Input Plesk Fail2Ban: Integration for AbuseIPDB

brother4

Server operating system version
Ubuntu 22.04.2 LTS
Plesk version and microupdate number
Plesk Obsidian Version 18.0.54
Hello! If you want to report the blocked Fail2Ban IPs from Plesk to the AbuseIPDB, you can do this with the following shell script I created. This increases the likelihood that hosters will become active and infected systems will be uncovered. It includes a check that already reported IPs are not reported again.

Bash:
#!/bin/bash

# Your AbuseIPDB API key
API_KEY="YOUR_ABUSEIPDB_API_KEY"

# File in which already reported IPs are stored
REPORTED_IPS_FILE="/var/log/reported_ips.log"

# If the file does not exist, create it
[ ! -f "$REPORTED_IPS_FILE" ] && touch "$REPORTED_IPS_FILE"

declare -A JAIL_CATEGORIES
JAIL_CATEGORIES=(
  ["plesk-apache"]="21"
  ["plesk-apache-badbot"]="21"
  ["plesk-dovecot"]="10"
  ["plesk-modsecurity"]="20"
  ["plesk-panel"]="18"
  ["plesk-postfix"]="10"
  ["plesk-proftpd"]="18"
  ["plesk-roundcube"]="18"
  ["plesk-wordpress"]="20"
  ["recidive"]="18"
  ["ssh"]="18"
)

for JAIL in "${!JAIL_CATEGORIES[@]}"; do
  BANNED_IPS=$(sudo fail2ban-client status "$JAIL" | grep "Banned IP list:" | cut -d':' -f2)
 
  for IP in $BANNED_IPS; do
    # Check whether the IP has already been reported
    if ! grep -q "^$IP$" "$REPORTED_IPS_FILE"; then
      # Report the IP to AbuseIPDB
      curl -X POST https://api.abuseipdb.com/api/v2/report \
        -H "Key: $API_KEY" \
        -H "Accept: application/json" \
        -d "ip=$IP&categories=${JAIL_CATEGORIES[$JAIL]}&comment=Failed login attempt detected by Fail2Ban in $JAIL jail"
      
      # Add the IP to the file of already reported IPs
      echo "$IP" >> "$REPORTED_IPS_FILE"
    fi
  done
done

Store & make it executable:

Code:
nano /usr/local/sbin/abuseipdb.sh
sudo chmod +x /usr/local/sbin/abuseipdb.sh

After that it can also be called via cron job.
 
If no output is desired except for errors:

Bash:
#!/bin/bash

# Your AbuseIPDB API Key
API_KEY="YOUR_ABUSEIPDB_API_KEY"

# File where already reported IPs are stored
REPORTED_IPS_FILE="/var/log/reported_ips.log"

# If the file doesn't exist, create it
[ ! -f "$REPORTED_IPS_FILE" ] && touch "$REPORTED_IPS_FILE"

declare -A JAIL_CATEGORIES
JAIL_CATEGORIES=(
  ["plesk-apache"]="21"
  ["plesk-apache-badbot"]="21"
  ["plesk-dovecot"]="10"
  ["plesk-modsecurity"]="20"
  ["plesk-panel"]="18"
  ["plesk-postfix"]="10"
  ["plesk-proftpd"]="18"
  ["plesk-roundcube"]="18"
  ["plesk-wordpress"]="20"
  ["recidive"]="18"
  ["ssh"]="18"
)

# Iterate over all jails
for JAIL in "${!JAIL_CATEGORIES[@]}"; do
  # Get banned IPs for the current jail
  BANNED_IPS=$(sudo fail2ban-client status "$JAIL" | grep "Banned IP list:" | cut -d':' -f2)
 
  # Iterate over all banned IPs
  for IP in $BANNED_IPS; do
    # Check if the IP was already reported
    if ! grep -q "^$IP$" "$REPORTED_IPS_FILE"; then
      # Report the IP to AbuseIPDB
      RESPONSE=$(curl -sS -X POST https://api.abuseipdb.com/api/v2/report \
        -H "Key: $API_KEY" \
        -H "Accept: application/json" \
        -d "ip=$IP&categories=${JAIL_CATEGORIES[$JAIL]}&comment=Failed login attempt detected by Fail2Ban in $JAIL jail")
      
      # Optionally check if there's an error in the response
      if echo "$RESPONSE" | grep -qi "error"; then
          echo "Error reporting IP $IP: $RESPONSE"
      fi
      
      # Add the IP to the list of reported IPs
      echo "$IP" >> "$REPORTED_IPS_FILE"
    fi
  done
done
 
@brother4 note that your script fails with IPv6 addresses because cut -d':' -f2 uses : as a separator, which cuts off IPv6 addresses. I think the script works fine without specifying a delimiter.
 
@Kaspar This code works fine also with IPv6:

Bash:
#!/bin/bash

# Your AbuseIPDB API Key
API_KEY="123"

# File where already reported IPs are stored
REPORTED_IPS_FILE="/var/log/reported_ips.log"

# If the file doesn't exist, create it
[ ! -f "$REPORTED_IPS_FILE" ] && touch "$REPORTED_IPS_FILE"

declare -A JAIL_CATEGORIES
JAIL_CATEGORIES=(
  ["plesk-apache"]="21"
  ["plesk-apache-badbot"]="21"
  ["plesk-dovecot"]="10"
  ["plesk-modsecurity"]="20"
  ["plesk-panel"]="18"
  ["plesk-postfix"]="10"
  ["plesk-proftpd"]="18"
  ["plesk-roundcube"]="18"
  ["plesk-wordpress"]="20"
  ["recidive"]="18"
  ["ssh"]="18"
)

# Array to hold newly reported IPs
NEWLY_REPORTED=()

# Iterate over all jails
for JAIL in "${!JAIL_CATEGORIES[@]}"; do
  # Get banned IPs for the current jail
  BANNED_IPS=$(sudo fail2ban-client status "$JAIL" | sed -n 's/.*Banned IP list:[[:space:]]*//p' | tr ',' ' ')

  # Check if there are banned IPs
  if [ -z "$BANNED_IPS" ]; then
    continue
  fi

  # Iterate over all banned IPs
  for IP in $BANNED_IPS; do
    # Trim whitespace
    IP=$(echo "$IP" | xargs)

    # Check if the IP was already reported
    if grep -q "^$IP$" "$REPORTED_IPS_FILE"; then
      continue
    fi

    # Proceed to report the IP
    RESPONSE=$(curl -sS -X POST https://api.abuseipdb.com/api/v2/report \
      -H "Key: $API_KEY" \
      -H "Accept: application/json" \
      -d "ip=$IP&categories=${JAIL_CATEGORIES[$JAIL]}&comment=Failed login attempt detected by Fail2Ban in $JAIL jail")

    # Check for errors in the response
    if echo "$RESPONSE" | grep -qi "error"; then
      echo "Error reporting IP $IP: $RESPONSE"
    else
      echo "Successfully reported IP: $IP"
      # Add the IP to the list of reported IPs
      echo "$IP" >> "$REPORTED_IPS_FILE"
      # Add to newly reported array
      NEWLY_REPORTED+=("$IP")
    fi
  done
done

# Output the list of newly reported IPs
if [ ${#NEWLY_REPORTED[@]} -gt 0 ]; then
  echo "Newly reported IPs:"
  for NEW_IP in "${NEWLY_REPORTED[@]}"; do
    echo "$NEW_IP"
  done
else
  echo "No new IPs were reported."
fi
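
The two extraction methods discussed in this thread, run side by side on a constructed `fail2ban-client status` sample, with a shape check and an exact-match dedupe lookup in front of the report step. This is an added example, not code from any poster in the thread; `is_ip_like`, `already_reported` and `pending_reports` are hypothetical helper names, and the sample output and addresses are constructed.

```shell
# Constructed sample of `fail2ban-client status <jail>` output (not real data;
# the addresses come from documentation ranges).
SAMPLE_STATUS='Status for the jail: ssh
|- Filter
|  |- Currently failed: 0
|  `- File list: /var/log/auth.log
`- Actions
   |- Currently banned: 3
   `- Banned IP list: 203.0.113.7 2001:db8::bad:1 198.51.100.23'

# Extraction used by the first two scripts: field 2 of a ":"-split line.
parse_with_cut() {
  grep "Banned IP list:" | cut -d':' -f2 | xargs
}

# Extraction used by the IPv6-safe script: drop the label, keep the remainder.
parse_with_sed() {
  sed -n 's/.*Banned IP list:[[:space:]]*//p' | tr ',' ' ' | xargs
}

# Hypothetical helper: coarse shape check, so a truncated token such as "2001"
# is never sent to the API or written to the dedupe file.
is_ip_like() {
  printf '%s\n' "$1" | grep -Eq \
    '^([0-9]{1,3}\.){3}[0-9]{1,3}$|^[0-9A-Fa-f:.]*:[0-9A-Fa-f:.]*:[0-9A-Fa-f:.]*$'
}

# Hypothetical helper: whole-line, fixed-string lookup in the dedupe file.
already_reported() {
  grep -qxF -- "$1" "$2"
}

# Print the addresses that still need a report. $1 = status text, $2 = dedupe file
pending_reports() {
  local ip
  for ip in $(printf '%s\n' "$1" | parse_with_sed); do
    is_ip_like "$ip" || continue
    already_reported "$ip" "$2" || printf '%s\n' "$ip"
  done
}

# Show both extractions on the sample; the cut variant loses the IPv6 tail.
printf 'cut: %s\nsed: %s\n' "$(printf '%s\n' "$SAMPLE_STATUS" | parse_with_cut)" \
  "$(printf '%s\n' "$SAMPLE_STATUS" | parse_with_sed)"
```

With the `cut` variant, the stray token `2001` would be submitted as an address, and the first two scripts would also append it to the dedupe file.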

@LRob Thanks for sharing :)
 
@brother4 Thanks for sharing the initial script!
Since your script was used as a base for mine, do you want to be credited differently from the current "brother4 from Plesk forums"?
 