log
|
# You should provide the <logpath> in the jail config - lines from the log
|
||||||
# matching the given IP address will be provided in the complaint as evidence.
|
# matching the given IP address will be provided in the complaint as evidence.
|
||||||
#
|
#
|
||||||
# Note that we will try to use e-mail addresses that are most likely to be abuse
|
|
||||||
# addresses (based on various keywords). If they aren't found we fall back on
|
|
||||||
# any other addresses found in the whois record, with a few exceptions.
|
|
||||||
# If no addresses are found, no e-mail is sent.
|
|
||||||
#
|
|
||||||
# WARNING
|
# WARNING
|
||||||
# -------
|
# -------
|
||||||
#
|
#
|
||||||
|
@ -55,7 +54,7 @@ actioncheck =
|
||||||
# Tags: See jail.conf(5) man page
|
# Tags: See jail.conf(5) man page
|
||||||
# Values: CMD
|
# Values: CMD
|
||||||
#
|
#
|
||||||
actionban = ADDRESSES=`whois <ip> | perl -e 'while (<STDIN>) { next if /^changed|@(ripe|apnic)\.net/io; $m += (/abuse|trouble:|report|spam|security/io?3:0); if (/([a-z0-9_\-\.+]+@[a-z0-9\-]+(\.[[a-z0-9\-]+)+)/io) { while (s/([a-z0-9_\-\.+]+@[a-z0-9\-]+(\.[[a-z0-9\-]+)+)//io) { if ($m) { $a{lc($1)}=$m } else { $b{lc($1)}=$m } } $m=0 } else { $m && --$m } } if (%%a) {print join(",",keys(%%a))} else {print join(",",keys(%%b))}'`
|
actionban = oifs=${IFS}; IFS=.;SEP_IP=( <ip> ); set -- ${SEP_IP} ;ADDRESSES=$(dig +short -t txt -q $4.$3.$2.$1.abuse-contacts.abusix.org); IFS=${oifs}
|
||||||
IP=<ip>
|
IP=<ip>
|
||||||
if [ ! -z "$ADDRESSES" ]; then
|
if [ ! -z "$ADDRESSES" ]; then
|
||||||
(printf %%b "<message>\n"; date '+Note: Local timezone is %%z (%%Z)'; grep -E '(^|[^0-9])<ip>([^0-9]|$)' <logpath>) | <mailcmd> "Abuse from <ip>" <mailargs> $ADDRESSES
|
(printf %%b "<message>\n"; date '+Note: Local timezone is %%z (%%Z)'; grep -E '(^|[^0-9])<ip>([^0-9]|$)' <logpath>) | <mailcmd> "Abuse from <ip>" <mailargs> $ADDRESSES
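Review bot: The new `actionban` hands whatever the DNS TXT lookup returns straight to `<mailcmd>` as an unquoted `$ADDRESSES`, so the recipient list is now unauthenticated DNS data that is word-split and glob-expanded on the shell command line, whereas the whois version at least constrained addresses with a regex; in addition `dig +short -t txt` prints TXT records wrapped in double quotes, so the mail command receives `"abuse@example.com"` with literal quote characters. I would strip the quotes and keep only address-safe characters before use, e.g. `ADDRESSES=$(dig +short -t txt -q $4.$3.$2.$1.abuse-contacts.abusix.org | tr -d '"' | tr -cd 'A-Za-z0-9@._+,-')`, and keep the existing `[ ! -z "$ADDRESSES" ]` guard so nothing is sent when the filtered result is empty. The `$4.$3.$2.$1` reversal and `SEP_IP=( <ip> )` only work for dotted IPv4 input, and the array assignment is a bashism that will not parse if actions run under a plain POSIX /bin/sh such as dash — worth confirming which shell fail2ban uses for actions. The `dig` requirement is only recorded in the header comment of the first hunk, where `DEPENDANCIES` should read `DEPENDENCIES`; and in the third hunk the new `message` still tells the recipient their address "was extracted from the whois record", which the new lookup no longer does.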
|
||||||
|
@ -70,7 +69,7 @@ actionban = ADDRESSES=`whois <ip> | perl -e 'while (<STDIN>) { next if /^changed
|
||||||
actionunban =
|
actionunban =
|
||||||
|
|
||||||
[Init]
|
[Init]
|
||||||
message = Dear Sir/Madam,\n\nWe have detected abuse from the IP address $IP, which according to a whois lookup is on your network. We would appreciate if you would investigate and take action as appropriate.\n\nLog lines are given below, but please ask if you require any further information.\n\n(If you are not the correct person to contact about this please accept our apologies - your e-mail address was extracted from the whois record by an automated process. This mail was generated by Fail2Ban.)\n
|
message = Dear Sir/Madam,\n\nWe have detected abuse from the IP address $IP, which according to a abusix.com is on your network. We would appreciate if you would investigate and take action as appropriate.\n\nLog lines are given below, but please ask if you require any further information.\n\n(If you are not the correct person to contact about this please accept our apologies - your e-mail address was extracted from the whois record by an automated process.)\n\n This mail was generated by Fail2Ban.\nThe recipient address of this report was provided by the Abuse Contact DB by abusix.com. abusix.com does not maintain the content of the database. All information which we pass out, derives from the RIR databases and is processed for ease of use. If you want to change or report non working abuse contacts please contact the appropriate RIR. If you have any further question, contact abusix.com directly via email (info@abusix.com). Information about the Abuse Contact Database can be found here: https://abusix.com/global-reporting/abuse-contact-db\nabusix.com is neither responsible nor liable for the content or accuracy of this message.\n
|
||||||
|
|
||||||
# Path to the log files which contain relevant lines for the abuser IP
|
# Path to the log files which contain relevant lines for the abuser IP
|
||||||
#
|
#
|
||||||
|
|