Security CSF Firewall Blocklist + AbuseIPDB API Integration

eva2000 · Apr 2, 2023

Centmin Mod LEMP stack by default installs CSF Firewall and for past few days I've been working on an improved AbuseIPDB API integration with CSF Firewall with the help of ChatGPT AI that I have posted my abuseipdb-reporter.py Python script on Github. If you want the technical details of the Python script jump to the credits section of Github repo.

Tailored for Centmin Mod LEMP stack based servers that install CSF Firewall by default with a specific focus on data privacy and prevention of sensitive data leaked to public AbuseIPDB database reports like at https://www.abuseipdb.com/check/58.142.69.205. Though technically should work with any servers that use CSF Firewall.

Based on CSF Firewall and AbuseIPDB integration guide at https://www.abuseipdb.com/csf. However, the guides' provided Perl, Shell and Python scripts will all leak some private sensitive data about your servers in their default state for some situations, i.e. if you enable CSF Cluster mode, your CSF Cluster members' real IP addresses are leaked. The abuseipdb-reporter.py python script I created will privacy mask all sensitive info like usernames, Linux users, CSF Cluster mode members' real IP addresses and also detect and mask any registered server public IP addresses.

Example of DEBUG = True debug mode with JSON_LOG_FORMAT = False saved log file entries at /var/log/abuseipdb-reporter-debug.log

Data logging of processed data that AbuseIPDB will receive (DEBUG MODE: data intended to be sent to AbuseIPDB) + also a raw copy of data passed from CSF (DEBUG MODE: CSF passed data not sent to AbuseIPDB) so can compare the two:
Code (Text):
cat /var/log/abuseipdb-reporter-debug.log

############################################################################
Version: 0.2.0
DEBUG MODE: data intended to be sent to AbuseIPDB
URL: https://api.abuseipdb.com/api/v2/report
Headers: {"Accept":"application/json","Key":"YOUR_API_KEY"}
IP: 147.182.171.152
IPencoded: 147.182.171.152
Categories: 22
Comment: (sshd) Failed SSH login from 147.182.171.152 (US/United States/-): 5 in the last 3600 secs; Ports: *; Direction: inout; Trigger: LF_SSHD; Logs: Mar 31 22:48:39 sshd[655144]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=147.182.171.152  user=[USERNAME]
Mar 31 22:48:41 sshd[655144]: Failed password for [USERNAME] from 147.182.171.152 port 34306 ssh2
Mar 31 22:51:24 sshd[655193]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=147.182.171.152  user=[USERNAME]
Mar 31 22:51:26 sshd[655193]: Failed password for [USERNAME] from 147.182.171.152 port 45160 ssh2
Mar 31 22:52:30 sshd[655208]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=147.182.171.152  user=[USERNAME]
---------------------------------------------------------------------------
DEBUG MODE: CSF passed data not sent to AbuseIPDB
Ports: *
In/Out: inout
Message: (sshd) Failed SSH login from 147.182.171.152 (US/United States/-): 5 in the last 3600 secs
Logs: Mar 31 22:48:39 hostname sshd[655144]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=147.182.171.152  user=root
Mar 31 22:48:41 hostname sshd[655144]: Failed password for root from 147.182.171.152 port 34306 ssh2
Mar 31 22:51:24 hostname sshd[655193]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=147.182.171.152  user=root
Mar 31 22:51:26 hostname sshd[655193]: Failed password for root from 147.182.171.152 port 45160 ssh2
Mar 31 22:52:30 hostname sshd[655208]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=147.182.171.152  user=root

Trigger: LF_SSHD
############################################################################
--------
So CSF passed raw data for hostname and 147.182.171.152 but script will remove the lfd.log 4th field for hostname when sending to AbuseIPDB.

For folks using CSF Cluster Mode, the abuseipdb-reporter.py script will also privacy mask your Cluster members IP addresses. Example in DEBUG = True mode logging:
Code (Text):
cat /var/log/abuseipdb-reporter-debug.log

############################################################################
Version: 0.1.0
DEBUG MODE: data intended to be sent to AbuseIPDB
URL: https://api.abuseipdb.com/api/v2/report
Headers: {'Accept': 'application/json', 'Key': 'YOUR_API_KEY'}
IP: 49.212.187.208
Categories: 14
Comment:  DENY 49.212.187.208, Reason:[(sshd) Failed SSH login from 49.212.187.208 (JP/Japan/os3-301-40454.vs.sakura.ne.jp): 5 in the last 3600 secs]; Ports: *; Direction: inout; Trigger: LF_CLUSTER; Logs:
---------------------------------------------------------------------------
DEBUG MODE: CSF passed data not sent to AbuseIPDB
Ports: *
In/Out: inout
Message: Cluster member 45.xxx.xxx.xxx (US/United States/-) said, DENY 49.212.187.208, Reason:[(sshd) Failed SSH login from 49.212.187.208 (JP/Japan/os3-301-40454.vs.sakura.ne.jp): 5 in the last 3600 secs]
Logs: 
Trigger: LF_CLUSTER
############################################################################
--------
The CSF passed data also reveals your Cluster member's real IP address 45.xxx.xxx.xxx. The abuseipdb-reporter.py script will remove that and the full line Cluster member 45.xxx.xxx.xxx (US/United States/-) said, from the data intended to be sent to AbuseIPDB so it doesn't reveal your CSF Cluster member IP addresses.

For AbuseIPDB API submissions of CSF Firewall LFD actions, you need to set DEBUG = False and then you can inspect the relevant logs.

When JSON_LOG_FORMAT = False set

From DEFAULT_APILOG_FILE = '/var/log/abuseipdb-reporter-api.log' defined non-JSON formattted log:

When API Response returned abuseConfidenceScore score, that means submission went through.
Code (Text):
############################################################################
Version: 0.2.1
API Request Sent:
URL: https://api.abuseipdb.com/api/v2/report
Headers: {'Accept': 'application/json', 'Key': 'MYKEY'}
IP: 178.xxx.xxx.xxx
IPencoded: 178.xxx.xxx.xxx
Categories: 14
Comment:  DENY 178.xxx.xxx.xxx, Reason:[(sshd) Failed SSH login from 178.xxx.xxx.xxx (GB/United Kingdom/-): 5 in the last 3600 secs]; Ports: *; Direction: inout; Trigger: LF_CLUSTER; Logs:
API Response: {
  "data": {
   "ipAddress": "178.xxx.xxx.xxx",
   "abuseConfidenceScore": 100
  }
}
############################################################################
--------
Full details are on Github.

Folks might find this useful like @Matt @Chris @pamamolf @rdan @buik @BamaStangGuy @deltahf @cloud9 @Tracy Perry @Rake-GH @wmtech @brijendrasial @duderuud @happyhacking @fly @jcat

Kintaro · Nov 18, 2023

can this help me with this? https://community.centminmod.com/threads/anti-ddos-without-cloudflare.24257/

eva2000 · Nov 18, 2023

Kintaro said: ↑

can this help me with this? https://community.centminmod.com/threads/anti-ddos-without-cloudflare.24257/
Click to expand...

Will help somewhat only for "2. Integrating AbuseIPDB Blocklist Into CSF Firewall" part for using /etc/csf/csf.blocklist feature in CSF Firewall mentioned at https://github.com/centminmod/centminmod-abuseipdb-reporter. The rest won't as that is for reporting CSF Firewall logged banned IPs to AbuseIPDB database - which will help other folks using the /etc/csf/csf.blocklist feature in CSF Firewall as well.

But for other DDOS attacks, probably would need Cloudflare. If you're using non Cloudflare Enterprise plans, for non-apex domains, you can use Cloudflare for SaaS https://developers.cloudflare.com/cloudflare-for-platforms/cloudflare-for-saas/ to extend Cloudflare service/product coverage for a non-Cloudflare domain i.e. sub.domain.com , without changing nameservers on sub.domain.com. If you have Cloudflare Enterprise plan, you can also extend Cloudflare service/product coverage to apex domains i.e. domain.com not using Cloudflare namservers.

Cloudflare for SaaS
Cloudflare for SaaS allows you to extend the security and performance benefits of Cloudflare’s network to your customers via their own custom or vanity domains.

As a SaaS provider, you may want to support subdomains under your own zone in addition to letting your customers use their own domain names with your services. For example, a customer may want to use their vanity domain app.customer.com to point to an application hosted on your Cloudflare zone service.saas.com. Cloudflare for SaaS allows you to increase security, performance, and reliability of your customers’ domains.

non-contract service, which provides full access, free of metered usage fees, limits, and certain other restrictions.

Benefits
When you use Cloudflare for SaaS, it helps you to:

Provide custom domain support.

Keep your customers’ traffic encrypted.

Keep your customers online.

Facilitate fast load times of your customers’ domains.

Gain insight through traffic analytics.

Limitations
If your customers already have their applications on Cloudflare, they cannot control some Cloudflare features for hostnames managed by your Custom Hostnames configuration, including:

Argo

Early Hints

Page Shield

Spectrum

Wildcard DNS

How it works
As the SaaS provider, you can extend Cloudflare’s products to customer-owned custom domains by adding them to your zone as custom hostnames. Through a suite of easy-to-use products, Cloudflare for SaaS routes traffic from custom hostnames to an origin, set up on your domain. Cloudflare for SaaS is highly customizable. Three possible configurations are shown below.
Click to expand...

Log in / Register

Forums

Join the community today

Security CSF Firewall Blocklist + AbuseIPDB API Integration

eva2000 Administrator Staff Member

Kintaro Member

eva2000 Administrator Staff Member

.

Log in / Register

Useful Searches

Join the community today

Security CSF Firewall Blocklist + AbuseIPDB API Integration

eva2000 Administrator Staff Member

Kintaro Member

eva2000 Administrator Staff Member

.