AbuseIPDB and CSF/Others

[factor]

All:
Just in case you did not know. AbuseIPDB allows auto reporting of the "bad guys" with CSF and Others. You just need a free account.

AbuseIPDB provides a free API for reporting and checking IP addresses.

Every day webmasters, system administrators, and other IT professionals use our API to report thousands of IP addresses engaging spamming, hacking, vulnerability scanning, and other malicious activity in real time.

ConfigServer Security & Firewall (csf) is a stateful packet inspection (SPI) firewall, Login/Intrusion Detection and security application for Linux servers.

In this tutorial, we will learn how to set up CSF so that attempted intrusions against your system are automatically blocked. It is also possible to use CSF to pre-emptively block IP addresses in our blacklist.

The main link is here https://www.abuseipdb.com/
CSF link is https://www.abuseipdb.com/csf
Fail2Ban link https://www.abuseipdb.com/fail2ban.html

The csf integration works great.

They even have a bulk reporter log scanner as well.
Bulk link https://www.abuseipdb.com/bulk-report

 

[Richard G]

Seems very interesting. But I'm not really into auto reporting. It's happens that also good customers get blocked, for example because they create a new email address and instantly forget their password. They should not get into blacklists.

So handle with care, also because there is no limits in ip's so as they also say, watch for restraining your system.

 

[factor]

They should not get into blacklists.

I will have to watch and see. In your account you have the ability to remove reported ips as well.

 

[Eureka]

Thanks Brent,

For the links, looks very interesting.

 

[Eureka]

I just signed up for a free account, looks like you can only use one domain per account. ?

 

[factor]

I just signed up for a free account, looks like you can only use one domain per account. ?

I just used my company domain. Then verified. Then used the api key for all my servers. The domain as far as I know is used to verify your the owner of the domain.

 

[Eureka]

Thanks Brent,

That sounds like the answer.

 

[factor]

It is what I did. I am still trying this out. It seems to work so far.

I did need to add perl-JSON on centos

 

[Eureka]

It working fine on CentOS 7 will be test on my CentOS 8 server later

 

[Eureka]

I did need to add perl-JSON on centos

Which ver of CentOS ? thanks, have you tried it in CentOS 8?

 

[factor]

Yep I have on 7 and 8.

 

[Eureka]

Thanks mate, works fine on CFS 7 and 8. I am using DNS text entry.

I will not be using the auto reporting feature.

 

[MaXi32]

I use AbuseIPDB API integrated with suricata. They have ready script for auto reporting with lua script here: https://www.abuseipdb.com/suricata

 

[Wanabo]

Running into some trouble and appreciate some help.
Trying to make this work at CentOS 8 with csf/lfd.

I registered at abuseipdb and generated an api v2 key.
With this api key I can import the blacklist fine, but the reporting script gives me errors with this api v2 key.

First problem I encountered when I ran the script was: Can't locate JSON.pm in @INC (you may need to install the JSON module)
Googled it and find a solution: yum install perl-JSON

Now I'm getting:

[root@ bin]# ./abuseipdb_report.pl
Global symbol "$YOUR_API_KEY" requires explicit package name (did you forget to declare "my $YOUR_API_KEY"?) at ./abuseipdb_report.pl line 30.
Execution of ./abuseipdb_report.pl aborted due to compilation errors.
[root@ bin]# ./abuseipdb_report.pl
Use of uninitialized value $message in concatenation (.) or string at ./abuseipdb_report.pl line 16.
Use of uninitialized value $ports in concatenation (.) or string at ./abuseipdb_report.pl line 16.
Use of uninitialized value $inout in concatenation (.) or string at ./abuseipdb_report.pl line 16.
Use of uninitialized value $trigger in concatenation (.) or string at ./abuseipdb_report.pl line 16.
Use of uninitialized value $logs in concatenation (.) or string at ./abuseipdb_report.pl line 16.
Use of uninitialized value $01259875265 in concatenation (.) or string at ./abuseipdb_report.pl line 28.
Use of uninitialized value in subroutine entry at /usr/share/perl5/vendor_perl/HTTP/Tiny.pm line 988.
{
   "errors" : [
      {
         "detail" : "Authentication failed. You are either missing your API key or it is incorrect. Note: The APIv2 key differs from the APIv1 key.",
         "status" : 401
      }
   ]
}

Entered my api v2 key and ran the script again. Than a lot of concatenation messages appeared. Not worrying yet, because the apiv1 key might fix that.

But I can't find an api v1 in my account?
Could it be that I registered as a "private" instead of a webmaster?

Update: Went through the webmaster procedure and verified a domain and implemented a contributor badge. My limits were upgraded, but still no api v1 to be found.

 

[factor]

Running into some trouble and appreciate some help.
Trying to make this work at CentOS 8 with csf/lfd.

I registered at abuseipdb and generated an api v2 key.
With this api key I can import the blacklist fine, but the reporting script gives me errors with this api v2 key.

First problem I encountered when I ran the script was: Can't locate JSON.pm in @INC (you may need to install the JSON module)
Googled it and find a solution: yum install perl-JSON

Now I'm getting:

[root@ bin]# ./abuseipdb_report.pl
Global symbol "$YOUR_API_KEY" requires explicit package name (did you forget to declare "my $YOUR_API_KEY"?) at ./abuseipdb_report.pl line 30.
Execution of ./abuseipdb_report.pl aborted due to compilation errors.
[root@ bin]# ./abuseipdb_report.pl
Use of uninitialized value $message in concatenation (.) or string at ./abuseipdb_report.pl line 16.
Use of uninitialized value $ports in concatenation (.) or string at ./abuseipdb_report.pl line 16.
Use of uninitialized value $inout in concatenation (.) or string at ./abuseipdb_report.pl line 16.
Use of uninitialized value $trigger in concatenation (.) or string at ./abuseipdb_report.pl line 16.
Use of uninitialized value $logs in concatenation (.) or string at ./abuseipdb_report.pl line 16.
Use of uninitialized value $01259875265 in concatenation (.) or string at ./abuseipdb_report.pl line 28.
Use of uninitialized value in subroutine entry at /usr/share/perl5/vendor_perl/HTTP/Tiny.pm line 988.
{
   "errors" : [
      {
         "detail" : "Authentication failed. You are either missing your API key or it is incorrect. Note: The APIv2 key differs from the APIv1 key.",
         "status" : 401
      }
   ]
}

Entered my api v2 key and ran the script again. Than a lot of concatenation messages appeared. Not worrying yet, because the apiv1 key might fix that.

But I can't find an api v1 in my account?
Could it be that I registered as a "private" instead of a webmaster?

Update: Went through the webmaster procedure and verified a domain and implemented a contributor badge. My limits were upgraded, but still no api v1 to be found.

You need

dnf install perl-HTTP-Tiny

as well
See if that helps

 

[factor]

./abuseipdb_report.pl

are you here
Reporting to AbuseIPDB (Optional)
1.) Create an executable script that reports to AbuseIPDB.

What link are you on?

 

[factor]

there is no version one anymore
V2 works fine for me.

 

[factor]

I see the issue in their doc the names conflict

abuseipdb_block.pl hosted with ❤ by GitHub
And then make the script file executable using

chmod +x


2.) Set the BLOCK_REPORT variable in /etc/csf.conf to the executable script file.


BLOCK_REPORT = "/path/to/abuseipdb_report.pl"

Make them match

 

[Wanabo]

Hi Brent,
perl-HTTP-Tiny is all ready installed.

You need

dnf install perl-HTTP-Tiny

as well
See if that helps

# yum install perl-HTTP-Tiny
Last metadata expiration check: 1:19:40 ago on Wed 05 Aug 2020 05:48:07 AM UTC.
Package perl-HTTP-Tiny-0.074-1.el8.noarch is already installed.
Dependencies resolved.
Nothing to do.

are you here
Reporting to AbuseIPDB (Optional)
1.) Create an executable script that reports to AbuseIPDB.

What link are you on?

Yes! I've put the script in: /usr/local/csf/bin/abuseipdb_report.pl and chmod it to: 100700 root:root
Or do you mean by link this? https://www.abuseipdb.com/csf

I see the issue in their doc the names conflict



Make them match

They were matched! BLOCK_REPORT = "/usr/local/csf/bin/abuseipdb_report.pl"

As far as I can see I did everything right.

 

[Wanabo]

Ok fixed the api issue. I left a $ sign!
"Key" => "$YOUR_API_KEY",
I only removed YOUR_API_KEY leaving the $ before my api key.

But still not working.

# ./abuseipdb_report.pl
Use of uninitialized value $message in concatenation (.) or string at ./abuseipdb_report.pl line 16.
Use of uninitialized value $ports in concatenation (.) or string at ./abuseipdb_report.pl line 16.
Use of uninitialized value $inout in concatenation (.) or string at ./abuseipdb_report.pl line 16.
Use of uninitialized value $trigger in concatenation (.) or string at ./abuseipdb_report.pl line 16.
Use of uninitialized value $logs in concatenation (.) or string at ./abuseipdb_report.pl line 16.
Use of uninitialized value in subroutine entry at /usr/share/perl5/vendor_perl/HTTP/Tiny.pm line 988.
{
   "errors" : [
      {
         "source" : {
            "parameter" : "ip"
         },
         "status" : 422,
         "detail" : "The ip field is required."
      }
   ]
}

Edit: Suddenly I had this thought. I'm running the script directly, but it is intended to be called by csf/lfd. Then the values might be passed.
So perhaps just wait and see if ip's are getting reported in my dashboard at abuseipdb.
@Brent, what happens if you run the script directly from the command line?