From 55e107310fd0697d583aa8971e2b1db48e49c5ea Mon Sep 17 00:00:00 2001 From: Andrew James Collett Date: Sat, 7 Jan 2017 14:24:54 +0200 Subject: [PATCH] Added config for AbuseIPDB, ony tested on Ubuntu 16.04 --- THANKS | 2 + config/action.d/abuseipdb.conf | 74 ++++++++++++++++++++++++++++++++++ config/jail.conf | 21 +++++++++- 3 files changed, 95 insertions(+), 2 deletions(-) create mode 100644 config/action.d/abuseipdb.conf diff --git a/THANKS b/THANKS index 8f746f29..7537cb92 100644 --- a/THANKS +++ b/THANKS @@ -16,6 +16,7 @@ Alexander Koeppe (IPv6 support) Alexandre Perrin (kAworu) Amir Caspi Amy +Andrew James Collett (ajcollett) Andrew St. Jean Andrey G. Grozin Andy Fragen @@ -111,6 +112,7 @@ Sean DuBois Sebastian Arcus Serg G. Brester Sergey Safarov +Shaun C. Sireyessire silviogarbes Stefan Tatschner diff --git a/config/action.d/abuseipdb.conf b/config/action.d/abuseipdb.conf new file mode 100644 index 00000000..7bd3f68a --- /dev/null +++ b/config/action.d/abuseipdb.conf 
@@ -0,0 +1,74 @@
+# Fail2ban configuration file
+#
+# Action to report IP address to abuseipdb.com
+# You must sign up to obtain an API key from abuseipdb.com.
+#
+# IMPORTANT:
+#
+# Reporting an IP of abuse is a serious complaint. Make sure that it is
+# serious. Fail2ban developers and network owners recommend you only use this
+# action for:
+# * The recidive where the IP has been banned multiple times
+# * Where maxretry has been set quite high, beyond the normal user typing
+# password incorrectly.
+# * For filters that have a low likelihood of receiving human errors
+#
+# Original Ref: https://wiki.shaunc.com/wikka.php?wakka=ReportingToAbuseIPDBWithFail2Ban
+# Added to fail2ban by Andrew James Collett (ajcollett)
+
+[Definition]
+
+# Option: actionstart
+# Notes.: command executed once at the start of Fail2Ban.
+# Values: CMD
+#
+actionstart = 
+
+# Option: actionstop
+# Notes.: command executed once at the end of Fail2Ban
+# Values: CMD
+#
+actionstop = 
+
+# Option: actioncheck
+# Notes.: command executed once before each actionban command
+# Values: CMD
+#
+actioncheck = 
+
+# Option: actionban
+# Notes.: command executed when banning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+#
+# ** IMPORTANT! **
+#
+# By default, this posts directly to AbuseIPDB's API, unfortunately
+# this results in a lot of backslashes/escapes appearing in the
+# reports. This also may include info like your hostname.
+# If you have your own web server with PHP available, you can
+# use my (Shaun's) helper PHP script by commenting out the first #actionban
+# line below, uncommenting the second one, and pointing the URL at
+# wherever you install the helper script. For the PHP helper script, see
+#
+#
+# --ciphers ecdhe_ecdsa_aes_256_sha is used to workaround a
+# "NSS error -12286" from curl as it attempts to connect using
+# SSLv3. 
See https://www.centos.org/forums/viewtopic.php?t=52732 +# Tags: See jail.conf(5) man page +# Values: CMD +# +actionban = curl --fail --ciphers ecdhe_ecdsa_aes_256_sha --data 'key=' --data-urlencode 'comment=' --data 'ip=' --data 'category=' "https://www.abuseipdb.com/report/json" + +# Option: actionunban +# Notes.: command executed when unbanning an IP. Take care that the +# command is executed with Fail2Ban user rights. +# Tags: See jail.conf(5) man page +# Values: CMD +# +actionunban = + +[Init] +# Option: abuseipdb_apikey +# Notes Your API key from abuseipdb.com +# Values: STRING Default: None +abuseipdb_apikey = diff --git a/config/jail.conf b/config/jail.conf index b7c927e2..f5d24621 100644 --- a/config/jail.conf +++ b/config/jail.conf @@ -185,7 +185,7 @@ action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"] %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"] # Report block via blocklist.de fail2ban reporting service API -# +# # See the IMPORTANT note in action.d/blocklist_de.conf for when to # use this action. Create a file jail.d/blocklist_de.local containing # [Init] 
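Review bot: The API key is interpolated straight into the curl argument list in `actionban` (`--data 'key=…'`), so for the lifetime of every report it is readable by any local user through `ps` or `/proc/*/cmdline`; the tag placeholders inside the quotes appear to have been lost in this rendering, so I am going by the option names. A less leaky shape keeps the key in a root-only curl config file and references it, e.g. `actionban = curl --fail --silent --show-error --max-time 30 --config /etc/fail2ban/abuseipdb.curlrc --data-urlencode 'comment=<matches>' --data 'ip=<ip>' --data 'category=<abuseipdb_category>' "https://www.abuseipdb.com/report/json"` with `data = "key=…"` in that file, which also adds the timeout the current command lacks (without `--max-time` a stalled connection holds up the ban action). Pinning one suite with `--ciphers ecdhe_ecdsa_aes_256_sha` is brittle: the moment the server stops offering it every report fails, so a version floor such as `--tlsv1.2` is the safer workaround, and the comment should record which curl/NSS versions actually needed it. The comment about "commenting out the first #actionban line below, uncommenting the second one" refers to a second actionban line that is not present in this file.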
@@ -206,6 +206,23 @@ action_badips = badips.py[category="%(__name__)s", banaction="%(banaction)s", ag # Report ban via badips.com (uses action.d/badips.conf for reporting only) # action_badips_report = badips[category="%(__name__)s", agent="%(fail2ban_agent)s"] +# Actions to report to abuseipdb.com via API. +# See action.d/abuseipdb.conf and https://wiki.shaunc.com/wikka.php?wakka=ReportingToAbuseIPDBWithFail2Ban +# If you want cleaner reports that ensure no user data see the helper script at the above IP +# NOTE: These reports may include sensitive Info. + +# IMPORTANT: Register for abuseipdb [https://www.abuseipdb.com], get, and set the api key at the bottom of action.d/abuseipdb.conf +action_abuseipdb_fraud = abuseipdb[abuseipdb_category="3"] +action_abuseipdb_ddos = abuseipdb[abuseipdb_category="4"] +action_abuseipdb_proxy = abuseipdb[abuseipdb_category="9"] +action_abuseipdb_forumspam = abuseipdb[abuseipdb_category="10"] +action_abuseipdb_emailspam = abuseipdb[abuseipdb_category="11"] +action_abuseipdb_blogspam = abuseipdb[abuseipdb_category="12"] +action_abuseipdb_portscan = abuseipdb[abuseipdb_category="14"] +action_abuseipdb_hack = abuseipdb[abuseipdb_category="15"] +action_abuseipdb_sqlinject = abuseipdb[abuseipdb_category="16"] +action_abuseipdb_spoofing = abuseipdb[abuseipdb_category="17"] +action_abuseipdb_sshbrute = abuseipdb[abuseipdb_category="18"] # Choose default action. To change, just override value of 'action' with the # interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local 
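Review bot: The IMPORTANT comment added here tells users to "set the api key at the bottom of action.d/abuseipdb.conf", i.e. to edit the shipped action file, while the blocklist_de block just above this hunk directs the same kind of secret into a `.local` override; editing the packaged `.conf` loses the key on upgrade and leaves it in a file that is typically world-readable. Suggest mirroring the neighbouring wording: `# IMPORTANT: Register at https://www.abuseipdb.com, then put your key in a root-only action.d/abuseipdb.local containing` / `# [Init]` / `# abuseipdb_apikey = YOUR-KEY`. Two wording slips in the same block: "see the helper script at the above IP" should read "above URL", and "sensitive Info" should be "sensitive info", ideally saying what is sent (the matched log lines, which the action file warns may include your hostname).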
@@ -330,7 +347,7 @@ logpath = /opt/openhab/logs/request.log port = http,https logpath = %(nginx_error_log)s -# To use 'nginx-limit-req' jail you should have `ngx_http_limit_req_module` +# To use 'nginx-limit-req' jail you should have `ngx_http_limit_req_module` # and define `limit_req` and `limit_req_zone` as described in nginx documentation # http://nginx.org/en/docs/http/ngx_http_limit_req_module.html # or for example see in 'config/filter.d/nginx-limit-req.conf'