Skip to content

Instantly share code, notes, and snippets.

@meramsey

meramsey/abuseipdb_block.pl

Forked from Bsebring/abuseipdb_block.pl
Last active May 30, 2020 10:43
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save meramsey/3938bd938138ff93e8cb3817d7625a07 to your computer and use it in GitHub Desktop.
Save meramsey/3938bd938138ff93e8cb3817d7625a07 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
abuseipdb_block.pl
#!/usr/bin/perl
# This file was written as an executable to be used in the auto report function
# of csf and lfd. By replacing $YOUR_API_KEY below with your abuseipdb api key,
# allows you to use this code to integrate your csf system with abuseipdb.com
use strict;
use warnings;
use HTTP::Tiny;
use JSON;
# Gather the information from the commandline passed by lfd
my $ports = $ARGV[1];
my $inout = $ARGV[3];
my $message = $ARGV[5];
my $logs = $ARGV[6];
my $trigger = $ARGV[7];
my $comment = $message . "; Ports: " . $ports . "; Direction: " . $inout
. "; Trigger: " . $trigger . "; Logs: " . $logs;
my $ua = HTTP::Tiny->new;
my $url = 'https://api.abuseipdb.com/api/v2/report';
my $data = {
ip => $ARGV[0],
comment => $comment,
categories => 14
};
my %options = (
"headers", {
"Key" => "YOUR_API_KEY",
"Accept" => "application/json"
},
);
my $response = $ua->post_form($url, $data, \%options);
my $json = JSON->new;
my $output = $json->pretty->encode($json->decode($response->{'content'}));
if ($response->{'status'} == 200){
print "Report Succesful!\n" . $output;
} elsif ($response->{'status'} == 429) {
print $output;
} elsif ($response->{'status'} == 422) {
print $output;
} elsif ($response->{'status'} == 401) {
print $output;
}
@meramsey
Copy link
Author

Switched the "$YOUR_API_KEY" to "YOUR_API_KEY" that way programmatic replacement is easier for setup vs having the $ in there which made it a pita to replace via sed

[root@wcloud:~]# grep Key /root/abuseabuseipdb_report.pl
       "Key" => "YOUR_API_KEY",
[root@wcloud:~]# sed -i "s|YOUR_API_KEY|$YOUR_API_KEY|g" /root/abuseabuseipdb_report.pl
[root@wcloud:~]# grep Key /root/abuseabuseipdb_report.pl
       "Key" => "longredactedkey",
[root@wcloud:~]#

Now its this easy:

YOUR_API_KEY="longRedactedApiKeyGoesHere";
wget -O /root/abuseabuseipdb_report.pl https://gist.github.com/whattheserver/3938bd938138ff93e8cb3817d7625a07/raw/d6685013efb075725a68901287fafe6e729d467c/abuseipdb_block.pl;
chmod +x /root/abuseabuseipdb_report.pl
sed -i 's|^BLOCK_REPORT =.*|BLOCK_REPORT = "/root/abuseabuseipdb_report.pl"|g' /etc/csf/csf.conf
sed -i "s|YOUR_API_KEY|$YOUR_API_KEY|g" /root/abuseabuseipdb_report.pl
csf -ra;
grep BLOCK_REPORT /etc/csf/csf.conf

If you haven't set it up already you can do that from a-z in one go like this:

YOUR_API_KEY="longRedactedApiKeyGoesHere";
cat >> /etc/csf/csf.blocklists <<EOL
# AbuseIPDB blacklist
# Details: https://docs.abuseipdb.com/#blacklist-endpoint
ABUSEIPDB|86400|10000|https://api.abuseipdb.com/api/v2/blacklist?&key=${YOUR_API_KEY}&plaintext
EOL
tail -3 /etc/csf/csf.blocklists
wget -O /root/abuseabuseipdb_report.pl https://gist.github.com/whattheserver/3938bd938138ff93e8cb3817d7625a07/raw/d6685013efb075725a68901287fafe6e729d467c/abuseipdb_block.pl;
chmod +x /root/abuseabuseipdb_report.pl
sed -i 's|^BLOCK_REPORT =.*|BLOCK_REPORT = "/root/abuseabuseipdb_report.pl"|g' /etc/csf/csf.conf
sed -i "s|YOUR_API_KEY|$YOUR_API_KEY|g" /root/abuseabuseipdb_report.pl
csf -ra;
grep BLOCK_REPORT /etc/csf/csf.conf

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment