LFD Reporting Script using Abuse IP DB v2 API
#!/usr/local/bin/php
<?php
// AbuseIPDB API v2 Key
$api_key = 'xxx';
// AbuseIPDB API v2 Endpoint
$api_endpoint = 'https://api.abuseipdb.com/api/v2/';
// AbuseIPDB User ID (used to recognise reports you already filed)
$user_id = 'yyy';
// Your server IPs to hide: they are never reported and are redacted from the comment sent to AbuseIPDB
$server_ip = [ 'server_ip' ];
// categories to string match against (AbuseIPDB category id => keyword)
$categories = [
    '5'  => 'ftpd',
    '11' => 'email',
    '18' => 'brute-force',
    '21' => 'cpanel',
    '22' => 'ssh',
    '14' => 'port scan'
];
// default categories to tag in AbuseIPDB report
$cats = [ '18' ];

/* DO NOT EDIT BELOW (Unless you know what you're doing) */

// get command line arguments passed by lfd's BLOCK_REPORT hook:
// $argv[1] = blocked IP, $argv[6] = message, $argv[7] = matching log lines
$args = $argv;
$ips = $args[1] ?? '';
$msg = $args[6] ?? '';
$log = $args[7] ?? '';
if ($ips === '') {
    fwrite(STDERR, 'No IP address supplied' . PHP_EOL);
    exit(1);
}
// never report one of our own addresses
if (in_array($ips, $server_ip, true)) {
    echo 'Reported IP is this server, skipping' . PHP_EOL;
    exit;
}
// hide our own server IPs from the public report comment
$msg = str_replace($server_ip, '[server]', $msg);

// see if the message or logs include any of the keywords from categories
foreach ($categories as $id => $category) {
    if (stristr($log, $category) || stristr($msg, $category)) {
        $cats[] = $id;
    }
}
// drop duplicates (e.g. '18' matched again through the 'brute-force' keyword)
$cats = array_values(array_unique($cats));

// curl request function
function request($path, $method = 'GET', $data = []) {
    global $api_endpoint, $api_key;
    // set api url
    $url = $api_endpoint . $path;
    // open curl connection
    $ch = curl_init();
    // set the method and data to send
    if ($method == 'POST') {
        curl_setopt($ch, CURLOPT_POST, true);
        curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
    } else {
        $url .= '?' . http_build_query($data);
    }
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    // set the url to call
    curl_setopt($ch, CURLOPT_URL, $url);
    // set the AbuseIPDB API Key as a header
    curl_setopt($ch, CURLOPT_HTTPHEADER, [
        'Accept: application/json',
        'Key: ' . $api_key,
    ]);
    // execute curl call
    $result = curl_exec($ch);
    if ($result === false) {
        fwrite(STDERR, 'curl error: ' . curl_error($ch) . PHP_EOL);
        curl_close($ch);
        return null;
    }
    // close connection
    curl_close($ch);
    // return response as json object
    return json_decode($result);
}

// output data from lfd arguments
echo 'Remote IP: ' . $ips . PHP_EOL;
echo 'Message: ' . $msg . PHP_EOL;
echo 'Categories: ' . implode(', ', $cats) . PHP_EOL;

// check AbuseIPDB reports
$check = request('check', 'GET', [ 'ipAddress' => $ips, 'maxAgeInDays' => 1, 'verbose' => true ]);
if (!isset($check->data)) {
    fwrite(STDERR, 'AbuseIPDB check failed' . PHP_EOL);
    exit(1);
}
$reports = $check->data->reports ?? [];
// loop through reports to see if IP was previously reported by yourself
foreach ($reports as $report) {
    // stop script if IP already reported
    if ($report->reporterId == $user_id) {
        echo 'ALREADY REPORTED' . PHP_EOL;
        exit;
    }
}
echo 'IP Reported: ' . count($reports) . ' times.' . PHP_EOL;

// report new IP to AbuseIPDB
$publish = request('report', 'POST', [ 'ip' => $ips, 'categories' => implode(',', $cats), 'comment' => $msg ]);
// output reported IP and confidence score
if (isset($publish->data->abuseConfidenceScore)) {
    echo 'Reported IP: ' . $ips . '. Confidence Score: ' . $publish->data->abuseConfidenceScore . PHP_EOL;
} else {
    fwrite(STDERR, 'AbuseIPDB report failed' . PHP_EOL);
    exit(1);
}
@TomasHurtz commented Mar 3, 2020

Thanks - will try this... but two suggestions:

1. Close PHP:

line 108

die;
?>

2. Why not add after line 37

// exclude your own server from reports due to user error
// should never happen as CSF is good at avoiding this, however - still can check
if (in_array($ips, $server_ip)) { die("reported IP is this server!"); }

3. File permission 744 should be enough