Pre-blocking bad IPs

Levi Member

Recently I began to pre-block some IP ranges due to SSH brute-force attempts. Currently I am using this nifty script for AbuseIPDB:

#!/bin/bash
# Abort on any failing command, unset variable, or failing stage of a
# pipeline, so a failed download never silently produces a bad list.
set -euo pipefail

# Get the latest blacklist from AbuseIPDB (plain text, one IP per line).
# -f makes curl fail on an HTTP error instead of writing the error body
# into the list; -sS is quiet but still reports errors.
curl -fsS -G https://api.abuseipdb.com/api/v2/blacklist \
  -d confidenceMinimum=75 \
  -d limit=9999999 \
  -H "Key: 123..." \
  -H "Accept: text/plain" | sort -u > /root/blacklist.ips.tmp
mv /root/blacklist.ips.tmp /root/blacklist.ips

# Feed the list to UFW: one deny rule per address, inserted ahead of the
# existing rules. read -r and quoting keep odd bytes from being expanded.
while IFS= read -r ip; do
        [ -n "$ip" ] || continue
        /usr/sbin/ufw insert 1 deny from "$ip" to any
done < /root/blacklist.ips

exit 0

Does anyone have a similar simple API to obtain abusers' IPs, net blocks or ASNs?

Comments

  • Hotmarer Member
    edited May 21

    Yes, CrowdSec. It used to be possible to easily export blocked/blacklisted IPs via API.

    Edit: also check that: https://lowendtalk.com/discussion/171824/automatically-generated-ip-blocklists-of-various-types

  • eva2000 Veteran
    edited May 21

    If you use CSF Firewall you can add the AbuseIPDB block list too. I developed a script for CSF Firewall + AbuseIPDB reporting integration focused on privacy, as the AbuseIPDB example scripts leak private information about your servers to their public AbuseIPDB database.

    So my integration properly masks this private info, i.e. https://github.com/centminmod/centminmod-abuseipdb-reporter#csf-cluster-mode It also lists how to set up the AbuseIPDB block list in CSF Firewall: https://github.com/centminmod/centminmod-abuseipdb-reporter

    For IP to ASN, you can do local GeoIP database lookups using the GeoLite2 database. I wrote a CSF lfd log parser in shell, Python, Golang and Rust for that, https://github.com/centminmod/centminmod-csf-lfd-parser, and benchmarked their lfd log parsing speeds:

    Language   Script/Executable               Speed-up Factor   Real Time    User Time    System Time
    Python     python3 lfd-parser.py           86.29x            0m1.003s     0m0.495s     0m0.647s
    Shell      ./lfd-parser.sh                 1.00x             1m26.528s    2m39.696s    0m10.917s
    Golang     ./lfd-parser                    3762.09x          0m0.023s     0m0.021s     0m0.004s
    Rust       ./target/release/lfd_parser     9614.22x          0m0.009s     0m0.004s     0m0.005s

    ./target/release/lfd_parser -p /var/log/lfd.log-20230326.gz -a 9808 -a 9318
    [
      {
        "timestamp": "Mar 19 06:37:34",
        "ip": "110.11.234.8",
        "type": "Blocked in csf",
        "asn_number": 9318,
        "asn_org": "SK Broadband Co Ltd",
        "info": "LF_SSHD"
      },
      {
        "timestamp": "Mar 26 02:44:29",
        "ip": "117.132.192.31",
        "type": "Blocked in csf",
        "asn_number": 9808,
        "asn_org": "China Mobile Communications Group Co., Ltd.",
        "info": "LF_SSHD"
      },
      {
        "timestamp": "Mar 26 02:44:29",
        "ip": "117.132.192.31",
        "type": "Blocked in csf",
        "asn_number": 9808,
        "asn_org": "China Mobile Communications Group Co., Ltd.",
        "info": "LF_DISTATTACK"
      }
    ]
    
    ./target/release/lfd_parser -p /var/log/lfd.log-20230326.gz -n LF_DISTATTACK
    
    [
      {
        "timestamp": "Mar 26 02:35:49",
        "ip": "2.59.62.229",
        "type": "Blocked in csf",
        "asn_number": 63023,
        "asn_org": "AS-GLOBALTELEHOST",
        "info": "LF_DISTATTACK"
      },
      {
        "timestamp": "Mar 26 02:44:29",
        "ip": "117.132.192.31",
        "type": "Blocked in csf",
        "asn_number": 9808,
        "asn_org": "China Mobile Communications Group Co., Ltd.",
        "info": "LF_DISTATTACK"
      }
    ]
    

    The Rust version has the best-featured argument support:

    /usr/local/bin/lfd_parser --help
    Log Analyzer 
    
    USAGE:
        lfd_parser [OPTIONS]
    
    OPTIONS:
        -a <asn>...         Filter by ASN number
        -d <db_path>        Path to the GeoLite2 database [default: /usr/share/GeoIP/GeoLite2-ASN.mmdb]
        -h, --help          Print help information
        -i <ip>...          Filter by IP address
        -n <info>...        Filter by Info
        -p <path>           Path to the log file [default: /var/log/lfd.log]
    
  • Levi Member

    CSF is a good tool, but it is not supported by the ISPConfig control panel. So I must rely on UFW.

  • sillycat Member

    Why even bother? If your password is strong enough, nothing is going to happen.

  • tentor Member, Host Rep

    @sillycat said:
    Why even bother? If your password is strong enough, nothing is going to happen.

    Clean logs, at least. Having a non-standard SSH port or a messy access_log is not very convenient.

  • tjn Member

    @Levi have a look at using ipset for blocklists instead of ufw.
    It's much faster to add IP addresses to lists, more performant, and easier to manage.
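The ipset approach tjn suggests, applied to the kind of AbuseIPDB plaintext list the opening post fetches, as an added example that is not code from anyone in this thread. It assumes ipset and iptables are available and uses a set name (abuseipdb) and a sample list of its own; the sample addresses are constructed from documentation ranges and are not real abusers. Instead of one ufw insert per address, the whole list is validated, loaded with a single ipset restore into a scratch set, swapped in atomically, and matched by one iptables rule:

```shell
#!/usr/bin/env bash
# Added example (not from the thread): load an AbuseIPDB-style plaintext
# blocklist into an ipset and match it with one iptables rule.
# Assumed names: set "abuseipdb", list file passed as an argument.
set -eu

SET_NAME="${SET_NAME:-abuseipdb}"

# Keep only valid IPv4 addresses or CIDRs (each octet <= 255, prefix <= 32)
# and drop duplicates. Anything else, e.g. blank lines, comments or an
# HTML/JSON error body that curl wrote instead of the list, is discarded.
filter_ipv4() {
    awk '
    /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/ {
        split($1, p, "/")
        n = split(p[1], o, ".")
        ok = (n == 4)
        for (i = 1; i <= 4 && ok; i++) if (o[i] + 0 > 255) ok = 0
        if (ok && p[2] != "" && p[2] + 0 > 32) ok = 0
        if (ok) print $1
    }' "$1" | sort -u
}

# The create line used for both the scratch and the live set: "swap"
# requires both sets to have identical type and parameters.
create_line() {
    printf 'create %s hash:net family inet hashsize 4096 maxelem 1000000 -exist\n' "$1"
}

# Emit "ipset restore" input for a set: one create line, then one add
# line per entry. Loading this way is one process for the whole list.
build_restore() {
    create_line "$1"
    filter_ipv4 "$2" | awk -v set="$1" '{ printf "add %s %s -exist\n", set, $1 }'
}

# Build the new list into a scratch set, swap it in atomically (the old
# set stays active until the new one is complete), then make sure a single
# DROP rule referencing the live set sits at the top of INPUT.
apply_set() {
    local set_name="$1" list="$2" tmp="${1}_new"
    {
        build_restore "$tmp" "$list"
        create_line "$set_name"
        printf 'swap %s %s\n' "$tmp" "$set_name"
        printf 'destroy %s\n' "$tmp"
    } | ipset restore
    iptables -C INPUT -m set --match-set "$set_name" src -j DROP 2>/dev/null ||
        iptables -I INPUT 1 -m set --match-set "$set_name" src -j DROP
}

# Constructed sample list (RFC 5737 documentation addresses, not real data),
# deliberately including lines that must be rejected or deduplicated.
write_sample_list() {
    local f
    f="$(mktemp)"
    cat > "$f" <<'EOF'
# comment line
203.0.113.7
198.51.100.0/24
203.0.113.7
999.1.1.1
198.51.100.0/40
<html>Too Many Requests</html>
EOF
    printf '%s\n' "$f"
}

# Usage: ./ipset-blocklist.sh apply /root/blacklist.ips   (needs root)
#        ./ipset-blocklist.sh                              (dry run: print restore input for the sample)
if [ "${1:-}" = "apply" ]; then
    apply_set "$SET_NAME" "${2:?list file required}"
else
    build_restore "$SET_NAME" "$(write_sample_list)"
fi
```

The DROP rule at INPUT position 1 is evaluated before the chains ufw installs, so this can sit alongside an existing ufw setup without touching ufw's own rules; re-running the apply step from a cron job or systemd timer after each fresh download refreshes the set in place.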

  • FatGrizzly Member, Host Rep

    Don't rely on AbuseIPDB to block IPs; it can be used to challenge IPs (like a captcha or similar, assuming HTTP), but not to block them.

    It's an unreliable list.
