
Question: AbuseIPDB with Fail2Ban

MSZ

New Pleskian
Hi,

I would like to integrate AbuseIPDB with Fail2Ban.

My server is running Plesk Onyx Version 17.8.11 Update #14 on CentOS Linux 7.5.1804.
The Fail2Ban version on this is v0.9.6...

The required version to integrate Fail2Ban with AbuseIPDB is v0.10.0 (January 2017).
See also: Integrating AbuseIPDB with Fail2Ban

When I try
plesk installer --select-release-current --install-component fail2ban

I get the information that
You already have the latest version of product(s) and all the selected components
installed. Installation will not continue.


When I look into the Fail2Ban files on the server, it looks pretty much like Plesk has customized these files.
So I just don't want to update with the Fail2Ban files from GitHub.
Is there any possibility to get Fail2Ban updated to v0.10.0 in Plesk so that I can get the integration done?

Appreciate your help.

Thanks!
MSZ

PS: Disclaimer on my Linux/Plesk skill level: medium to advanced user; not professional ;)
 
The fail2ban 0.10.x version is not officially supported by Plesk yet. At the moment we are working on it in the scope of internal document PPM-2431.
 
I would very much love to see this too. AbuseIPDB as an extension (or a manual way to install it via fail2ban) would be a great integration.
 
The latest version of fail2ban components is available in Plesk Obsidian.
Consider upgrading to Plesk Obsidian as we do not have plans to update fail2ban in Plesk Onyx:
 
Hi,

This is now possible.

First create an account and get an API key from:

Then create the file:

vi /etc/fail2ban/action.d/abuseipdb.conf

Place in the content:

# Fail2ban configuration file
#
# Action to report IP address to abuseipdb.com
# You must sign up to obtain an API key from abuseipdb.com.
#
# NOTE: These reports may include sensitive Info.
# If you want cleaner reports that ensure no user data see the helper script at the below website.
#
# IMPORTANT:
#
# Reporting an IP of abuse is a serious complaint. Make sure that it is
# serious. Fail2ban developers and network owners recommend you only use this
# action for:
# * The recidive where the IP has been banned multiple times
# * Where maxretry has been set quite high, beyond the normal user typing
# password incorrectly.
# * For filters that have a low likelihood of receiving human errors
#
# This action relies on a api_key being added to the above action conf,
# and the appropriate categories set.
#
# Example, for ssh bruteforce (in section [sshd] of `jail.local`):
# action = %(known/action)s
# abuseipdb[abuseipdb_apikey="my-api-key", abuseipdb_category="18,22"]
#
# See below for categories.
#
# Added to fail2ban by Andrew James Collett (ajcollett)

## abuseIPDB Categories, `the abuseipdb_category` MUST be set in the jail.conf action call.
# Example, for ssh bruteforce: action = %(action_abuseipdb)s[abuseipdb_category="18,22"]
# ID Title Description
# 3 Fraud Orders
# 4 DDoS Attack
# 9 Open Proxy
# 10 Web Spam
# 11 Email Spam
# 14 Port Scan
# 18 Brute-Force
# 19 Bad Web Bot
# 20 Exploited Host
# 21 Web App Attack
# 22 SSH Secure Shell (SSH) abuse. Use this category in combination with more specific categories.
# 23 IoT Targeted
# See Report Categories | AbuseIPDB for more descriptions

[Definition]

# bypass action for restored tickets
norestored = 1

# Option: actionstart
# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
# Values: CMD
#
actionstart =

# Option: actionstop
# Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
# Values: CMD
#
actionstop =

# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck =

# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
#
# ** IMPORTANT! **
#
# By default, this posts directly to AbuseIPDB's API, unfortunately
# this results in a lot of backslashes/escapes appearing in the
# reports. This also may include info like your hostname.
# If you have your own web server with PHP available, you can
# use my (Shaun's) helper PHP script by commenting out the first #actionban
# line below, uncommenting the second one, and pointing the URL at
# wherever you install the helper script. For the PHP helper script, see
# <https://wiki.shaunc.com/wikka.php?wakka=ReportingToAbuseIPDBWithFail2Ban>
#
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionban = curl --tlsv1.2 --fail 'https://api.abuseipdb.com/api/v2/report' \
    -H 'Accept: application/json' \
    -H 'Key: <abuseipdb_apikey>' \
    --data-urlencode 'ip=<ip>' \
    --data-urlencode 'comment=<matches>' \
    --data 'categories=<abuseipdb_category>'


# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionunban =

[Init]
# Option: abuseipdb_apikey
# Notes Your API key from abuseipdb.com
# Values: STRING Default: None
# Register for abuseipdb [AbuseIPDB - IP address abuse reports - Making the Internet safer, one IP at a time], get api key and set below.
# You will need to set the category in the action call.
abuseipdb_apikey = your-api-key-here

Note: the "" around 'comment=<matches>' were changed to single quotes ''.

Note: the line

curl --tlsv1.2 --fail 'https://api.abuseipdb.com/api/v2/report'

is not written like that in all of the information on the web, which may cause curl to fail.


Now, go to the file:

/etc/fail2ban/jail.local


And BEFORE any action, add the following:

# Report ban via abuseipdb.com.
#
# See action.d/abuseipdb.conf for usage example and details.
#
action_abuseipdb = abuseipdb


Note: This is added **before any line containing action**


Now, go to any of the jails you would like to add a reporting operation to:

vi /etc/fail2ban/jail.d/your_jail_name.conf

In the action section of it, you would be adding an additional line.

Note: Make sure to have a SPACE at the beginning of the additional line.

This would look something like this:

action = iptables-multiport[name=your_jail_name, port="http,https,7080,7081"]
         sendmail[mailcmd='/usr/sbin/sendmail -f "<sender>" "<dest>"', dest="[email protected]", sender="fail2ban", sendername="Fail2Ban", name="your_jail_name"]
         abuseipdb[abuseipdb_apikey="your_api_key_here", abuseipdb_category="18"]

The line you have added is:

abuseipdb[abuseipdb_apikey="your_api_key_here", abuseipdb_category="18"]



Reload Fail2Ban:

fail2ban-client reload

Possibly, also restart it:

service fail2ban restart

Have a look at the service status:

sudo fail2ban-client status


You may also want to restart some services:

systemctl restart apache2
systemctl restart nginx
systemctl restart plesk-php74-fpm

Now you may test that the API is working by banning an IP and, after checking it, unbanning it via the CLI:


fail2ban-client set your_jail_name banip <ip-to-test>

Now, you would be able to check it in two places:

1. The https://www.abuseipdb.com/account/api website. If it's there you may also remove it via a button.

2. The Plesk Fail2Ban log, where you may search for the IP or for 'curl'.

fail2ban-client set your-jail-name banip 192.0.2.1

Check the website and/or the Fail2Ban log, and only afterwards remove the ban, and also remove the report on the abuseipdb.com website via the button.

fail2ban-client set your-jail-name unbanip 192.0.2.1
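The quoting note above matters for whether reports actually get sent: fail2ban backslash-escapes shell-significant characters in `<matches>` before the actionban command reaches the shell, so a log line containing an apostrophe ends a single-quoted argument early and curl never runs. The following Python is an added example, not from this thread or from the fail2ban project; it reimplements that escaping (assumed to match fail2ban 0.10's `Action.escapeTag`) and splits both quoting styles with `shlex` on a constructed log line.

```python
import re
import shlex

# Assumed to match fail2ban 0.10's Action.escapeTag: each listed character is
# prefixed with a backslash before the tag value is pasted into the command.
ESCAPE_CRE = re.compile(r"""[\\#&;`|*?~<>^()\[\]{}$'"\n\r]""")


def escape_tag(value: str) -> str:
    """Backslash-escape shell-significant characters in a tag value."""
    special = {"\n": "n", "\r": "r"}
    return ESCAPE_CRE.sub(lambda m: "\\" + special.get(m.group(), m.group()), value)


# The comment argument of actionban in the poster's single-quoted form and in
# the upstream double-quoted form (the rest of the curl command is unaffected).
SINGLE_QUOTED = "--data-urlencode 'comment=<matches>'"
DOUBLE_QUOTED = '--data-urlencode "comment=<matches>"'


def substitute(template: str, matches: str) -> str:
    """Replace <matches> the way fail2ban does: escaped value, nothing else added."""
    return template.replace("<matches>", escape_tag(matches))


def shell_argv(template: str, matches: str):
    """Split the substituted command the way a POSIX shell would.

    Returns the argv list, or None when the shell would reject the command
    (an unterminated quote), i.e. the ban fires but no report is sent and
    fail2ban.log records the failed action.
    """
    try:
        return shlex.split(substitute(template, matches))
    except ValueError:
        return None


# Constructed sample match: a web-login failure whose log line contains both
# a double quote and an apostrophe, as real access logs often do.
SAMPLE_MATCH = "198.51.100.7 - - \"POST /wp-login.php HTTP/1.1\" 401 user=o'neil"

if __name__ == "__main__":
    print("single quotes:", shell_argv(SINGLE_QUOTED, SAMPLE_MATCH))
    print("double quotes:", shell_argv(DOUBLE_QUOTED, SAMPLE_MATCH))
```

With double quotes the escaped apostrophe survives as a literal `\'` in the report (the backslashes the upstream comment warns about), while the single-quoted form yields no report at all for that line.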
 