Fail2ban: Fail2ban and abuseipdb integration

Created on 7 Feb 2019 · 7 comments · Source: fail2ban/fail2ban

Environment:

  • Fail2Ban version (including any possible distribution suffixes):
  • OS, including release name/version: Debian 9 (stretch), Python 2.7.13
  • [x] Fail2Ban installed via OS/distribution mechanisms: Fail2Ban v0.9.6
  • [ ] You have not applied any additional foreign patches to the codebase
  • [ ] Some customizations were done to the configuration (provide details below if so)

The issue:

OK, so I have an issue with Fail2ban and integrating abuseipdb;
at first it was not uploading reports to abuseipdb.

So I started reading the documentation and I found this:
https://www.abuseipdb.com/fail2ban.html

```
actionban = curl --fail --ciphers ecdhe_ecdsa_aes_256_sha --data 'key=<abuseipdb_apikey>' --data-urlencode 'comment=<matches>' --data 'ip=<ip>' --data 'category=<abuseipdb_category>' "https://www.abuseipdb.com/report/json"
```

Now when I run this via the command prompt, though, I get the following
error.

```
curl --fail --ciphers ecdhe_ecdsa_aes_256_sha --data 'key=<abuseipdb_apikey>' --data-urlencode 'comment=<matches>' --data 'ip=<ip>' --data 'category=<abuseipdb_category>' "https://www.abuseipdb.com/report/json"
```

Which is what the action is supposed to do when it goes to upload a report.

Now when I run that command at my prompt, though, I get the following error:

```
root@server1:/etc/fail2ban# curl --fail --ciphers ecdhe_ecdsa_aes_256_sha --data 'key=<abuseipdb_apikey>' --data-urlencode 'comment=<matches>' --data 'ip=<ip>' --data 'category=<abuseipdb_category>' "https://www.abuseipdb.com/report/json"
curl: (59) failed setting cipher list: ecdhe_ecdsa_aes_256_sha
```

So it is saying that it can't set the cipher. I am not quite sure why Debian 9 can't
seem to use that cipher, but there appears to be some kind of issue and it can't
set the cipher ecdhe_ecdsa_aes_256_sha.

This is Debian 9 (stretch)

uname -a
Linux server1 4.9.0-8-amd64 #1 SMP Debian 4.9.130-2 (2018-10-27) x86_64 GNU/Linux

curl -V
curl 7.52.1 (x86_64-pc-linux-gnu) libcurl/7.52.1 OpenSSL/1.0.2q zlib/1.2.8 libidn2/0.16 libpsl/0.17.0 (+libidn2/0.16) libssh2/1.7.0 nghttp2/1.18.1 librtmp/2.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz TLS-SRP HTTP2 UnixSockets HTTPS-proxy PSL

python -V
Python 2.7.13

fail2ban-client -V
Fail2Ban v0.9.6

Now this is a brand new, fresh install as well, which I installed about
3 days ago.

Now I started looking around for some information about this,
and I found some.

https://github.com/fail2ban/fail2ban/issues/2044

Now when I run the command that he recommends
in that post, it works!

```
actionban = curl --tlsv1.1 --data 'key=<abuseipdb_apikey>' --data-urlencode "comment=<matches>" --data 'ip=<ip>' --data 'category=<abuseipdb_category>' "https://www.abuseipdb.com/report/json"
```

It appears that is supposed to go in /etc/fail2ban/action.d/abuseipdb.conf.
This is at line 89 for me.

The line that is currently in the abuseipdb.conf is:

```
actionban = lgm=$(printf '%%s\n...' "<matches>"); curl --fail --tlsv1.1 --data "key=<abuseipdb_apikey>" --data-urlencode "comment=$lgm" --data "ip=<ip>" --data "category=<abuseipdb_category>" "https://www.abuseipdb.com/report/json"
```

Now if I change it to look like this, the curl part at least works now:

```
curl --tlsv1.1 --data 'key=<abuseipdb_apikey>' --data-urlencode "comment=<matches>" --data 'ip=<ip>' --data 'category=<abuseipdb_category>' "https://www.abuseipdb.com/report/json"
```
I have not seen any reports uploaded yet to abuseipdb, but I believe that there
is some kind of issue with Debian 9 and the curl and the cipher it is using.

Now in my abuseipdb.conf it is now:
```ini
actionban = curl --tlsv1.1 --data 'key=<abuseipdb_apikey>' --data-urlencode "comment=<matches>" --data 'ip=<ip>' --data 'category=<abuseipdb_category>' "https://www.abuseipdb.com/report/json"
```

I did a restart of fail2ban after I applied the changes.

Can someone take a look into this please?

Thank you,

Steps to reproduce

  1. Be on a machine with Debian 9 installed on it.

Run the command:

```
curl --fail --ciphers ecdhe_ecdsa_aes_256_sha --data 'key=<abuseipdb_apikey>' --data-urlencode 'comment=<matches>' --data 'ip=<ip>' --data 'category=<abuseipdb_category>' "https://www.abuseipdb.com/report/json"
```

Expected behavior

That the reports will upload properly to abuseipdb.com

Observed behavior

Any additional information

Configuration, dump and another helpful excerpts

I don't believe that this is a configuration issue. I can upload
my jail.local, but that isn't the issue here; it appears that
one curl line is my issue.
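The cipher-list failure in the report above is a spelling problem rather than a Debian problem: `ecdhe_ecdsa_aes_256_sha` is how an NSS-linked curl names that suite, while the stretch curl shown above is built against OpenSSL, which calls the same suite `ECDHE-ECDSA-AES256-SHA`, so `--ciphers` is rejected with error 59 before any connection is attempted. The script below is an added example, not code from the fail2ban project or from anyone in this thread. It detects the TLS backend from `curl -V` output (the stretch banner from the report plus a constructed NSS banner), translates an NSS-style suite name into the OpenSSL spelling for anyone who still wants a pin, and emits an `action.d/abuseipdb.local` override that, like the line from #2044, pins only a TLS floor and keeps `--fail`. It additionally reads the API key from a file with curl's `--data @file` form so the key does not appear on curl's command line in `ps` (which also means the `abuseipdb_apikey` setting in jail.local is no longer used). The `.local` override mechanism and `--data @file` are standard fail2ban and curl behaviour; the key-file path `/etc/fail2ban/abuseipdb.key` and all function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not part of fail2ban or of this thread): choose curl TLS
# options that match the backend curl was built against, and generate a
# local override for action.d/abuseipdb.conf.
# The key-file path and all function names are this example's own choices.

# First lines of `curl -V` on the Debian 9 host from the report (OpenSSL build).
CURL_V_STRETCH='curl 7.52.1 (x86_64-pc-linux-gnu) libcurl/7.52.1 OpenSSL/1.0.2q zlib/1.2.8 libidn2/0.16 libpsl/0.17.0 (+libidn2/0.16) libssh2/1.7.0 nghttp2/1.18.1 librtmp/2.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp'

# Constructed banner for an NSS-linked curl (the kind of build the lower-case
# cipher name was written for); not captured from a real host.
CURL_V_NSS='curl 7.29.0 (x86_64-redhat-linux-gnu) libcurl/7.29.0 NSS/3.36 zlib/1.2.7 libidn/1.28 libssh2/1.4.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smtp smtps telnet tftp'

# curl_tls_backend "<curl -V output>" -> openssl | nss | gnutls | unknown
# The backend is named on the first line, e.g. "OpenSSL/1.0.2q" or "NSS/3.36".
curl_tls_backend() {
    first=$(printf '%s\n' "$1" | head -n 1)
    case "$first" in
        *OpenSSL/*|*LibreSSL/*) echo openssl ;;   # LibreSSL uses OpenSSL cipher names
        *NSS/*)                 echo nss ;;
        *GnuTLS/*)              echo gnutls ;;
        *)                      echo unknown ;;
    esac
}

# nss_to_openssl_cipher <nss_name> -> OpenSSL spelling of the same suite.
# NSS:     lower case, "_" separators, "aes_256", "sha_256"
# OpenSSL: upper case, "-" separators, "AES256",  "SHA256"
# A heuristic covering the usual ECDHE/RSA AES suites, not a full table.
nss_to_openssl_cipher() {
    printf '%s\n' "$1" \
        | sed -e 'y/abcdefghijklmnopqrstuvwxyz_/ABCDEFGHIJKLMNOPQRSTUVWXYZ-/' \
              -e 's/AES-\([0-9]\)/AES\1/g' -e 's/SHA-\([0-9]\)/SHA\1/g'
}

# cipher_arg <backend> <nss_name> -> "--ciphers <name>" spelled for that
# backend, or nothing when the backend's syntax is not known here: passing a
# string curl cannot parse fails with error 59 before it even connects, so
# pinning only the TLS version is the safer default.
cipher_arg() {
    case "$1" in
        openssl) echo "--ciphers $(nss_to_openssl_cipher "$2")" ;;
        nss)     echo "--ciphers $2" ;;
        *)       ;;
    esac
}

# abuseipdb_local [keyfile] -> text for /etc/fail2ban/action.d/abuseipdb.local.
# A .local file overrides only the keys it sets; everything else stays as in
# the packaged abuseipdb.conf. The line pins a TLS floor instead of a cipher
# (valid with every backend), keeps --fail so a rejected report is logged as
# an action error, and reads "key=..." from a root-only file via --data @file
# so the API key is not visible in `ps` while curl runs.
abuseipdb_local() {
    keyfile="${1:-/etc/fail2ban/abuseipdb.key}"   # assumed path; contents: key=YOUR_API_KEY
    cat <<EOF
[Definition]
actionban = curl --fail --tlsv1.2 --data "@${keyfile}" --data-urlencode "comment=<matches>" --data "ip=<ip>" --data "category=<abuseipdb_category>" "https://www.abuseipdb.com/report/json"
EOF
}

# Usage: sh abuseipdb-tls.sh --demo   (inspects the real curl on this host)
if [ "${1:-}" = "--demo" ]; then
    backend=$(curl_tls_backend "$(curl -V 2>/dev/null)")
    echo "curl TLS backend: $backend"
    echo "cipher option for the old action line: $(cipher_arg "$backend" ecdhe_ecdsa_aes_256_sha)"
    abuseipdb_local
fi
```

`--tlsv1.2` is a minimum, not an exact version, so it keeps working as the server moves to newer TLS. If an override line ever needs a literal `%`, write it as `%%` exactly as the packaged action does with `printf '%%s\n...'`, because fail2ban's config parser interpolates `%`. After writing the `.local` file, `fail2ban-client reload` picks it up, and a rejected report then appears as an actionban error in fail2ban.log rather than silently succeeding.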

Labels: 3rd party issue · closed-as-duplicate · implemented-in-newer-version

All 7 comments

  1. This is not an issue of fail2ban.
  2. Similar issues were fixed in #2101 (for f2b 0.10):
  3. either you should update your fail2ban version (and possibly update the filter as in the PR if it is < 0.10.3, as in commit fc76ccf19218f7eb14afcbf916fe47c3c9ccaa95),
  4. or you could try to merge it into your old 0.9 version (I don't know whether it will work there out of the box).
  5. Additionally, I do not quite understand what you want to tell us with this long ticket (what exactly your issue is). Anyway, if you change the curl parameters as discussed in #2044 (resp. in the resulting PR, see commit fc76ccf19218f7eb14afcbf916fe47c3c9ccaa95), it should work well.

Thus closed as duplicate resp. 3rd party (and obsolete) issue.

Wow, people here are assholes. This issue is NOT fixed. I have the latest version of F2B
and the problem isn't resolved. What an absolutely shitty project, when people report
an issue and the developers refuse to look at it.

This matter is also in no way obsolete either!

This is an issue with Fail2Ban as well. Screw this, I will find another solution
with another program like Fail2Ban, since the devs here are that big of
assholes.

No one has been an asshole to you. You're being aggressive for no reason.

Sebres - who replied to your issue - helps every single person who posts an issue. He's fantastically helpful.

He told you what you needed to do. You do NOT have the latest version. You're on 0.9.x - he told you to update to 0.10.x

He also said he wasn't 100% sure what you were asking. He said: if you have resolved it by using the modified command, you could merge yours.

And finally, it appears to him that the issue is not with fail2ban but with the third-party program you are using.

None of that makes him an "asshole".

I'm sorry that you feel it is appropriate to respond with such aggressive rudeness. Sebres is a volunteer and does not deserve to be insulted the way you've insulted him.

It's bizarre that you will actually now go and find another program just because you don't like the answer you received. That is a perverse way to handle server security.

@thereporter42
You have reported an issue with v0.9.6...
Neither is it the latest version (those are 0.10.4 and 0.11),
nor is this an issue of fail2ban itself (moreover, a configuration resp. action for something not developed here).
Furthermore, you have found the wrong place to report an issue (this is the developer repository, so basically not the place where you are obtaining your fail2ban and its configs).
And last but not least, this subject has already been discussed several times and I have neither the time nor the intention to repeat these explanations here again and again.

And now shut up and put your complaints elsewhere, unless you don't get the basic principles of how adults take part in a conversation.

People like you are destroying the open source world, because nobody has any desire anymore to participate in the projects... Let alone that the contribution is for nothing and a waste of time.

There is NO 3rd party program whatsoever.... this is all run by Fail2Ban.
All there is is a conf file in your action.d directory, but that is NOT a 3rd party
program. I am running the latest version as well on Debian 9.

And telling me to "shut up and put your complaints elsewhere"
just shows how big of an ahole you are.

Oh, and for the record, I already pulled the LATEST version of the conf
file right from the GitHub area and that was what I was using:

https://github.com/fail2ban/fail2ban/blob/0.11/config/action.d/abuseipdb.conf

Clearly this is NOT a 3rd party program and I am working with
the existing conf file that is already here! All of what I was
talking about was all in that file, which you do support
and have in your own repository.

The file that I was talking about was the abuseipdb.conf,
and that is NOT a 3rd party program and is part of Fail2Ban.

I am not destroying anything either; I am trying to get an issue
with Fail2Ban fixed. But you don't have any interest in fixing
an issue with your program, so I will find another program to
run, I guess, that is better developed and where the devs
actually care.

  1. It is a 3rd party issue, because basically neither the abuseipdb service nor curl are part of fail2ban.
  2. Fail2ban is just a tool which is normally configured for basic needs by the maintainer of each distribution separately. Emphasis on basic, so some extra configurations, although they may be available in fail2ban out of the box, could still expect some tuning, and even then without the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
  3. We as fail2ban developers and contributors can't and won't test each action or filter that fail2ban already provides (or will still provide in the future) with each *nix distribution and each version of those. This is basically impossible and requires a lot of time that we all don't have.
  4. Yes, I closed this issue for the reasons already described above (but also because I just want to retain the overview of issues with really important things). And if one still does not understand how the curl execution parameters should be adjusted, he could kindly ask: "would someone like to help me with the curl ... on stretch ... for an older f2b version". That is all.
    Note also that this is really the development repo here, so on platforms and forums like serverfault, stackoverflow and superuser you could possibly have more chances to get an answer.

I am not destroying anything either I am trying to get an issue with Fail2Ban fixed

  1. Still again, it looks like it is fixed in the newest version, but if not, and something still does not work there, provide an output/errors from the newest version. You posted me a lot of outputs of curl that for some reason was not compatible on your stretch.
    Thus again: if something does not work with the latest version, just provide an output of this. Only.
    I don't want to see the results of a version which is already several years obsolete.
    And thereby don't forget to be friendly and nice to your developers.
  2. As for destroying, what do you think: how many devs and contributors has fail2ban had since its existence?
    And of many other OS projects. Where are all the people? Nobody wants to do the work for free and in reward get insults or still suffer people like you.
  3. People that really want to contribute propose a well thought-out modification, but not "my old fail2ban action is not compatible with curl".

BS, you are using curl as part of your main package for fail2ban, and the issue isn't with curl itself;
it is an issue with YOUR line used in the conf file, which came right from YOUR
repository.

And it is NOT fixed in the latest version, because as I said I grabbed the conf file
right from the latest version and the issue still occurs.

All you have to do is fix your conf file for this issue, which comes as PART
of the Fail2ban program. This is NOT a 3rd party issue whatsoever.

You should at least be willing to accept reports on action conf files
that you include in your own repo, and that is the case here.

You people are just a bunch of aholes who don't want to do anything
about an issue reported to you.

Again, the issue here isn't with curl, it is with YOUR conf file. Wow, you
people are utterly useless.

Curl itself is functioning fine; it is your action line in the conf file
that is the issue!

The conf file comes with the package and this is NOT something I
wrote myself. I never set up these actions manually; this is a
default action that comes WITH fail2ban. This again is NOT a 3rd
party issue.

I am running the latest version as well for Debian that they have
in their packages. Clearly there must be reasons as to why
they are not putting the latest version in their package
list, maybe because it is buggy as hell and people like myself
are finding issues like this on Debian that the creator of this
program refuses to acknowledge.

Again, this matter isn't fixed in the latest version, because, well,
I grabbed the conf file from the repo and the issue still exists.

So again, this is a valid report, which you refuse to even consider
or look at and instead just immediately closed.

My report also was not simply that my curl version doesn't work
with fail2ban either; my report was extremely detailed and I even
gave a way to fix the issue. So please stop trying to make it sound
like I posted a simple one-line statement here on my bug report, because
that was not the case.

Again, this issue isn't resolved, but the devs seem to refuse to look at it.
Wow, I mean really, this is your conf file that you provide in your repo
and you won't look at an issue with it? Pretty poor developer if you ask
me.
