Report abusive IPs 


In my previous post, I discussed the powerful capabilities of Fail2Ban in safeguarding server environments from unauthorized access. Building on that foundation, today’s entry takes our security strategy a step further. We’ll explore how to extend Fail2Ban by integrating it with the AbuseIPDB service. This integration is crucial for effectively reporting and identifying IP addresses linked to malicious online activities, further reinforcing our defenses against digital threats. Join me as we delve into setting up this essential security measure to ensure a safer online environment.

Below you can see my contributor badge. This badge shows you how many IPs I reported. All of them were blocked by Fail2Ban and automatically sent to AbuseIPDB.

AbuseIPDB

I found this website a few years ago and I was using it to check IP reputation. I never had time to configure it with my server. Today came the day to finally get involved.

AbuseIPDB is a project dedicated to helping combat the spread of hackers, spammers, and abusive activity on the internet.

Their mission is to help make the Web safer by providing a central blacklist for webmasters, system administrators, and other interested parties to report and find IP addresses that have been associated with malicious activity online.

So you can report bad IPs, check IP reputation in the database, and also use the API to integrate it with your server. There are a few pricing plans, but for this setup a free account is enough.

Integrating AbuseIPDB with Fail2Ban

Before starting the configuration, ensure that Fail2Ban is installed and properly configured on your server. If you’re new to this, refer to my previous tutorial or search online for additional resources.

Steps to Integrate:

  1. Register an account on the AbuseIPDB website.
  2. Verify your website, which is a simple process and increases your daily request limit from 1,000 to 3,000.
  3. Generate an APIv2 key, as APIv1 is deprecated.

Once logged in, the website provides clear instructions on proceeding.

Configure Fail2Ban for AbuseIPDB Reporting:

To report IPs directly to AbuseIPDB, update your Fail2Ban to at least version 0.10.0. Check your version with fail2ban-client -V and update if necessary.

Editing the Configuration:

Add the following line to each jail in your jail.local where you want to enable AbuseIPDB reporting:

%(action_abuseipdb)s[abuseipdb_apikey="your-api-key", abuseipdb_category="18,22"]

For a more global approach, update the [DEFAULT] section in jail.local:

action = %(action_)s
         %(action_abuseipdb)s[abuseipdb_apikey="your-api-key", abuseipdb_category="18"]

This allows the AbuseIPDB action to run on all jails without specifying it individually.

Restart Fail2Ban Service:

After updating your configuration, restart the service to apply the changes:

sudo service fail2ban restart

or

sudo fail2ban-client reload
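To see what actually leaves your server once the action above fires, here is an added example (not from this post and not Fail2Ban's own action script) that builds the same APIv2 report as an offline dry run: the `Key` header, the `ip`/`categories`/`comment` fields and the /api/v2/report endpoint are AbuseIPDB's, while the non-reportable address list, the sample address 203.0.113.45 and the placeholder key are assumptions.

```python
"""Offline dry run of the report Fail2Ban's abuseipdb action submits to the
AbuseIPDB APIv2 /report endpoint. Example code, not Fail2Ban's action script."""
import ipaddress
import json
import urllib.parse
import urllib.request

REPORT_URL = "https://api.abuseipdb.com/api/v2/report"
VALID_CATEGORIES = set(range(1, 24))  # AbuseIPDB defines category codes 1..23
# Never report your own infrastructure: a jail that bans a LAN client would
# otherwise publish internal addresses. Deliberately minimal list (assumption);
# documentation ranges such as 203.0.113.0/24 stay reportable so samples run.
NON_REPORTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "0.0.0.0/8", "fc00::/7", "fe80::/10", "::1/128")]

def parse_categories(spec: str) -> list[int]:
    """Validate a jail.local value such as "18,22" (18 = Brute-Force, 22 = SSH)."""
    cats = []
    for part in spec.split(","):
        part = part.strip()
        if not part.isdigit() or int(part) not in VALID_CATEGORIES:
            raise ValueError(f"unknown AbuseIPDB category: {part!r}")
        cats.append(int(part))
    return cats

def is_reportable(ip: str) -> bool:
    """False for loopback, RFC 1918, link-local and ULA addresses."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in NON_REPORTABLE)

def build_report(api_key: str, ip: str, category_spec: str, comment: str):
    """Return the request Fail2Ban would send, or None if the IP must be skipped."""
    if not is_reportable(ip):
        return None
    body = urllib.parse.urlencode({
        "ip": ip,
        "categories": ",".join(str(c) for c in parse_categories(category_spec)),
        "comment": comment,
    }).encode()
    return urllib.request.Request(REPORT_URL, data=body, method="POST",
                                  headers={"Key": api_key, "Accept": "application/json"})

def submit(req: urllib.request.Request, dry_run: bool = True) -> dict:
    """Dry run returns what would be sent; live mode performs the real POST."""
    if dry_run:
        return {"url": req.full_url, "body": urllib.parse.parse_qs(req.data.decode())}
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)
```

Run `submit(build_report("your-api-key", "203.0.113.45", "18,22", "Fail2Ban sshd ban"))` to inspect the payload before switching `dry_run` off; a private address returns `None` instead of a request.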

Check out the official documentation for more details and troubleshooting:

Good luck and stay secure!