Security CSF Firewall Blocklist + AbuseIPDB API Integration

Discussion in 'System Administration' started by eva2000, Apr 2, 2023.

    Centmin Mod LEMP stack by default installs CSF Firewall, and for the past few days I've been working on an improved AbuseIPDB API integration with CSF Firewall with the help of ChatGPT AI. I have posted my abuseipdb-reporter.py Python script on Github. If you want the technical details of the Python script, jump to the credits section of the Github repo.

    Tailored for Centmin Mod LEMP stack based servers that install CSF Firewall by default, with a specific focus on data privacy and prevention of sensitive data being leaked to public AbuseIPDB database reports like at https://www.abuseipdb.com/check/58.142.69.205. Though technically it should work with any servers that use CSF Firewall.

    Based on the CSF Firewall and AbuseIPDB integration guide at https://www.abuseipdb.com/csf. However, the guide's provided Perl, Shell and Python scripts will all leak some private sensitive data about your servers in their default state in some situations, i.e. if you enable CSF Cluster mode, your CSF Cluster members' real IP addresses are leaked. The abuseipdb-reporter.py Python script I created will privacy mask all sensitive info like usernames, Linux users and CSF Cluster mode members' real IP addresses, and will also detect and mask any registered server public IP addresses.

    Example of DEBUG = True debug mode with JSON_LOG_FORMAT = False saved log file entries at /var/log/abuseipdb-reporter-debug.log

    Data logging of the processed data that AbuseIPDB will receive (DEBUG MODE: data intended to be sent to AbuseIPDB) + also a raw copy of the data passed from CSF (DEBUG MODE: CSF passed data not sent to AbuseIPDB) so you can compare the two:
    Code (Text):
    cat /var/log/abuseipdb-reporter-debug.log
    
    ############################################################################
    Version: 0.2.0
    DEBUG MODE: data intended to be sent to AbuseIPDB
    URL: https://api.abuseipdb.com/api/v2/report
    Headers: {"Accept":"application/json","Key":"YOUR_API_KEY"}
    IP: 147.182.171.152
    IPencoded: 147.182.171.152
    Categories: 22
    Comment: (sshd) Failed SSH login from 147.182.171.152 (US/United States/-): 5 in the last 3600 secs; Ports: *; Direction: inout; Trigger: LF_SSHD; Logs: Mar 31 22:48:39 sshd[655144]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=147.182.171.152  user=[USERNAME]
    Mar 31 22:48:41 sshd[655144]: Failed password for [USERNAME] from 147.182.171.152 port 34306 ssh2
    Mar 31 22:51:24 sshd[655193]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=147.182.171.152  user=[USERNAME]
    Mar 31 22:51:26 sshd[655193]: Failed password for [USERNAME] from 147.182.171.152 port 45160 ssh2
    Mar 31 22:52:30 sshd[655208]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=147.182.171.152  user=[USERNAME]
    ---------------------------------------------------------------------------
    DEBUG MODE: CSF passed data not sent to AbuseIPDB
    Ports: *
    In/Out: inout
    Message: (sshd) Failed SSH login from 147.182.171.152 (US/United States/-): 5 in the last 3600 secs
    Logs: Mar 31 22:48:39 hostname sshd[655144]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=147.182.171.152  user=root
    Mar 31 22:48:41 hostname sshd[655144]: Failed password for root from 147.182.171.152 port 34306 ssh2
    Mar 31 22:51:24 hostname sshd[655193]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=147.182.171.152  user=root
    Mar 31 22:51:26 hostname sshd[655193]: Failed password for root from 147.182.171.152 port 45160 ssh2
    Mar 31 22:52:30 hostname sshd[655208]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=147.182.171.152  user=root
    
    Trigger: LF_SSHD
    ############################################################################
    --------
    

    So CSF passed raw data for the hostname and 147.182.171.152, but the script will remove the lfd.log 4th field (the hostname) when sending to AbuseIPDB.

    For folks using CSF Cluster Mode, the abuseipdb-reporter.py script will also privacy mask your Cluster members IP addresses. Example in DEBUG = True mode logging:
    Code (Text):
    cat /var/log/abuseipdb-reporter-debug.log
    
    ############################################################################
    Version: 0.1.0
    DEBUG MODE: data intended to be sent to AbuseIPDB
    URL: https://api.abuseipdb.com/api/v2/report
    Headers: {'Accept': 'application/json', 'Key': 'YOUR_API_KEY'}
    IP: 49.212.187.208
    Categories: 14
    Comment:  DENY 49.212.187.208, Reason:[(sshd) Failed SSH login from 49.212.187.208 (JP/Japan/os3-301-40454.vs.sakura.ne.jp): 5 in the last 3600 secs]; Ports: *; Direction: inout; Trigger: LF_CLUSTER; Logs:
    ---------------------------------------------------------------------------
    DEBUG MODE: CSF passed data not sent to AbuseIPDB
    Ports: *
    In/Out: inout
    Message: Cluster member 45.xxx.xxx.xxx (US/United States/-) said, DENY 49.212.187.208, Reason:[(sshd) Failed SSH login from 49.212.187.208 (JP/Japan/os3-301-40454.vs.sakura.ne.jp): 5 in the last 3600 secs]
    Logs: 
    Trigger: LF_CLUSTER
    ############################################################################
    --------
    

    The CSF passed data also reveals your Cluster member's real IP address 45.xxx.xxx.xxx. The abuseipdb-reporter.py script will remove that and the full line "Cluster member 45.xxx.xxx.xxx (US/United States/-) said," from the data intended to be sent to AbuseIPDB, so it doesn't reveal your CSF Cluster member IP addresses.

    For AbuseIPDB API submissions of CSF Firewall LFD actions, you need to set DEBUG = False and then you can inspect the relevant logs.

    When JSON_LOG_FORMAT = False is set

    From the DEFAULT_APILOG_FILE = '/var/log/abuseipdb-reporter-api.log' defined non-JSON formatted log:

    When the API Response returns an abuseConfidenceScore, that means the submission went through.
    Code (Text):
    ############################################################################
    Version: 0.2.1
    API Request Sent:
    URL: https://api.abuseipdb.com/api/v2/report
    Headers: {'Accept': 'application/json', 'Key': 'MYKEY'}
    IP: 178.xxx.xxx.xxx
    IPencoded: 178.xxx.xxx.xxx
    Categories: 14
    Comment:  DENY 178.xxx.xxx.xxx, Reason:[(sshd) Failed SSH login from 178.xxx.xxx.xxx (GB/United Kingdom/-): 5 in the last 3600 secs]; Ports: *; Direction: inout; Trigger: LF_CLUSTER; Logs:
    API Response: {
      "data": {
       "ipAddress": "178.xxx.xxx.xxx",
       "abuseConfidenceScore": 100
      }
    }
    ############################################################################
    --------
    

    Full details are on Github. :D


    Folks might find this useful like @Matt @Chris @pamamolf @rdan @buik @BamaStangGuy @deltahf @cloud9 @Tracy Perry @Rake-GH @wmtech @brijendrasial @duderuud @happyhacking @fly @jcat
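As an added example that is not the abuseipdb-reporter.py script from this post or its Github repo, the masking steps the post describes (drop the syslog hostname field, mask usernames, strip the "Cluster member ... said," prefix, mask the server's own public IPs) implemented in Python over constructed sample lines. The SERVER_IPS list, the sample log lines and the 1024-character comment cap are assumptions; only the report fields (ip, categories, comment), the comment layout and the category values are taken from the debug output shown above.

```python
import re

# Assumption: the script in the post discovers the server's own public IPs at
# runtime; here they are a constructed list so the example runs offline.
SERVER_IPS = ["203.0.113.10"]

# Constructed sample of the raw data CSF/lfd hands a BLOCK_REPORT script (the
# "CSF passed data" half of the debug log above); not real traffic.
SAMPLE_LOGS = "\n".join([
    "Mar 31 22:48:39 hostname sshd[655144]: pam_unix(sshd:auth): authentication failure; "
    "logname= uid=0 euid=0 tty=ssh ruser= rhost=147.182.171.152  user=root",
    "Mar 31 22:48:41 hostname sshd[655144]: Failed password for root from 147.182.171.152 port 34306 ssh2",
    "Mar 31 22:51:24 hostname sshd[655193]: Invalid user admin from 147.182.171.152 port 45160",
    "Mar 31 22:51:26 hostname sshd[655193]: Connection from 147.182.171.152 port 45160 on 203.0.113.10 port 22",
])
SAMPLE_CLUSTER_MSG = (
    "Cluster member 45.xxx.xxx.xxx (US/United States/-) said, DENY 49.212.187.208, "
    "Reason:[(sshd) Failed SSH login from 49.212.187.208 (JP/Japan/-): 5 in the last 3600 secs]"
)

# Syslog prefix "Mon DD HH:MM:SS <hostname> <rest>": the hostname is the 4th field.
_SYSLOG_HOST = re.compile(r"^([A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) \S+ (.*)$")
# "user=root" from pam_unix, but never the empty "ruser=" field before it.
_USER_EQ = re.compile(r"(?<![A-Za-z])user=\S*")
# "Failed password for root", "Failed password for invalid user admin", "Invalid user admin".
_USER_FOR = re.compile(r"(Failed password for (?:invalid user )?|Invalid user )\S+")
# The prefix lfd adds when relaying a CSF Cluster member's block.
_CLUSTER_PREFIX = re.compile(r"^Cluster member \S+ \([^)]*\) said, ")


def strip_hostname(line: str) -> str:
    """Remove the syslog hostname field; leave non-syslog lines untouched."""
    m = _SYSLOG_HOST.match(line)
    return f"{m.group(1)} {m.group(2)}" if m else line


def mask_usernames(line: str) -> str:
    """Replace local account names in the common sshd/pam_unix message shapes."""
    line = _USER_EQ.sub("user=[USERNAME]", line)
    return _USER_FOR.sub(r"\1[USERNAME]", line)


def mask_server_ips(text: str, server_ips=SERVER_IPS) -> str:
    """Mask this server's own addresses without touching the reported attacker IP."""
    for ip in server_ips:
        text = re.sub(r"(?<!\d)" + re.escape(ip) + r"(?!\d)", "[SERVER_IP]", text)
    return text


def sanitize_logs(logs: str) -> str:
    """Apply all three log-line masks; empty input (e.g. LF_CLUSTER) yields ''."""
    return "\n".join(
        mask_server_ips(mask_usernames(strip_hostname(line)))
        for line in logs.splitlines() if line.strip()
    )


def sanitize_message(message: str) -> str:
    """Drop the cluster-member prefix and mask our own IPs in the lfd message."""
    return mask_server_ips(_CLUSTER_PREFIX.sub("", message))


def build_report(ip, categories, message, ports, inout, trigger, logs, max_comment=1024):
    """Return the form fields for POST /api/v2/report in the comment layout the
    debug log above shows. max_comment is an assumed conservative length cap."""
    comment = (f"{sanitize_message(message)}; Ports: {ports}; Direction: {inout}; "
               f"Trigger: {trigger}; Logs: {sanitize_logs(logs)}")
    return {"ip": ip, "categories": categories, "comment": comment[:max_comment]}


if __name__ == "__main__":
    report = build_report(
        "147.182.171.152", "22",
        "(sshd) Failed SSH login from 147.182.171.152 (US/United States/-): 5 in the last 3600 secs",
        "*", "inout", "LF_SSHD", SAMPLE_LOGS,
    )
    print(report["comment"])
    print(sanitize_message(SAMPLE_CLUSTER_MSG))
```

To actually submit, the returned dict would be POSTed as form data to https://api.abuseipdb.com/api/v2/report with the `Key` and `Accept: application/json` headers shown in the debug log. As the post does, run it in a debug/dry-run mode first and diff the sanitized comment against the raw CSF data before letting it report: any new log line shape (a different PAM module, a web server log) needs its own mask rule or it will leak unchanged.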