I just set up AbuseIPDB with one of my fail2ban instances, mostly just out of curiosity and because it seemed simple enough. However, following that guide with an old-ish version of fail2ban made me end up with “$f2bV_matches” as a report comment, which doesn’t look too good.
A quick search led me to this Github issue, which is quite a long read and a bit confusing. But long story short, there was a bug in the provided “action.d/abuseipdb.conf” configuration file, prior to a somewhat unclear fail2ban version (0.10.3?). Note that I suspect it could apply to a later version if you somehow keep installed configuration files when upgrading.
Anyhow, since it’s all in that configuration file, you can just grab the appropriate line in the fixed version, which I’ll copy here as well:
actionban = lgm=$(printf '%%.1000s\n...' "<matches>"); curl -sSf "https://api.abuseipdb.com/api/v2/report" -H "Accept: application/json" -H "Key: <abuseipdb_apikey>" --data-urlencode "comment=$lgm" --data-urlencode "ip=<ip>" --data "categories=<abuseipdb_category>"
Then put that line in place of the existing one in /etc/fail2ban/action.d/abuseipdb.conf.
Note that while you’re at it, you can set your API key in this file as well (abuseipdb_apikey = ... at the very bottom). This way, you don’t have to put it in every single jail, which helps make things more readable and maintainable, IMO.
And that’s about it, if you’ve followed the rest of the setup instructions provided by AbuseIPDB. Don’t forget to at least reload fail2ban (sudo systemctl reload fail2ban), although for me it seemed that somehow restarting it worked better (in that case, don’t forget that it may submit duplicate reports, which you should delete).
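Before enabling the fixed line, it can help to see what it actually does to the report comment. The following shell dry run is an added example (not from the fail2ban project or this post): it applies the same printf truncation to a constructed pair of sshd matches and prints the curl command the action would execute, with the key redacted and the IP and category given as placeholder values.

```shell
#!/bin/sh
# Reproduce, outside fail2ban, what the fixed actionban line does with <matches>:
# keep at most the first 1000 characters of the matched log lines and append
# "..." so that a truncated comment is recognisable in the AbuseIPDB report.

# Constructed sample of what fail2ban substitutes for <matches> (two sshd lines).
SAMPLE_MATCHES='Mar 19 10:01:02 host sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar 19 10:01:05 host sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2'

# Same truncation as in abuseipdb.conf. The config file spells the format
# '%%.1000s\n...' because fail2ban treats '%' specially when it expands the
# action; once fail2ban has done that, the shell sees a single '%'.
build_comment() {
    printf '%.1000s\n...' "$1"
}

# Dry run: print the curl invocation the action would run instead of sending it.
# $1 = matches, $2 = banned IP, $3 = category id(s) (placeholders, not real values).
show_report_request() {
    comment=$(build_comment "$1")
    printf 'curl -sSf "https://api.abuseipdb.com/api/v2/report" -H "Accept: application/json" -H "Key: <redacted>" --data-urlencode "comment=%s" --data-urlencode "ip=%s" --data "categories=%s"\n' \
        "$comment" "$2" "$3"
}

# Byte length of the comment that would be sent: never more than 1000 + 4 ("\n...").
comment_len() {
    build_comment "$1" | wc -c | tr -d ' '
}

show_report_request "$SAMPLE_MATCHES" 203.0.113.7 CATEGORY_ID
```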
A few other useful commands (mostly for my own copy-pasting convenience 👀):
sudo tail /var/log/fail2ban.log
sudo tail /var/log/fail2ban.log > /home/export.txt
sudo tail /var/log/auth.log
sudo nano /etc/fail2ban/fail2ban.local
sudo nano /etc/fail2ban/jail.conf
And while I’m at it, let’s get that contributor badge going (I hope it works with subdomains) (edit: yes it does):
Update 2024-03-19
If getting fail2ban [490]: ERROR Failed during configuration: Have not found any log file for sshd jail, it probably means logs are not being written to /var/log/auth.log because syslog was not installed. A fix could be to either install syslog (or rsyslog), or to configure fail2ban to use systemd as a backend, by adding backend = systemd to the jail configuration. Cf. also this ticket on Github.
Some more useful commands
sudo systemctl status fail2ban
sudo systemctl status ssh.service
sudo apt policy openssh-server
sudo fail2ban-client unban --all
Last but not least, make sure these packages are installed, otherwise the ban jail will fail to execute fully:
- iptables
- curl