Abuse reporting to AbuseIPDB from CSF
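#!/usr/local/bin/php
<?php
// Credits
// https://www.webniraj.com/2019/03/12/auto-reporting-lfd-block-reports-to-abuse-ip-db-v2/

// AbuseIPDB API v2 Key (a secret: keep this file readable by root only)
$api_key = 'xxx';
// AbuseIPDB API v2 Endpoint
$api_endpoint = 'https://api.abuseipdb.com/api/v2/';
// AbuseIPDB User ID (used below to recognise reports you already filed)
$user_id = 'yyy';
// Your Server IPs to hide: every occurrence in the lfd message/log text is
// replaced before that text is sent to AbuseIPDB, so your own addresses are not
// included in the report comment.
$server_ip = [ 'server_ip' ];
// categories to string match against (AbuseIPDB category id => keyword)
$categories = [
    '5'  => 'ftpd',
    '11' => 'email',
    '18' => 'brute-force',
    '21' => 'cpanel',
    '22' => 'ssh',
    '14' => 'port scan'
];
// default categories to tag in AbuseIPDB report
$cats = [ '18' ];

/* DO NOT EDIT BELOW (Unless you know what you're doing) */

// get command line arguments passed by lfd's block-report hook.
// Index layout (message at 6, log lines at 7, blocked IP at 1) is taken from the
// original script — TODO confirm against the BLOCK_REPORT documentation in csf.conf.
// A missing argument becomes '' instead of raising an undefined-index warning.
$args = $argv ?? [];
$msg = (string) ($args[6] ?? '');
$log = (string) ($args[7] ?? '');
$ips = (string) ($args[1] ?? '');

// redact our own addresses from the text that is later sent as the report comment
$msg = str_replace($server_ip, '[server_ip]', $msg);
$log = str_replace($server_ip, '[server_ip]', $log);

// see if the message or logs include any of the keywords from categories
foreach ($categories as $id => $category) {
    if (stristr($log, $category) !== false || stristr($msg, $category) !== false) {
        $cats[] = $id;
    }
}
// a keyword match can re-add the default category ('18'); send each id once
$cats = array_values(array_unique($cats));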
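// curl request function: sends $data to AbuseIPDB endpoint $path and returns the
// decoded JSON body as an object, or null when the HTTP call fails or the body
// is not valid JSON. $method is 'GET' (data sent as a query string) or 'POST'
// (data sent as form fields). Reads $api_endpoint and $api_key from the globals
// configured at the top of this script.
function request($path, $method = 'GET', $data = []) {
    global $api_endpoint, $api_key;
    // set api url
    $url = $api_endpoint . $path;
    // open curl connection
    $ch = curl_init();
    // set the method and data to send
    if ($method === 'POST') {
        curl_setopt($ch, CURLOPT_POST, true);
        curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
    } else {
        $url .= '?' . http_build_query($data);
    }
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    // bound the call: this script runs from lfd's block hook, so a hung
    // connection to the API must not stall the firewall daemon
    curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 10);
    curl_setopt($ch, CURLOPT_TIMEOUT, 30);
    // set the url to call
    curl_setopt($ch, CURLOPT_URL, $url);
    // set the AbuseIPDB API Key as a header (the stray trailing ';' made the
    // Accept media range malformed)
    curl_setopt($ch, CURLOPT_HTTPHEADER, [
        'Accept: application/json',
        'Key: ' . $api_key,
    ]);
    // execute curl call
    $result = curl_exec($ch);
    if ($result === false) {
        // transport-level failure: say why on stderr (the message never
        // contains the API key, which travels only in the header) and let the
        // caller treat the response as absent instead of decoding `false`
        fwrite(STDERR, 'AbuseIPDB request to ' . $path . ' failed: ' . curl_error($ch) . PHP_EOL);
        curl_close($ch);
        return null;
    }
    // close connection
    curl_close($ch);
    // return response as json object (null if the body is not valid JSON)
    return json_decode($result);
}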
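// output data from lfd arguments
echo 'Remote IP: ' . $ips . PHP_EOL;
echo 'Message: ' . $msg . PHP_EOL;
echo 'Categories: ' . implode(', ', $cats) . PHP_EOL;

// check AbuseIPDB reports
$check = request('check', 'GET', [ 'ipAddress' => $ips, 'maxAgeInDays' => 1, 'verbose' => true ]);
// a failed call or an error reply carries no "data" member; the original code
// then read properties of null. Warn and treat the IP as not yet reported.
if (!isset($check->data)) {
    $errors = isset($check->errors) ? json_encode($check->errors) : 'no/invalid response';
    fwrite(STDERR, 'AbuseIPDB check failed: ' . $errors . PHP_EOL);
}
$reports = $check->data->reports ?? [];

// loop through reports to see if IP was previously reported by yourself
foreach ($reports as $report) {
    // stop script if IP already reported (reporterId compared as a string so a
    // numeric id from the API matches the configured value exactly)
    if (isset($report->reporterId) && (string) $report->reporterId === (string) $user_id) {
        echo 'ALREADY REPORTED' . PHP_EOL;
        exit;
    }
}
echo 'IP Reported: ' . count($reports) . ' times.' . PHP_EOL;

// report new IP to AbuseIPDB. 'comment' is the lfd message sent as-is, so it
// must not carry anything about this host you do not want stored with the report.
$publish = request('report', 'POST', [ 'ip' => $ips, 'categories' => implode(',', $cats), 'comment' => $msg ]);
// output reported IP and confidence score, or the API's error list
if (isset($publish->data->abuseConfidenceScore)) {
    echo 'Reported IP: ' . $ips . '. Confidence Score: ' . $publish->data->abuseConfidenceScore . PHP_EOL;
} else {
    $errors = isset($publish->errors) ? json_encode($publish->errors) : 'no/invalid response';
    fwrite(STDERR, 'AbuseIPDB report failed: ' . $errors . PHP_EOL);
    exit(1);
}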
This is great - but how can we use redacted hostnames in the reports displayed in abuseipdb....
The reports shown on AbuseIPDB are designed to display the hostnames of the abusive IP.
No - it's this script that determines the data sent TO abuseipdb. for example, these guys do it differently https://github.com/centminmod/centminmod-abuseipdb-reporter?tab=readme-ov-file