
Input Plesk Fail2Ban: Integration for AbuseIPDB

brother4

Basic Pleskian
Server operating system version
Ubuntu 22.04.2 LTS
Plesk version and microupdate number
Plesk Obsidian Version 18.0.54
Hello! If you want to report the blocked Fail2Ban IPs from Plesk to the AbuseIPDB, you can do this with the following shell script I created. This increases the likelihood that hosters will become active and infected systems will be uncovered. It includes a check that already reported IPs are not reported again.

Bash:
#!/bin/bash

# Your AbuseIPDB API Key
API_KEY="YOUR_ABUSEIPDB_API_KEY"

# File where already reported IPs are stored
REPORTED_IPS_FILE="/var/log/reported_ips.log"

# If the file doesn't exist, create it
[ ! -f "$REPORTED_IPS_FILE" ] && touch "$REPORTED_IPS_FILE"

declare -A JAIL_CATEGORIES
JAIL_CATEGORIES=(
  ["plesk-apache"]="21"
  ["plesk-apache-badbot"]="21"
  ["plesk-dovecot"]="10"
  ["plesk-modsecurity"]="20"
  ["plesk-panel"]="18"
  ["plesk-postfix"]="10"
  ["plesk-proftpd"]="18"
  ["plesk-roundcube"]="18"
  ["plesk-wordpress"]="20"
  ["recidive"]="18"
  ["ssh"]="18"
)

for JAIL in "${!JAIL_CATEGORIES[@]}"; do
  BANNED_IPS=$(sudo fail2ban-client status "$JAIL" | grep "Banned IP list:" | cut -d':' -f2)
 
  for IP in $BANNED_IPS; do
    # Check if the IP was already reported
    if ! grep -q "^$IP$" "$REPORTED_IPS_FILE"; then
      # Report the IP to AbuseIPDB
      curl -X POST https://api.abuseipdb.com/api/v2/report \
        -H "Key: $API_KEY" \
        -H "Accept: application/json" \
        -d "ip=$IP&categories=${JAIL_CATEGORIES[$JAIL]}&comment=Failed login attempt detected by Fail2Ban in $JAIL jail"
      
      # Add the IP to the list of reported IPs
      echo "$IP" >> "$REPORTED_IPS_FILE"
    fi
  done
done

Store & make it executable:

Code:
nano /usr/local/sbin/abuseipdb.sh
sudo chmod +x /usr/local/sbin/abuseipdb.sh

After that it can also be called via cron job.
 
If no output is desired except for errors:

Bash:
#!/bin/bash

# Your AbuseIPDB API Key
API_KEY="YOUR_ABUSEIPDB_API_KEY"

# File where already reported IPs are stored
REPORTED_IPS_FILE="/var/log/reported_ips.log"

# If the file doesn't exist, create it
[ ! -f "$REPORTED_IPS_FILE" ] && touch "$REPORTED_IPS_FILE"

declare -A JAIL_CATEGORIES
JAIL_CATEGORIES=(
  ["plesk-apache"]="21"
  ["plesk-apache-badbot"]="21"
  ["plesk-dovecot"]="10"
  ["plesk-modsecurity"]="20"
  ["plesk-panel"]="18"
  ["plesk-postfix"]="10"
  ["plesk-proftpd"]="18"
  ["plesk-roundcube"]="18"
  ["plesk-wordpress"]="20"
  ["recidive"]="18"
  ["ssh"]="18"
)

# Iterate over all jails
for JAIL in "${!JAIL_CATEGORIES[@]}"; do
  # Get banned IPs for the current jail
  BANNED_IPS=$(sudo fail2ban-client status "$JAIL" | grep "Banned IP list:" | cut -d':' -f2)
 
  # Iterate over all banned IPs
  for IP in $BANNED_IPS; do
    # Check if the IP was already reported
    if ! grep -q "^$IP$" "$REPORTED_IPS_FILE"; then
      # Report the IP to AbuseIPDB
      RESPONSE=$(curl -sS -X POST https://api.abuseipdb.com/api/v2/report \
        -H "Key: $API_KEY" \
        -H "Accept: application/json" \
        -d "ip=$IP&categories=${JAIL_CATEGORIES[$JAIL]}&comment=Failed login attempt detected by Fail2Ban in $JAIL jail")
      
      # Optionally check if there's an error in the response
      if echo "$RESPONSE" | grep -qi "error"; then
          echo "Error reporting IP $IP: $RESPONSE"
      fi
      
      # Add the IP to the list of reported IPs
      echo "$IP" >> "$REPORTED_IPS_FILE"
    fi
  done
done
 
@brother4 note that your script fails with IPv6 addresses because cut -d':' -f2 uses : as a separator, which cuts off IPv6 addresses. I think the script works fine without specifying a delimiter.
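The IPv6 truncation discussed above, shown next to an extraction that keeps the full address. This is an added example, not code from either poster: the function names (`sample_status`, `banned_ips_cut`, `banned_ips`, `already_reported`) are hypothetical, and the status output is a constructed sample using documentation addresses.

```shell
#!/bin/bash
# Added example (not from the thread): IPv6-safe parsing of the Fail2Ban ban list.

# Constructed sample of `fail2ban-client status ssh` output (documentation addresses).
sample_status() {
  cat <<'EOF'
Status for the jail: ssh
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     7
|  `- File list:        /var/log/auth.log
`- Actions
   |- Currently banned: 3
   |- Total banned:     3
   `- Banned IP list:   192.0.2.10 2001:db8::1 198.51.100.7
EOF
}

# Extraction as posted in the thread: splits on ':' and keeps only field 2,
# so everything after the first ':' inside an IPv6 address is lost.
banned_ips_cut() {
  grep "Banned IP list:" | cut -d':' -f2
}

# Strip everything up to and including the label, then emit one address per line.
# Colons inside the addresses are never treated as separators.
banned_ips() {
  sed -n 's/^.*Banned IP list:[[:space:]]*//p' | tr -s '[:space:]' '\n' | sed '/^$/d'
}

# Literal whole-line match against the reported-IPs file ($1 = IP, $2 = file).
# -F avoids treating '.' as a regex wildcard, -x requires the full line to match.
already_reported() {
  grep -qxF -- "$1" "$2"
}

echo "cut -d':' -f2:$(sample_status | banned_ips_cut)"
echo "IPv6-safe:"
sample_status | banned_ips
```

In the posted script the same function would read from `sudo fail2ban-client status "$JAIL" | banned_ips` in place of the `grep | cut` pipeline.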
 