Reporting to AbuseIPDB

AbuseIPDB is a collaborative platform that allows its users to report and check IP addresses associated with malicious activities, helping to identify and mitigate potential threats in cybersecurity.

This page explains how to report bad IPs to AbuseIPDB. It does NOT cover checking the reputation of incoming IPs.

Requirements

  • An account on AbuseIPDB
  • reaction can access the internet (at least AbuseIPDB's servers)

Setup

Grant access to the API

  1. Create an API key from your AbuseIPDB account
  2. Put it inside a file that reaction can read
  3. Make sure only reaction (or root) can read it: the key lets anyone holding it file reports in your name

Typical example:

echo "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef" | sudo tee /etc/reaction/abuseip.key
sudo chown reaction:reaction /etc/reaction/abuseip.key
sudo chmod 400 /etc/reaction/abuseip.key
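The three setup steps above as one script. This is an added example, not part of reaction or its documentation: it installs the key with a restrictive umask (so the file is never world-readable, even briefly), then checks the two things the curl command in reaction.jsonnet relies on: the key file is readable only by its owner (and, optionally, owned by the expected user), and curl is new enough for `--variable` / `--expand-header`, which appeared in curl 8.3.0. The path and owner are arguments so the script also runs unprivileged against a scratch file; on a real host you would pass /etc/reaction/abuseip.key and reaction.

```sh
#!/bin/sh
# Added example (not reaction's own code). Installs the AbuseIPDB key file
# and verifies the preconditions of the curl-based report action.
# Usage (as root): sh abuseip-key.sh /etc/reaction/abuseip.key "$KEY" reaction

# install_key FILE KEY [OWNER]: write KEY to FILE, readable by the owner only.
install_key() {
    file=$1 key=$2 owner=${3:-}
    rm -f "$file"                                  # umask only applies on create
    ( umask 077 && printf '%s\n' "$key" > "$file" ) || return 1
    if [ -n "$owner" ]; then
        chown "$owner:$owner" "$file" || return 1
    fi
    chmod 0400 "$file"
}

# key_file_ok FILE [OWNER]: 0 if FILE is non-empty, has no group/other
# permission bits, and (when OWNER is given) belongs to OWNER.
key_file_ok() {
    file=$1 want_owner=${2:-}
    [ -s "$file" ] || { echo "key file missing or empty: $file"; return 1; }
    # GNU stat first, BSD/macOS stat as fallback
    mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
    case "$mode" in
        400|600) ;;
        *) echo "$file is mode $mode, expected 400 or 600"; return 1 ;;
    esac
    if [ -n "$want_owner" ]; then
        have_owner=$(stat -c '%U' "$file" 2>/dev/null || stat -f '%Su' "$file")
        [ "$have_owner" = "$want_owner" ] ||
            { echo "$file is owned by $have_owner, expected $want_owner"; return 1; }
    fi
    return 0
}

# curl_version_ok X.Y.Z: 0 if the version is at least 8.3.0, the first
# release with --variable and --expand-header.
curl_version_ok() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    [ "$major" -gt 8 ] || { [ "$major" -eq 8 ] && [ "$minor" -ge 3 ]; }
}

# curl_supports_variables: check the curl actually installed on this host.
curl_supports_variables() {
    ver=$(curl --version | sed -n '1s/^curl \([0-9][0-9.]*\).*/\1/p')
    [ -n "$ver" ] || { echo "curl not found"; return 1; }
    curl_version_ok "$ver" || { echo "curl $ver is too old, need >= 8.3.0"; return 1; }
}

if [ $# -ge 2 ]; then
    install_key "$1" "$2" "${3:-}" &&
        key_file_ok "$1" "${3:-}" &&
        curl_supports_variables &&
        echo "key installed in $1 and curl supports --variable"
fi
```

The trailing newline that `printf '%s\n'` (like `echo` above) writes into the file is harmless because the curl command strips it with `{{API_KEY:trim}}`; without `:trim` the header would carry a newline and the request would be rejected or malformed.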

Configure reaction

In your reaction.jsonnet, add this:

local abuseip_params = {
  badbots: {
    category: "19",
    comment: "Did not follow robots.txt directives",
  },
  sshbruteforce: {
    category: "18,22",
    comment: "Bruteforced SSH server",
  },
  webattack: {
    category: "21",
    comment: "Requested nonexistent endpoint (Wordpress login, etc.)",
  },
};

local report(type) = {
  abuseIP: {
    cmd: ['curl',
      '--fail', '--silent', '--show-error',
      'https://api.abuseipdb.com/api/v2/report',
      // read the key from the file at request time (curl >= 8.3.0)
      '--variable', 'API_KEY@/etc/reaction/abuseip.key',
      '--header', 'Accept: application/json',
      // :trim drops the trailing newline left by echo
      '--expand-header', 'Key: {{API_KEY:trim}}',
      '--data-urlencode', 'comment=' + abuseip_params[type].comment,
      '--data-urlencode', 'ip=<ip>',
      '--data', 'categories=' + abuseip_params[type].category,
    ],
    // do not run again on reaction restart
    oneshot: true,
  },
};

Usage

You can use report('type') on its own or in combination with banFor.

The type must be declared in abuseip_params; refer to Advanced configuration to add your own.

Ex:

// [...]
   actions: banFor('24h') + report('webattack'),

Advanced configuration

You may edit the abuseip_params variable to add relevant categories and descriptions.

The reference is here: https://www.abuseipdb.com/categories

Comments support pattern variables (such as <method>), so this is a valid configuration:

local banFor(time) = {
  // [...]
};

local abuseip_params = {
  webattack: {
    category: "21",
    comment: "HTTP <method> on a non-existent endpoint (Wordpress)",
  },
};

local report(type) = {
  abuseIP: {
    cmd: ['curl',
      '--fail', '--silent', '--show-error',
      'https://api.abuseipdb.com/api/v2/report',
      '--variable', 'API_KEY@/etc/reaction/abuseip.key',
      '--header', 'Accept: application/json',
      '--expand-header', 'Key: {{API_KEY:trim}}',
      '--data-urlencode', 'comment=' + abuseip_params[type].comment,
      '--data-urlencode', 'ip=<ip>',
      '--data', 'categories=' + abuseip_params[type].category,
    ],
    // do not run again on reaction restart
    oneshot: true,
  },
};

{
  patterns: {
    ip: {
      // see Patterns section
    },
    method: {
      regex: 'GET|POST|PUT|HEAD',
    }
  },

  start: [
    // [...],
  ],
  stop: [
    // [...],
  ],

  streams: {
    web: {
      cmd: [ 'journalctl', '-fu', 'haproxy.service' ],
      filters: {
        scanners: {
          regex: [
            // wordpress login page (\w would not match the "." in .php)
            @': <ip>:\d+ .+<method> .*/wp-login\.php',
          ],
          actions: banFor('720h') + report('webattack'),
        },
      },
    },
  },
}
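Before pairing a filter with report('webattack'), it is worth running its regex over a few log lines offline: a regex that is too loose reports innocent IPs to a public blocklist, one that is too strict reports nobody. The following is an added shell example, not part of reaction or its documentation. It replays a filter of the same shape as the scanners filter above (colon, <ip>:port, the <method>, a request for /wp-login.php) against constructed haproxy lines as journalctl would print them, and prints the <ip> and <method> values reaction would hand to the actions. Assumptions: <ip> is expanded to a plain IPv4 pattern and <method> to GET|POST|PUT|HEAD as in the patterns block; Go's \d is written [0-9] because POSIX ERE has no \d; the log lines are made up.

```sh
#!/bin/sh
# Added example (not reaction's own code): dry-run the web scanner filter
# against constructed haproxy log lines using POSIX ERE in sed.

IP='([0-9]{1,3}\.){3}[0-9]{1,3}'      # stands in for reaction's <ip> pattern
METHOD='(GET|POST|PUT|HEAD)'          # the <method> pattern from the config

# Constructed sample of "journalctl -fu haproxy.service" output: two probes
# of the Wordpress login page, one legitimate page view, one near miss.
SAMPLE_LOG='Mar 03 12:00:01 gw haproxy[812]: 203.0.113.7:51234 [03/Mar/2024:12:00:01.123] fe_https~ be_web/srv1 0/0/1/2/3 404 512 - - ---- 1/1/0/0/0 0/0 "GET /wp-login.php HTTP/1.1"
Mar 03 12:00:02 gw haproxy[812]: 198.51.100.23:40211 [03/Mar/2024:12:00:02.001] fe_https~ be_web/srv1 0/0/1/2/3 404 512 - - ---- 1/1/0/0/0 0/0 "POST /wp-login.php HTTP/1.1"
Mar 03 12:00:03 gw haproxy[812]: 192.0.2.44:60000 [03/Mar/2024:12:00:03.500] fe_https~ be_web/srv1 0/0/1/2/3 200 8192 - - ---- 1/1/0/0/0 0/0 "GET /blog/2024/03/wordpress-hardening.html HTTP/1.1"
Mar 03 12:00:04 gw haproxy[812]: 192.0.2.45:60001 [03/Mar/2024:12:00:04.000] fe_https~ be_web/srv1 0/0/1/2/3 404 512 - - ---- 1/1/0/0/0 0/0 "GET /help/wp-login-guide HTTP/1.1"'

# scanner_hits: read log lines on stdin; for each line the filter matches,
# print "<ip> <method>" (the values reaction substitutes into the actions).
# Group 1 is the whole IP, group 2 the repeated octet inside it, group 3 the
# method, hence \1 and \3 in the replacement.
scanner_hits() {
    sed -nE "s#^.*: ($IP):[0-9]+ .+$METHOD .*/wp-login\.php.*\$#\1 \3#p"
}

# matches_scanner LINE: 0 if the filter would fire on this single line.
matches_scanner() {
    printf '%s\n' "$1" | scanner_hits | grep -q .
}

# Expected: the two /wp-login.php probes, nothing for the other two lines.
printf '%s\n' "$SAMPLE_LOG" | scanner_hits
```

Anchoring the IP right after `: ` keeps the regex from latching onto the backend address or a client-supplied string later in the line; the last sample line shows why the path must end the match precisely (`/wp-login-guide` is not reported).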