
Input Plesk Fail2Ban: Integration for AbuseIPDB

brother4

Basic Pleskian
Server operating system version
Ubuntu 22.04.2 LTS
Plesk version and microupdate number
Plesk Obsidian Version 18.0.54
Hello! If you want to report the blocked Fail2Ban IPs from Plesk to the AbuseIPDB, you can do this with the following shell script I created. This increases the likelihood that hosters will become active and infected systems will be uncovered. It includes a check that already reported IPs are not reported again.

Bash:
#!/bin/bash

# Your AbuseIPDB API key
API_KEY="YOUR_ABUSEIPDB_API_KEY"

# File in which already reported IPs are stored
REPORTED_IPS_FILE="/var/log/reported_ips.log"

# If the file does not exist, create it
[ ! -f "$REPORTED_IPS_FILE" ] && touch "$REPORTED_IPS_FILE"

declare -A JAIL_CATEGORIES
JAIL_CATEGORIES=(
  ["plesk-apache"]="21"
  ["plesk-apache-badbot"]="21"
  ["plesk-dovecot"]="10"
  ["plesk-modsecurity"]="20"
  ["plesk-panel"]="18"
  ["plesk-postfix"]="10"
  ["plesk-proftpd"]="18"
  ["plesk-roundcube"]="18"
  ["plesk-wordpress"]="20"
  ["recidive"]="18"
  ["ssh"]="18"
)

for JAIL in "${!JAIL_CATEGORIES[@]}"; do
  BANNED_IPS=$(sudo fail2ban-client status "$JAIL" | grep "Banned IP list:" | cut -d':' -f2)
 
  for IP in $BANNED_IPS; do
    # Check whether the IP was already reported
    if ! grep -q "^$IP$" "$REPORTED_IPS_FILE"; then
      # Report the IP to AbuseIPDB
      curl -X POST https://api.abuseipdb.com/api/v2/report \
        -H "Key: $API_KEY" \
        -H "Accept: application/json" \
        -d "ip=$IP&categories=${JAIL_CATEGORIES[$JAIL]}&comment=Failed login attempt detected by Fail2Ban in $JAIL jail"

      # Add the IP to the file of already reported IPs
      echo "$IP" >> "$REPORTED_IPS_FILE"
    fi
  done
done

Store & make it executable:

Code:
nano /usr/local/sbin/abuseipdb.sh
sudo chmod +x /usr/local/sbin/abuseipdb.sh

After that it can also be called via cron job.
 
If no output is desired except for errors:

Bash:
#!/bin/bash

# Your AbuseIPDB API Key
API_KEY="YOUR_ABUSEIPDB_API_KEY"

# File where already reported IPs are stored
REPORTED_IPS_FILE="/var/log/reported_ips.log"

# If the file doesn't exist, create it
[ ! -f "$REPORTED_IPS_FILE" ] && touch "$REPORTED_IPS_FILE"

declare -A JAIL_CATEGORIES
JAIL_CATEGORIES=(
  ["plesk-apache"]="21"
  ["plesk-apache-badbot"]="21"
  ["plesk-dovecot"]="10"
  ["plesk-modsecurity"]="20"
  ["plesk-panel"]="18"
  ["plesk-postfix"]="10"
  ["plesk-proftpd"]="18"
  ["plesk-roundcube"]="18"
  ["plesk-wordpress"]="20"
  ["recidive"]="18"
  ["ssh"]="18"
)

# Iterate over all jails
for JAIL in "${!JAIL_CATEGORIES[@]}"; do
  # Get banned IPs for the current jail
  BANNED_IPS=$(sudo fail2ban-client status "$JAIL" | grep "Banned IP list:" | cut -d':' -f2)
 
  # Iterate over all banned IPs
  for IP in $BANNED_IPS; do
    # Check if the IP was already reported
    if ! grep -q "^$IP$" "$REPORTED_IPS_FILE"; then
      # Report the IP to AbuseIPDB
      RESPONSE=$(curl -sS -X POST https://api.abuseipdb.com/api/v2/report \
        -H "Key: $API_KEY" \
        -H "Accept: application/json" \
        -d "ip=$IP&categories=${JAIL_CATEGORIES[$JAIL]}&comment=Failed login attempt detected by Fail2Ban in $JAIL jail")
      
      # Optionally check if there's an error in the response
      if echo "$RESPONSE" | grep -qi "error"; then
          echo "Error reporting IP $IP: $RESPONSE"
      fi
      
      # Add the IP to the list of reported IPs
      echo "$IP" >> "$REPORTED_IPS_FILE"
    fi
  done
done
 
@brother4 note that your script fails with IPv6 addresses because cut -d':' -f2 uses : as a separator, which cuts off IPv6 addresses. I think the script works fine without specifying a delimiter.
 
@Kaspar This code works fine also with IPv6:

Bash:
#!/bin/bash

# Your AbuseIPDB API Key
API_KEY="123"

# File where already reported IPs are stored
REPORTED_IPS_FILE="/var/log/reported_ips.log"

# If the file doesn't exist, create it
[ ! -f "$REPORTED_IPS_FILE" ] && touch "$REPORTED_IPS_FILE"

declare -A JAIL_CATEGORIES
JAIL_CATEGORIES=(
  ["plesk-apache"]="21"
  ["plesk-apache-badbot"]="21"
  ["plesk-dovecot"]="10"
  ["plesk-modsecurity"]="20"
  ["plesk-panel"]="18"
  ["plesk-postfix"]="10"
  ["plesk-proftpd"]="18"
  ["plesk-roundcube"]="18"
  ["plesk-wordpress"]="20"
  ["recidive"]="18"
  ["ssh"]="18"
)

# Array to hold newly reported IPs
NEWLY_REPORTED=()

# Iterate over all jails
for JAIL in "${!JAIL_CATEGORIES[@]}"; do
  # Get banned IPs for the current jail
  BANNED_IPS=$(sudo fail2ban-client status "$JAIL" | sed -n 's/.*Banned IP list:[[:space:]]*//p' | tr ',' ' ')

  # Check if there are banned IPs
  if [ -z "$BANNED_IPS" ]; then
    continue
  fi

  # Iterate over all banned IPs
  for IP in $BANNED_IPS; do
    # Trim whitespace
    IP=$(echo "$IP" | xargs)

    # Check if the IP was already reported
    if grep -q "^$IP$" "$REPORTED_IPS_FILE"; then
      continue
    fi

    # Proceed to report the IP
    RESPONSE=$(curl -sS -X POST https://api.abuseipdb.com/api/v2/report \
      -H "Key: $API_KEY" \
      -H "Accept: application/json" \
      -d "ip=$IP&categories=${JAIL_CATEGORIES[$JAIL]}&comment=Failed login attempt detected by Fail2Ban in $JAIL jail")

    # Check for errors in the response
    if echo "$RESPONSE" | grep -qi "error"; then
      echo "Error reporting IP $IP: $RESPONSE"
    else
      echo "Successfully reported IP: $IP"
      # Add the IP to the list of reported IPs
      echo "$IP" >> "$REPORTED_IPS_FILE"
      # Add to newly reported array
      NEWLY_REPORTED+=("$IP")
    fi
  done
done

# Output the list of newly reported IPs
if [ ${#NEWLY_REPORTED[@]} -gt 0 ]; then
  echo "Newly reported IPs:"
  for NEW_IP in "${NEWLY_REPORTED[@]}"; do
    echo "$NEW_IP"
  done
else
  echo "No new IPs were reported."
fi
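
Added example (not part of any post in this thread): the banned-list parsing step from the scripts above, run against a constructed sample of `fail2ban-client status` output, showing where `cut -d':' -f2` truncates and how the `sed`-based extraction keeps IPv6 addresses intact. The function names and sample addresses (documentation ranges) are assumptions; `unreported` uses whole-line, fixed-string matching for the "already reported" check.

```shell
#!/bin/sh
# Added example. Sample output and addresses are constructed.

# Constructed sample of `fail2ban-client status <jail>` output.
sample_status() {
cat <<'EOF'
Status for the jail: ssh
|- Filter
|  |- Currently failed: 0
|  `- Total failed:     12
`- Actions
   |- Currently banned: 3
   `- Banned IP list:   203.0.113.7 2001:db8::bad:1 198.51.100.23
EOF
}

# Extraction used in the first two scripts: field 2 of a ':'-split line.
# The first ':' inside an IPv6 address ends the field, so the rest of that
# address and every IP after it are lost.  -> 203.0.113.7 2001
banned_cut() {
  grep "Banned IP list:" | cut -d':' -f2 | xargs
}

# IPv6-safe extraction: strip only the label, keep the rest of the line,
# then emit one address per line (commas, spaces and tabs all separate).
banned_safe() {
  sed -n 's/.*Banned IP list:[[:space:]]*//p' | tr -s ', \t' '\n\n\n' | sed '/^$/d'
}

# Read addresses on stdin, print those not yet in the state file ($1).
# -x matches the whole line, -F takes the address literally, -- ends options.
unreported() {
  while IFS= read -r ip; do
    grep -qxF -- "$ip" "$1" || printf '%s\n' "$ip"
  done
}

# Stand-alone demonstration on the constructed sample.
printf 'cut:  %s\n' "$(sample_status | banned_cut)"
printf 'safe: %s\n' "$(sample_status | banned_safe | xargs)"
```
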

@LRob Thanks for sharing :)
 
@brother4 Thanks for sharing the initial script!
Since your script was used as a base for mine, do you want to be credited differently from the current "brother4 from Plesk forums"?
 
Perfect mate! I just learned a beautiful expression (mutually helping each other, that's a nice way to say it).
Feel free to fork, modify, pull request it!
All the best.
 