Pre-blocking bad IPs
Recently I began to pre-block some IP ranges due to SSH brute-forcing. Currently I'm using this nifty script for AbuseIPDB:
#!/bin/bash
# Abort on any error, unset variable or failed pipeline stage, so a failed
# download never overwrites the previous list with an empty file.
set -euo pipefail
# get latest black list from abuseIPDB (-f makes curl fail on HTTP errors;
# the -d values are appended as query parameters because of -G)
curl -fsS -G https://api.abuseipdb.com/api/v2/blacklist \
-d confidenceMinimum=75 \
-d limit=9999999 \
-H "Key: 123..." \
-H "Accept: text/plain" | sort -u > /root/blacklist.ips.tmp
mv /root/blacklist.ips.tmp /root/blacklist.ips
# Feed list to UFW, one deny rule per entry (-r keeps backslashes literal,
# quoting "$ip" avoids word splitting on malformed lines)
while read -r ip;
do
    [ -n "$ip" ] || continue
    /usr/sbin/ufw insert 1 deny from "$ip" to any;
done < /root/blacklist.ips
exit 0
Does anyone have a similar simple API to obtain abusers' IPs/net blocks or ASNs?
Comments
Yes, CrowdSec. It used to be possible to easily export blocked/blacklisted IPs via API.
Edit: also check this: https://lowendtalk.com/discussion/171824/automatically-generated-ip-blocklists-of-various-types
If you use CSF Firewall you can add the AbuseIPDB block list too. I developed a script for CSF Firewall + AbuseIPDB reporting integration focused on privacy, as the AbuseIPDB example scripts leak private information about your servers to their public AbuseIPDB database.
So my integration properly masks this private info, i.e. https://github.com/centminmod/centminmod-abuseipdb-reporter#csf-cluster-mode. It also lists how you set up the AbuseIPDB block list in CSF Firewall: https://github.com/centminmod/centminmod-abuseipdb-reporter
For IP to ASN, you can do local GeoIP database lookups using the GeoLite2 database. I wrote a CSF lfd log parser in shell, Python, Go and Rust for this, https://github.com/centminmod/centminmod-csf-lfd-parser, and benchmarked their lfd log parsing speeds:
python3 lfd-parser.py
./lfd-parser.sh
./lfd-parser
./target/release/lfd_parser
The Rust version has the best-featured argument support.
CSF is a good tool, but not supported by the ISPConfig control panel. So I must rely on ufw.
Why even bother? If your password is strong enough, nothing is going to happen.
Clean logs at least. Having a non-standard SSH port or a messy access_log is not very convenient.
@Levi have a look at using ipset for blocklists instead of ufw. It's much faster to add IP addresses to lists, more performant, and easier to manage.
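A worked example of the ipset approach suggested in this reply, added here as an illustration and not code from this thread or from any poster. It assumes the blocklist file produced by the script in the opening post (one IPv4 address or CIDR per line, at /root/blacklist.ips), that ipset and iptables are installed, and that the script is run as root when applying; the set name "blocklist" and the sample entries are made up for the dry run.

```shell
#!/bin/sh
# Added example (not from the thread): load an IPv4 blocklist into an ipset
# hash:net set and match it with one iptables rule instead of one ufw rule per IP.
# Assumptions: ipset/iptables installed, run as root for --apply; the set name
# "blocklist" and the sample entries below are made up for illustration.

SET_NAME="blocklist"
BLOCKLIST_FILE="${BLOCKLIST_FILE:-/root/blacklist.ips}"

# Keep only syntactically valid IPv4 addresses or IPv4 CIDRs (octets 0-255,
# prefix 0-32). Comments, blank lines and garbage are dropped so a corrupted
# feed cannot smuggle extra commands into "ipset restore".
filter_ipv4_entries() {
    grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$' \
      | awk -F'[./]' '$1<=255 && $2<=255 && $3<=255 && $4<=255 && (NF==4 || $5<=32)' \
      | sort -u
}

# Emit an "ipset restore" session that fills a temporary set and atomically
# swaps it in, so the live set is never empty while it is being rebuilt.
render_ipset_restore() {
    file="$1"
    set_name="$2"
    tmp_name="${set_name}_tmp"
    printf 'create %s hash:net family inet hashsize 4096 maxelem 1000000 -exist\n' "$set_name"
    printf 'create %s hash:net family inet hashsize 4096 maxelem 1000000 -exist\n' "$tmp_name"
    printf 'flush %s\n' "$tmp_name"
    filter_ipv4_entries < "$file" | while IFS= read -r entry; do
        printf 'add %s %s -exist\n' "$tmp_name" "$entry"
    done
    printf 'swap %s %s\n' "$tmp_name" "$set_name"
    printf 'destroy %s\n' "$tmp_name"
}

# Load the set into the kernel and make sure exactly one DROP rule references it.
apply_blocklist() {
    render_ipset_restore "$BLOCKLIST_FILE" "$SET_NAME" | ipset restore
    iptables -C INPUT -m set --match-set "$SET_NAME" src -j DROP 2>/dev/null \
      || iptables -I INPUT 1 -m set --match-set "$SET_NAME" src -j DROP
}

# Constructed sample feed (documentation addresses, not real abuse data) used
# for the dry run below; it mixes valid entries with duplicates and junk.
write_sample_blocklist() {
    printf '%s\n' '203.0.113.7' '# comment line' '198.51.100.0/24' \
        '999.1.1.1' '203.0.113.7' 'not-an-ip' '192.0.2.9/33' '' > "$1"
}

if [ "${1:-}" = "--apply" ]; then
    apply_blocklist              # e.g. from cron, as root
else
    sample="$(mktemp)"           # dry run: print what would be fed to ipset restore
    write_sample_blocklist "$sample"
    render_ipset_restore "$sample" "$SET_NAME"
    rm -f "$sample"
fi
```

Run without arguments to see the generated restore session for the sample feed; run with --apply as root to load the real file. Because the temporary set is filled first and then swapped, the firewall keeps matching the previous list until the new one is complete, and a single iptables rule stays in place no matter how many entries the set holds.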
https://blackhole.s-e-r-v-e-r.pw/
Don't rely on AbuseIPDB to block IPs; it can be used to challenge IPs (like a captcha or similar, assuming HTTP), but not to block them.
It's an unreliable list.