@djprmf
Created October 31, 2021 09:22
Abuse reporting to AbuseIPDB from CSF
#!/usr/local/bin/php
<?php
// Credits
// https://www.webniraj.com/2019/03/12/auto-reporting-lfd-block-reports-to-abuse-ip-db-v2/
//
// Installed as the csf/lfd BLOCK_REPORT script. lfd runs it with:
//   ARG 1 = IP address, ARG 2 = ports, ARG 3 = permanent (1) or temporary (0),
//   ARG 4 = in/out/inout, ARG 5 = block time in seconds, ARG 6 = message, ARG 7 = log lines
// The file holds an API key: keep it root-owned and mode 0700.

// AbuseIPDB API v2 Key
$api_key = 'xxx';
// AbuseIPDB API v2 Endpoint
$api_endpoint = 'https://api.abuseipdb.com/api/v2/';
// AbuseIPDB User ID (used to recognise your own earlier reports)
$user_id = 'yyy';
// Your server IPs to hide: replaced in the message and log before anything is sent
$server_ip = [ 'server_ip' ];
// AbuseIPDB category IDs, and the keyword that selects each one when found in the message or log
$categories = [
    '5'  => 'ftpd',        // FTP Brute-Force
    '11' => 'email',       // Email Spam
    '18' => 'brute-force', // Brute-Force
    '21' => 'cpanel',      // Web App Attack
    '22' => 'ssh',         // SSH
    '14' => 'port scan',   // Port Scan
];
// default categories to tag in AbuseIPDB report
$cats = [ '18' ];
/* DO NOT EDIT BELOW (Unless you know what you're doing) */
// get command line arguments from lfd
if ($argc < 8) {
    fwrite(STDERR, 'Usage: ' . $argv[0] . ' <ip> <ports> <permanent> <inout> <timeout> <message> <logs>' . PHP_EOL);
    exit(1);
}
$ips = $argv[1];
$msg = $argv[6];
$log = $argv[7];
// hide your own server IPs before the text leaves the box
$msg = str_replace($server_ip, '[server]', $msg);
$log = str_replace($server_ip, '[server]', $log);
// see if the message or logs include any of the keywords from categories
foreach ($categories as $id => $category) {
    if (stristr($log, $category) || stristr($msg, $category)) {
        $cats[] = $id;
    }
}
$cats = array_unique($cats);
// curl request function: returns the decoded JSON response, or null on transport failure
function request($path, $method = 'GET', $data = []) {
    global $api_endpoint, $api_key;
    // set api url
    $url = $api_endpoint . $path;
    // open curl connection
    $ch = curl_init();
    // set the method and data to send
    if ($method == 'POST') {
        curl_setopt($ch, CURLOPT_POST, true);
        curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
    } else {
        $url .= '?' . http_build_query($data);
    }
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    // do not let a slow API hang lfd
    curl_setopt($ch, CURLOPT_TIMEOUT, 15);
    // set the url to call
    curl_setopt($ch, CURLOPT_URL, $url);
    // set the AbuseIPDB API Key as a header
    curl_setopt($ch, CURLOPT_HTTPHEADER, [
        'Accept: application/json',
        'Key: ' . $api_key,
    ]);
    // execute curl call
    $result = curl_exec($ch);
    if ($result === false) {
        fwrite(STDERR, 'AbuseIPDB request failed: ' . curl_error($ch) . PHP_EOL);
        curl_close($ch);
        return null;
    }
    // close connection
    curl_close($ch);
    // return response as json object
    return json_decode($result);
}
// output data from lfd arguments
echo 'Remote IP: ' . $ips . PHP_EOL;
echo 'Message: ' . $msg . PHP_EOL;
echo 'Categories: ' . implode(', ', $cats) . PHP_EOL;
// check AbuseIPDB reports from the last day (verbose=true is what returns the report list)
$check = request('check', 'GET', [ 'ipAddress' => $ips, 'maxAgeInDays' => 1, 'verbose' => true ]);
if (!isset($check->data)) {
    echo 'CHECK FAILED: ' . (isset($check->errors[0]->detail) ? $check->errors[0]->detail : 'no response') . PHP_EOL;
    exit(1);
}
$reports = isset($check->data->reports) ? $check->data->reports : [];
// loop through reports to see if IP was previously reported by yourself
foreach ($reports as $report) {
    // stop script if IP already reported
    if ($report->reporterId == $user_id) {
        echo 'ALREADY REPORTED' . PHP_EOL;
        exit;
    }
}
echo 'IP Reported: ' . count($reports) . ' times.' . PHP_EOL;
// report new IP to AbuseIPDB
$publish = request('report', 'POST', [ 'ip' => $ips, 'categories' => implode(',', $cats), 'comment' => $msg ]);
// output reported IP and confidence score
if (isset($publish->data->abuseConfidenceScore)) {
    echo 'Reported IP: ' . $ips . '. Confidence Score: ' . $publish->data->abuseConfidenceScore . PHP_EOL;
} else {
    echo 'REPORT FAILED: ' . (isset($publish->errors[0]->detail) ? $publish->errors[0]->detail : 'no response') . PHP_EOL;
    exit(1);
}
@solaceten
This is great - but how can we use redacted hostnames in the reports displayed in abuseipdb....

@djprmf (Author)

djprmf commented Mar 25, 2024

This is great - but how can we use redacted hostnames in the reports displayed in abuseipdb....

The reports from abuseipdb are made to show the hostnames from the abuse IP

@solaceten

No - it's this script that determines the data sent TO abuseipdb. For example, these guys do it differently: https://github.com/centminmod/centminmod-abuseipdb-reporter?tab=readme-ov-file
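The thread above is about what the script sends, not what AbuseIPDB displays. As an added example (not code from the gist, nor from the centminmod project linked above), here is a redaction step that could run on `$msg` and `$log` before the report call: it replaces e-mail addresses, the reporting server's hostnames (with any subdomain) and the server's own IPs with placeholders, while leaving the attacker's IP intact so the report stays useful. The function name, the placeholders, the sample lfd message and the 1024-character comment limit are assumptions made for this example.

```php
<?php
// Added example: redact the reporting server's identity from an lfd block
// message before it is sent as an AbuseIPDB "comment". Function name,
// placeholders, sample input and the size limit are assumptions.
declare(strict_types=1);

// Assumed API v2 limit for the comment field, applied as a conservative byte guard.
const ABUSEIPDB_COMMENT_MAX = 1024;

/**
 * Replace e-mail addresses, the server's hostnames (including any subdomain
 * labels) and the server's own IPs with neutral placeholders. Every pattern is
 * anchored on boundaries, so "10.0.0.1" is not matched inside "10.0.0.10" and
 * the attacker's IP, which AbuseIPDB needs, is left untouched.
 */
function redact_report_comment(string $text, array $server_ips, array $hostnames): string
{
    // 1. E-mail addresses first, so their domain part is not half-redacted below.
    $text = preg_replace('/[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/', '[email]', $text);

    // 2. Hostnames: any subdomain labels, then the configured name, case-insensitive.
    foreach ($hostnames as $host) {
        $re = '/(?<![\w.-])(?:[\w-]+\.)*' . preg_quote($host, '/') . '(?![\w-])/i';
        $text = preg_replace($re, '[server]', $text);
    }

    // 3. Server IPs: no digit or dot on either side, so longer addresses survive.
    foreach ($server_ips as $ip) {
        $re = '/(?<![\d.])' . preg_quote($ip, '/') . '(?![\d.])/';
        $text = preg_replace($re, '[server-ip]', $text);
    }

    // 4. Stay inside the comment size limit.
    if (strlen($text) > ABUSEIPDB_COMMENT_MAX) {
        $text = substr($text, 0, ABUSEIPDB_COMMENT_MAX);
    }
    return $text;
}

// Constructed sample lfd message (not a real log line), shaped like the gist's
// $msg: attacker 203.0.113.7, server host1.example.com / 198.51.100.4.
$sample = 'Failed SSH login from 203.0.113.7 (US/-/-): 5 in the last 3600 secs; '
        . 'sshd[1234]: Failed password for root from 203.0.113.7 port 51022 ssh2 '
        . 'on host1.example.com (198.51.100.4), notified admin@example.com';

echo redact_report_comment($sample, ['198.51.100.4'], ['example.com']), PHP_EOL;
```

Run with the sample, the attacker's address and the sshd line survive, while `host1.example.com`, `198.51.100.4` and `admin@example.com` come out as `[server]`, `[server-ip]` and `[email]`. In the script this would replace the plain `str_replace` on `$server_ip`, with the server's hostnames added as a second configurable list next to it.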
