ENH: Added blocklist.de reporting API action

2013-12-05 08:22:20 +00:00 · 2013-12-05 08:22:20 +00:00 · e810ec009d
parent 3a5983ab0b
commit e810ec009d
2 changed files with 67 additions and 0 deletions
--- a/config/action.d/blocklist_de.conf
+++ b/config/action.d/blocklist_de.conf
@ -0,0 +1,55 @@
+# Fail2Ban configuration file
+#
+# Author: Steven Hiscocks
+#
+#
+
+# Action to report IP address to blocklist.de
+# Blocklist.de must be signed up to at www.blocklist.de
+# Once registered, one or more servers can be added.
+# This action requires the server 'email address' and the assoicate apikey.
+#
+# From blocklist.de:
+#   www.blocklist.de is a free and voluntary service provided by a
+#   Fraud/Abuse-specialist, whose servers are often attacked on SSH-,
+#   Mail-Login-, FTP-, Webserver- and other services.
+#   The mission is to report all attacks to the abuse deparments of the
+#   infected PCs/servers to ensure that the responsible provider can inform
+#   the customer about the infection and disable them
+#
+
+[Definition]
+
+# Option:  actionstart
+# Notes.:  command executed once at the start of Fail2Ban.
+# Values:  CMD
+#
+actionstart = 
+
+# Option:  actionstop
+# Notes.:  command executed once at the end of Fail2Ban
+# Values:  CMD
+#
+actionstop =
+
+# Option:  actioncheck
+# Notes.:  command executed once before each actionban command
+# Values:  CMD
+#
+actioncheck =
+
+# Option:  actionban
+# Notes.:  command executed when banning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionban = ! curl --data-urlencode 'server=<email>' --data 'apikey=<apikey>' --data 'service=<service>' --data 'ip=<ip>' --data-urlencode 'logs=<matches>' --data 'format=text' "https://www.blocklist.de/en/httpreports.html" | grep "status: error"
+
+# Option:  actionunban
+# Notes.:  command executed when unbanning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionunban =
--- a/config/jail.conf
+++ b/config/jail.conf
@ -532,3 +532,15 @@ filter  = selinux-ssh
 action  = iptables[name=SELINUX-SSH, port=ssh, protocol=tcp]
 logpath  = /var/log/audit/audit.log
 maxretry = 5
+
+# Report block via blocklist.de fail2ban reporting service API
+# See action.d/blocklist_de.conf for more information
+[ssh-blocklist]
+
+enabled  = false
+filter   = sshd
+action   = iptables[name=SSH, port=ssh, protocol=tcp]
+           sendmail-whois[name=SSH, dest=you@example.com, sender=fail2ban@example.com, sendername="Fail2Ban"]
+           blocklist_de[email="fail2ban@example.com", apikey="xxxxxx", service=%(filter)s]
+logpath  = /var/log/sshd.log
+maxretry = 5