Solved Many connections from amazonaws? And Abuseipdb config to block abusers.

@Active8
Sorry, but I'm not happy to share the security script, or anything related to it, publicly.

But for the simple tricks, you can use text detection like ... for PHP code it's something like the "strpos" function to detect which category it should be.
 
Next to the IP removal (if possible in my case), I registered my company, which is another domain than the server hostname uses. Is that a problem?
Can I just add the script to another server by creating another API key, or do I also need to use a domain on that server?
 
No need, there is a description on AbuseIPDB about this.

Verified webmasters are given a higher daily limit of 3,000 checks/reports. You will of course need to verify ownership of your domain via HTML file, HTML meta tag, or DNS TXT record. Even if you own multiple domains, we only need proof of ownership for one site to grant you webmaster status.
 
Is it best to use just the CSF reports, or is it better to change the X_ARF setting to report in XARF format?
If I set this to 1, some types are not reported.

What do you all use here? 0 or 1?
# Note: The following block types are not reported through this feature:
# LF_PERMBLOCK, LF_NETBLOCK, LF_DISTATTACK, LF_DISTFTP, RT_*_ALERT
X_ARF = "0"
 
@Active8 @jamgames2 I'm having a bit of an issue now.

I'm using this on 2 servers and it's working fine. I've had 213 reports since last night, but I encountered these, because both servers are CSF clusters.
Cluster member 95.xxxxxx (FI/Finland/server.domain.nl) said,
so this is exposing the IP address and the hostname of the cluster server.
It seems the script used is also reporting the clustering (which it should not, or at least not this way).

Is there an easy way so I can put something in the .pl or .sh script so these cluster things won't be mentioned anymore?

Also in the reports it looks like this:
[attached screenshot of the reports]


So it seems the reporting is using all the categories I wanted to report, instead of using only the category which is abused.
For example, an smtpauth attack is not an SSH attack. Is this normal? Or can this be improved?
 
Why is this topic marked as "Solved", if it's ongoing?
Because I thought it was solved, and just now I discovered this.

And my previous reply was just informational.

The original question is still solved by the way, but I will remove the "Solved" if that gives you peace of mind. :)
 
It's not normal, the script should be improved.

I don't know too much about Perl or Bash, but you can use a regex pattern to censor all the things that you want.

(in Perl)
$comment =~ s/Cluster member.*said,/***/g;
 
I have never used clustered CSF so I can't help, but please check @jamgames2's solution and report back if this helps.
If not, we can ask AbuseIPDB staff to help us.
 
Thank you, I will try that. I've also already mailed AbuseIPDB to ask if they could fix this.

I've now changed:
comment => $comment,
to
comment => $comment, ~ s/Cluster member.*said,/***/g;

Is that the correct way, or should I use a comma at the end instead of a semicolon? And does there need to be a space between the ~ and the s?
 
@Richard G
Just add it after the line "my $comment = ..... "; it will be like:

Code:
my $comment = $message . "; Ports: " . $ports . "; Direction: " . $inout . "; Trigger: " . $trigger . "; Logs: " . $logs;
$comment =~ s/Cluster member.*said,/***/g;
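A fuller version of that placement, added here as an example and not code from the thread or from the CSF AbuseIPDB script: the substitution runs as its own statement after `$comment` is built, and the report carries one AbuseIPDB category chosen from the CSF trigger (the smtpauth-versus-SSH point raised above). The trigger-to-category table and the sample message are my assumptions, not values from the page.

```perl
#!/usr/bin/perl
# Added example, not code from this thread or from the CSF AbuseIPDB script.
# Shows where the cluster-censoring substitution belongs relative to the line
# that builds $comment, and picks one AbuseIPDB category per CSF trigger
# instead of sending every configured category with every report.
use strict;
use warnings;

# Assumed mapping: CSF block-type names to AbuseIPDB category IDs
# (22 SSH, 18 Brute-Force, 5 FTP Brute-Force, 21 Web App Attack, 14 Port Scan).
my %category_for = (
    LF_SSHD     => 22,
    LF_SMTPAUTH => 18,
    LF_POP3D    => 18,
    LF_IMAPD    => 18,
    LF_FTPD     => 5,
    LF_HTACCESS => 21,
    PS_LIMIT    => 14,
);

sub build_report {
    my ($message, $ports, $inout, $trigger, $logs) = @_;

    # Build the comment exactly as the script does, as one complete statement.
    my $comment = $message . "; Ports: " . $ports . "; Direction: " . $inout
                . "; Trigger: " . $trigger . "; Logs: " . $logs;

    # The substitution is a separate statement on $comment, after the string
    # is closed and before the hash is built. It strips the cluster-member
    # prefix that CSF adds ("Cluster member <ip> (<geo>/<host>) said, ").
    # The non-greedy .*? stops at the first "said," so nothing else is eaten.
    $comment =~ s/Cluster member.*?said,\s*//g;

    # One category per trigger; unknown triggers fall back to 18 (Brute-Force).
    my ($type) = $trigger =~ /^([A-Z0-9_]+)/;
    my $category = $category_for{ $type // '' } // 18;

    return { comment => $comment, categories => $category };
}

# Constructed sample resembling a clustered CSF block message (not a real log).
my $report = build_report(
    'Cluster member 95.0.0.1 (FI/Finland/server.example.nl) said, '
      . '*Password Failures* from 203.0.113.5',
    '25', 'in', 'LF_SMTPAUTH', 'Mar 23 01:02:03 mail exim: 535 auth failed',
);
print "comment=$report->{comment}\n";
print "categories=$report->{categories}\n";
```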
 
Just add it after the line "my $comment = ..... "; it will be like:

Seems it does not work.

I have it like you said, except for the log part, so like this:
Code:
my $comment = $message . "; Ports: " . $ports . "; Direction: " . $inout
    . "; Trigger: " . $trigger . "; $comment =~ s/Cluster member.*said,/***/g;

But now it does not report anymore, either because the Perl script does not work or due to this adjustment; I'm not sure.
Pity it's not shown in some log if or when something is reported.
 
It's weird.
Yes, you can say that again. I found the same way to do it on the net when I double-checked. It's the replace command. So no clue as to why it should not work.

@eva2000 I've thought of that too, but I doubt that this is the case.
The firewall is blocking them afterwards, because too many connections are made, and so generating the firewall message.
So before that time, it lets the connections through. So it seems it's some kind of attack on port 443 without making a connection to some domain. Probably just attacking the IP on port 443.
 