What is AbuseIPDB?
AbuseIPDB provides a free API for reporting and checking IP addresses. Every day webmasters, system administrators, and other IT professionals use our API to report thousands of IP addresses engaging in spamming, hacking, vulnerability scanning, and other malicious activity in real time.
What is Fail2Ban?
Fail2ban is a tool that helps you protect your public-facing Linux instances from brute-force and other automated attacks by monitoring application logs for malicious activity.
Installation
Installing Fail2Ban
For Debian based systems (Ubuntu & such), you can install it with apt-get:

```bash
$ apt-get update
$ apt-get install fail2ban
```
For RHEL based systems (CentOS, Rocky, Alma), you need to install the EPEL repository first:

```bash
$ sudo dnf install epel-release
$ sudo dnf install fail2ban fail2ban-firewalld
```
Once the installation is complete, you can run the following command:

```bash
$ sudo systemctl status fail2ban
```
Fail2Ban should be enabled on your system. The output should look something like this:

```
root@mother:~# systemctl status fail2ban
● fail2ban.service - Fail2Ban Service
     Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; vendor preset: enabled)
     Active: active (running) since Tue 2022-07-12 16:50:44 EDT; 20h ago
       Docs: man:fail2ban(1)
    Process: 1037325 ExecStartPre=/bin/mkdir -p /run/fail2ban (code=exited, status=0/SUCCESS)
   Main PID: 1037327 (fail2ban-server)
      Tasks: 5 (limit: 7062)
     Memory: 38.9M
        CPU: 1min 24.068s
     CGroup: /system.slice/fail2ban.service
             └─1037327 /usr/bin/python3 /usr/bin/fail2ban-server -xf start

Jul 12 16:50:44 mother systemd[1]: Starting Fail2Ban Service...
Jul 12 16:50:44 mother systemd[1]: Started Fail2Ban Service.
Jul 12 16:50:45 mother fail2ban-server[1037327]: Server ready
```
AbuseIPDB configuration
Verify Fail2Ban AbuseIPDB module is Installed
The ability to report abusive IPs directly to AbuseIPDB was added to the master Fail2Ban repository in v0.10.0 (January 2017). If you have an older version of Fail2Ban installed on your server, you'll either have to update Fail2Ban or install the abuseipdb.conf action file yourself. To check which version of Fail2Ban you have installed, run the following command:

```bash
$ fail2ban-client -V
```

You can verify that your installation of Fail2Ban supports AbuseIPDB by checking that the action config file /etc/fail2ban/action.d/abuseipdb.conf exists. If it does not exist, you can add it manually by copying the latest config file from the Fail2Ban GitHub repository.

Create a .local file from the default jail.conf:

```bash
$ cp /etc/fail2ban/jail.{conf,local}
```
Activate AbuseIPDB Reporting Action
You can invoke the AbuseIPDB action from some or all of the jails configured in jail.local. The action must be called with two parameters: your AbuseIPDB API key, and the abuse category (or categories) you would like to report the IP for. If these parameters are missing or invalid, your reports will fail.

```
%(action_abuseipdb)s[abuseipdb_apikey="my-api-key", abuseipdb_category="18,22"]
```

This line must be added to each jail for which you want to activate AbuseIPDB reporting.

Let's configure it. Edit jail.local with your favorite text editor:

```bash
$ nano /etc/fail2ban/jail.local
```
Find the [sshd] section, then edit it so it looks something like this:

```ini
[sshd]
enabled = true

# To use more aggressive sshd modes set filter parameter "mode" in jail.local:
# normal (default), ddos, extra or aggressive (combines all).
# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
#mode = normal
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s

# Ban IP and report to AbuseIPDB for SSH Brute-Forcing
action = %(action_)s
         %(action_abuseipdb)s[abuseipdb_apikey="my-api-key", abuseipdb_category="18,22"]
```

Make sure to change my-api-key to your API key!
Here's a table of some of the most popular AbuseIPDB report categories for customizing your reports:

| FTP Brute-Force | Port Scan | Hacking | Brute-Force | Bad Web Bot | SSH | Web App Attack |
|---|---|---|---|---|---|---|
| 5 | 14 | 15 | 18 | 19 | 22 | 21 |
Once you have updated your jail.local configuration, save the file and reload Fail2Ban so that the new configuration takes effect:

```bash
$ fail2ban-client reload
```
If your configuration is correct, Fail2Ban should start running the AbuseIPDB action each time a new IP is banned. Log in and check your reported IPs page, and watch as Fail2Ban starts automatically reporting IPs to AbuseIPDB under your account!
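Before reloading, it is worth a quick sanity check of jail.local, since a leftover my-api-key placeholder or a category id that AbuseIPDB does not know makes every report fail silently. The script below is an added example, not part of the original post or of Fail2Ban itself; it checks one jail section for the abuseipdb action, a non-placeholder key and only the category ids from the table above. The two sample jail.local files and the key value in them are constructed for the demonstration.

```bash
# Added example (not from the original post): sanity-check a jail.local before
# reloading Fail2Ban, so a leftover placeholder key or an unknown category id
# does not silently make every AbuseIPDB report fail.
# Category ids from the table in the post; anything else is reported as unknown.
KNOWN_CATEGORIES="5 14 15 18 19 21 22"

# check_abuseipdb_jail FILE JAIL: prints "ok" and returns 0 when the [JAIL]
# section of FILE calls the abuseipdb action with a non-placeholder key and
# only known categories; otherwise prints the problem and returns 1.
check_abuseipdb_jail() {
    file=$1; jail=$2
    # Keep only the lines belonging to the requested [jail] section.
    section=$(awk -v j="[$jail]" '
        $0 == j { in_sec = 1; next }
        /^\[/   { in_sec = 0 }
        in_sec  { print }' "$file")
    line=$(printf '%s\n' "$section" | grep 'action_abuseipdb' | head -n 1)
    if [ -z "$line" ]; then
        echo "no abuseipdb action in [$jail]"; return 1
    fi
    key=$(printf '%s\n' "$line" | sed -n 's/.*abuseipdb_apikey="\([^"]*\)".*/\1/p')
    cats=$(printf '%s\n' "$line" | sed -n 's/.*abuseipdb_category="\([^"]*\)".*/\1/p')
    case "$key" in
        ""|my-api-key) echo "placeholder or empty API key in [$jail]"; return 1 ;;
    esac
    [ -n "$cats" ] || { echo "no categories in [$jail]"; return 1; }
    for c in $(printf '%s\n' "$cats" | tr ',' ' '); do
        case " $KNOWN_CATEGORIES " in
            *" $c "*) ;;
            *) echo "unknown category $c in [$jail]"; return 1 ;;
        esac
    done
    echo ok
}

# Constructed sample jails (the API key value is made up, not a real key).
GOOD=$(mktemp); BAD=$(mktemp)
cat > "$GOOD" <<'EOF'
[sshd]
enabled = true
action = %(action_)s
         %(action_abuseipdb)s[abuseipdb_apikey="0123abcd-constructed-key", abuseipdb_category="18,22"]
EOF
cat > "$BAD" <<'EOF'
[sshd]
action = %(action_)s
         %(action_abuseipdb)s[abuseipdb_apikey="my-api-key", abuseipdb_category="18,22"]
EOF
for f in "$GOOD" "$BAD"; do check_abuseipdb_jail "$f" sshd || true; done
```

Run it against /etc/fail2ban/jail.local and the jail name you edited; a clean result prints ok, anything else names the problem and the jail.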
That's it! gtfo and enjoy your super secure server.
- Discord: discord.darrennathanael.com
- Connect: connect.darrennathanael.com