Solved Many connections from amazonaws? And Abuseipdb config to block abusers.

You might try any other.
I tried 192.168.10.1 and as expected no report to abuseipdb. Expected because other cluster reports generated by csf themselves, also did not report to abuseipdb.

I now removed the extra line from the perl script and see if reporting is still done.
 
Do any AbuseIPDB recorded logs ever report Cluster member reports? Maybe AbuseIPDB is filtering them out as they'd be considered duplicates?
 
Yes, see post #28. ;)

I'm looking now at what is wrong, because now it's not reporting anything anymore, so I'm testing with the perl script to see if the perl script even still works, because on the other server I used the .sh script.
 
You might try this one with some logging added:

Perl:
#!/usr/bin/perl
# This file was written as an executable to be used in the auto report function
# of csf and lfd. Replace YOUR_API_KEY below with your abuseipdb api key to
# integrate your csf system with abuseipdb.com
use strict;
use warnings;
use HTTP::Tiny;
use JSON;
use POSIX qw(strftime);

# Gather the information from the commandline passed by lfd
my $ports = $ARGV[1];
my $inout = $ARGV[3];
my $message = $ARGV[5];
my $logs = $ARGV[6];
my $trigger = $ARGV[7];
my $comment = $message . "; Ports: " . $ports . "; Direction: " . $inout . "; Trigger: " . $trigger . "; Logs: " . $logs;
my $ua = HTTP::Tiny->new;

$comment =~ s/Cluster member.*said,/***/g;

log_str("Reporting: ". $comment);

my $url = 'https://api.abuseipdb.com/api/v2/report';

my $data = {
    ip => $ARGV[0],
    comment => $comment,
    categories => 14
};

my %options = (
   "headers", {
       "Key" => "YOUR_API_KEY",
       "Accept" => "application/json"
   },
);

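my $response = $ua->post_form($url, $data, \%options);
my $json = JSON->new;
# On a network failure HTTP::Tiny returns status 599 with a plain-text body,
# which decode() would die on; fall back to the raw response so it still gets logged
my $output = eval { $json->pretty->encode($json->decode($response->{'content'})) }
    // "$response->{'status'} $response->{'reason'}: $response->{'content'}\n";

if ($response->{'status'} == 200){
    print "Report Successful!\n" . $output;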
} elsif ($response->{'status'} == 429) {
    print $output;
} elsif ($response->{'status'} == 422) {
    print $output;
} elsif ($response->{'status'} == 401) {
    print $output;
}

log_str("Response: ". $output);

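# Append a timestamped line to the debug log
sub log_str
{
    my ($str) = @_;
    my $date = localtime();
    # Three-argument open with a lexical filehandle; skip logging if the file cannot be opened
    open(my $log, '>>', '/var/log/lfd_abuseipdb.log') or return;
    print $log "${date}: ${str}\n";
    close($log);
}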

Trigger a block and then check logs: /var/log/lfd_abuseipdb.log
 
Thank you @zEitEr I will do that for sure.
Edit: tested and log works like a charm.

Yesterday evening late, I've been doing some more testing and searching and found out that the perl script was not working at all, hence also not the exclusion line. :)
But I didn't know why until I found a little older thread by accident, here on the forums, which brought me the solution I found in there.

I had to install perl-JSON and after that, the perl script worked, and the exclusion line too.

Only thing left now is that sometimes it places way too much log, containing other abusing IPs next to the reported one.
(Fixed by removing the log statement part).

Now I'm testing a script with @eva2000 with several nice options and I will test your script with log too, because logging is great.

@Active8 Hahaha, yeah you get that right. I have adjusted it to give a better reflection.
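
The issue raised above (report comments carrying log lines about other IPs, plus the cluster-member prefix) can be handled by cleaning the comment before it is sent. This is an added example, not part of any post in this thread and not code from csf or AbuseIPDB: `sanitize_comment` is a hypothetical helper, the sample lines are constructed, and the 1024-character limit is an assumption about AbuseIPDB's comment field.

```perl
#!/usr/bin/perl
# Added example: sanitize the lfd comment before it is reported to AbuseIPDB.
use strict;
use warnings;

# Assumption: AbuseIPDB accepts at most 1024 characters in the comment field.
my $MAX_COMMENT = 1024;

# Hypothetical helper. In the thread's script the arguments would be
# $ARGV[0] (reported IP), $ARGV[5] (message) and $ARGV[6] (logs).
sub sanitize_comment {
    my ($reported_ip, $message, $logs) = @_;

    # Same masking as the thread's script: hide which cluster member relayed the block
    $message =~ s/Cluster member.*said,/***/g;

    # Keep only log lines that mention the reported IP as a whole address,
    # so 203.0.113.77 does not match when 203.0.113.7 was reported
    my $ip_re = quotemeta $reported_ip;
    my @kept = grep { /(?<![\d.])${ip_re}(?![\d.])/ } split /\n/, $logs // '';

    my $comment = join "\n", $message, @kept;

    # Redact every other IPv4 address that is still present (e.g. the server's own)
    $comment =~ s/\b(\d{1,3}(?:\.\d{1,3}){3})\b/$1 eq $reported_ip ? $1 : 'x.x.x.x'/ge;

    return substr($comment, 0, $MAX_COMMENT);
}

# Constructed sample input using documentation addresses, not real lfd output
my $ip   = '203.0.113.7';
my $msg  = 'Cluster member 198.51.100.2 (host) said, DENY 203.0.113.7, Reason:[sshd failed logins]';
my $logs = join "\n",
    'Jan  1 00:00:01 srv sshd[101]: Failed password for root from 203.0.113.7 port 4022 ssh2',
    'Jan  1 00:00:02 srv sshd[102]: Failed password for admin from 203.0.113.77 port 4023 ssh2',
    'Jan  1 00:00:03 srv sshd[103]: Failed password for root from 192.0.2.10 port 4024 ssh2';

print sanitize_comment($ip, $msg, $logs), "\n";
```

With the sample input only the masked message and the first log line remain; the lines for 203.0.113.77 and 192.0.2.10 are dropped before anything leaves the server.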
 
Oooh yes... I use a tool now which makes everything perfect, even masking, reporting in the correct category and all.

Have a look at this one.
 
Glad you like. Been deploying my scripts on all my servers too :D
 