Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
LFD Reporting Script using Abuse IP DB v2 API
#!/usr/local/bin/php
<?php
// AbuseIPDB API v2 Key
$api_key = 'xxx';
// AbuseIPDB API v2 Endpoint
$api_endpoint = 'https://api.abuseipdb.com/api/v2/';
// AbuseIPDB User ID
$user_id = 'yyy';
// Your Server IPs to hide
$server_ip = [ 'server_ip' ];
// categories to string match against
$categories = [
'5' => 'ftpd',
'11' => 'email',
'18' => 'brute-force',
'21' => 'cpanel',
'22' => 'ssh',
'14' => 'port scan'
];
// default categories to tag in AbuseIPDB report
$cats = [ '18' ];
/* DO NOT EDIT BELOW (Unless you know what you're doing) */
// get command line arguments
$args = $argv;
$msg = $args[6];
$log = $args[7];
$ips = $args[1];
// see if the message or logs include any of the keywords from categories
foreach ($categories as $id => $category) {
if (stristr($log, $category) || stristr($msg, $category)) {
$cats[] = $id;
}
}
// curl request function
function request($path, $method = 'GET', $data) {
global $api_endpoint, $api_key;
// set api url
$url = $api_endpoint . $path;
// open curl connection
$ch = curl_init();
// set the method and data to send
if ($method == 'POST') {
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
} else {
$url .= '?' . http_build_query($data);
}
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
// set the url to call
curl_setopt($ch, CURLOPT_URL, $url);
// set the AbuseIPDB API Key as a header
curl_setopt($ch, CURLOPT_HTTPHEADER, [
'Accept: application/json;',
'Key: ' . $api_key,
]);
// execute curl call
$result = curl_exec($ch);
// close connection
curl_close($ch);
// return response as json object
return json_decode($result);
}
// output data from lfd arguments
echo 'Remote IP: ' . $ips . PHP_EOL;
echo 'Message: ' . $msg . PHP_EOL;
echo 'Categories: ' . implode(', ', $cats) . PHP_EOL;
// check AbuseIPDB reports
$check = request('check', 'GET', [ 'ipAddress' => $ips, 'maxAgeInDays' => 1, 'verbose' => true ]);
// loop through reports to see if IP was previously reported by yourself
foreach ($check->data->reports as $report) {
// stop script if IP already reported
if ($report->reporterId == $user_id) {
echo 'ALREADY REPORTED' . PHP_EOL;
exit;
}
}
echo 'IP Reported: '. count($check->data->reports) .' times.' . PHP_EOL;
// report new IP to AbuseIPDB
$publish = request('report', 'POST', [ 'ip' => $ips, 'categories' => implode(',', $cats), 'comment' => $msg ]);
// output reported IP and confidence score
if (isset($publish) && isset($publish->data->abuseConfidenceScore)) {
echo 'Reported IP: '. $ips .'. Confidence Score: ' . $publish->data->abuseConfidenceScore . PHP_EOL;
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.