to report thousands of IP addresses engaging spamming, hacking, vulnerability scanning, and other malicious activity in real time.
Create an executable script that reports to AbuseIPDB.
Since CSF uses Perl, the public script we display here is written in Perl.
Code: Select all
nano /path/to/abuseipdb_report.plDon't forget to replace and insert $YOUR_API_KEY from AbuseIPDB within this line.
Code: Select all
"Key" => "$YOUR_API_KEY",Code: Select all
#!/usr/bin/perl
# This file was written as an executable to be used in the auto report function
# of csf and lfd. By replacing $YOUR_API_KEY below with your abuseipdb api key,
# allows you to use this code to integrate your csf system with abuseipdb.com
use strict;
use warnings;
use HTTP::Tiny;
use JSON;
# Gather the information from the commandline passed by lfd
my $ports = $ARGV[1];
my $inout = $ARGV[3];
my $message = $ARGV[5];
my $logs = $ARGV[6];
my $trigger = $ARGV[7];
my $comment = $message . "; Ports: " . $ports . "; Direction: " . $inout
. "; Trigger: " . $trigger . "; Logs: " . $logs;
my $ua = HTTP::Tiny->new;
my $url = 'https://api.abuseipdb.com/api/v2/report';
my $data = {
ip => $ARGV[0],
comment => $comment,
categories => 14
};
my %options = (
"headers", {
"Key" => "$YOUR_API_KEY",
"Accept" => "application/json"
},
);
my $response = $ua->post_form($url, $data, \%options);
my $json = JSON->new;
my $output = $json->pretty->encode($json->decode($response->{'content'}));
if ($response->{'status'} == 200){
print "Report Succesful!\n" . $output;
} elsif ($response->{'status'} == 429) {
print $output;
} elsif ($response->{'status'} == 422) {
print $output;
} elsif ($response->{'status'} == 401) {
print $output;
}Set the BLOCK_REPORT variable in /etc/csf/csf.conf to the executable script file.
Since UI csf.conf not available in WHM csf plugin to be added in the BLOCK_REPORT (restricted UI item), use ROOT bash shell instead:
Code: Select all
nano /etc/csf/csf.confCode: Select all
BLOCK_REPORT = "/path/to/abuseipdb_report.pl"To make sure your change has been changed, you can view it in WHM CSF plugin configuration firewall.
WHM>> Home /Plugins /ConfigServer Security & Firewall --> Firewall configuration
and NOW...
BLOCK_REPORT = "/path/to/abuseipdb_report.pl" should be existing there.
Also... Make sure Reporting abuseipdb_block.pl working with your server:
Code: Select all
touch /path/to/abuseipdb_report.pl
chmod +x /path/to/abuseipdb_report.pl
chown root:root /path/to/abuseipdb_report.plCode: Select all
csf -raCode: Select all
[root@srv8 ~]# tail -n -30 /var/log/exim_rejectlog
2023-09-25 02:46:34 H=[72.11.134.225]:60976 rejected connection in "connect" ACL: Host is banned
2023-09-25 02:53:49 H=[141.98.6.232]:60204 rejected connection in "connect" ACL: Country is banned
2023-09-25 02:53:49 H=[141.98.6.232]:60206 rejected connection in "connect" ACL: Country is banned
2023-09-25 02:53:49 H=[141.98.6.232]:60210 rejected connection in "connect" ACL: Country is banned
2023-09-25 02:53:49 H=[141.98.6.232]:60207 rejected connection in "connect" ACL: Country is banned
2023-09-25 02:53:49 H=[141.98.6.232]:60208 rejected connection in "connect" ACL: Country is banned
2023-09-25 02:53:49 H=[141.98.6.232]:60209 rejected connection in "connect" ACL: Country is banned
2023-09-25 02:58:10 H=[72.11.134.225]:51463 rejected connection in "connect" ACL: Host is banned
2023-09-25 03:09:34 H=[89.216.99.6]:32719 rejected connection in "connect" ACL: Country is banned
2023-09-25 03:15:32 H=[72.11.134.225]:56545 rejected connection in "connect" ACL: Host is banned
2023-09-25 03:21:23 H=[196.0.32.242]:47602 rejected connection in "connect" ACL: Country is banned
2023-09-25 03:32:02 H=[141.98.6.232]:49611 rejected connection in "connect" ACL: Country is banned
2023-09-25 03:32:02 H=[141.98.6.232]:49608 rejected connection in "connect" ACL: Country is banned
2023-09-25 03:32:02 H=[141.98.6.232]:49610 rejected connection in "connect" ACL: Country is banned
2023-09-25 03:32:02 H=[141.98.6.232]:49612 rejected connection in "connect" ACL: Country is banned
2023-09-25 03:32:02 H=[141.98.6.232]:49614 rejected connection in "connect" ACL: Country is banned
2023-09-25 03:32:02 H=[141.98.6.232]:49613 rejected connection in "connect" ACL: Country is banned
2023-09-25 03:35:51 H=[162.243.139.14]:48276 rejected connection in "connect" ACL: Host is banned
2023-09-25 03:35:51 H=[162.243.139.14]:43500 rejected connection in "connect" ACL: Host is banned
2023-09-25 03:35:51 H=[162.243.139.14]:56214 rejected connection in "connect" ACL: Host is banned
2023-09-25 03:35:52 H=[162.243.139.14]:55376 rejected connection in "connect" ACL: Host is banned
2023-09-25 03:35:52 H=[162.243.139.14]:52890 rejected connection in "connect" ACL: Host is banned
2023-09-25 03:35:54 H=[162.243.139.14]:58992 rejected connection in "connect" ACL: Host is banned
2023-09-25 03:38:53 H=[72.11.134.225]:60900 rejected connection in "connect" ACL: Host is banned
2023-09-25 03:39:52 H=[46.42.1.196]:43764 rejected connection in "connect" ACL: Country is banned
2023-09-25 03:43:12 H=scan-10.shadowserver.org [74.82.47.3]:21930 rejected connection in "connect" ACL: Host is banned
2023-09-25 03:44:18 H=scanner-27.ch1.censys-scanner.com [167.94.138.125]:37582 rejected connection in "connect" ACL: Host is banned
2023-09-25 03:59:30 H=[37.189.3.22]:56323 rejected connection in "connect" ACL: Country is banned
2023-09-25 04:00:37 dovecot_login authenticator failed for (71-53-156-229.cltn.centurylink.net) [71.53.156.229]:63464: 535 Incorrect authentication data (set_id=mailer-daemon@mailersafelist.com)
2023-09-25 04:03:39 H=[72.11.134.225]:62656 rejected connection in "connect" ACL: Host is banned
[root@srv8 ~]#That's why any kind of autoresponders, Including SPAM ARREST, BOXBE and ZONE ALARM disallow to used with all of our sites.
