@niraj-shah
Last active March 25, 2024 00:30
LFD Reporting Script using Abuse IP DB v2 API
#!/usr/local/bin/php
<?php
// AbuseIPDB API v2 Key
$api_key = 'xxx';
// AbuseIPDB API v2 Endpoint
$api_endpoint = 'https://api.abuseipdb.com/api/v2/';
// AbuseIPDB User ID (used to detect reports you already filed)
$user_id = 'yyy';
// Your Server IPs to hide
$server_ip = [ 'server_ip' ];
// categories to string match against (key = AbuseIPDB category id)
$categories = [
    '5'  => 'ftpd',
    '11' => 'email',
    '18' => 'brute-force',
    '21' => 'cpanel',
    '22' => 'ssh',
    '14' => 'port scan'
];
// default categories to tag in AbuseIPDB report
$cats = [ '18' ];

/* DO NOT EDIT BELOW (Unless you know what you're doing) */

// get command line arguments as passed by lfd BLOCK_REPORT:
// $argv[1] = blocked IP, $argv[6] = lfd message, $argv[7] = matching log lines
$args = $argv;
$ips = $args[1] ?? '';
$msg = $args[6] ?? '';
$log = $args[7] ?? '';

// see if the message or logs include any of the keywords from categories
foreach ($categories as $id => $category) {
    if (stristr($log, $category) || stristr($msg, $category)) {
        $cats[] = $id;
    }
}
// the default category can be matched a second time; send each id once
$cats = array_values(array_unique($cats));

// curl request function
// ($data defaults to [] so that the optional $method does not precede a
//  required parameter, which PHP 8 rejects)
function request($path, $method = 'GET', $data = []) {
    global $api_endpoint, $api_key;
    // set api url
    $url = $api_endpoint . $path;
    // open curl connection
    $ch = curl_init();
    // set the method and data to send
    if ($method == 'POST') {
        curl_setopt($ch, CURLOPT_POST, true);
        curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
    } else {
        $url .= '?' . http_build_query($data);
    }
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    // set the url to call
    curl_setopt($ch, CURLOPT_URL, $url);
    // set the AbuseIPDB API Key as a header
    curl_setopt($ch, CURLOPT_HTTPHEADER, [
        'Accept: application/json',
        'Key: ' . $api_key,
    ]);
    // execute curl call
    $result = curl_exec($ch);
    // close connection
    curl_close($ch);
    // return response as json object (null if the request failed or the body was not JSON)
    return $result === false ? null : json_decode($result);
}

// output data from lfd arguments
echo 'Remote IP: ' . $ips . PHP_EOL;
echo 'Message: ' . $msg . PHP_EOL;
echo 'Categories: ' . implode(', ', $cats) . PHP_EOL;

// check AbuseIPDB reports
$check = request('check', 'GET', [ 'ipAddress' => $ips, 'maxAgeInDays' => 1, 'verbose' => true ]);
// a failed check (network error, bad key, rate limit) has no data->reports; do not crash on it
$reports = $check->data->reports ?? [];
// loop through reports to see if IP was previously reported by yourself
foreach ($reports as $report) {
    // stop script if IP already reported
    if ($report->reporterId == $user_id) {
        echo 'ALREADY REPORTED' . PHP_EOL;
        exit;
    }
}
echo 'IP Reported: ' . count($reports) . ' times.' . PHP_EOL;

// report new IP to AbuseIPDB
$publish = request('report', 'POST', [ 'ip' => $ips, 'categories' => implode(',', $cats), 'comment' => $msg ]);
// output reported IP and confidence score
if (isset($publish->data->abuseConfidenceScore)) {
    echo 'Reported IP: ' . $ips . '. Confidence Score: ' . $publish->data->abuseConfidenceScore . PHP_EOL;
} elseif (isset($publish->errors)) {
    // AbuseIPDB returns an "errors" array when a report is rejected
    echo 'Report failed: ' . json_encode($publish->errors) . PHP_EOL;
}
@TomasHurtz

TomasHurtz commented Mar 3, 2020

Thanks - will try this... but two suggestions:

  1. Close PHP:

line 108

die;
?>

  2. Why not add after line 37

// exclude your own server from reports due to user error
// should never happen as CSF is good at avoiding this, however - still can check
// ($server_ip is an array, so the check has to use in_array(), not ==)
if (in_array($ips, $server_ip, true)) { die("reported IP is this server!"); }

  3. File permission 744 should be enough

@solaceten

solaceten commented Mar 25, 2024

This is good, thanks @niraj-shah

How could we implement better privacy and redact the hostname that sometimes gets shown in the abuseipdb reports?

For example:

61.72.22.177 (KR/South Korea/-), 10 distributed smtpauth attacks on account [ mailer-daemon@ theuserdomain .net ] in the last 3600 secs;

Would be good if we can show [redacted] or something? Suggestion - see this
https://github.com/centminmod/centminmod-abuseipdb-reporter/blob/master/abuseipdb-reporter.py
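One way to cover both suggestions in this thread (skipping the server's own IPs before reporting, and redacting the account and hostname that lfd puts into the message so they do not end up in the public AbuseIPDB comment), as an added example that is not part of the gist; it assumes the gist's `$server_ip` array, and the function names `redact_message` and `is_own_ip` are chosen here:

```php
<?php
// Added example, not code from the original gist. Reuses the gist's $server_ip
// array; redact_message() and is_own_ip() are names chosen for this example.

// Remove e-mail addresses, hostnames and this server's own IPs/hostname from an
// lfd message before it is sent as the public AbuseIPDB report comment.
// IPv4 addresses (the attacker's IP) are deliberately left in place.
function redact_message(string $msg, array $server_ips): string {
    // e-mail addresses, including the spaced form lfd prints
    // ("mailer-daemon@ theuserdomain .net")
    $msg = preg_replace('/[A-Za-z0-9._%+-]+@\s*[A-Za-z0-9.-]+\s*\.\s*[A-Za-z]{2,}/', '[redacted]', $msg);
    // this server's own IPs and hostname
    $own = $server_ips;
    $hostname = gethostname();
    if ($hostname !== false && $hostname !== '') {
        $own[] = $hostname;
    }
    $msg = str_ireplace($own, '[redacted]', $msg);
    // any remaining dotted hostname (mail.example.net), but not an IPv4 address
    $msg = preg_replace('/\b(?!(?:\d{1,3}\.){3}\d{1,3}\b)[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}\b/', '[redacted]', $msg);
    return $msg;
}

// Skip reporting entirely when lfd hands us one of our own addresses
// (TomasHurtz's check, written with in_array() because $server_ip is an array).
function is_own_ip(string $ip, array $server_ips): bool {
    return in_array($ip, $server_ips, true);
}

// Constructed sample: the message quoted in the comment above and a
// placeholder (documentation-range) server IP.
$server_ip = ['203.0.113.10'];
$sample = '61.72.22.177 (KR/South Korea/-), 10 distributed smtpauth attacks on account '
        . '[ mailer-daemon@ theuserdomain .net ] in the last 3600 secs;';
if (!is_own_ip('61.72.22.177', $server_ip)) {
    echo redact_message($sample, $server_ip) . PHP_EOL;
}
```

In the gist itself, test `is_own_ip($ips, $server_ip)` right after the arguments are read, and pass `redact_message($msg, $server_ip)` as the `comment` field of the report request instead of the raw `$msg`.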