Page 1 of 1

Reporting Abuser, Hackers & Spammers to AbuseIPDB

Posted: September 25th, 2023, 3:09 am
by admin
We've just added ConfigServer Security & Firewall + AbuseIPDB to Integrating report to AbuseIPDB with CSF - Automatically Block Bad IPs.
to report thousands of IP addresses engaging spamming, hacking, vulnerability scanning, and other malicious activity in real time.

Create an executable script that reports to AbuseIPDB.
Since CSF uses Perl, the public script we display here is written in Perl.

Code: Select all

nano /path/to/abuseipdb_report.pl
Copy and paste this script from https://www.abuseipdb.com/csf:
Don't forget to replace and insert $YOUR_API_KEY from AbuseIPDB within this line.

Code: Select all

"Key" => "$YOUR_API_KEY",
and this is the full script:

Code: Select all

#!/usr/bin/perl
# This file was written as an executable to be used in the auto report function
# of csf and lfd. By replacing $YOUR_API_KEY below with your abuseipdb api key,
# allows you to use this code to integrate your csf system with abuseipdb.com
use strict;
use warnings;
use HTTP::Tiny;
use JSON;

# Gather the information from the commandline passed by lfd
my $ports = $ARGV[1];
my $inout = $ARGV[3];
my $message = $ARGV[5];
my $logs = $ARGV[6];
my $trigger = $ARGV[7];
my $comment = $message . "; Ports: " . $ports . "; Direction: " . $inout
    . "; Trigger: " . $trigger . "; Logs: " . $logs;
my $ua = HTTP::Tiny->new;

my $url = 'https://api.abuseipdb.com/api/v2/report';

my $data = {
    ip => $ARGV[0],
    comment => $comment,
    categories => 14
};

my %options = (
   "headers", {
       "Key" => "$YOUR_API_KEY",
       "Accept" => "application/json"
   },
);

my $response = $ua->post_form($url, $data, \%options);
my $json = JSON->new;
my $output = $json->pretty->encode($json->decode($response->{'content'}));

if ($response->{'status'} == 200){
    print "Report Succesful!\n" . $output;
} elsif ($response->{'status'} == 429) {
    print $output;
} elsif ($response->{'status'} == 422) {
    print $output;
} elsif ($response->{'status'} == 401) {
    print $output;
}
and Save it.

Set the BLOCK_REPORT variable in /etc/csf/csf.conf to the executable script file.
Since UI csf.conf not available in WHM csf plugin to be added in the BLOCK_REPORT (restricted UI item), use ROOT bash shell instead:

Code: Select all

nano /etc/csf/csf.conf
find and edit this line:

Code: Select all

BLOCK_REPORT = "/path/to/abuseipdb_report.pl"
and save it.
To make sure your change has been changed, you can view it in WHM CSF plugin configuration firewall.
WHM>> Home /Plugins /ConfigServer Security & Firewall --> Firewall configuration
and NOW...
BLOCK_REPORT = "/path/to/abuseipdb_report.pl" should be existing there.

Also... Make sure Reporting abuseipdb_block.pl working with your server:

Code: Select all

touch /path/to/abuseipdb_report.pl
chmod +x /path/to/abuseipdb_report.pl
chown root:root /path/to/abuseipdb_report.pl
and restart your CSF and LFD:

Code: Select all

csf -ra
Since I really hate this malicious brute force activity within my server:

Code: Select all

[root@srv8 ~]# tail -n -30 /var/log/exim_rejectlog
2023-09-25 02:46:34 H=[72.11.134.225]:60976 rejected connection in "connect" ACL: Host is banned
2023-09-25 02:53:49 H=[141.98.6.232]:60204 rejected connection in "connect" ACL: Country is banned
2023-09-25 02:53:49 H=[141.98.6.232]:60206 rejected connection in "connect" ACL: Country is banned
2023-09-25 02:53:49 H=[141.98.6.232]:60210 rejected connection in "connect" ACL: Country is banned
2023-09-25 02:53:49 H=[141.98.6.232]:60207 rejected connection in "connect" ACL: Country is banned
2023-09-25 02:53:49 H=[141.98.6.232]:60208 rejected connection in "connect" ACL: Country is banned
2023-09-25 02:53:49 H=[141.98.6.232]:60209 rejected connection in "connect" ACL: Country is banned
2023-09-25 02:58:10 H=[72.11.134.225]:51463 rejected connection in "connect" ACL: Host is banned
2023-09-25 03:09:34 H=[89.216.99.6]:32719 rejected connection in "connect" ACL: Country is banned
2023-09-25 03:15:32 H=[72.11.134.225]:56545 rejected connection in "connect" ACL: Host is banned
2023-09-25 03:21:23 H=[196.0.32.242]:47602 rejected connection in "connect" ACL: Country is banned
2023-09-25 03:32:02 H=[141.98.6.232]:49611 rejected connection in "connect" ACL: Country is banned
2023-09-25 03:32:02 H=[141.98.6.232]:49608 rejected connection in "connect" ACL: Country is banned
2023-09-25 03:32:02 H=[141.98.6.232]:49610 rejected connection in "connect" ACL: Country is banned
2023-09-25 03:32:02 H=[141.98.6.232]:49612 rejected connection in "connect" ACL: Country is banned
2023-09-25 03:32:02 H=[141.98.6.232]:49614 rejected connection in "connect" ACL: Country is banned
2023-09-25 03:32:02 H=[141.98.6.232]:49613 rejected connection in "connect" ACL: Country is banned
2023-09-25 03:35:51 H=[162.243.139.14]:48276 rejected connection in "connect" ACL: Host is banned
2023-09-25 03:35:51 H=[162.243.139.14]:43500 rejected connection in "connect" ACL: Host is banned
2023-09-25 03:35:51 H=[162.243.139.14]:56214 rejected connection in "connect" ACL: Host is banned
2023-09-25 03:35:52 H=[162.243.139.14]:55376 rejected connection in "connect" ACL: Host is banned
2023-09-25 03:35:52 H=[162.243.139.14]:52890 rejected connection in "connect" ACL: Host is banned
2023-09-25 03:35:54 H=[162.243.139.14]:58992 rejected connection in "connect" ACL: Host is banned
2023-09-25 03:38:53 H=[72.11.134.225]:60900 rejected connection in "connect" ACL: Host is banned
2023-09-25 03:39:52 H=[46.42.1.196]:43764 rejected connection in "connect" ACL: Country is banned
2023-09-25 03:43:12 H=scan-10.shadowserver.org [74.82.47.3]:21930 rejected connection in "connect" ACL: Host is banned
2023-09-25 03:44:18 H=scanner-27.ch1.censys-scanner.com [167.94.138.125]:37582 rejected connection in "connect" ACL: Host is banned
2023-09-25 03:59:30 H=[37.189.3.22]:56323 rejected connection in "connect" ACL: Country is banned
2023-09-25 04:00:37 dovecot_login authenticator failed for (71-53-156-229.cltn.centurylink.net) [71.53.156.229]:63464: 535 Incorrect authentication data (set_id=mailer-daemon@mailersafelist.com)
2023-09-25 04:03:39 H=[72.11.134.225]:62656 rejected connection in "connect" ACL: Host is banned
[root@srv8 ~]#
I'm really tired of watching those above malicious brute force activity...
That's why any kind of autoresponders, Including SPAM ARREST, BOXBE and ZONE ALARM disallow to used with all of our sites.