abuse-reporter/README.md

74 lines
3.4 KiB
Markdown
Raw Normal View History

2020-12-06 17:58:41 +00:00
# Abuse-Reporter 0.1.0
The abuse reporter is a simple script for designed for use with the AbuseIPDB Fail2Ban integration.
Unfortunately, F2B does not allow much freedom in customising the report message; This can easily be solved with a third party
script to sanitize the report message.
This script is able to strip sensitive information from reports (e.g. hostnames, email addresses, server IP addresses, etc), before sending them.
It also tries to remove any fluff introduced by F2B from the report string.
For transparency, it keeps it's own logs using Monolog, where it stores information about who it reported, and about failed reports. The log file can be
tailed for live F2B activity.
Data removed from the reports will appear as ``[expunged]`` in the reports.
## Removing sensitive data
Right now, it only strips hostnames and machine names from the comment. This is hardcoded at the moment, though it can be easily added in the config.
Further sensitive data can be stripped using REGEX patterns to detect more hostnames and other misc items. Feel free to submit a PR.
This script was kept rather simple. It just needs to do one thing, and it needs to do it efficiently.
## Requirements
This script uses Monolog for logging and Guzzle for API requests (reports). It doesn't require any other extensions other than ext-json.
## Install
Simply install the composer requirements using ``composer`` install. Open the ``boot/init.php``file and change the hardcoded require paths. This will be
changed in the future with a standard require that works dynamically.
## Usage
Call the abuse reporter file: ``./src/reporter.php``. The arguments are not named and are therefore in the following order:
- IP Address of the abuser
- Comment for the report (Usually SSHD log snippets)
- Categories (Must be a comma delimted list of categories, found [here](https://www.abuseipdb.com/categories).)
Example usage: ``./src/reporter.php "181.28.101.14" "Brute force" "18,22"``. This is for a manual report. Refer to the category list for a list of valid categories.
The ``actionban`` of ``action.d/abuseipdb.conf`` would look like something like this: ``actionban = /usr/bin/php /path/to/abuse-reporter/src/reporter.php "<ip>" "<matches>" "<abuseipdb_category>"``.
## Repeat offenders
Sometimes, bots come back after getting banned for a while. This can be prevented by the ``recidive`` jail of F2B. However, F2B will re-ban the IP,
triggering a new report. This script doesn't remember which IP addresses it banned, and if your ban time is short enough, this can result in duplicate reports,
which will fail. This failure is logged both by the script and by F2B. This is normal, but not optimal. This feature will be added sometime later down the line.
This will also happen each time F2B restarts, because it calls ``actionban`` for each ban it restores.
## Configuration
Copy ``config/app.ini.example`` to ``config/app.ini``, then add your AbuseIPDB [API key](https://www.abuseipdb.com/account/api) in the appropriate section.
Don't forget to add your IP address to the ``ignoreip`` section of the config file to avoid reporting yourself accidentally. It's also a good idea to also add the ``ignoreip`` directive to ``jail.local`` to avoid getting locked out.
## Licensing
This script is licensed under the MIT license. See ``LICENSE`` for details.
## Contributing
Feel free to open a PR any time with more useful features!