74 lines
3.4 KiB
Markdown
74 lines
3.4 KiB
Markdown
# Abuse-Reporter 0.1.0
|
|
|
|
The abuse reporter is a simple script for designed for use with the AbuseIPDB Fail2Ban integration.
|
|
|
|
Unfortunately, F2B does not allow much freedom in customising the report message; This can easily be solved with a third party
|
|
script to sanitize the report message.
|
|
|
|
This script is able to strip sensitive information from reports (e.g. hostnames, email addresses, server IP addresses, etc), before sending them.
|
|
It also tries to remove any fluff introduced by F2B from the report string.
|
|
|
|
For transparency, it keeps it's own logs using Monolog, where it stores information about who it reported, and about failed reports. The log file can be
|
|
tailed for live F2B activity.
|
|
|
|
Data removed from the reports will appear as ``[expunged]`` in the reports.
|
|
|
|
|
|
## Removing sensitive data
|
|
|
|
Right now, it only strips hostnames and machine names from the comment. This is hardcoded at the moment, though it can be easily added in the config.
|
|
|
|
Further sensitive data can be stripped using REGEX patterns to detect more hostnames and other misc items. Feel free to submit a PR.
|
|
|
|
|
|
This script was kept rather simple. It just needs to do one thing, and it needs to do it efficiently.
|
|
|
|
|
|
## Requirements
|
|
|
|
This script uses Monolog for logging and Guzzle for API requests (reports). It doesn't require any other extensions other than ext-json.
|
|
|
|
|
|
## Install
|
|
|
|
Simply install the composer requirements using ``composer`` install. Open the ``boot/init.php``file and change the hardcoded require paths. This will be
|
|
changed in the future with a standard require that works dynamically.
|
|
|
|
|
|
## Usage
|
|
|
|
Call the abuse reporter file: ``./src/reporter.php``. The arguments are not named and are therefore in the following order:
|
|
|
|
- IP Address of the abuser
|
|
- Comment for the report (Usually SSHD log snippets)
|
|
- Categories (Must be a comma delimted list of categories, found [here](https://www.abuseipdb.com/categories).)
|
|
|
|
Example usage: ``./src/reporter.php "181.28.101.14" "Brute force" "18,22"``. This is for a manual report. Refer to the category list for a list of valid categories.
|
|
|
|
The ``actionban`` of ``action.d/abuseipdb.conf`` would look like something like this: ``actionban = /usr/bin/php /path/to/abuse-reporter/src/reporter.php "<ip>" "<matches>" "<abuseipdb_category>"``.
|
|
|
|
|
|
## Repeat offenders
|
|
|
|
Sometimes, bots come back after getting banned for a while. This can be prevented by the ``recidive`` jail of F2B. However, F2B will re-ban the IP,
|
|
triggering a new report. This script doesn't remember which IP addresses it banned, and if your ban time is short enough, this can result in duplicate reports,
|
|
which will fail. This failure is logged both by the script and by F2B. This is normal, but not optimal. This feature will be added sometime later down the line.
|
|
|
|
This will also happen each time F2B restarts, because it calls ``actionban`` for each ban it restores.
|
|
|
|
|
|
## Configuration
|
|
|
|
Copy ``config/app.ini.example`` to ``config/app.ini``, then add your AbuseIPDB [API key](https://www.abuseipdb.com/account/api) in the appropriate section.
|
|
|
|
Don't forget to add your IP address to the ``ignoreip`` section of the config file to avoid reporting yourself accidentally. It's also a good idea to also add the ``ignoreip`` directive to ``jail.local`` to avoid getting locked out.
|
|
|
|
## Licensing
|
|
|
|
This script is licensed under the MIT license. See ``LICENSE`` for details.
|
|
|
|
|
|
## Contributing
|
|
|
|
Feel free to open a PR any time with more useful features!
|