From 7f77eb0b6e24c61c25680f108a57913d1c27a6f7 Mon Sep 17 00:00:00 2001
From: Morteza Saeed Mohammadi
Date: Wed, 17 Jul 2024 02:26:52 +0330
Subject: [PATCH] Fix sensitive information leakage in actionban command
---
config/action.d/abuseipdb.conf | 49 +++++++++++++++++++++++++---------
1 file changed, 37 insertions(+), 12 deletions(-)
diff --git a/config/action.d/abuseipdb.conf b/config/action.d/abuseipdb.conf
index d0d4a99b..5c20413c 100644
--- a/config/action.d/abuseipdb.conf
+++ b/config/action.d/abuseipdb.conf
@@ -68,24 +68,30 @@ actionstop =
 actioncheck =
 
 # Option: actionban
-# Notes.: command executed when banning an IP. Take care that the
+# Notes.: Command executed when banning an IP. Take care that the
 # command is executed with Fail2Ban user rights.
 #
-# ** IMPORTANT! **
-#
-# By default, this posts directly to AbuseIPDB's API, unfortunately
-# this results in a lot of backslashes/escapes appearing in the
-# reports. This also may include info like your hostname.
-# If you have your own web server with PHP available, you can
-# use my (Shaun's) helper PHP script by commenting out the first #actionban
-# line below, uncommenting the second one, and pointing the URL at
-# wherever you install the helper script. For the PHP helper script, see
-#
+# This command posts to AbuseIPDB's API to report abusive IPs. By default,
+# it includes sensitive information such as your server IP addresses and other
+# specified fields. To customize what information is removed before sending
+# the report, you can set options like dst_ips_prefix, hostname, and other_removed
+# in the jail.local file or by passing arguments in your jail action line.
 #
 # Tags: See jail.conf(5) man page
 # Values: CMD
 #
-actionban = lgm=$(printf '%%.1000s\n...' ""); curl -sSf "https://api.abuseipdb.com/api/v2/report" -H "Accept: application/json" -H "Key: " --data-urlencode "comment=$lgm" --data-urlencode "ip=" --data "categories="
+
+actionban = lgm=$(printf '%%.1000s\n...' "" | \
+ sed -r 's/([0-9]{1,3}\.){1}[0-9]{1,3}/[REMOVED]/g' | \
+ sed -r 's/([[:xdigit:]]{1,2}:){5}[[:xdigit:]]{1,2}/[REMOVED]/g' | \
+ sed -r 's///g' | \
+ sed -r 's///g'); \
+ curl -sSf "https://api.abuseipdb.com/api/v2/report" \
+ -H "Accept: application/json" \
+ -H "Key: " \
+ --data-urlencode "comment=$lgm" \
+ --data-urlencode "ip=" \
+ --data "categories="
 
 # Option: actionunban
 # Notes.: command executed when unbanning an IP. Take care that the
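Review bot: The fourth and fifth stages of the new actionban pipeline read `sed -r 's///g'` on this page, an empty pattern; if those stages carry the new `hostname` and `other_removed` tags (the tag names are not visible here), then the empty defaults the second hunk gives them expand to exactly `s///g`, which GNU sed rejects with "no previous regular expression", so `$lgm` ends up empty and the report is sent with a blank comment while nothing in the pipeline notices, because `curl -sSf` only checks its own exit status. A default that cannot match, or a pattern that remains a valid expression when the tag is empty, would keep the out-of-the-box configuration working; the same concern applies to the empty `dst_ips_prefix` default in the second hunk if it is used in a pattern the same way. The IPv4 stage `([0-9]{1,3}\.){1}[0-9]{1,3}` also matches any `digits.digits` pair, so a full address comes out as `[REMOVED].[REMOVED]` and version numbers or fractional timestamps in the log excerpt are redacted as well, whereas IPv6 addresses pass through untouched; a four-octet pattern plus an explicit IPv6 stage would make the redaction both narrower and complete. The `{1}` quantifier on the first group is a no-op and can be dropped.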
@@ -102,3 +108,22 @@ actionunban =
 # Register for abuseipdb [https://www.abuseipdb.com], get api key and set below.
 # You will need to set the category in the action call.
 abuseipdb_apikey =
+
+# Option: dst_ips_prefix
+# Notes: Specifies the prefix used before destination IPs in your log for removing the first two octets of DST IP from match logs.
+# Example: If your iptables log entry is DST=xxx.xxx.xxx.xxx, set dst_ips_prefix to DST=
+# dst_ips_prefix = DST=
+# Values: STRING Default: None
+dst_ips_prefix =
+
+# Option: other_removed
+# Notes: Specifies text to be removed from matches log entries.
+# Example: To remove hostname and app from iptables log entries, set other_removed to HOSTNAME APPNAME:
+# other_removed = myhost kernel:
+# Values: STRING Default: None
+other_removed =
+
+# Option: hostname
+# Notes: Use this option to remove hostname from matches log.
+# Values: STRING Default: None
+hostname =
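Review bot: The Notes for `dst_ips_prefix`, `other_removed` and `hostname` do not say that the value is spliced verbatim into a `sed -r 's/.../'` expression, which, if that is how the first hunk consumes them, means a `/` in the value breaks the substitution and `.`, `[`, `*` or `+` in a hostname are interpreted as regex metacharacters rather than literal text (a real FQDN with dots will still match, but more broadly than intended). Each Notes block should carry a line such as `# The value is used as an unescaped extended regular expression; escape metacharacters and do not use "/".` The three `Values: STRING Default: None` lines describe a default that is actually the empty string, so `Default: empty (nothing removed)` would be more accurate, and the first hunk's handling of that empty value is the place to confirm that "nothing removed" is really what happens.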