In the previous post, we described how to install Fail2ban to protect your system. Now we are going to go a step further to activate the reporting of malicious activity to global blacklist managed by the tool AbuseIPDB.
What is AbuseIPDB?
AbuseIPDB is a project dedicated to helping systems administrators and webmasters check and report IP addresses which are involved in malicious activities such as spamming, hacking attempts, DDoS attacks, or any abusive activity on the Internet.
This tool provides a global blacklist for webmasters, system administrators, and other interested parties to report and find IP addresses that have been associated with malicious activity online.
You can report manually an IP address which has been associated with any malicious activity or check in the search box above the main web wether an IP address has been previously reported.
Also you can find reporting statistics to have a general knowledge of the status of malicious activity on the Internet.
Why to integrate AbuseIPDB with Fail2ban?
Fail2ban scans the logs of the system to detect the malicious activity and bans the related IP addresses. We can use this information to enrich the global blacklist which can be used by people who could be interested. In this point is where AbuseIPDB is the perfect tool to be integrated with Fail2ban.
Pre-Requisites needed before the integration
- Fail2ban should be installed and working in the system. You can follow the tutorial I did to protect your system with Fail2ban.
- To have an account in AbuseIPDB, and have an API key. If you don’t have an AbuseIPDB account, you can register in this URL. Later you have to create an API key. This API is free to use.
- It’s needed to have
curlinstalled to use the AbuseIPDB API. To do it, execute:
sudo apt install curl
Activate AbuseIPDB Reporting action
Adding the API key in the Fail2ban config
The first step is to configure the previous created API key in the configure file. Fail2ban by default generates an action file for the action of Fail2ban.
To edit this file:
sudo vi /etc/fail2ban/action.d/abuseipdb.conf
At the end of the file you can find the config parameter abuseipdb_apikey, in which you have to add the API key.
It should be similar like this:
abuseipdb_apikey = e1342b15a6a7e3d4dc798b65ae22068161ff526b48eb810bf5d4795f928aec516bf641d0f047a102
Adding the action of reporting to the jails
The action to report an IP address to AbuseIPDB can be configured in one or several jails.
In our case we are going to add the action in the sshd jail.
sudo vi /etc/fail2ban/jail.d/defaults-debian.conf
And we will add the line %(action_abuseipdb)s[abuseipdb_category="18,22"] this way:
[sshd]
enabled = true
bantime = 24h
findtime = 30
maxretry = 1
action = %(action_)s
%(action_abuseipdb)s[abuseipdb_category="18,22"]
It is mandatory to add at least one category in the action. In our case we have choose the category 18 (Brute-Force) and 22 (SSH). The list of categories are defined in the AbuseIPDB action file edited before. Besides you can find the categories in the AbuseIPDB categories website with more details.
The categories defined now are these:
# ID Title Description
# 3 Fraud Orders
# 4 DDoS Attack
# 9 Open Proxy
# 10 Web Spam
# 11 Email Spam
# 14 Port Scan
# 18 Brute-Force
# 19 Bad Web Bot
# 20 Exploited Host
# 21 Web App Attack
# 22 SSH
# 23 IoT Targeted
Reload the configuration
Once the configuration has been done, we need to reload it.
sudo service fail2ban reload
Final considerations
As best practices, the considerations you should have to follow are described in the AbuseIPDB Reporting Policy.
- bantime: should be above 15 minutes.
- findtime: shouldn’t go above 60 days.
You could also create different API keys for different machines. It’s a good idea to separate the reports and the get separate statistics reports.
Conclusion
And that’s all. Now once your system detects a malicious activity from any IP address, apart from block it, your system will also report it.