From 55e107310fd0697d583aa8971e2b1db48e49c5ea Mon Sep 17 00:00:00 2001
From: Andrew James Collett
Date: Sat, 7 Jan 2017 14:24:54 +0200
Subject: [PATCH 1/8] Added config for AbuseIPDB, ony tested on Ubuntu 16.04

---
 THANKS | 2 +
 config/action.d/abuseipdb.conf | 74 ++++++++++++++++++++++++++++++++++
 config/jail.conf | 21 +++++++++-
 3 files changed, 95 insertions(+), 2 deletions(-)
 create mode 100644 config/action.d/abuseipdb.conf

diff --git a/THANKS b/THANKS
index 8f746f29..7537cb92 100644
--- a/THANKS
+++ b/THANKS
@@ -16,6 +16,7 @@ Alexander Koeppe (IPv6 support) Alexandre Perrin (kAworu) Amir Caspi Amy
+Andrew James Collett (ajcollett)
 Andrew St. Jean Andrey G. Grozin Andy Fragen
@@ -111,6 +112,7 @@ Sean DuBois Sebastian Arcus Serg G. Brester Sergey Safarov
+Shaun C.
 Sireyessire silviogarbes Stefan Tatschner
diff --git a/config/action.d/abuseipdb.conf b/config/action.d/abuseipdb.conf
new file mode 100644
index 00000000..7bd3f68a
--- /dev/null
+++ b/config/action.d/abuseipdb.conf
@@ -0,0 +1,74 @@
+# Fail2ban configuration file
+#
+# Action to report IP address to abuseipdb.com
+# You must sign up to obtain an API key from abuseipdb.com.
+#
+# IMPORTANT:
+#
+# Reporting an IP of abuse is a serious complaint. Make sure that it is
+# serious. Fail2ban developers and network owners recommend you only use this
+# action for:
+# * The recidive where the IP has been banned multiple times
+# * Where maxretry has been set quite high, beyond the normal user typing
+# password incorrectly.
+# * For filters that have a low likelihood of receiving human errors
+#
+# Original Ref: https://wiki.shaunc.com/wikka.php?wakka=ReportingToAbuseIPDBWithFail2Ban
+# Added to fail2ban by Andrew James Collett (ajcollett)
+
+[Definition]
+
+# Option: actionstart
+# Notes.: command executed once at the start of Fail2Ban.
+# Values: CMD
+#
+actionstart =
+
+# Option: actionstop
+# Notes.: command executed once at the end of Fail2Ban
+# Values: CMD
+#
+actionstop =
+
+# Option: actioncheck
+# Notes.: command executed once before each actionban command
+# Values: CMD
+#
+actioncheck =
+
+# Option: actionban
+# Notes.: command executed when banning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+#
+# ** IMPORTANT! **
+#
+# By default, this posts directly to AbuseIPDB's API, unfortunately
+# this results in a lot of backslashes/escapes appearing in the
+# reports. This also may include info like your hostname.
+# If you have your own web server with PHP available, you can
+# use my (Shaun's) helper PHP script by commenting out the first #actionban
+# line below, uncommenting the second one, and pointing the URL at
+# wherever you install the helper script. For the PHP helper script, see
+#
+#
+# --ciphers ecdhe_ecdsa_aes_256_sha is used to workaround a
+# "NSS error -12286" from curl as it attempts to connect using
+# SSLv3.
See https://www.centos.org/forums/viewtopic.php?t=52732
+# Tags: See jail.conf(5) man page
+# Values: CMD
+#
+actionban = curl --fail --ciphers ecdhe_ecdsa_aes_256_sha --data 'key=' --data-urlencode 'comment=' --data 'ip=' --data 'category=' "https://www.abuseipdb.com/report/json"
+
+# Option: actionunban
+# Notes.: command executed when unbanning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: See jail.conf(5) man page
+# Values: CMD
+#
+actionunban =
+
+[Init]
+# Option: abuseipdb_apikey
+# Notes Your API key from abuseipdb.com
+# Values: STRING Default: None
+abuseipdb_apikey =
diff --git a/config/jail.conf b/config/jail.conf
index b7c927e2..f5d24621 100644
--- a/config/jail.conf
+++ b/config/jail.conf
@@ -185,7 +185,7 @@ action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"]
 %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
 # Report block via blocklist.de fail2ban reporting service API
-#
+#
 # See the IMPORTANT note in action.d/blocklist_de.conf for when to
 # use this action. Create a file jail.d/blocklist_de.local containing
 # [Init]
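Review bot: The `actionban` line hands the API key to curl as a command-line argument (`--data 'key=…'`, presumably interpolated from the `abuseipdb_apikey` option in `[Init]`; the tag names are stripped in this rendering), so for the duration of every report the secret is visible in the process list to any local account on the host. A less exposed form keeps the key in a root-owned file readable only by the fail2ban user and lets curl read it, e.g. `--data-urlencode 'key@<path-to-key-file>'`, or passes a curl config file via `-K`, so the value never enters argv. The request also has no `--max-time`, so a stalled connection to the service holds the jail's action queue until fail2ban's own command timeout gives up; a bound such as `--max-time 30` keeps a remote outage from delaying local bans. The `--ciphers ecdhe_ecdsa_aes_256_sha` pin is an NSS-style name for a single TLS 1.0-era suite, while the commit says it was tested on Ubuntu 16.04 whose stock curl is OpenSSL-linked, so it is worth verifying that non-NSS builds accept the name at all and documenting it as a CentOS/NSS-only workaround rather than a default.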
@@ -206,6 +206,23 @@ action_badips = badips.py[category="%(__name__)s", banaction="%(banaction)s", ag
 # Report ban via badips.com (uses action.d/badips.conf for reporting only)
 #
 action_badips_report = badips[category="%(__name__)s", agent="%(fail2ban_agent)s"]
+# Actions to report to abuseipdb.com via API.
+# See action.d/abuseipdb.conf and https://wiki.shaunc.com/wikka.php?wakka=ReportingToAbuseIPDBWithFail2Ban
+# If you want cleaner reports that ensure no user data see the helper script at the above IP
+# NOTE: These reports may include sensitive Info.
+
+# IMPORTANT: Register for abuseipdb [https://www.abuseipdb.com], get, and set the api key at the bottom of action.d/abuseipdb.conf
+action_abuseipdb_fraud = abuseipdb[abuseipdb_category="3"]
+action_abuseipdb_ddos = abuseipdb[abuseipdb_category="4"]
+action_abuseipdb_proxy = abuseipdb[abuseipdb_category="9"]
+action_abuseipdb_forumspam = abuseipdb[abuseipdb_category="10"]
+action_abuseipdb_emailspam = abuseipdb[abuseipdb_category="11"]
+action_abuseipdb_blogspam = abuseipdb[abuseipdb_category="12"]
+action_abuseipdb_portscan = abuseipdb[abuseipdb_category="14"]
+action_abuseipdb_hack = abuseipdb[abuseipdb_category="15"]
+action_abuseipdb_sqlinject = abuseipdb[abuseipdb_category="16"]
+action_abuseipdb_spoofing = abuseipdb[abuseipdb_category="17"]
+action_abuseipdb_sshbrute = abuseipdb[abuseipdb_category="18"]
 # Choose default action. To change, just override value of 'action' with the
 # interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local
@@ -330,7 +347,7 @@ logpath = /opt/openhab/logs/request.log
 port = http,https
 logpath = %(nginx_error_log)s
-# To use 'nginx-limit-req' jail you should have `ngx_http_limit_req_module`
+# To use 'nginx-limit-req' jail you should have `ngx_http_limit_req_module`
 # and define `limit_req` and `limit_req_zone` as described in nginx documentation
 # http://nginx.org/en/docs/http/ngx_http_limit_req_module.html
 # or for example see in 'config/filter.d/nginx-limit-req.conf'
From 1c41390f7caed9a9e6712c83d80774bf7bf1c14f Mon Sep 17 00:00:00 2001
From: Andrew James Collett
Date: Sun, 8 Jan 2017 09:26:11 +0200
Subject: [PATCH 2/8] Restructured the way the catagories work. Jail.conf is cleaner and abuseipdb.conf is more flexible.

---
 config/action.d/abuseipdb.conf | 19 +++++++++++++++++++
 config/jail.conf | 28 ++++++++++++----------------
 2 files changed, 31 insertions(+), 16 deletions(-)

diff --git a/config/action.d/abuseipdb.conf b/config/action.d/abuseipdb.conf
index 7bd3f68a..3bcfb065 100644
--- a/config/action.d/abuseipdb.conf
+++ b/config/action.d/abuseipdb.conf
@@ -16,6 +16,23 @@
 # Original Ref: https://wiki.shaunc.com/wikka.php?wakka=ReportingToAbuseIPDBWithFail2Ban
 # Added to fail2ban by Andrew James Collett (ajcollett)
+## abuseIPDB Catagories, `the abuseipdb_category` MUST be set in the jail.conf action call.
+# Example, for ssh bruteforce: action = %(action_abuseipdb)s[abuseipdb_category="18,22"]
+# ID Title Description
+# 3 Fraud Orders
+# 4 DDoS Attack
+# 9 Open Proxy
+# 10 Web Spam
+# 11 Email Spam
+# 14 Port Scan
+# 18 Brute-Force
+# 19 Bad Web Bot
+# 20 Exploited Host
+# 21 Web App Attack
+# 22 SSH Secure Shell (SSH) abuse. Use this category in combination with more specific categories.
+# 23 IoT Targeted
+# See https://abuseipdb.com/categories for more descriptions
+
 [Definition]
 # Option: actionstart
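Review bot: The new comment says `abuseipdb_category` MUST be supplied in the jail's action call, but nothing in the action file declares that option — the `[Init]` section added in the first commit holds only `abuseipdb_apikey` — so a jail that omits it gets no default and no early failure, and the tag is interpolated into `actionban` with whatever fail2ban substitutes for an undeclared tag. Declaring `abuseipdb_category =` in `[Init]` beside `abuseipdb_apikey` gives the option a documented home, and an `actionstart` that exits non-zero when either value is empty would surface the omission in the log at jail start instead of in silently useless reports. The table is also a subset of the IDs the previous commit's jail.conf shortcuts used (12, 15, 16 and 17 are gone), which is fine but should be stated, since a reader may take the list as exhaustive despite the closing link. Style: the backticks belong around the option name, `the \`abuseipdb_category\``, and "Catagories" is misspelled here, in the `@@ -71` hunk of this commit, in its jail.conf hunk and in the ChangeLog entry.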
@@ -71,4 +88,6 @@ actionunban =
 # Option: abuseipdb_apikey
 # Notes Your API key from abuseipdb.com
 # Values: STRING Default: None
+# Register for abuseipdb [https://www.abuseipdb.com], get api key and set below.
+# You will need to set the catagory in the action call.
 abuseipdb_apikey =
diff --git a/config/jail.conf b/config/jail.conf
index f5d24621..7ba343fb 100644
--- a/config/jail.conf
+++ b/config/jail.conf
@@ -206,23 +206,19 @@ action_badips = badips.py[category="%(__name__)s", banaction="%(banaction)s", ag
 # Report ban via badips.com (uses action.d/badips.conf for reporting only)
 #
 action_badips_report = badips[category="%(__name__)s", agent="%(fail2ban_agent)s"]
-# Actions to report to abuseipdb.com via API.
-# See action.d/abuseipdb.conf and https://wiki.shaunc.com/wikka.php?wakka=ReportingToAbuseIPDBWithFail2Ban
-# If you want cleaner reports that ensure no user data see the helper script at the above IP
+# Report ban via abuseipdb.com.
+#
+# See action.d/abuseipdb.conf and
+# https://wiki.shaunc.com/wikka.php?wakka=ReportingToAbuseIPDBWithFail2Ban
+#
 # NOTE: These reports may include sensitive Info.
-
-# IMPORTANT: Register for abuseipdb [https://www.abuseipdb.com], get, and set the api key at the bottom of action.d/abuseipdb.conf
-action_abuseipdb_fraud = abuseipdb[abuseipdb_category="3"]
-action_abuseipdb_ddos = abuseipdb[abuseipdb_category="4"]
-action_abuseipdb_proxy = abuseipdb[abuseipdb_category="9"]
-action_abuseipdb_forumspam = abuseipdb[abuseipdb_category="10"]
-action_abuseipdb_emailspam = abuseipdb[abuseipdb_category="11"]
-action_abuseipdb_blogspam = abuseipdb[abuseipdb_category="12"]
-action_abuseipdb_portscan = abuseipdb[abuseipdb_category="14"]
-action_abuseipdb_hack = abuseipdb[abuseipdb_category="15"]
-action_abuseipdb_sqlinject = abuseipdb[abuseipdb_category="16"]
-action_abuseipdb_spoofing = abuseipdb[abuseipdb_category="17"]
-action_abuseipdb_sshbrute = abuseipdb[abuseipdb_category="18"]
+# If you want cleaner reports that ensure no user data see the helper script at the above website.
+#
+# IMPORTANT: This action relies on a api_key being added to the above action conf,
+# and the appropriate catagories set.
+# Example, for ssh bruteforce: action = %(action_abuseipdb)s[abuseipdb_category="18,22"]
+# See action.d/abuseipdb.conf for catagories
+action_abuseipdb = abuseipdb
 # Choose default action.
To change, just override value of 'action' with the
 # interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local
From b35391e768c4a476cc176959bad1571ccfd40708 Mon Sep 17 00:00:00 2001
From: Andrew James Collett
Date: Sun, 8 Jan 2017 09:30:00 +0200
Subject: [PATCH 3/8] Update jail.conf Fixing spacing

---
 config/jail.conf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/config/jail.conf b/config/jail.conf
index 7ba343fb..09675904 100644
--- a/config/jail.conf
+++ b/config/jail.conf
@@ -185,7 +185,7 @@ action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"]
 %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
 # Report block via blocklist.de fail2ban reporting service API
-#
+#
 # See the IMPORTANT note in action.d/blocklist_de.conf for when to
 # use this action. Create a file jail.d/blocklist_de.local containing
 # [Init]
@@ -330,7 +330,7 @@ port = http,https
 logpath = %(apache_error_log)s
 maxretry = 1
-
+
 [openhab-auth]
 filter = openhab
From 10d61e077942c25ac5a026a6c6da2b3d2bb6ee3f Mon Sep 17 00:00:00 2001
From: Andrew James Collett
Date: Sun, 8 Jan 2017 09:39:12 +0200
Subject: [PATCH 4/8] Fixed the spaces again

---
 config/jail.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/config/jail.conf b/config/jail.conf
index 09675904..31f0c2be 100644
--- a/config/jail.conf
+++ b/config/jail.conf
@@ -330,7 +330,7 @@ port = http,https
 logpath = %(apache_error_log)s
 maxretry = 1
-
+
 [openhab-auth]
 filter = openhab
From 3991f51f30f10a1086f0999089aa25c8fedb653d Mon Sep 17 00:00:00 2001
From: Andrew James Collett
Date: Sun, 8 Jan 2017 09:45:35 +0200
Subject: [PATCH 5/8] Update jail.conf Sigh, added a space back that I somehow missed in Vim, despite it being a rebase...

---
 config/jail.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/config/jail.conf b/config/jail.conf
index 31f0c2be..560136a6 100644
--- a/config/jail.conf
+++ b/config/jail.conf
@@ -343,7 +343,7 @@ logpath = /opt/openhab/logs/request.log
 port = http,https
 logpath = %(nginx_error_log)s
-# To use 'nginx-limit-req' jail you should have `ngx_http_limit_req_module`
+# To use 'nginx-limit-req' jail you should have `ngx_http_limit_req_module`
 # and define `limit_req` and `limit_req_zone` as described in nginx documentation
 # http://nginx.org/en/docs/http/ngx_http_limit_req_module.html
 # or for example see in 'config/filter.d/nginx-limit-req.conf'
From 18d09b6d8ef6c72b83fd99f81832ffe2e7c2ce8d Mon Sep 17 00:00:00 2001
From: Andrew James Collett
Date: Sun, 8 Jan 2017 09:50:58 +0200
Subject: [PATCH 6/8] Updated changelog.

---
 ChangeLog | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/ChangeLog b/ChangeLog
index 7964a9ba..5f5496c7 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -83,6 +83,10 @@ TODO: implementing of options resp. other tasks from PR #1346 if configuration is clean (fails by wrong configured jails if option `-t` specified) * New command action parameter `actionrepair` - command executed in order to restore sane environment in error case of `actioncheck`.
+* Reporting via abuseipdb.com:
+ - Bans can now be reported to abuseipdb
+ - Catagories must be set in the config
+ - Relevant log lines included in report
 ### Enhancements
 * Huge increasing of fail2ban performance and especially test-cases performance (see gh-1109)
From 62fa02241f3c2c159d2d17ad8f1bf8ab96881d3a Mon Sep 17 00:00:00 2001
From: "Serg G. Brester"
Date: Thu, 9 Mar 2017 13:31:40 +0100
Subject: [PATCH 7/8] Update jail.conf

---
 config/jail.conf | 11 ++---------
 1 file changed, 2 insertions(+), 9 deletions(-)

diff --git a/config/jail.conf b/config/jail.conf
index 560136a6..75a824e2 100644
--- a/config/jail.conf
+++ b/config/jail.conf
@@ -206,18 +206,11 @@ action_badips = badips.py[category="%(__name__)s", banaction="%(banaction)s", ag
 # Report ban via badips.com (uses action.d/badips.conf for reporting only)
 #
 action_badips_report = badips[category="%(__name__)s", agent="%(fail2ban_agent)s"]
+
 # Report ban via abuseipdb.com.
 #
-# See action.d/abuseipdb.conf and
-# https://wiki.shaunc.com/wikka.php?wakka=ReportingToAbuseIPDBWithFail2Ban
+# See action.d/abuseipdb.conf for usage example and details.
 #
-# NOTE: These reports may include sensitive Info.
-# If you want cleaner reports that ensure no user data see the helper script at the above website.
-#
-# IMPORTANT: This action relies on a api_key being added to the above action conf,
-# and the appropriate catagories set.
-# Example, for ssh bruteforce: action = %(action_abuseipdb)s[abuseipdb_category="18,22"]
-# See action.d/abuseipdb.conf for catagories
 action_abuseipdb = abuseipdb
 # Choose default action. To change, just override value of 'action' with the
From b1f5ac948431cfac4089c18df016f6cd02976fa9 Mon Sep 17 00:00:00 2001
From: "Serg G. Brester"
Date: Thu, 9 Mar 2017 13:33:11 +0100
Subject: [PATCH 8/8] Update abuseipdb.conf

---
 config/action.d/abuseipdb.conf | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/config/action.d/abuseipdb.conf b/config/action.d/abuseipdb.conf
index 3bcfb065..15e41fbe 100644
--- a/config/action.d/abuseipdb.conf
+++ b/config/action.d/abuseipdb.conf
@@ -3,6 +3,9 @@
 # Action to report IP address to abuseipdb.com
 # You must sign up to obtain an API key from abuseipdb.com.
 #
+# NOTE: These reports may include sensitive Info.
+# If you want cleaner reports that ensure no user data see the helper script at the below website.
+#
 # IMPORTANT:
 #
 # Reporting an IP of abuse is a serious complaint. Make sure that it is
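Review bot: The added `NOTE: These reports may include sensitive Info.` in the abuseipdb.conf hunk of this commit does not say what is sent, so an admin cannot judge the exposure; the ChangeLog entry in this series states that the relevant log lines are included in the report, and the first commit's `actionban` posts a `comment=` field, so the note should name the log excerpt as the payload, e.g. `# NOTE: The report's comment contains the matched log lines, which may carry usernames, hostnames or other local details.` The phrase "the below website" relies on a URL line that appears blank in this rendering (the two bare `#` lines after "For the PHP helper script, see" in the first commit); if the link is genuinely absent the sentence points nowhere and should either carry the URL or be dropped. The surrounding comment block continues past the end of the hunk.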
@@ -13,6 +16,15 @@
 # password incorrectly.
 # * For filters that have a low likelihood of receiving human errors
 #
+# This action relies on a api_key being added to the above action conf,
+# and the appropriate categories set.
+#
+# Example, for ssh bruteforce (in section [sshd] of `jail.local`):
+# action = %(known/action)s
+# %(action_abuseipdb)s[abuseipdb_apikey="my-api-key", abuseipdb_category="18,22"]
+#
+# See below for catagories.
+#
 # Original Ref: https://wiki.shaunc.com/wikka.php?wakka=ReportingToAbuseIPDBWithFail2Ban
 # Added to fail2ban by Andrew James Collett (ajcollett)
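Review bot: The example puts the credential inline in the jail definition (`abuseipdb_apikey="my-api-key"` in `[sshd]` of `jail.local`), and that file is typically installed world-readable, so the key becomes readable by every local account; the blocklist_de comment in jail.conf (the `@@ -185` hunk of the first commit) already recommends a dedicated `jail.d/*.local` carrying an `[Init]` section, and this example should point at the same pattern and say to restrict that file's mode. The first added sentence was moved here from jail.conf, so "being added to the above action conf" now refers to the file the reader is already in and names nothing; `# This action relies on abuseipdb_apikey being set (in [Init] below, or passed in the action call as in the example)` says what is meant. Minor wording in the same lines: "a api_key" reads as "an API key", and "catagories" on the `See below` line is spelled "categories" two lines earlier.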