|8 months ago|
|boot||8 months ago|
|config||8 months ago|
|src||8 months ago|
|.gitignore||8 months ago|
|LICENSE||8 months ago|
|README.md||8 months ago|
|composer.json||8 months ago|
|composer.lock||8 months ago|
The abuse reporter is a simple script for designed for use with the AbuseIPDB Fail2Ban integration.
Unfortunately, F2B does not allow much freedom in customising the report message; This can easily be solved with a third party script to sanitize the report message.
This script is able to strip sensitive information from reports (e.g. hostnames, email addresses, server IP addresses, etc), before sending them. It also tries to remove any fluff introduced by F2B from the report string.
For transparency, it keeps it's own logs using Monolog, where it stores information about who it reported, and about failed reports. The log file can be tailed for live F2B activity.
Data removed from the reports will appear as
[expunged] in the reports.
Removing sensitive data
Right now, it only strips hostnames and machine names from the comment. This is hardcoded at the moment, though it can be easily added in the config.
Further sensitive data can be stripped using REGEX patterns to detect more hostnames and other misc items. Feel free to submit a PR.
This script was kept rather simple. It just needs to do one thing, and it needs to do it efficiently.
This script uses Monolog for logging and Guzzle for API requests (reports). It doesn't require any other extensions other than ext-json.
Simply install the composer requirements using
composer install. Open the
boot/init.phpfile and change the hardcoded require paths. This will be
changed in the future with a standard require that works dynamically.
Additionally, create the
logs folder and
touch an empty
app.log file for logging to work.
Call the abuse reporter file:
./src/reporter.php. The arguments are not named and are therefore in the following order:
- IP Address of the abuser
- Comment for the report (Usually SSHD log snippets)
- Categories (Must be a comma delimted list of categories, found here.)
./src/reporter.php "22.214.171.124" "Brute force" "18,22". This is for a manual report. Refer to the category list for a list of valid categories.
action.d/abuseipdb.conf would look like something like this:
actionban = /usr/bin/php /path/to/abuse-reporter/src/reporter.php "<ip>" "<matches>" "<abuseipdb_category>".
Sometimes, bots come back after getting banned for a while. This can be prevented by the
recidive jail of F2B. However, F2B will re-ban the IP,
triggering a new report. This script doesn't remember which IP addresses it banned, and if your ban time is short enough, this can result in duplicate reports,
which will fail. This failure is logged both by the script and by F2B. This is normal, but not optimal. This feature will be added sometime later down the line.
This will also happen each time F2B restarts, because it calls
actionban for each ban it restores.
config/app.ini, then add your AbuseIPDB API key in the appropriate section.
Don't forget to add your IP address to the
ignoreip section of the config file to avoid reporting yourself accidentally. It's also a good idea to also add the
ignoreip directive to
jail.local to avoid getting locked out.
This script is licensed under the MIT license. See
LICENSE for details.
Feel free to open a PR any time with more useful features!