Go to most recent revision | Blame | Compare with Previous | Last modification | View Log | RSS feed
# Fail2ban configuration file## Action to report IP address to abuseipdb.com# You must sign up to obtain an API key from abuseipdb.com.## NOTE: These reports may include sensitive Info.# If you want cleaner reports that ensure no user data see the helper script at the below website.## IMPORTANT:## Reporting an IP of abuse is a serious complaint. Make sure that it is# serious. Fail2ban developers and network owners recommend you only use this# action for:# * The recidive where the IP has been banned multiple times# * Where maxretry has been set quite high, beyond the normal user typing# password incorrectly.# * For filters that have a low likelihood of receiving human errors## This action relies on a api_key being added to the above action conf,# and the appropriate categories set.## Example, for ssh bruteforce (in section [sshd] of `jail.local`):# action = %(known/action)s# %(action_abuseipdb)s[abuseipdb_apikey="my-api-key", abuseipdb_category="18,22"]## See below for catagories.## Original Ref: https://wiki.shaunc.com/wikka.php?wakka=ReportingToAbuseIPDBWithFail2Ban# Added to fail2ban by Andrew James Collett (ajcollett)## abuseIPDB Catagories, `the abuseipdb_category` MUST be set in the jail.conf action call.# Example, for ssh bruteforce: action = %(action_abuseipdb)s[abuseipdb_category="18,22"]# ID Title Description# 3 Fraud Orders# 4 DDoS Attack# 9 Open Proxy# 10 Web Spam# 11 Email Spam# 14 Port Scan# 18 Brute-Force# 19 Bad Web Bot# 20 Exploited Host# 21 Web App Attack# 22 SSH Secure Shell (SSH) abuse. Use this category in combination with more specific categories.# 23 IoT Targeted# See https://abuseipdb.com/categories for more descriptions[Definition]# bypass action for restored ticketsnorestored = 1# Option: actionstart# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).# Values: CMD#actionstart =# Option: actionstop# Notes.: command executed at the stop of jail (or at the end of Fail2Ban)# Values: CMD#actionstop =# Option: actioncheck# Notes.: command executed once before each actionban command# Values: CMD#actioncheck =# Option: actionban# Notes.: command executed when banning an IP. Take care that the# command is executed with Fail2Ban user rights.## ** IMPORTANT! **## By default, this posts directly to AbuseIPDB's API, unfortunately# this results in a lot of backslashes/escapes appearing in the# reports. This also may include info like your hostname.# If you have your own web server with PHP available, you can# use my (Shaun's) helper PHP script by commenting out the first #actionban# line below, uncommenting the second one, and pointing the URL at# wherever you install the helper script. For the PHP helper script, see# <https://wiki.shaunc.com/wikka.php?wakka=ReportingToAbuseIPDBWithFail2Ban>## Tags: See jail.conf(5) man page# Values: CMD#actionban = lgm=$(printf '%%.1000s\n...' "<matches>"); curl -sSf "https://api.abuseipdb.com/api/v2/report" -H "Accept: application/json" -H "Key: <abuseipdb_apikey>" --data-urlencode "comment=$lgm" --data-urlencode "ip=<ip>" --data "categories=<abuseipdb_category>"# Option: actionunban# Notes.: command executed when unbanning an IP. Take care that the# command is executed with Fail2Ban user rights.# Tags: See jail.conf(5) man page# Values: CMD#actionunban =[Init]# Option: abuseipdb_apikey# Notes Your API key from abuseipdb.com# Values: STRING Default: None# Register for abuseipdb [https://www.abuseipdb.com], get api key and set below.# You will need to set the category in the action call.abuseipdb_apikey =