fail2ban / fail2ban

Daemon to ban hosts that cause multiple authentication errors
http://www.fail2ban.org

Fail2ban with AbuseIPDB reports, get a curl (59) cipher error #2044

Closed stratege1401 closed 6 years ago

stratege1401 commented 6 years ago

Tried to use fail2ban with automatic AbuseIPDB reports, got a curl (59) cipher error when the curl script is run. Followed https://wiki.shaunc.com/wikka.php?wakka=ReportingToAbuseIPDBWithFail2Ban

Environment:

Debian 9.3 (Stable + Sid mix), 4.9.0-5-amd64 (Debian 4.9.65-3+deb9u2)
php 1:7.0+49
mariadb-client and mariadb-core 10.1 (10.1.26-0+deb9u1)
Fail2ban 0.10.2 (apt-get install from the Sid source.list)
apache 2.4.29-2
openssl 1.1.0f-3+deb9u1
curl 7.52.1-5+deb9u4

[X] You have not applied any additional foreign patches to the codebase
[X] No customizations were done to the configuration

The issue:

curl --fail --ciphers ecdhe_ecdsa_aes_256_sha --data 'key=<myAPI>' --data-urlencode 'comment=<matches>' --data 'ip=<127.0.0.1>' --data 'category=<4>' "https://www.abuseipdb.com/report/json"

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
curl: (59) failed setting cipher list: ecdhe_ecdsa_aes_256_sha

Steps to reproduce

Run by the fail2ban daemon or manually, same results.

Expected behavior

Should have a connection, but the cipher error prevents the connection.

Observed behavior

no reports done

Any additional information

none

Configuration, dump and another helpful excerpts

/etc/jail.local (TESTING CONF)
[INCLUDES]
before = paths-debian.conf

[DEFAULT]
ignoreip = 127.0.0.1/8 192.168.1.1/24
ignorecommand =
bantime  = 3600
findtime  = 36000
maxretry = 5
backend = auto
usedns = warn
logencoding = auto
enabled = false
filter = %(__name__)s
destemail = root@localhost
sender = root@localhost
mta = sendmail
protocol = tcp
chain = INPUT
port = 0:65535
fail2ban_agent = Fail2Ban/%(fail2ban_version)s

banaction = iptables-multiport
banaction_allports = iptables-allports
action_ = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
action_mw = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
            %(mta)s-whois[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
action_mwl = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
             %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
action_xarf = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
             xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath=%(logpath)s, port="%(port)s"]
action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"]
                %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
action_blocklist_de  = blocklist_de[email="%(sender)s", service=%(filter)s, apikey="%(blocklist_de_apikey)s", agent="%(fail2ban_agent)s"]
action_badips = badips.py[category="%(__name__)s", banaction="%(banaction)s", agent="%(fail2ban_agent)s"]
action_badips_report = badips[category="%(__name__)s", agent="%(fail2ban_agent)s"]

action = %(action_)s
logpath = /var/log/fail2ban.log

# Protect against DOS attack
[http-get-dos]
enabled = true
port = http,https
filter = http-get-dos
maxretry = 360
findtime = 120
action = iptables[name=HTTP, port=http, protocol=tcp]
abuseipdb[abuseipdb_category="4"]


sebres commented 6 years ago

This is not an issue of fail2ban, if you cannot call the same via command line...

I assume just the SSL handshake failed at all. This can occur because the server does not accept this kind of cipher, resp. your NSS does not support it. You should specify the ciphers, whatever is supported by the abuseipdb server but also supported by your version of "curl" / your NSS version.

stratege1401 commented 6 years ago

Thank you for the clue you gave me.

Anyway, the documentation for abuseipdb.conf should state to verify whether the user's curl supports the cipher chosen by the developer.

It is like buying a car, but the vendor doesn't tell you if it is unleaded, regular or diesel. "Just guess, man, and have a good day" :)

After checking my curl version on https://www.howsmyssl.com/a/check I discovered I was not able to support the abuseipdb.conf cipher. So I switched to another one, and this time it worked.

So, again, thank you for pointing out the obvious to me.
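The check the reporter ran at howsmyssl.com can also be done locally, and offline: curl's "(59) failed setting cipher list" is raised by the TLS library while parsing the cipher string, before any connection is attempted. The example below is added here and is not fail2ban code nor taken from any reply in this thread. It assumes a CPython linked against OpenSSL, whose cipher names differ from NSS's (the original action file's comment says the `ecdhe_ecdsa_aes_256_sha` form was introduced to work around an NSS error on CentOS); the candidate list is constructed from the names that appear in this thread.

```python
"""Offline check: does the local TLS library accept a cipher string?

Added example, not fail2ban code and not from this thread's replies.
Assumes CPython linked against OpenSSL. curl's "(59) failed setting
cipher list" is the same failure: the cipher string is rejected by the
TLS library before a connection is attempted, so no network is needed.
"""
import ssl


def selectable_ciphers(cipher_string):
    """Return the TLS <= 1.2 cipher names OpenSSL selects for cipher_string.

    An empty list means the string selected nothing, which is the
    condition under which curl reports error 59.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        # OpenSSL: "No cipher can be selected." Unknown names are skipped
        # while the string is parsed, so a name in NSS syntax matches nothing.
        return []
    # get_ciphers() also lists the TLS 1.3 suites, which set_ciphers() does
    # not govern; drop them so the answer reflects the string we passed.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def cipher_supported(cipher_string):
    """True if the local OpenSSL can select at least one cipher from the string."""
    return bool(selectable_ciphers(cipher_string))


def check_candidates(candidates):
    """Map each candidate cipher string to whether it is usable on this host."""
    return {name: cipher_supported(name) for name in candidates}


# Constructed candidate list: the NSS-style name from the original
# action.d/abuseipdb.conf and the OpenSSL-style names used later in the thread.
CANDIDATES = (
    "ecdhe_ecdsa_aes_256_sha",
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384",
)

if __name__ == "__main__":
    print("TLS library:", ssl.OPENSSL_VERSION)
    for name, ok in check_candidates(CANDIDATES).items():
        print(f"{'ok  ' if ok else 'FAIL'} {name}")
```

Run it on the machine that will execute the action: a `FAIL` for the string in `actionban` means curl on that host would stop with error 59 before talking to the server, whatever the server supports.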

sebres commented 6 years ago

BTW. Why specifying cipher?

$ curl --fail --data 'key=test' --data-urlencode 'comment=xxx' --data 'ip=192.0.2.1' --data 'category=4' "https://www.abuseipdb.com/report/json"
curl: (22) The requested URL returned error: 400 Bad Request

So you see - the connection is built (400 is just an after-effect of wrong params).

I assume it's just a wrong name, take a look here

The same with given proper cipher works fine on my debians:

curl --fail --ciphers "ECDHE-ECDSA-AES128-GCM-SHA256" ... "https://www.abuseipdb.com/report/json"
curl --fail --ciphers "ECDHE-ECDSA-AES256-GCM-SHA384" ... "https://www.abuseipdb.com/report/json"

stratege1401 commented 6 years ago

Why specific? Because the plugins come that way!

sebres commented 6 years ago

Oh you meant https://github.com/fail2ban/fail2ban/blob/55e107310fd0697d583aa8971e2b1db48e49c5ea/config/action.d/abuseipdb.conf#L60.

I forgot, that we have such an action.

I'll fix it later, Thanks.

stratege1401 commented 6 years ago

more info:

after using good command curl, i get: [{"id":"Unprocessable Entity","links":{"about":"https:\/\/www.abuseipdb.com\/api"},"status":"422","code":"1019", "title":"The request was well-formed but was unable to be followed due to semantic errors.","detail":"The field

sebres commented 6 years ago

Your more-info is unfortunately truncated :) can you please repeat it with the whole log excerpt.

stratege1401 commented 6 years ago

Sorry for delay:

curl --tlsv1.0 --data 'key=<myapikey>' --data-urlencode 'comment=<matches>' --data 'ip=<198.50.226.18>' --data 'category=<4>' "https://www.abuseipdb.com/report/json"

198.50.226.18 is a Canadian IP doing some SSH brute force, a real one, bad guys, you know, losers, bad bad guys ... and I get in response:

[{"id":"Unprocessable Entity","links":{"about":"https:\/\/www.abuseipdb.com\/api"},"status":"422","code":"1019","title":"The request was well-formed but was unable to be followed due to semantic errors.","detail":"The field must be a valid IP address.","source":{"parameter":"ip"}}]

sebres commented 6 years ago

Do you enclose the IP in brackets <>? Or is it the excerpt from fail2ban.log? Just to be sure, because 'ip=<ip>' will normally be substituted into 'ip=192.0.2.1' (without <> left and right). What do you see in fail2ban.log? Please post the exact errors around the exec (just with your API key replaced)...

stratege1401 commented 6 years ago

I FEEL SO FXXXXX STUPID !!!!!!!!!! EVEN MY 6 YEAR OLD DAUGHTER SHOULD HAVE FOUND THIS !!!!!

YOU ARE SO RIGHT:

the correct command line is curl --tlsv1.0 --data 'key=mykey' --data-urlencode 'comment=matches' --data 'ip=198.50.226.18' --data 'category=4' "https://www.abuseipdb.com/report/json"

the comment should be something like 2018-02-13 12:39:40,056 fail2ban.filter [32368]: INFO [sshd] Found 198.50.226.18 - 2018-02-13 12:36:41

I am so desperate to be so blind and brainless !!!!

{"ip":"198.50.226.18","success":true}root@nextcloud:/var/log
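An added example (not fail2ban's code, and not from anyone's reply in this thread) of what sebres describes above: fail2ban replaces `<ip>` and the other `<tags>` in `actionban` with the jail's values, so the angle brackets are never typed around a value. `substitute_tags()` is a deliberately simplified stand-in for that replacement (an assumption about fail2ban's behaviour, not its implementation); the rendered command is then split the way a shell would split it and the report fields are checked locally, which catches the literal `<198.50.226.18>` before it reaches the API. The API key, the tag values and the typo command are constructed from what the thread shows.

```python
"""How <tag>s in an actionban command become real values, and why
'ip=<198.50.226.18>' came back as HTTP 422 "must be a valid IP address".

Added example, not fail2ban's own code. substitute_tags() is a simplified
stand-in (assumption) for fail2ban's tag replacement: every <name> whose
name is known is replaced, anything else is left exactly as typed. The rest
parses the rendered command like a POSIX shell and checks the report fields
before anything would be sent.
"""
import ipaddress
import re
import shlex

# A tag is <identifier>; "<198.50.226.18>" or "<4>" are not tags, just text.
TAG_RE = re.compile(r"<([A-Za-z_][A-Za-z0-9_]*)>")

# The actionban line from the thread (tlsv1.2 variant), as fail2ban sees it.
ACTIONBAN = (
    "curl --tlsv1.2 --data 'key=<abuseipdb_apikey>' "
    '--data-urlencode "comment=<matches>" '
    "--data 'ip=<ip>' --data 'category=<abuseipdb_category>' "
    '"https://www.abuseipdb.com/report/json"'
)

# The reporter's first manual attempt, with the brackets typed literally.
TYPO_COMMAND = (
    "curl --tlsv1.0 --data 'key=k' --data-urlencode 'comment=c' "
    "--data 'ip=<198.50.226.18>' --data 'category=<4>' "
    '"https://www.abuseipdb.com/report/json"'
)

# Constructed tag values: placeholder key, the log line quoted in the thread,
# the documentation address sebres used, and the brute-force/SSH categories.
SAMPLE_TAGS = {
    "abuseipdb_apikey": "my-api-key",
    "matches": "2018-02-13 12:39:40,056 fail2ban.filter [32368]: INFO [sshd] "
               "Found 198.50.226.18 - 2018-02-13 12:36:41",
    "ip": "192.0.2.1",
    "abuseipdb_category": "18,22",
}


def substitute_tags(template, tags):
    """Replace each known <tag> with its value; unknown tags stay verbatim."""
    return TAG_RE.sub(lambda m: tags.get(m.group(1), m.group(0)), template)


def extract_data_fields(command):
    """Split the rendered command like a shell and collect the --data fields."""
    argv = shlex.split(command)
    fields = {}
    for i, arg in enumerate(argv[:-1]):
        if arg in ("--data", "--data-urlencode"):
            key, _, value = argv[i + 1].partition("=")
            fields[key] = value
    return fields


def validate_report(fields):
    """Problems that would make the report be rejected; [] means well-formed."""
    problems = []
    for name in ("key", "comment", "ip", "category"):
        if name not in fields:
            problems.append(f"missing --data field {name!r}")
    for name, value in fields.items():
        if TAG_RE.search(value):
            problems.append(f"{name!r} still contains an unexpanded tag: {value!r}")
    try:
        ipaddress.ip_address(fields.get("ip", ""))
    except ValueError:
        problems.append(f"'ip' is not a valid IP address: {fields.get('ip')!r}")
    category = fields.get("category", "")
    if not all(part.isdigit() for part in category.split(",")):
        problems.append(f"'category' must be comma-separated numeric ids: {category!r}")
    return problems


def report_problems(template, tags):
    """Render, parse and validate in one step."""
    return validate_report(extract_data_fields(substitute_tags(template, tags)))


if __name__ == "__main__":
    print("rendered :", substitute_tags(ACTIONBAN, SAMPLE_TAGS))
    print("problems :", report_problems(ACTIONBAN, SAMPLE_TAGS))
    print("typo     :", report_problems(TYPO_COMMAND, SAMPLE_TAGS))
```

With the real tag values the rendered command carries `ip=192.0.2.1` and validates cleanly; the typo command keeps `<198.50.226.18>` and `<4>` untouched, because neither is a tag name, and both are reported before any request is made.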

stratege1401 commented 6 years ago

I have modified

fail2ban/config/action.d/abuseipdb.conf Line 60 in 55e1073

to look like:

actionban = curl --tlsv1.1 --data 'key=<abuseipdb_apikey>' --data-urlencode 'comment=<matches>' --data 'ip=<ip>' --data 'category=<abuseipdb_category>'
"https://www.abuseipdb.com/report/json"

restarted my service: and get:

2018-02-13 22:23:22,970 fail2ban.server         [20126]: INFO    Starting Fail2ban v0.10.2
2018-02-13 22:23:22,978 fail2ban.database       [20126]: INFO    Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
2018-02-13 22:23:22,983 fail2ban.jail           [20126]: INFO    Creating new jail 'sshd'
2018-02-13 22:23:23,001 fail2ban.jail           [20126]: INFO    Jail 'sshd' uses pyinotify {}
2018-02-13 22:23:23,010 fail2ban.jail           [20126]: INFO    Initiated 'pyinotify' backend
2018-02-13 22:23:23,015 fail2ban.filter         [20126]: INFO      maxLines: 1
2018-02-13 22:23:23,047 fail2ban.server         [20126]: INFO    Jail sshd is not a JournalFilter instance
2018-02-13 22:23:23,049 fail2ban.filter         [20126]: INFO    Added logfile: '/var/log/auth.log' (pos = 49053, hash = 18115dd705ccbf140a19d0503026e2f54a0ff171)
2018-02-13 22:23:23,052 fail2ban.filter         [20126]: INFO      findtime: 36000
2018-02-13 22:23:23,053 fail2ban.actions        [20126]: INFO      banTime: 3600
2018-02-13 22:23:23,053 fail2ban.filter         [20126]: INFO      encoding: UTF-8
2018-02-13 22:23:23,053 fail2ban.filter         [20126]: INFO      maxRetry: 3
2018-02-13 22:23:23,054 fail2ban.jail           [20126]: INFO    Creating new jail 'apache-auth'
2018-02-13 22:23:23,054 fail2ban.jail           [20126]: INFO    Jail 'apache-auth' uses pyinotify {}
2018-02-13 22:23:23,058 fail2ban.jail           [20126]: INFO    Initiated 'pyinotify' backend
2018-02-13 22:23:23,065 fail2ban.filter         [20126]: INFO    Added logfile: '/var/log/apache2/error.log' (pos = 3949, hash = ca324cc12b56e12c3077f047f9e5b9a32e2ba140)
2018-02-13 22:23:23,066 fail2ban.filter         [20126]: INFO      findtime: 36000
2018-02-13 22:23:23,067 fail2ban.actions        [20126]: INFO      banTime: 3600
2018-02-13 22:23:23,067 fail2ban.filter         [20126]: INFO      encoding: UTF-8
2018-02-13 22:23:23,067 fail2ban.filter         [20126]: INFO      maxRetry: 5
2018-02-13 22:23:23,068 fail2ban.jail           [20126]: INFO    Creating new jail 'apache-badbots'
2018-02-13 22:23:23,068 fail2ban.jail           [20126]: INFO    Jail 'apache-badbots' uses pyinotify {}
2018-02-13 22:23:23,075 fail2ban.jail           [20126]: INFO    Initiated 'pyinotify' backend
2018-02-13 22:23:23,091 fail2ban.filter         [20126]: INFO    Added logfile: '/var/log/apache2/access.log' (pos = 2178199, hash = 940bfd9e057fd82807c87a34951d2329d0ce1fee)
2018-02-13 22:23:23,098 fail2ban.filter         [20126]: INFO    Added logfile: '/var/log/apache2/other_vhosts_access.log' (pos = 0, hash = da39a3ee5e6b4b0d3255bfef95601890afd80709)
2018-02-13 22:23:23,099 fail2ban.filter         [20126]: INFO      findtime: 36000
2018-02-13 22:23:23,099 fail2ban.actions        [20126]: INFO      banTime: 172800
2018-02-13 22:23:23,100 fail2ban.filter         [20126]: INFO      encoding: UTF-8
2018-02-13 22:23:23,100 fail2ban.filter         [20126]: INFO      maxRetry: 2
2018-02-13 22:23:23,100 fail2ban.jail           [20126]: INFO    Creating new jail 'apache-nohome'
2018-02-13 22:23:23,100 fail2ban.jail           [20126]: INFO    Jail 'apache-nohome' uses pyinotify {}
2018-02-13 22:23:23,104 fail2ban.jail           [20126]: INFO    Initiated 'pyinotify' backend
2018-02-13 22:23:23,108 fail2ban.filter         [20126]: INFO    Added logfile: '/var/log/apache2/error.log' (pos = 3949, hash = ca324cc12b56e12c3077f047f9e5b9a32e2ba140)
2018-02-13 22:23:23,109 fail2ban.filter         [20126]: INFO      findtime: 36000
2018-02-13 22:23:23,110 fail2ban.actions        [20126]: INFO      banTime: 3600
2018-02-13 22:23:23,110 fail2ban.filter         [20126]: INFO      encoding: UTF-8
2018-02-13 22:23:23,110 fail2ban.filter         [20126]: INFO      maxRetry: 2
2018-02-13 22:23:23,111 fail2ban.jail           [20126]: INFO    Creating new jail 'proftpd'
2018-02-13 22:23:23,111 fail2ban.jail           [20126]: INFO    Jail 'proftpd' uses pyinotify {}
2018-02-13 22:23:23,115 fail2ban.jail           [20126]: INFO    Initiated 'pyinotify' backend
2018-02-13 22:23:23,123 fail2ban.server         [20126]: INFO    Jail proftpd is not a JournalFilter instance
2018-02-13 22:23:23,124 fail2ban.filter         [20126]: INFO    Added logfile: '/var/log/auth.log' (pos = 49053, hash = 18115dd705ccbf140a19d0503026e2f54a0ff171)
2018-02-13 22:23:23,125 fail2ban.filter         [20126]: INFO      findtime: 36000
2018-02-13 22:23:23,126 fail2ban.actions        [20126]: INFO      banTime: 3600
2018-02-13 22:23:23,126 fail2ban.filter         [20126]: INFO      encoding: UTF-8
2018-02-13 22:23:23,126 fail2ban.filter         [20126]: INFO      maxRetry: 5
2018-02-13 22:23:23,127 fail2ban.jail           [20126]: INFO    Creating new jail 'pure-ftpd'
2018-02-13 22:23:23,127 fail2ban.jail           [20126]: INFO    Jail 'pure-ftpd' uses pyinotify {}
2018-02-13 22:23:23,131 fail2ban.jail           [20126]: INFO    Initiated 'pyinotify' backend
2018-02-13 22:23:23,138 fail2ban.server         [20126]: INFO    Jail pure-ftpd is not a JournalFilter instance
2018-02-13 22:23:23,139 fail2ban.filter         [20126]: INFO    Added logfile: '/var/log/auth.log' (pos = 49053, hash = 18115dd705ccbf140a19d0503026e2f54a0ff171)
2018-02-13 22:23:23,140 fail2ban.filter         [20126]: INFO      findtime: 36000
2018-02-13 22:23:23,141 fail2ban.actions        [20126]: INFO      banTime: 3600
2018-02-13 22:23:23,141 fail2ban.filter         [20126]: INFO      encoding: UTF-8
2018-02-13 22:23:23,141 fail2ban.filter         [20126]: INFO      maxRetry: 5
2018-02-13 22:23:23,142 fail2ban.jail           [20126]: INFO    Creating new jail 'gssftpd'
2018-02-13 22:23:23,142 fail2ban.jail           [20126]: INFO    Jail 'gssftpd' uses pyinotify {}
2018-02-13 22:23:23,146 fail2ban.jail           [20126]: INFO    Initiated 'pyinotify' backend
2018-02-13 22:23:23,151 fail2ban.filter         [20126]: INFO    Added logfile: '/var/log/daemon.log' (pos = 5787, hash = 3676f9af31c83a2d7ddc5751eb3407dc30358909)
2018-02-13 22:23:23,152 fail2ban.filter         [20126]: INFO      findtime: 36000
2018-02-13 22:23:23,153 fail2ban.actions        [20126]: INFO      banTime: 3600
2018-02-13 22:23:23,153 fail2ban.filter         [20126]: INFO      encoding: UTF-8
2018-02-13 22:23:23,153 fail2ban.filter         [20126]: INFO      maxRetry: 5
2018-02-13 22:23:23,154 fail2ban.jail           [20126]: INFO    Creating new jail 'wuftpd'
2018-02-13 22:23:23,154 fail2ban.jail           [20126]: INFO    Jail 'wuftpd' uses pyinotify {}
2018-02-13 22:23:23,158 fail2ban.jail           [20126]: INFO    Initiated 'pyinotify' backend
2018-02-13 22:23:23,165 fail2ban.filter         [20126]: INFO    Added logfile: '/var/log/auth.log' (pos = 49053, hash = 18115dd705ccbf140a19d0503026e2f54a0ff171)
2018-02-13 22:23:23,166 fail2ban.filter         [20126]: INFO      findtime: 36000
2018-02-13 22:23:23,166 fail2ban.actions        [20126]: INFO      banTime: 3600
2018-02-13 22:23:23,167 fail2ban.filter         [20126]: INFO      encoding: UTF-8
2018-02-13 22:23:23,167 fail2ban.filter         [20126]: INFO      maxRetry: 5
2018-02-13 22:23:23,167 fail2ban.jail           [20126]: INFO    Creating new jail 'http-get-dos'
2018-02-13 22:23:23,168 fail2ban.jail           [20126]: INFO    Jail 'http-get-dos' uses pyinotify {}
2018-02-13 22:23:23,172 fail2ban.jail           [20126]: INFO    Initiated 'pyinotify' backend
2018-02-13 22:23:23,175 fail2ban.filter         [20126]: INFO    Added logfile: '/var/log/fail2ban.log' (pos = 30118, hash = 31c56391718a86914456044d4182300ca0270ebc)
2018-02-13 22:23:23,176 fail2ban.filter         [20126]: INFO      findtime: 120
2018-02-13 22:23:23,176 fail2ban.actions        [20126]: INFO      banTime: 3600
2018-02-13 22:23:23,177 fail2ban.filter         [20126]: INFO      encoding: UTF-8
2018-02-13 22:23:23,177 fail2ban.filter         [20126]: INFO      maxRetry: 360
2018-02-13 22:23:23,196 fail2ban.jail           [20126]: INFO    Jail 'sshd' started
2018-02-13 22:23:23,199 fail2ban.jail           [20126]: INFO    Jail 'apache-auth' started
2018-02-13 22:23:23,202 fail2ban.jail           [20126]: INFO    Jail 'apache-badbots' started
2018-02-13 22:23:23,205 fail2ban.jail           [20126]: INFO    Jail 'apache-nohome' started
2018-02-13 22:23:23,207 fail2ban.jail           [20126]: INFO    Jail 'proftpd' started
2018-02-13 22:23:23,208 fail2ban.jail           [20126]: INFO    Jail 'pure-ftpd' started
2018-02-13 22:23:23,209 fail2ban.jail           [20126]: INFO    Jail 'gssftpd' started
2018-02-13 22:23:23,210 fail2ban.jail           [20126]: INFO    Jail 'wuftpd' started
2018-02-13 22:23:23,218 fail2ban.jail           [20126]: INFO    Jail 'http-get-dos' started
2018-02-13 22:23:23,383 fail2ban.actions        [20126]: NOTICE  [sshd] Restore Ban 103.26.14.92
2018-02-13 22:23:23,413 fail2ban.actions        [20126]: NOTICE  [sshd] Restore Ban 193.201.224.212
2018-02-13 22:23:23,430 fail2ban.actions        [20126]: NOTICE  [sshd] Restore Ban 5.188.10.179
2018-02-13 22:23:23,447 fail2ban.actions        [20126]: NOTICE  [sshd] Restore Ban 59.63.188.36

Waiting to see if IPs are reported on my https://www.abuseipdb.com/account/reports

Will report results

sebres commented 6 years ago

I assume 'comment=<matches>' should be changed to double-quoted "comment=<matches>", because this can be mapped internally to a variable in the latest 0.10. Otherwise you'll see a var name instead of matches.

stratege1401 commented 6 years ago

OK, with the change it ....

actionban = curl --tlsv1.1 --data 'key=<abuseipdb_apikey>' --data-urlencode "comment=<matches>" --data 'ip=<ip>' --data 'category=<abuseipdb_category>'
"https://www.abuseipdb.com/report/json"

Using tail -f /var/log/fail2ban.log to see if some IPs are banned and reported ... no luck so far...

stratege1401 commented 6 years ago

Well, got some IPs banned for sshd but no report on abuseipdb.com/account/reports

Using my 4G connection, I generate false SSH connections:

2018-02-14 02:25:48,301 fail2ban.filter         [3780]: INFO    [sshd] Found 37.169.x.x - 2018-02-14 02:25:48
2018-02-14 02:25:50,384 fail2ban.filter         [3780]: INFO    [sshd] Found 37.169.x.x - 2018-02-14 02:25:50
2018-02-14 02:26:01,829 fail2ban.filter         [3780]: INFO    [sshd] Found 37.169.x.x - 2018-02-14 02:26:01
2018-02-14 02:26:01,971 fail2ban.actions        [3780]: NOTICE  [sshd] Ban 37.169.x.x

I double-checked my config against https://www.abuseipdb.com/fail2ban.html; the only difference is

actionban = curl --tlsv1.1 --data 'key=<abuseipdb_apikey>' --data-urlencode "comment=<matches>" --data 'ip=<ip>' --data 'category=<abuseipdb_category>'
"https://www.abuseipdb.com/report/json"

My tail -f on fail2ban.log says nothing; my tail -f on journalctl gives nothing.

Manual command for a DDoS attack (cat 4): curl --tlsv1.1 --data 'key=...' --data-urlencode "comment=MANUAL" --data 'ip=198.50.226.18' --data 'category=4' "https://www.abuseipdb.com/report/json" > actionban.log

% Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   124  100    37  100    87     69    164 --:--:-- --:--:-- --:--:--   164

actionban.log: {"ip":"198.50.226.18","success":true}

AbuseIPDB reports updated correctly:

198.50.226.18 | 20 seconds ago | MANUAL | DDoS Attack

I am using Debian 9.3 with apache2 2.4.29 and Python 2.7.13

I am going crazy

sebres commented 6 years ago

You've not specified the abuseipdb action at all. In the ini files (configs), to read an entry with multiple lines, at least one space is mandatory in the second line:

action = iptables[name=HTTP, port=http, protocol=tcp]
-abuseipdb[abuseipdb_category="4"]
+        abuseipdb[abuseipdb_category="4"]

In your current config, you've specified a parameter abuseipdb[abuseipdb_category with value "4"]. :)

waiting to see if ip are reported ...

You can do it also immediately, using manual ban like:

?sudo? fail2ban-client set sshd banip 192.0.2.1
sleep 1
?sudo? fail2ban-client set sshd unbanip 192.0.2.1

stratege1401 commented 6 years ago

Thanks again. Ban/unban works, iptables is updated, the SQL works .... but still no report to abuseipdb.

In case you don't mind checking those files, /etc/fail2ban/jail.local

[INCLUDES]
before = paths-debian.conf

[DEFAULT]
ignoreip = 127.0.0.1/8 192.168.1.1/24
ignorecommand =
bantime  = 3600
findtime  = 36000
maxretry = 5
backend = auto
usedns = warn
logencoding = auto
enabled = false
filter = %(__name__)s
destemail = root@localhost
sender = root@localhost
mta = sendmail
protocol = tcp
chain = INPUT
port = 0:65535
fail2ban_agent = Fail2Ban/%(fail2ban_version)s
banaction = iptables-multiport
banaction_allports = iptables-allports
action_ = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]

action_abuseipdb = abuseipdb

action_mw = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
            %(mta)s-whois[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
action_mwl = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
             %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
action_xarf = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
             xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath=%(logpath)s, port="%(port)s"]
action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"]
                %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
action_blocklist_de  = blocklist_de[email="%(sender)s", service=%(filter)s, apikey="%(blocklist_de_apikey)s", agent="%(fail2ban_agent)s"]
action_badips = badips.py[category="%(__name__)s", banaction="%(banaction)s", agent="%(fail2ban_agent)s"]
action_badips_report = badips[category="%(__name__)s", agent="%(fail2ban_agent)s"]

action = %(action_)s
logpath = /var/log/fail2ban.log

[http-get-dos]
enabled = true
port = http,https
filter = http-get-dos
maxretry = 360
findtime = 120
action = iptables[name=HTTP, port=http, protocol=tcp]
         abuseipdb[abuseipdb_category="4"]

[sshd]
enabled = true
port =  1:65535
filter = sshd
maxretry = 3
#logpath  = /var/log/sshd.log
action = iptables[name=SSH, port=ssh, protocol=tcp]
         abuseipdb[abuseipdb_category="14,18,22"]

[sshd-ddos]
enable = true
maxretry = 2
port = 1:65535 
#logpath  = /var/log/sshd.log
action = iptables[name=SSH, port=ssh, protocol=tcp]
        abuseipdb[abuseipdb_category="5,18,22"]

and

/etc/fail2ban/action.d/abuseipbd.conf

# Fail2ban configuration file
#
# Action to report IP address to abuseipdb.com
# You must sign up to obtain an API key from abuseipdb.com.
#
# NOTE: These reports may include sensitive Info.
# If you want cleaner reports that ensure no user data see the helper script at the below website.
#
# IMPORTANT:
#
# Reporting an IP of abuse is a serious complaint. Make sure that it is
# serious. Fail2ban developers and network owners recommend you only use this
# action for:
#   * The recidive where the IP has been banned multiple times
#   * Where maxretry has been set quite high, beyond the normal user typing
#     password incorrectly.
#   * For filters that have a low likelihood of receiving human errors
#
# This action relies on a api_key being added to the above action conf,
# and the appropriate categories set.
#
# Example, for ssh bruteforce (in section [sshd] of `jail.local`): 
#   action = %(known/action)s
#            %(action_abuseipdb)s[abuseipdb_apikey="my-api-key", abuseipdb_category="18,22"]
#
# See below for catagories.
#
# Original Ref: https://wiki.shaunc.com/wikka.php?wakka=ReportingToAbuseIPDBWithFail2Ban
# Added to fail2ban by Andrew James Collett (ajcollett)

## abuseIPDB Catagories, `the abuseipdb_category` MUST be set in the jail.conf action call.
# Example, for ssh bruteforce: action = %(action_abuseipdb)s[abuseipdb_category="18,22"]
# ID    Title   Description
# 3   Fraud Orders
# 4   DDoS Attack
# 9   Open Proxy
# 10    Web Spam
# 11    Email Spam
# 14    Port Scan
# 18    Brute-Force
# 19    Bad Web Bot
# 20    Exploited Host
# 21    Web App Attack
# 22    SSH Secure Shell (SSH) abuse. Use this category in combination with more specific categories.
# 23    IoT Targeted
# See https://abuseipdb.com/categories for more descriptions

[Definition]

# Option:  actionstart
# Notes.:  command executed once at the start of Fail2Ban.
# Values:  CMD
#
actionstart =

# Option:  actionstop
# Notes.:  command executed once at the end of Fail2Ban
# Values:  CMD
#
actionstop =

# Option:  actioncheck
# Notes.:  command executed once before each actionban command
# Values:  CMD
#
actioncheck =

# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
#
#          ** IMPORTANT! **
#
#          By default, this posts directly to AbuseIPDB's API, unfortunately
#          this results in a lot of backslashes/escapes appearing in the
#          reports. This also may include info like your hostname.
#          If you have your own web server with PHP available, you can
#          use my (Shaun's) helper PHP script by commenting out the first #actionban
#          line below, uncommenting the second one, and pointing the URL at
#          wherever you install the helper script. For the PHP helper script, see
#          <https://wiki.shaunc.com/wikka.php?wakka=ReportingToAbuseIPDBWithFail2Ban>
#
#          --ciphers ecdhe_ecdsa_aes_256_sha is used to workaround a
#          "NSS error -12286" from curl as it attempts to connect using
#          SSLv3. See https://www.centos.org/forums/viewtopic.php?t=52732
# Tags:    See jail.conf(5) man page
# Values:  CMD
#

actionban = curl --tlsv1.1 --data 'key=<abuseipdb_apikey>' --data-urlencode "comment=<matches>" --data 'ip=<ip>' --data 'category=<abuseipdb_category>' "https://www.abuseipdb.com/report/json"

# Option:  actionunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionunban =

[Init]
# Option:  abuseipdb_apikey
# Notes    Your API key from abuseipdb.com
# Values:  STRING  Default: None
# Register for abuseipdb [https://www.abuseipdb.com], get api key and set below.
# You will need to set the catagory in the action call.
abuseipdb_apikey = remove for github

After that, i quit reporting ...

sebres commented 6 years ago

Ban/unban works .... but still no report to abuseipbd.

Do you see now any error in fail2ban.log after "Ban ..IP.."?

sebres commented 6 years ago

abuseipdb_apikey = remove for github

BTW. Changing default configs (some-config.conf) is not really a good idea (they can be overridden/incompatible later). So for example, in order to provide abuseipdb_apikey to the action, you can put it in the same section into /etc/fail2ban/action.d/abuseipbd.local. Or just overwrite it in your jail.local, for example:

[DEFAULT]
+_abuseipdb_my_key = my-key
+_abuseipdb = abuseipdb[abuseipdb_apikey="%(_abuseipdb_my_key)s"]

[jail]
-        abuseipdb[abuseipdb_category="5,18,22"]
+        %(_abuseipdb)s[abuseipdb_category="5,18,22"]
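The two ini rules sebres relies on in this thread (an unindented second line becomes a new key rather than part of `action`, and a `%(name)s` reference pulls a value from `[DEFAULT]`) can be seen directly with Python's ConfigParser, on which fail2ban's configuration reader is built. The example below is added here and is not fail2ban's own reader: the stock module is used as a stand-in (an assumption; fail2ban adds includes and its own interpolation on top, but these two rules are ConfigParser's). Both ini texts are constructed from the reporter's jail and sebres's suggestion.

```python
"""Continuation lines and %(name)s interpolation in fail2ban-style ini files.

Added example, not fail2ban's own reader. fail2ban's configuration reader
is built on Python's ConfigParser, so the stock module is used here as a
stand-in (assumption: fail2ban adds includes and its own interpolation, but
the two rules shown, "an indented line continues the value above" and
"%(name)s pulls a value from [DEFAULT]", are ConfigParser's).
"""
import configparser

# Constructed: the reporter's jail as first posted, second action line not indented.
BROKEN = """\
[http-get-dos]
enabled = true
action = iptables[name=HTTP, port=http, protocol=tcp]
abuseipdb[abuseipdb_category="4"]
"""

# Constructed: the indented continuation, plus the API key factored into
# [DEFAULT] the way sebres suggested.
FIXED = """\
[DEFAULT]
_abuseipdb_my_key = my-key
_abuseipdb = abuseipdb[abuseipdb_apikey="%(_abuseipdb_my_key)s"]

[http-get-dos]
enabled = true
action = iptables[name=HTTP, port=http, protocol=tcp]
         %(_abuseipdb)s[abuseipdb_category="4"]
"""


def parse(text):
    """Parse ini text; %(name)s interpolation is ConfigParser's default."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return cp


def action_lines(text, jail="http-get-dos"):
    """The jail's action value, interpolated and split into one entry per line."""
    return parse(text).get(jail, "action").splitlines()


def jail_keys(text, jail="http-get-dos"):
    """Option names the parser found in the jail section itself (not [DEFAULT])."""
    cp = parse(text)
    return sorted(set(cp.options(jail)) - set(cp.defaults()))


def raw_value(text, key, jail="http-get-dos"):
    """Value of a key exactly as stored, before interpolation."""
    return parse(text).get(jail, key, raw=True)


if __name__ == "__main__":
    print("broken action:", action_lines(BROKEN))
    print("broken keys  :", jail_keys(BROKEN))
    print("stray value  :", raw_value(BROKEN, 'abuseipdb[abuseipdb_category'))
    print("fixed action :", action_lines(FIXED))
```

For the broken text the parser stores a single-line `action` and an extra option named `abuseipdb[abuseipdb_category` with the value `"4"]`, which is the parameter sebres points out; for the fixed text `action` has two lines and the second expands to `abuseipdb[abuseipdb_apikey="my-key"][abuseipdb_category="4"]`, which is the string fail2ban's action parser then receives.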

sebres commented 6 years ago

but still no report to abuseipbd

stupid question by the way: have you reloaded f2b after config-change?

stratege1401 commented 6 years ago

there is no stupid question !

stratege1401 commented 6 years ago

OK, I took some time checking and rewriting the conf and found a formatting error in my abuseipbd.conf (some missing spaces...).

If you ever visit France, you've won a free beer !!!!! BECAUSE IT WORKS !!!

I am too tired now, I will cut/paste my conf files for other people.

THANK YOU AGAIN sebres !!! Really appreciate your help !!!

stratege1401 commented 6 years ago

Here's my working configuration

/etc/fail2ban/fail2ban.local

[Definition]
#         CRITICAL
#         ERROR
#         WARNING
#         NOTICE
#         INFO
#         DEBUG
loglevel = INFO
logtarget = /var/log/fail2ban.log
syslogsocket = auto
socket = /var/run/fail2ban/fail2ban.sock
pidfile = /var/run/fail2ban/fail2ban.pid
dbfile = /var/lib/fail2ban/fail2ban.sqlite3
dbpurgeage = 1d

/etc/fail2ban/jail.local

[INCLUDES]
before = paths-debian.conf
[DEFAULT]
ignoreip = 127.0.0.1/8 192.168.1.1/24
ignorecommand =
bantime  = 36000
findtime  = 360000
maxretry = 5
backend = auto
usedns = warn
logencoding = auto
enabled = false
filter = %(__name__)s
destemail = root@localhost
sender = root@localhost
mta = sendmail
protocol = tcp
chain = INPUT
port = 0:65535
fail2ban_agent = Fail2Ban/%(fail2ban_version)s
banaction = iptables-multiport
banaction_allports = iptables-allports
action_ = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", cha$
[DEFAULT]
abuseipdb_my_key = put your api key here
abuseipdb = abuseipdb[abuseipdb_apikey="%(abuseipdb_my_key)s"]
action_mw = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", c$
            %(mta)s-whois[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", protocol="%(protocol)s"$
action_mwl = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", $
             %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpat$
action_xarf = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s",$
             xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath=%(logpath)s, port="%(port)s"]
action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"]
                %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(log$
action_blocklist_de  = blocklist_de[email="%(sender)s", service=%(filter)s, apikey="%(blocklist_de_apikey)s", a$
action_badips = badips.py[category="%(__name__)s", banaction="%(banaction)s", agent="%(fail2ban_agent)s"]
action_badips_report = badips[category="%(__name__)s", agent="%(fail2ban_agent)s"]
action = %(action_)s
logpath = /var/log/fail2ban.log

#updated reports code from february 2028
#3      Fraud Orders    Fraudulent orders.
#4      DDoS Attack     Participating in distributed denial-of-service (usually part of botnet).
#5      FTP Brute-Force
#6      Ping of Death   Oversized IP packet.
#7      Phishing        Phishing websites and/or email.
#8      Fraud VoIP
#9      Open Proxy      Open proxy, open relay, or Tor exit node.
#10     Web Spam        Comment/forum spam, HTTP referer spam, or other CMS spam.
#11     Email Spam      Spam email content, infected attachments, phishing emails, and spoofed senders (typical$
#12     Blog Spam       CMS blog comment spam.
#13     VPN IP  Conjunctive category.
#14     Port Scan       Scanning for open ports and vulnerable services.
#15     Hacking
#16     SQL Injection   Attempts at SQL injection.
#17     Spoofing
#18     Brute-Force     Credential brute-force attacks on webpage logins and services like SSH, FTP, SIP, SMTP,$
#19     Bad Web Bot     Webpage scraping (for email addresses, content, etc) and crawlers that do not honor rob$
#20     Exploited Host  Host is likely infected with malware and being used for other attacks or to host malici$
#21     Web App Attack  Attempts to probe for or exploit installed web applications such as a CMS like WordPres$
#22     SSH     Secure Shell (SSH) abuse. Use this category in combination with more specific categories.
#23     IoT Targeted

[http-get-dos]
enabled = true
port = http,https
filter = http-get-dos
maxretry = 360
findtime = 120
action = iptables[name=HTTP, port=http, protocol=tcp]
         abuseipdb[abuseipdb_category="4,22"]
[sshd]
enabled = true
port =  1:65535
filter = sshd
maxretry = 4
action = iptables[name=SSH, port=ssh, protocol=tcp]
        abuseipdb[abuseipdb_category="4,14,18,22"]

/etc/fail2ban/action.d/abuseipbd.local (tlsv1.2 instead of 1.1)

[Definition]
actionstart =
actionstop =
actioncheck =
actionban = curl --tlsv1.2 --data 'key=<abuseipdb_apikey>' --data-urlencode 'comment=<matches>' --data 'ip=<ip>$

actionunban =
[Init]
abuseipdb_apikey = put api key here


stratege1401 commented 6 years ago

To anyone, you can clearly close my case !!!

Thank you again.

uhlhosting commented 1 year ago

@stratege1401 can you show me the complete line from the actionban?

actionban = curl --tlsv1.2 --data 'key=<abuseipdb_apikey>' --data-urlencode 'comment=<matches>' --data 'ip=<ip>$

I also get: curl: (59) failed setting cipher list: ecdhe_ecdsa_aes_256_sha