SJ Hosting abuse reporter. To be used with Fail2ban. Can also be used manually.
Miguel N. dd78ef0770 Update 'src/reporter.php' 8 months ago

Abuse-Reporter 0.1.0

The abuse reporter is a simple script designed for use with the AbuseIPDB Fail2Ban integration.

Unfortunately, F2B does not allow much freedom in customising the report message; this is easily solved with a third-party script that sanitizes the report message before it is sent.

This script is able to strip sensitive information from reports (e.g. hostnames, email addresses, server IP addresses, etc), before sending them. It also tries to remove any fluff introduced by F2B from the report string.

For transparency, it keeps its own logs using Monolog, recording which IPs it reported and which reports failed. The log file can be tailed for live F2B activity.

Data removed from the reports will appear as [expunged] in the reports.

Removing sensitive data

Right now, it only strips hostnames and machine names from the comment. These are hardcoded at the moment, though they could easily be moved to the config file.

Further sensitive data can be stripped using regex patterns to detect more hostnames and other miscellaneous items. Feel free to submit a PR.

This script was kept rather simple. It just needs to do one thing, and it needs to do it efficiently.
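As an added example (not the project's own code), here is one way the stripping described above could be implemented in PHP: configured hostnames, the server's own IP addresses and anything shaped like an email address are replaced with [expunged], and the syslog prefix that Fail2Ban's <matches> carries on each line is dropped. The hostname and IP lists stand in for values that would come from the config file, and the sample log lines are constructed; none of these names are taken from the project.

```php
<?php
// Added example, not the project's code: strip sensitive data from a Fail2Ban
// match string before it leaves the host. The hostname and server-IP lists
// are assumed to come from config/app.ini; the sample input is constructed.
declare(strict_types=1);

const EXPUNGED = '[expunged]';

/**
 * Remove hostnames, email addresses and the server's own IPs from a comment,
 * then drop the "timestamp host sshd[pid]:" prefix Fail2Ban leaves on each line.
 */
function sanitizeComment(string $comment, array $hostnames, array $serverIps): string
{
    $out = $comment;

    // 1. Configured hostnames/machine names, longest first so that
    //    "mail01.example.org" is replaced before a bare "mail01".
    usort($hostnames, fn($a, $b) => strlen($b) <=> strlen($a));
    foreach ($hostnames as $h) {
        $out = preg_replace('/\b' . preg_quote($h, '/') . '\b/i', EXPUNGED, $out);
    }

    // 2. The server's own addresses. The lookarounds make the match exact,
    //    so 10.0.0.1 does not also hit 10.0.0.10.
    foreach ($serverIps as $ip) {
        $out = preg_replace('/(?<![\d.])' . preg_quote($ip, '/') . '(?![\d.])/', EXPUNGED, $out);
    }

    // 3. Anything that looks like an email address.
    $out = preg_replace('/[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/', EXPUNGED, $out);

    // 4. Fail2Ban fluff: syslog or ISO timestamp, host name and "sshd[pid]:" at
    //    the start of every line. The attacker's IP in the message body survives.
    $out = preg_replace(
        '/^(?:\w{3}\s+\d{1,2}\s[\d:]{8}|\d{4}-\d{2}-\d{2}T[\d:.+]+)\s+\S+\s+\w+\[\d+\]:\s*/m',
        '',
        $out
    );

    return trim($out);
}

// Constructed sample: what Fail2Ban would pass as <matches> for an SSH brute force.
$sample = "Mar  3 10:15:02 mail01 sshd[2211]: Failed password for root from 203.0.113.7 port 51022 ssh2\n"
        . "Mar  3 10:15:05 mail01 sshd[2211]: Invalid user admin@example.org from 203.0.113.7 on 198.51.100.5\n";

echo sanitizeComment($sample, ['mail01', 'mail01.example.org'], ['198.51.100.5']), PHP_EOL;
// Failed password for root from 203.0.113.7 port 51022 ssh2
// Invalid user [expunged] from 203.0.113.7 on [expunged]
```

The order of the passes matters: hostnames are replaced before the prefix is stripped, so a host name that only appears in the syslog prefix is still expunged rather than silently dropped, and the email pass runs after the hostname pass so a domain that is also a configured hostname cannot leak through the local part of an address.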

Requirements

This script uses Monolog for logging and Guzzle for API requests (reports). It requires no PHP extensions other than ext-json.

Install

Simply install the Composer requirements using composer install. Open the boot/init.php file and change the hardcoded require paths. This will be replaced in the future with a standard require that resolves paths dynamically.

Additionally, create the logs folder and touch an empty app.log file for logging to work.

Usage

Call the abuse reporter file: ./src/reporter.php. The arguments are not named and are therefore in the following order:

  • IP Address of the abuser
  • Comment for the report (Usually SSHD log snippets)
  • Categories (Must be a comma-delimited list of AbuseIPDB category numbers; see the AbuseIPDB category list.)

Example usage: ./src/reporter.php "181.28.101.14" "Brute force" "18,22". This is for a manual report. Refer to the category list for a list of valid categories.

The actionban of action.d/abuseipdb.conf would look something like this: actionban = /usr/bin/php /path/to/abuse-reporter/src/reporter.php "<ip>" "<matches>" "<abuseipdb_category>".

Repeat offenders

Sometimes, bots come back after being banned for a while. This can be prevented by the recidive jail of F2B. However, F2B will re-ban the IP, triggering a new report. This script doesn't remember which IP addresses it has reported, so if your ban time is short enough this results in duplicate reports, which will fail. The failure is logged both by the script and by F2B. This is normal, but not optimal. A feature to remember reported IPs will be added sometime later down the line.

This will also happen each time F2B restarts, because it calls actionban for each ban it restores.

Configuration

Copy config/app.ini.example to config/app.ini, then add your AbuseIPDB API key in the appropriate section.

Don't forget to add your IP address to the ignoreip section of the config file to avoid accidentally reporting yourself. It's also a good idea to add the ignoreip directive to jail.local to avoid getting locked out.
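The following added example (not the project's code) ties together the three points above: it validates the three positional arguments in the order the Usage section gives (IP, comment, categories), refuses to report anything covered by an ignoreip list, and keeps a small JSON cache of when each IP was last reported so that a recidive re-ban or a Fail2Ban restart does not turn into a duplicate report. The cache location, the ignore list values and the 900-second window are all assumptions made for this example; the sample argv is constructed.

```php
<?php
// Added example, not the project's code: decide whether a Fail2Ban actionban
// call should become an AbuseIPDB report. Argument order follows the README
// (ip, comment, categories). Ignore list, cache path and window are assumptions.
declare(strict_types=1);

/** True if IPv4 $ip is inside $cidr ("10.0.0.0/8") or equals a plain address. */
function ipv4InRange(string $ip, string $cidr): bool
{
    [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, '32');
    $ipLong  = ip2long($ip);
    $netLong = ip2long($net);
    if ($ipLong === false || $netLong === false) {
        return false;                                  // not IPv4, no match
    }
    $mask = $bits === '0' ? 0 : (-1 << (32 - (int)$bits)) & 0xFFFFFFFF;
    return ($ipLong & $mask) === ($netLong & $mask);
}

/** Validate the three positional arguments; returns [ip, comment, categories] or throws. */
function parseArgs(array $argv): array
{
    if (count($argv) < 4) {
        throw new InvalidArgumentException('usage: reporter.php <ip> <comment> <categories>');
    }
    [, $ip, $comment, $categories] = $argv;
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        throw new InvalidArgumentException("not an IP address: $ip");
    }
    // Categories must be a comma-delimited list of AbuseIPDB category numbers.
    if (!preg_match('/^\d+(,\d+)*$/', $categories)) {
        throw new InvalidArgumentException("bad category list: $categories");
    }
    return [$ip, $comment, $categories];
}

/**
 * Returns null if the report should go out, otherwise the reason it was skipped.
 * $cacheFile maps IP => unix time of the last report; an IP reported less than
 * $windowSeconds ago is skipped instead of producing a duplicate report.
 */
function skipReason(string $ip, array $ignoreIps, string $cacheFile, int $windowSeconds, int $now): ?string
{
    foreach ($ignoreIps as $cidr) {
        if ($ip === $cidr || ipv4InRange($ip, $cidr)) {
            return 'ignoreip';
        }
    }
    $cache = is_file($cacheFile)
        ? (json_decode((string)file_get_contents($cacheFile), true) ?: [])
        : [];
    if (isset($cache[$ip]) && $now - $cache[$ip] < $windowSeconds) {
        return 'already reported ' . ($now - $cache[$ip]) . 's ago';
    }
    // Record this report and drop entries older than the window to keep the file small.
    $cache[$ip] = $now;
    $cache = array_filter($cache, fn($t) => $now - $t < $windowSeconds);
    file_put_contents($cacheFile, json_encode($cache), LOCK_EX);
    return null;
}

// Constructed run: the same argv Fail2Ban would pass via actionban.
[$ip, $comment, $categories] = parseArgs(['reporter.php', '203.0.113.7', 'Brute force', '18,22']);
$cacheFile = sys_get_temp_dir() . '/abuse-reporter-cache.json';    // assumed location
$ignore    = ['198.51.100.5', '10.0.0.0/8'];                         // assumed ignoreip values

$first  = skipReason($ip, $ignore, $cacheFile, 900, time());        // null: send the report
$second = skipReason($ip, $ignore, $cacheFile, 900, time());        // "already reported 0s ago"
$self   = skipReason('10.1.2.3', $ignore, $cacheFile, 900, time()); // "ignoreip"
var_dump($first, $second, $self);
```

When skipReason() returns a string, the script would log that reason with Monolog and exit without calling the API, which keeps the "duplicate report" failures described under Repeat offenders out of both the script's log and F2B's. The cache is written with LOCK_EX because Fail2Ban can fire several actionban calls at once on restart.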

Licensing

This script is licensed under the MIT license. See LICENSE for details.

Contributing

Feel free to open a PR any time with more useful features!