Koozali.org: home of the SME Server

fail2ban and AbuseIPDB

William R H
fail2ban and AbuseIPDB
« on: March 24, 2022, 01:42:00 PM »
I see that fail2ban has a built-in capability to send jail entries off to abuseIPDB. See https://www.abuseipdb.com/fail2ban.html

Several questions:

  • Is there any value in sending a report in - what does it offer me, you or the world at large?
  • Assuming it is worthwhile - how to set it up with the smeserver config/template system?

I'm willing to have a go at it but am completely new to that sort of thing.

PS: I did look at the web management page for fail2ban but saw nothing there...
PPS: fail2ban-client -V gives me 0.11.2. Is that the latest version?

TerryF
Re: fail2ban and AbuseIPDB
« Reply #1 on: March 24, 2022, 10:43:47 PM »
Not sure of Q1 and 2, others may have some answers, but on a default install of smeserver-fail2ban there is a

/etc/fail2ban/action.d/abuseipdb.conf 

Reading the details there, I suspect it would not be difficult to enable. An account at AbuseIPDB is a given.

Yes, 0.11.2 is the latest.
--
qui scribit bis legit

ReetP
Re: fail2ban and AbuseIPDB
« Reply #2 on: March 25, 2022, 12:48:38 AM »
Quote
I see that fail2ban has a built-in capability to send jail entries off to abuseIPDB. See https://www.abuseipdb.com/fail2ban.html

Several questions:

Is there any value in sending a report in - what does it offer me, you or the world at large?

You'd need to read all their information and decide if and how you can utilise it.

That is a key question before you go any further.

Quote
  • Assuming it is worthwhile - how to set it up with the smeserver config/template system?

I'm willing to have a go at it but am completely new to that sort of thing.

There are mountains of info in the wiki. You need to grab a coffee and a test machine, and read and play. You will learn far more that way.

https://wiki.koozali.org/Template-driven_configuration_system
https://wiki.koozali.org/Template_Tutorial

It really isn't hard. Just start by browsing the templates on your own TEST server in /etc/e-smith/templates.

Look at how they generate actual files. Look at how they can get variables from configuration entries.

You can then copy them to templates-custom and try some small changes.

When you get stuck on a specific issue, then describe what you have done, and then ask.

To enable AbuseIPDB you will have to do a combination of adding some of their stuff and customising a bit of the existing templates.

Quote
PS: I did look at the web management page for fail2ban but saw nothing there...

Nope, because F2B does what it does, and you want to add an enhancement.

...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

magwm
Re: fail2ban and AbuseIPDB
« Reply #3 on: April 26, 2023, 05:46:41 PM »
I would try the same thing. I am already quite familiar with the templates-custom folder structure, but I fail to understand how I could give the correct category of the attack.

I would create the folder
/etc/e-smith/templates-custom/fail2ban/jail.conf/

then create a copy of /etc/e-smith/templates/etc/fail2ban/jail.conf/30Service10ssh
(and every following 30Service you have configured)

and add the following row between 'action' and 'EOF':

Code:
    %(action_abuseipdb)s[abuseipdb_apikey="my-api-key", abuseipdb_category="18"]
where the 18 should be the category chosen from

https://www.abuseipdb.com/categories

MagWm

Jean-Philippe Pialasse
Re: fail2ban and AbuseIPDB
« Reply #4 on: April 27, 2023, 12:03:34 AM »
fail2ban allows you to add some configuration manually without using the SME templates-custom. Furthermore, this will be part of the backup since SME 10.1.

Simply use the appropriate .d folder to add your .conf file, and if a .conf file with the same name already exists and is templated, you can create a .local file.
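As an added example (not code from this thread or from the smeserver-fail2ban package), the drop-in approach from the last reply combined with the action row from Reply #3: a shell function that writes a jail.d .local override for one jail. It assumes fail2ban 0.11 with action.d/abuseipdb.conf present, a jail.conf whose DEFAULT section defines action_ and action_abuseipdb as stock fail2ban does (check the templated one on SME), and a jail actually named sshd; the API key is a placeholder.

```shell
#!/bin/sh
# Added example: write a fail2ban jail.d drop-in that keeps a jail's normal ban
# action and additionally reports each ban to AbuseIPDB. Assumes fail2ban 0.11
# with action.d/abuseipdb.conf and a jail.conf that defines action_ and
# action_abuseipdb (stock fail2ban does; verify the templated one on SME).
# Usage: write_abuseipdb_override DIR JAIL APIKEY CATEGORIES
write_abuseipdb_override() {
    dir=$1; jail=$2; apikey=$3; categories=$4
    file="$dir/abuseipdb-$jail.local"
    mkdir -p "$dir"
    # %(...)s is fail2ban interpolation, not shell; only $jail, $apikey and
    # $categories are expanded by the shell here.
    cat > "$file" <<EOF
# Drop-in override for the $jail jail: ban as usual, then report to AbuseIPDB.
# Category numbers come from https://www.abuseipdb.com/categories (18 = Brute-Force).
[$jail]
action = %(action_)s
         %(action_abuseipdb)s[abuseipdb_apikey="$apikey", abuseipdb_category="$categories"]
EOF
    # The file holds an API key: make it readable by root only
    # (fail2ban-server runs as root, so it can still read it).
    chmod 600 "$file"
    printf '%s\n' "$file"
}

# On the server (not run here):
#   write_abuseipdb_override /etc/fail2ban/jail.d sshd "YOUR-API-KEY" "18"
#   fail2ban-client -t && fail2ban-client reload   # validate the config, then apply it
#   fail2ban-client get sshd actions               # abuseipdb should now be listed
```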