
Security CSF Firewall Blocklist + AbuseIPDB API Integration

Discussion in 'System Administration' started by eva2000, Apr 2, 2023.

  1. eva2000

    eva2000 Administrator Staff Member

    Centmin Mod LEMP stack by default installs CSF Firewall, and for the past few days I've been working on an improved AbuseIPDB API integration with CSF Firewall with the help of ChatGPT AI. I have posted my abuseipdb-reporter.py Python script on Github. If you want the technical details of the Python script, jump to the credits section of the Github repo.

    Tailored for Centmin Mod LEMP stack based servers that install CSF Firewall by default, with a specific focus on data privacy and prevention of sensitive data being leaked to public AbuseIPDB database reports like at https://www.abuseipdb.com/check/58.142.69.205. Though technically it should work with any servers that use CSF Firewall.

    Based on the CSF Firewall and AbuseIPDB integration guide at https://www.abuseipdb.com/csf. However, the guide's provided Perl, Shell and Python scripts will all leak some private sensitive data about your servers in their default state for some situations, i.e. if you enable CSF Cluster mode, your CSF Cluster members' real IP addresses are leaked. The abuseipdb-reporter.py Python script I created will privacy mask all sensitive info like usernames, Linux users, CSF Cluster mode members' real IP addresses and also detect and mask any registered server public IP addresses.

    Example of DEBUG = True debug mode with JSON_LOG_FORMAT = False saved log file entries at /var/log/abuseipdb-reporter-debug.log


    Data logging of processed data that AbuseIPDB will receive (DEBUG MODE: data intended to be sent to AbuseIPDB) + also a raw copy of data passed from CSF (DEBUG MODE: CSF passed data not sent to AbuseIPDB) so you can compare the two:
    Code (Text):
    cat /var/log/abuseipdb-reporter-debug.log
    
    ############################################################################
    Version: 0.2.0
    DEBUG MODE: data intended to be sent to AbuseIPDB
    URL: https://api.abuseipdb.com/api/v2/report
    Headers: {"Accept":"application/json","Key":"YOUR_API_KEY"}
    IP: 147.182.171.152
    IPencoded: 147.182.171.152
    Categories: 22
    Comment: (sshd) Failed SSH login from 147.182.171.152 (US/United States/-): 5 in the last 3600 secs; Ports: *; Direction: inout; Trigger: LF_SSHD; Logs: Mar 31 22:48:39 sshd[655144]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=147.182.171.152  user=[USERNAME]
    Mar 31 22:48:41 sshd[655144]: Failed password for [USERNAME] from 147.182.171.152 port 34306 ssh2
    Mar 31 22:51:24 sshd[655193]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=147.182.171.152  user=[USERNAME]
    Mar 31 22:51:26 sshd[655193]: Failed password for [USERNAME] from 147.182.171.152 port 45160 ssh2
    Mar 31 22:52:30 sshd[655208]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=147.182.171.152  user=[USERNAME]
    ---------------------------------------------------------------------------
    DEBUG MODE: CSF passed data not sent to AbuseIPDB
    Ports: *
    In/Out: inout
    Message: (sshd) Failed SSH login from 147.182.171.152 (US/United States/-): 5 in the last 3600 secs
    Logs: Mar 31 22:48:39 hostname sshd[655144]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=147.182.171.152  user=root
    Mar 31 22:48:41 hostname sshd[655144]: Failed password for root from 147.182.171.152 port 34306 ssh2
    Mar 31 22:51:24 hostname sshd[655193]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=147.182.171.152  user=root
    Mar 31 22:51:26 hostname sshd[655193]: Failed password for root from 147.182.171.152 port 45160 ssh2
    Mar 31 22:52:30 hostname sshd[655208]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=147.182.171.152  user=root
    
    Trigger: LF_SSHD
    ############################################################################
    --------
    

    So CSF passed raw data for hostname and 147.182.171.152, but the script will remove the lfd.log 4th field for hostname when sending to AbuseIPDB.

    For folks using CSF Cluster Mode, the abuseipdb-reporter.py script will also privacy mask your Cluster members' IP addresses. Example in DEBUG = True mode logging:
    Code (Text):
    cat /var/log/abuseipdb-reporter-debug.log
    
    ############################################################################
    Version: 0.1.0
    DEBUG MODE: data intended to be sent to AbuseIPDB
    URL: https://api.abuseipdb.com/api/v2/report
    Headers: {'Accept': 'application/json', 'Key': 'YOUR_API_KEY'}
    IP: 49.212.187.208
    Categories: 14
    Comment:  DENY 49.212.187.208, Reason:[(sshd) Failed SSH login from 49.212.187.208 (JP/Japan/os3-301-40454.vs.sakura.ne.jp): 5 in the last 3600 secs]; Ports: *; Direction: inout; Trigger: LF_CLUSTER; Logs:
    ---------------------------------------------------------------------------
    DEBUG MODE: CSF passed data not sent to AbuseIPDB
    Ports: *
    In/Out: inout
    Message: Cluster member 45.xxx.xxx.xxx (US/United States/-) said, DENY 49.212.187.208, Reason:[(sshd) Failed SSH login from 49.212.187.208 (JP/Japan/os3-301-40454.vs.sakura.ne.jp): 5 in the last 3600 secs]
    Logs: 
    Trigger: LF_CLUSTER
    ############################################################################
    --------
    

    The CSF passed data also reveals your Cluster member's real IP address 45.xxx.xxx.xxx. The abuseipdb-reporter.py script will remove that and the full line Cluster member 45.xxx.xxx.xxx (US/United States/-) said, from the data intended to be sent to AbuseIPDB so it doesn't reveal your CSF Cluster member IP addresses.

    For AbuseIPDB API submissions of CSF Firewall LFD actions, you need to set DEBUG = False and then you can inspect the relevant logs.

    When JSON_LOG_FORMAT = False is set:

    From the DEFAULT_APILOG_FILE = '/var/log/abuseipdb-reporter-api.log' defined non-JSON formatted log:

    When the API Response returns an abuseConfidenceScore, that means the submission went through.
    Code (Text):
    ############################################################################
    Version: 0.2.1
    API Request Sent:
    URL: https://api.abuseipdb.com/api/v2/report
    Headers: {'Accept': 'application/json', 'Key': 'MYKEY'}
    IP: 178.xxx.xxx.xxx
    IPencoded: 178.xxx.xxx.xxx
    Categories: 14
    Comment:  DENY 178.xxx.xxx.xxx, Reason:[(sshd) Failed SSH login from 178.xxx.xxx.xxx (GB/United Kingdom/-): 5 in the last 3600 secs]; Ports: *; Direction: inout; Trigger: LF_CLUSTER; Logs:
    API Response: {
      "data": {
       "ipAddress": "178.xxx.xxx.xxx",
       "abuseConfidenceScore": 100
      }
    }
    ############################################################################
    --------
    

    Full details are on Github. :D

    Folks might find this useful like @Matt @Chris @pamamolf @rdan @buik @BamaStangGuy @deltahf @cloud9 @Tracy Perry @Rake-GH @wmtech @brijendrasial @duderuud @happyhacking @fly @jcat
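    To illustrate the masking described above (hostname 4th field dropped, account names replaced with [USERNAME], the "Cluster member ... said," prefix removed, and registered server IPs masked), here is an added stand-alone Python example. It is not the abuseipdb-reporter.py script from the repo; the sample CSF data, the SERVER_IPS list and the [SERVER_IP] placeholder are constructed assumptions for the demo.

```python
import re

# Constructed sample of what CSF hands to the reporter in cluster mode and for a
# local LF_SSHD trigger; values mirror the debug log above but are not from a live server.
RAW_CLUSTER_MESSAGE = (
    "Cluster member 45.0.0.1 (US/United States/-) said, DENY 49.212.187.208, "
    "Reason:[(sshd) Failed SSH login from 49.212.187.208 (JP/Japan/-): 5 in the last 3600 secs]"
)
RAW_LOGS = (
    "Mar 31 22:48:39 hostname sshd[655144]: pam_unix(sshd:auth): authentication failure; "
    "logname= uid=0 euid=0 tty=ssh ruser= rhost=147.182.171.152  user=root\n"
    "Mar 31 22:48:41 hostname sshd[655144]: Failed password for root from 147.182.171.152 port 34306 ssh2"
)
# Assumption: the operator registers the server's own public IPs so they can be masked too.
SERVER_IPS = ["203.0.113.10"]

CLUSTER_PREFIX = re.compile(r"^Cluster member \S+ \([^)]*\) said, ")
HOST_FIELD = re.compile(r"^(\S+\s+\S+\s+\S+\s+)\S+\s+")   # syslog month/day/time, then hostname
USER_EQ = re.compile(r"\buser=\S+")                         # pam_unix "user=<name>" (not "ruser=")
FAILED_FOR = re.compile(r"Failed password for (invalid user )?\S+ from")


def mask_message(message):
    """Drop the 'Cluster member <ip> (...) said, ' prefix so member IPs never leave the server."""
    return CLUSTER_PREFIX.sub("", message)


def mask_log_line(line):
    """Remove the 4th (hostname) field of an lfd.log line and replace account names."""
    line = HOST_FIELD.sub(r"\1", line, count=1)
    line = USER_EQ.sub("user=[USERNAME]", line)
    return FAILED_FOR.sub(lambda m: "Failed password for %s[USERNAME] from" % (m.group(1) or ""), line)


def mask_server_ips(text, server_ips):
    """Replace any registered public IP of this server with a placeholder (whole-IP matches only)."""
    for ip in server_ips:
        text = re.sub(r"\b%s\b" % re.escape(ip), "[SERVER_IP]", text)
    return text


def build_comment(message, ports, direction, trigger, logs, server_ips=SERVER_IPS):
    """Assemble the AbuseIPDB comment in the same layout as the debug log, from masked parts."""
    masked_logs = "\n".join(mask_log_line(l) for l in logs.splitlines())
    comment = "%s; Ports: %s; Direction: %s; Trigger: %s; Logs: %s" % (
        mask_message(message), ports, direction, trigger, masked_logs)
    return mask_server_ips(comment, server_ips)
```

    Compare build_comment() output against the raw CSF data before switching DEBUG off, the same way the two debug log sections are compared above.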
     
  2. Kintaro

    Kintaro Member

  3. eva2000

    eva2000 Administrator Staff Member

    Will help somewhat only for "2. Integrating AbuseIPDB Blocklist Into CSF Firewall" part for using /etc/csf/csf.blocklist feature in CSF Firewall mentioned at https://github.com/centminmod/centminmod-abuseipdb-reporter. The rest won't as that is for reporting CSF Firewall logged banned IPs to AbuseIPDB database - which will help other folks using the /etc/csf/csf.blocklist feature in CSF Firewall as well.

    But for other DDOS attacks, you would probably need Cloudflare. If you're using non-Enterprise Cloudflare plans, for non-apex domains you can use Cloudflare for SaaS https://developers.cloudflare.com/cloudflare-for-platforms/cloudflare-for-saas/ to extend Cloudflare service/product coverage to a non-Cloudflare domain, i.e. sub.domain.com, without changing nameservers on sub.domain.com. If you have a Cloudflare Enterprise plan, you can also extend Cloudflare service/product coverage to apex domains, i.e. domain.com, not using Cloudflare nameservers.